Writeup: HackTheBox Optimum - with Metasploit

Ari Kalfus (artis3n). Originally published at blog.artis3nal.com.

This series will follow my exercises in HackTheBox. All published writeups are for retired HTB machines. Whether or not I use Metasploit to pwn the server will be indicated in the title.

Optimum

Difficulty: Easy

Machine IP: 10.10.10.8

As always, I start enumeration with AutoRecon.

autorecon-results

I see a web server is up at TCP/80. By looking at WhatWeb's results, I see that it is an HFS server running version 2.3.

whatweb-results

I run HFS through searchsploit and come back with several exploits.

searchsploit-hfs

I decide to look at exploits/windows/remote/39161.py - remote code execution would be nice.

hfs-rce-code

I need to set up netcat to listen on a local port, edit the exploit to update my local host and port, and set up an nc.exe executable on a local web server for the exploit to run on the target machine. I grab an .exe version of netcat and start my local Apache server.

apache-local

I start netcat:

netcat-listening

I modify a copy of the exploit script to set it to my IP and my netcat listener's port:

rce-modified

And I execute the exploit.

rce-run

Success! I have a user shell.

user-shell

Let's grab the user flag and move to escalate our privileges.

user-flag

Now I enumerated a number of services and network and system settings, but I wasn't sure what to do. I'm new to this. I opted to get a user shell through Metasploit so I could take advantage of its local_exploit_suggester module to figure out how to escalate my privilege.

I search Metasploit for "HFS" modules and do not find anything. Maybe it was because I mis-typed 'HFS' as 'HSF.' However, I remember that the searchsploit title of my RCE exploit was "Rejetto HTTP File Server..." I look for "rejetto" modules. Success.

rejetto-msf

I run the module and get a user shell.

msf-user-shell

Now I background the meterpreter session, as I already have the user flag, and run the local_exploit_suggester module for privilege escalation options.

local-privesc-suggestor

There are 2 results. I know from my previous enumeration that the kostas user is not in the Administrators group, so the first module will not work. I try the second:

local-privesc-options

And get a root shell.

root-shell

Now I can grab my root flag:

root-flag
