Optimum HTB

IP

10.10.10.8

Initial nmap scan

nmap -p- --min-rate 10000 10.10.10.8 | grep '^[0-9]' | cut -d"/" -f1 | tr '\n' ','

We have the following port open on the target:

80

Let's run a more in-depth scan of the target machine:

sudo nmap -sCV -p80 10.10.10.8 -oA nmap_results

Results

PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Looks like we have a file server up and running on the target. Let's check it out.

We can see

  • the version, 2.3

Using searchsploit we can see this particular version is likely vulnerable to RCE

We will be able to see different methods of RCE for this specific version of Rejetto HFS

Once we bring down the following

and print out the exploit, we can see the following

Once given a command, the exploit URL-encodes it (using urllib.parse.quote) and places it in the search parameter of the URL query; we can do the same without the exploit script

To test this we will run tcpdump on our machine and have the target ping us

  1. Run tcpdump on the local machine

  2. Use the target machine to ping ourselves

  3. We can see traffic generated from the IP 10.10.10.8 within tcpdump

Now all that's left is to gain a reverse shell on the target

Let's utilize a PowerShell script

Let's copy our nishang shell into our current working directory

Let's modify it slightly so it runs once it has been picked up by the target

We can see that we invoke the PowerShell function to connect back to our local machine

Alright, now we have our payload ready; let's have the target pick it up and run it

  1. Start a Python HTTP server

  2. Start a nc listener

  3. Craft our command to pick up the script and run it; for ease we will use Burp's Repeater

  • Notice our payload is URL encoded

  • We specified the full path of powershell.exe
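As an added defensive example that is not part of the original writeup, the Python below parses constructed access-log lines, decodes the search parameter the same way the exploit encodes it, and flags any request whose search term names an interpreter such as powershell.exe; the combined-log layout and the field names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The request above put the full path of powershell.exe, URL-encoded, into the
# search parameter; a file search should never contain an interpreter name.
SUSPECT = re.compile(r"\b(powershell|cmd|certutil)(\.exe)?\b", re.IGNORECASE)

# Constructed sample lines (combined-log layout, an assumption): a benign
# search, the URL-encoded powershell request, and an unrelated download.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?search=report.pdf HTTP/1.1" 200 512
10.10.14.5 - - [01/Jan/2024:10:00:05 +0000] "GET /?search=C%3A%5CWindows%5CSystem32%5CWindowsPowerShell%5Cv1.0%5Cpowershell.exe%20-c%20whoami HTTP/1.1" 200 0
10.10.14.5 - - [01/Jan/2024:10:00:09 +0000] "GET /files/notes.txt HTTP/1.1" 200 128
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def suspicious_search(target):
    """Return the decoded search term if it names an interpreter, else None."""
    for value in parse_qs(urlsplit(target).query, keep_blank_values=True).get("search", []):
        decoded = unquote(value)  # parse_qs decoded once; again for double encoding
        if SUSPECT.search(decoded):
            return decoded
    return None

def scan_log(text):
    """Return (ip, timestamp, decoded search term) for every flagged request."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = suspicious_search(rec["target"])
        if decoded is not None:
            hits.append((rec["ip"], rec["ts"], decoded))
    return hits

if __name__ == "__main__":
    for ip, ts, decoded in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} search parameter carries an interpreter: {decoded}")
```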

Now we have a shell on the system

Let's grab information on the system and see if we can find any privilege escalation exploits

Results

Let's utilize wes-ng to find any exploits that may be present on the system

First, let's update wes-ng

Now let's place all the system information we found into a text file and run wes against it

This will produce a list of possible exploits on the system

We could also utilise Sherlock.ps1 from rasta-mouse

Let's download Sherlock.ps1 onto the target machine

We want to make a slight modification to the script, since we only want to find vulnerabilities on the machine; to do this we make a slight addition at the bottom of the script

  1. Start a python3 HTTP server

  2. Within our shell, download it onto the target machine

We can see we now have Sherlock's output

Results

From the results we can assume this machine is vulnerable to

We can utilise MS16-032 using PowerShell Empire

Clone Empire

Within data/module_source/privesc we can see Invoke-MS16032.ps1

  1. Copy the PowerShell script to our working directory

  2. Slightly modify the script to run once downloaded

We want it to:

  • pick up our nishang shell again, which we modified to connect back on port 9010

  1. Start a nc listener

  2. Start a python3 HTTP server

  3. Download and run it on the target

When we check our other shell we should see we are NT AUTHORITY\SYSTEM
