Disassembly of ippsec’s YouTube video HackTheBox - Optimum. A Windows box completed two different ways, with and without Metasploit, focusing on the use of PowerShell, enumerating the privesc with Sherlock, and executing an exploit with a shell from Nishang and Empire.
Legal Usage: The information provided by execute@will is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk.
By continued reading, you acknowledge the aforementioned user risks/responsibilities.
This series of write-ups will contain comprehensive write-ups of HackTheBox machines, in an effort to sharpen reporting techniques and help solidify the understanding and methodologies used during penetration testing.
Enumeration
nmap scan:
(results)
Initially we are just looking at a web server on port 80.
Navigating to the web server:
Worth testing the login feature with standard logins: admin/admin.
Setting up hydra in the background to brute force while continuing to enumerate is not a bad idea.
Gained information: Application HttpFileServer 2.3D
Switching to an incognito window, as the login adds a cookie that makes continued enumeration difficult; incognito mode avoids this.
Google search: HttpFileServer Exploit
The Rapid7 CVE-2014-6287 Remote Code Execution exploit looks promising.
Investigating the CVE
The exploit works by taking advantage of the *findMacroMarker* function in *parserLib.pas* and allows remote attackers to execute arbitrary programs via a %00 null byte sequence in a search action.
HttpFileServer webapp
By sending a scripted function into the search we should be able to pass commands to the server.
The application has a script that replaces the macro characters *{ } . |*, and this is where the vulnerability exists. By sending a %00 null byte we tell the application that the string has ended; this terminates the regular expression, and everything from that point onward is injectable.
HFS scripting commands
Link: http://www.rejetto.com/wiki/index.php/HFS:_scripting_commands (page needs to be opened as cached)
Command of interest:
Inject exec with Burp
Turn Burp on and capture a request:
Capture the request and send it to Repeater (ctrl+r).
The %00 null byte is captured in the GET “?search=” request.
Next we add /?search=%00{.exec|ping 10.10.14.17
and set up tcpdump to capture the ICMP request.
RCE
tcpdump setup:
We successfully captured an ICMP packet, and at this point we have Remote Code Execution (RCE).
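From the defender’s side, the same null-byte-plus-macro pattern described above is what a web-log detection should key on. The following is an added example, not code from the write-up or from ippsec’s video: it runs over a few constructed, Apache-style access-log lines (HFS’s own log format differs, so the line regex is an assumption), URL-decodes the search parameter, and flags requests where a NUL byte is followed by an HFS macro opener `{.`.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from the original write-up). The first
# two carry %00 followed by an HFS macro in ?search=; the last two are benign.
SAMPLE_LOG = """\
10.10.14.17 - - [01/Jan/2018:10:00:00 +0000] "GET /?search=%00{.exec|ping+10.10.14.17.} HTTP/1.1" 200 512
10.10.14.17 - - [01/Jan/2018:10:00:05 +0000] "GET /?search=%00%7B.exec%7Cpowershell.%7D HTTP/1.1" 200 512
192.168.1.20 - - [01/Jan/2018:10:01:00 +0000] "GET /?search=report.pdf HTTP/1.1" 200 2048
192.168.1.21 - - [01/Jan/2018:10:01:30 +0000] "GET /?search=%7Bbudget%7D HTTP/1.1" 200 1024
"""

# Assumed Apache-style combined/common log layout: client, ident, user, [timestamp], "METHOD URL PROTO".
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*"'
)
# HFS macro syntax is {.name|args.}. CVE-2014-6287 depends on a NUL byte reaching
# the search parser before the macro, so NUL followed by "{." is the signal.
MACRO_RE = re.compile(r'\x00\s*\{\.(?P<macro>[A-Za-z0-9_-]+)')


def extract_search(url):
    """Return the URL-decoded value of the 'search' query parameter, or None."""
    if '?' not in url:
        return None
    for pair in url.split('?', 1)[1].split('&'):
        key, _, value = pair.partition('=')
        if key == 'search':
            return unquote(value)  # %00 becomes a real NUL byte here
    return None


def find_hfs_macro_injections(log_text):
    """Return (source_ip, timestamp, macro_name) for every request whose search
    parameter contains a NUL byte followed by an HFS macro opener."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        search = extract_search(m.group('url'))
        if search is None:
            continue
        mm = MACRO_RE.search(search)
        if mm:
            hits.append((m.group('src'), m.group('ts'), mm.group('macro')))
    return hits


if __name__ == '__main__':
    for src, ts, macro in find_hfs_macro_injections(SAMPLE_LOG):
        print(f'{ts} {src} HFS macro injection attempt: {{.{macro}|...}}')
```

The fourth sample line shows why the NUL byte, not the braces alone, is the discriminator: a plain `{budget}` search is normal user input and is not flagged.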
RCE to Reverse Shell (Nishang)
At this point, since we have remote code execution via the exec macro, we can now set up a reverse shell using Nishang.
Nishang Github Link: https://github.com/samratashok/nishang
Use *Invoke-PowerShellTcp.ps1*; copy it to the working directory.
Configure Invoke-PowerShellTcp.ps1
Checking out the PowerShell script, the example shows the syntax we want to use:
Copy that, go to the bottom of the script, paste it, and change the target:
Set up a listener
SimpleHTTPServer setup
in the directory of the .ps1 that we will upload to the server
Windows 32bit / 64bit directories
Listen on tcpdump
Confirmed connection.
Sending ps1 payload:
URL-encode with ctrl+u:
Target executes the download:
Executed four times, but after execution we get a response on the 1337 listener:
Priv-Esc (windows)
First step:
Gets all the info on the box, including the hotfixes.
Notable output: 2012 R2 Standard, boot times.
Use/edit Sherlock to enumerate KBs.
Copy Sherlock to the directory.
Sherlock Github Link: https://github.com/rasta-mouse/Sherlock
Grep for functions within Sherlock:
We are going to want to edit the script: add a “Find-AllVulns” line at the bottom and save.
Target: in the invoked shell, download Sherlock:
(returns)
MS16-032 : Appears Vulnerable
MS16-135 : Appears Vulnerable
If you were to search all the KBs on the target system you would see it was last patched in 2016.
Google the “Vulnerable” exploits
Search for exploits:
The first result happens to be Metasploit.
Search “MS16-032 powershell”.
A good proof of concept if we had an interactive shell with a GUI. Luckily, Empire does have an exploit.
Viewing “Invoke-MS16032.ps1”, example:
There was a mistake with the example as it included a “-” where the filename doesn’t. Corrected in above example.
At the very bottom of the script copy/paste the command: get rid of the “-”, change google to the local IP with “shell.ps1”, and save.
Copy “Invoke-PowershellTcp.ps1” to “Shell.ps1”
Edit it to port 1338.
Set up a listener for port 1338
Target nc session: download Invoke-MS16032.ps1
Download it from our web server:
(returns)
Root&Loot
On port “1338” the Shell.ps1 is loaded.
NT Authority\System level access!
He continues onward to explain how to perform the same exploit with Metasploit. Seeing as the OSCP exam only allows one use of Metasploit, we’ll leave this “Disassembled” at this point.
If you don’t know who IppSec is, check him out at: YouTube: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
Twitter: https://twitter.com/ippsec