
HackTheBox: Optimum - Writeup

Date: 04/05/2019 17:54
Category: htb

HackTheBox: Optimum was a fairly easy machine which involved exploiting CVEs to get a reverse shell and system privileges.

1.1 Enumeration


I first started by doing a port scan of Optimum (10.10.10.8).

Nmap scan report for 10.10.10.8
Host is up (0.42s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


The port scan reveals that only one port is open (port 80). It also returns several useful pieces of information, including the version of the web server, which can be looked up to check for a CVE.

A quick look at the website shows that it is a web server for browsing files. The page itself displays the version, HttpFileServer 2.3, confirming what the nmap scan reported.
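To make the step from scan output to a version check concrete, here is an added example (not part of the original writeup) that parses the port table above and flags disclosed versions, the same inventory a defender would run against their own hosts. The watchlist and the function names are assumptions made for illustration.

```python
import re

# Port-table row, e.g. "80/tcp open  http    HttpFileServer httpd 2.3"
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")
# NSE script result, e.g. "|_http-server-header: HFS 2.3"
SCRIPT_ROW = re.compile(r"^\|[_ ]?\s*([\w-]+):\s*(.*)$")
VERSION = re.compile(r"\d+(?:\.\d+)+\w*")

# Assumed watchlist: product substring -> versions with a public exploit.
# The one entry reflects what this page reports for HFS 2.3.
WATCHLIST = {"httpfileserver": {"2.3"}}

# Port table copied from the scan output on this page.
SCAN = """PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
"""

def parse_nmap(text):
    """Return one dict per open port, with its banner and script results."""
    services, current = [], None
    for line in text.splitlines():
        m = PORT_ROW.match(line)
        if m:
            port, proto, state, name, banner = m.groups()
            current = {"port": int(port), "proto": proto, "state": state,
                       "service": name, "banner": banner or "", "scripts": {}}
            services.append(current)
        elif current is not None and (m := SCRIPT_ROW.match(line)):
            current["scripts"][m.group(1)] = m.group(2).strip()
    return [s for s in services if s["state"] == "open"]

def findings(services):
    """Flag disclosed versions and watchlisted products for a hardening review."""
    out = []
    for s in services:
        header = s["scripts"].get("http-server-header", "")
        for source, text in (("banner", s["banner"]), ("server-header", header)):
            if (ver := VERSION.search(text)):
                out.append((s["port"], f"version {ver.group()} disclosed in {source}"))
        ver = VERSION.search(s["banner"])
        for product, bad in WATCHLIST.items():
            if ver and product in s["banner"].lower() and ver.group() in bad:
                out.append((s["port"], f"{product} {ver.group()} is on the watchlist"))
    return out

if __name__ == "__main__":
    for port, issue in findings(parse_nmap(SCAN)):
        print(port, issue)
```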



2.1 Exploitation


Searching searchsploit for this version turns up a remote command execution (RCE) vulnerability in HFS, which can be used to get a reverse shell on the web server. The exploit is available in Metasploit, so Metasploit is started and the exploit runs successfully.



The user is then found easily. However, the shell does not have root privileges, which means further enumeration of the system has to be conducted to get system access.

3.1 Post Exploitation


The first thing to check is the system information, including architecture, operating system and versions. This can be done by running the command systeminfo. It is also worth looking around the file system to see what files are there. A Windows local exploit finder can be used to gather possible vulnerabilities present on the system.

Sherlock is a PowerShell script which searches for possible vulnerabilities locally. Sherlock is downloaded from the GitHub repository: https://github.com/rasta-mouse/Sherlock

Once downloaded, I then uploaded the PowerShell script to the target using meterpreter's upload command.



Success, the PowerShell script was uploaded.

3.2 Post Exploitation - Running Sherlock


The PowerShell script is executed by running:

powershell .\Sherlock.ps1

Several vulnerabilities are found with Sherlock after running the script. The exploits MS16-034 and MS16-135 did not work for me, even after some changes to the code. However, after looking through the output of the script, I found it is also vulnerable to the MS16-098 exploit, which works! After searching for the exploit on Google, the exploit is downloaded and ready for transfer onto the target.

The exploit is uploaded and the privileges are escalated. Then by navigating to the Administrator directory, the root flag is found!