Optimum HTB Writeup w/o Metasploit

Welcome! This next HTB machine were pwning is called Optimum. This is the fifth box were completing in preperation for the OSCP.

Let’s get started.

Enumeration

First we run our nmap scan to see what services are running on the machine. Remember enumeration is the most important part of ethical hacking so we need to be thorough and precise.

So I ran my initial nmap scan as

nmap -A 10.129.27.253

  • -A Enable OS detection, version detection, script scanning, and traceroute.

So there is only one service running on this machine which is HTTP on port 80. This should be our primary attack vector.

So let’s pull up our browser and take a look at what is being hosted on port 80.

So this is a HTTP file server. HFS (HTTP File Server) is used to send and receive files.

I’m going to try to see if we can find anything in the robots.txt file. A robots.txt file tells search engine crawlers which pages or files the crawler can or can’t request from your site. It is used to give instructions to search engine crawlers, about locations within the web site that robots are allowed, or not allowed, to crawl and index.

Robots.txt does not in itself present any kind of security vulnerability. However, it is often used to identify restricted or private areas of a site’s contents. (https://portswigger.net/kb/issues/00600600_robots-txt-file)

So we can see another indication of the http file service version number 2.3 that was also outlined in our nmap scan. Nothing here related to pages that cant be requested by web crawlers but I do see a link. Let’s see where it goes.

So this is interesting. Rejetto is the name of the HTTP File Server. This could be helpful when identifying an exploit.

So now that we have discovered those details lets look for a working exploit.

Let’s start with a searchsploit search for HFS to see what we find.

The first exploit looks promising and it’s for HFS version 2.3 which is the version we’re trying to exploit. Let’s try this one.

I’m going to download this exploit to the Desktop and try to execute.

Unfortunately this one is not working. I’m going to try to find another exploit.

Let’s run a search for Rejetto to see if maybe we can find something specifically tailored to the HFS I’m trying to exploit. I’m going to download 39161.py and give that one a try. First I need to see how the exploit works.

According to the usage details we need to be hosting netcat on our webserver for this to work. So let’s do that. First I’m going to copy netcat to the current directory.

Then we’re going to start an http server to host the netcat we just copied to the current directory. The victim machine is going to download netcat from our webserver once we execute the exploit the first time. After the first execution the victim machine will have netcat installed and will be able to connect back to the listener we’ve set up. So let’s start a listener on port 1337 using netcat.

Okay now there is one last thing I should have to do. I need to modify the lport and lhost on the exploit so it would connect back to me correctly once the exploit is executed the second time.

Okay, now that we meet all the requirements for the exploit we should be able to execute it and get a shell. The details of the exploit stated we may have to run it multiple times so thats what we’ll do.

Let’s check our netcat session to see if we have a shell spawned.

Okay bet. Now let’s check our privileges to see if we have SYSTEM access.

Nope. Okay so I have more work to do. I have to do some post exploitation to find an privesc exploit. Let’s grab the user flag while we’re here.

I have tried using windows-exploit-suggester but it does not work with python 3. I have to use an alternative to find a way to escalate my privs. I’m going to try another tool named “Sherlock”.

Let’s download it from github and give it a try.

Now we have to run Sherlock locally so I need to setup a http server in the Sherlock directory on my machine so the victim machine can run it.

Now I can run the powershell script on the victim machine and run Sherlock.

Okay so we have a few exploits that we could possibly use to escalate privileges.

I’m going to try Win32k Elevation of Privilege exploit. Let’s download it.

Okay so we’ve successfully downloaded it and transfered the file to the machine. Now let’s run it.

Okay so we have to specify version name. Let’s do that and run it again.

Still doesn’t work….

Okay, let’s try another exploit. At this point I’m annoyed but it’s all good lol I’m going to keep moving.

So I’m going to try another exploit. ‘RGNOBJ’ Integer Overflow (MS16–098)

First I need to grab it from github using wget.

Then I need to make it an executable using chmod.

Now just like the other privesc exploits I need to run it locally. So I download it to the machine in the %TEMP% folder using this powershell script.

Okay, we have moved it to the machine succesfully. Now let’s run it and pray lol.

IT WORRRRKED ! Sheesh.

Now lets grab the root flag and get the hell out of here.

Done.

Lessons Learned

It was a lot of trial and error on this one. I learned a few new ways to transfer files and powershell scripts onto Windows victim machines which was really useful. I ran a lot of exploits that didn’t work for me which was fustrating but I learned a lot about perserverance. Not every exploit that is expected to work is going to work and in those moments I need to be better at finding alternative methods. Fifth box done so I am overall pleased. Let’s move on.

mastering the craft of ethical hacking