HTB Optimum- Without Metasploit
A walkthrough of Hack the Box Machine Optimum using Powershell.
The initial Nmap scan reveals only port 80 open:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-02 14:00 EDT
Nmap scan report for 10.10.10.8
Host is up (0.039s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.36 secondsIf we open up the IP in the web browser we see the HttpFileServer version 2.3 as listed in the Nmap scan.
Let's do a quick google search for any vulnerabilities with HttpFileServer 2.3
Exploit Database shows there is a vulnerability when passing a null byte to the search function of the HttpFileServer. The server has a regular expression that searches and replaces any special characters that may result in remote code execution. However, when prefixing a null byte (x00) to the search string, the regex is stopped allowing for the special characters to be passed through and remote code execution becomes possible.
To take advantage of this, let’s get a better understanding of the Rejetto scripting commands through another simple google search.
The first search result is the wiki for the Rejetto scripting language. Let’s search that page for the exec command.
As demonstrated in the example, the exec command is as follows:
{.exec|command.}Where ‘command’ is replaced with the command you want to run. Now that we know the file server is vulnerable to remote code execution, let’s use Burp Suite to confirm that code is being executed on the server. Opening Burp Suite, click on the Proxy tab and turn Intercept on.
Once that is running, let’s go ahead and type in the null byte and look at the response.
Making sure that our traffic is going to burp with FoxyProxy, we see that our intercept proxy is working. Now let’s send this over to Repeater with CTL+R to get a better view of what is happening. After CTL+R the Repeater tab will light up orange like the proxy tab. Click on the Repeater tab to view the search request.
In the repeater, we see our search query on line 1. Clicking ‘Send’ will send the request and the response will be displayed.
We see that the search passed the null byte. Let’s see if this stopped the search and replace regular expression as mentioned in the PoC we found. Using the Rejetto execute command {.exec|ping OURIP.} to ping ourselves, we can see if the remote command execution is occurring. To know if we are getting pinged, let’s set up a quick packet capture using TcpDump. This is set to our VPN interface tun0.
Now we can modify the repeater request using the above mentioned execute command.
Looking at the TcpDump we see that we are getting ICMP packets coming from 10.10.10.8, our victim machine.
Now let’s try adding a command to execute PowerShell.
Once again, we are going to URL encode this and send it. Viewing TcpDump we see that this command was run by the ICMP traffic from 10.10.10.8
Now that we have access to PowerShell let’s use Nishang to invoke a PowerShell TCP shell. You can git nishang from Github. We want to look into the Shells folder for Invoke-PowerShellTcp.ps1 and copy it over to our optimum working directory.
With Invoke-PowerShellTcp.ps1 open, look for, and copy the highlighted reverse shell example. We are going to paste this at the foot of the document with our IP Address instead of the one in the example.
Make sure that our command is outside the last bracket of the script at the very bottom of the document like so:
Now we need to set up a SimpleHTTPServer to serve this file over the internet. Using python we can sever the whole directory with a short command. The default port of SimpleHTTPServer is 8000.
We can go back to our Burp repeater and add the file to our exec command.
Now we must URL encode this using CTL+U and open up a NetCat listener on our chosen port 4444. Now that our exec command is URL encoded and the Netcat listener is on, we can send the request and wait for our PowerShell shell.
We got a shell! Let’s grab the user flag then get to work on privilege escalation.
To see if there are any privilege escalation vulnerabilities we can use a PowerShell script called Sherlock. This is included in PowerShell Empire or you can google “sherlock powershell” and git clone from there. I found my powershell-empire modules in the following directory:
We are going to copy the Sherlock.ps1 file to our working optimum directory because we will be modifying the file, and do not want powershell-empire to act up in the future. Once we open the file we see there are multiple commands you can run, but one will find all vulnerabilities it has in it.
Find-AllVulns is the argument we want to call so we will add it to the end of the document.
Now let’s host the directory containing Sherlock.ps1 and go back to our shell and call this file from our hosted directory.
If we scroll down the page we will see two vulnerabilities have been found.
This machine appears vulnerable to MS16–032 and MS16–135. If you remember the directory where we got Sherlock.ps1 from these vulnerabilities should look familiar.
Invoke-MS16032.ps1 is listed in this directory as well as Invoke-MS16135.ps1, thus we have two PowerShell exploits at the ready.
Let’s copy the Invoke-MS16032.ps1script to our working directory and open it up.
We are going to use the highlighted example. However, if you look at the top of the script you will see that there is no dash in MS16032 function, so we must remember to fix that as we copy it down to the bottom of the script.
We also need to create another Invoke-PowerShellTcp.ps1 file to send us a shell with system privileges after the exploit is run. The only difference will be the port number and the name which we can just call shell.ps1
Now that we have all of our scripts modified, we once again host the directory containing the files and jump back to our user shell. We invoke an expression that calls to the Invoke-MS16032.ps1 script which in turn gets us system privileges and then executes our shell.ps1 script to hand us a reverse shell with those privileges. Don’t forget to set up a Netcat listener on our port 8081.
Now we can go back to our new listener on port 8081 and see that we have a shell with administrator privileges!
Thank you for reading my writeup on HTB Optimum. Please let me know if you enjoyed it!
