Optimum was after Nibbles; I went in blind and struggled a bit.
Ports
HTTP only. Well, that’s a start.
HTTP
On the webpage we see something called “HttpFileServer 2.3” is running; we can searchsploit this and find it’s trivially exploitable. There is a python exploit:
I run systeminfo, capture the output and run it against Windows Exploit Suggester NextGen and get information overload; it’s not clear what the best option is. I upload WinPEAS both as a batch file and as binaries but it doesn’t seem to want to run, at all.
After some beating about the bush, I google for the privesc vulnerability. It’s (intended to be) MS16-032, or a vulnerability in the Windows Secondary Logon Service. There are a variety of Powershell exploits, but I can’t get them to run.
After a while I relent, and run the whole thing through Metasploit. This uses msf6 exploit(windows/http/rejetto_hfs_exec) for the foothold. I run msf6 post(multi/recon/local_exploit_suggester) and it does point out:
[+] 10.10.10.8 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
I run this, and the second time I try it works:
Without MSF
Not satisfied with this - particularly after trying and failing to do it via PS1 scripts - I look at another writeup. This one uses an entirely different privesc vulnerability (MS16-098), with a precompiled binary.
In order to run this I need nc on the box, so I copy it up from my powershell reverse shell, along with the exploit:
Next, I use the foothold exploit to trigger a netcat shell:
And then I can fire the exploit:
At the end of the day that’s pretty straightforward but there’s a lot for me to work on here.