HTB: Optimum Writeup w/o Metasploit

cyber shinobii
4 min read · Dec 23, 2021

Recon

Per usual, we start out with our Nmap scans. One of our Nmap scans shows port 80 open using HttpFileServer httpd 2.3. This is a file service that is accessible over http (the web). In other words, you can use this to store and share files.

Browsing to the server on port 80 reveals the HFS server.

10.10.14.13

Enumeration

After enumerating this version of HFS (2.3) we find a few exploits; we used searchsploit to find them. One of the exploits is a Python script (39161.py) that returns a shell if run successfully.

The exploit can execute commands on the remote server due to a vulnerability in the way HFS 2.3 handles null bytes. The script takes a target IP address and the port number HFS 2.3 is running on, in our case port 80.

In addition, for this script to work you need a web server running locally on port 80 (right window pane below), and a listener listening on port 443 (left window pane below). One more thing, netcat (nc.exe) needs to be running in the same directory you started the web server within. This is because the python script will execute nc.exe to call back to your listener.

python 39161.py 10.10.10.8 80

Our exploit returns a shell as a user named kostas. We are on his/her desktop and you can see the user.txt.txt flag there. I did not open it up just yet; wanted to escalate privileges first.
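From the defender's side, the tell-tale sign of the null-byte issue described above is a request whose target contains a percent-encoded NUL (`%00`, or a double-encoded `%2500`). The following Python is an added detection example, not code from the writeup or from HFS: it parses constructed access-log lines in Common Log Format (the IPs and timestamps are made up) and flags any request whose target still contains a NUL after a few rounds of percent-decoding.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in Common Log Format (not from the box).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512
10.0.0.5 - - [23/Dec/2021:10:01:09 +0000] "GET /?search=report HTTP/1.1" 200 1024
10.0.0.9 - - [23/Dec/2021:10:02:41 +0000] "GET /?search=%00test HTTP/1.1" 200 88
10.0.0.9 - - [23/Dec/2021:10:02:45 +0000] "GET /?search=%2500test HTTP/1.1" 200 88
"""

# client ip, timestamp, method, request target and status from a CLF line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def contains_null_byte(target: str, max_decode: int = 3) -> bool:
    """Return True if the request target contains a NUL byte after up to
    max_decode rounds of percent-decoding (catches %00 and %2500 alike)."""
    cur = target
    for _ in range(max_decode):
        if "\x00" in cur:
            return True
        nxt = unquote(cur)
        if nxt == cur:          # nothing left to decode
            break
        cur = nxt
    return "\x00" in cur


def find_null_byte_requests(log_text: str):
    """Return (ip, timestamp, target) for every request carrying a NUL byte."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # skip lines that are not CLF
        if contains_null_byte(m["target"]):
            hits.append((m["ip"], m["ts"], m["target"]))
    return hits


if __name__ == "__main__":
    for ip, ts, target in find_null_byte_requests(SAMPLE_LOG):
        print(f"{ts} {ip} null byte in request target: {target}")
```

Percent-encoded NULs have no legitimate use in an HFS search string, so the rule is low-noise; the decoding loop is bounded so a long chain of `%25` prefixes cannot be used to exhaust the detector.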

Privilege Escalation

I tried manual enumeration on the box from our initial entry. I looked for special privileges, vulnerable configurations and admin passwords, and even ran winPEAS, but I didn’t get anywhere. Eventually I ran windows-exploit-suggester, which led me to the next exploit to escalate my privileges. To use windows-exploit-suggester you will need the output of the “systeminfo” command. I ran systeminfo on the target machine, then copied and saved the output to a file on my attacking machine.

systeminfo

Before using the exploit suggester, you will also need to run it with “--update” to fetch the latest database file. This is the command to run the exploit suggester: windows-exploit-suggester.py --db 2021-12-23-mssb.xls --systeminfo systeminfo.txt

Below are the first few results of the exploit suggester. The first exploit is a DoS attack, which I will not be doing here. The second one is a kernel exploit (MS16-098).

windows-exploit-suggester.py --db 2021-12-23-mssb.xls --systeminfo systeminfo.txt

After a few Google searches on MS16-098, I learned it was a privilege escalation vulnerability that exploits the way a process reallocates memory. Fortunately, there was an executable file to exploit the vulnerability.
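The same systeminfo output that feeds the exploit suggester is what a patch-compliance check consumes on the defensive side. The following Python is an added example, not code from the writeup or from windows-exploit-suggester: it parses a constructed excerpt shaped like `systeminfo` output (the host name, OS details and KB numbers are made up) into the OS fields plus the installed hotfix set, and reports which entries of a required-hotfix table are absent. The required-hotfix table is a placeholder; the real KB numbers for a bulletin such as MS16-098 have to be taken from the vendor advisory.

```python
import re

# Constructed excerpt in the shape of `systeminfo` output; not the box's real output.
SAMPLE_SYSTEMINFO = """\
Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
System Boot Time:          12/23/2021, 9:01:02 AM
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB2919442
                           [03]: KB3000850
Network Card(s):           1 NIC(s) Installed.
"""

# Placeholder required-hotfix table (constructed KB numbers, not real ones):
# maps a KB that must be installed to the bulletin it belongs to.
REQUIRED_KBS = {
    "KB9990001": "MS16-098 (placeholder KB number, take the real one from the bulletin)",
    "KB2919355": "baseline update (placeholder entry)",
}

# "Key:   value" lines; the lazy key match stops at the first ":" followed by spaces
FIELD_RE = re.compile(r'^(?P<key>[A-Za-z() /]+?):\s+(?P<value>.*)$')
# hotfix list entries such as "[01]: KB2919355"
HOTFIX_RE = re.compile(r'^\s*\[\d+\]:\s*(KB\d+)\s*$')


def parse_systeminfo(text: str) -> dict:
    """Parse systeminfo output into a dict of fields plus a 'hotfixes' set."""
    info = {"hotfixes": set()}
    for line in text.splitlines():
        m = HOTFIX_RE.match(line)
        if m:
            info["hotfixes"].add(m.group(1).upper())
            continue
        m = FIELD_RE.match(line)
        if m:
            info[m.group("key").strip()] = m.group("value").strip()
    return info


def missing_hotfixes(info: dict, required=REQUIRED_KBS) -> list:
    """Return the required KBs that are not present in the parsed hotfix set."""
    return sorted(kb for kb in required if kb not in info["hotfixes"])


if __name__ == "__main__":
    parsed = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(parsed["OS Name"], "-", parsed["OS Version"])
    print("installed hotfixes:", sorted(parsed["hotfixes"]))
    for kb in missing_hotfixes(parsed):
        print(f"missing {kb}: {REQUIRED_KBS[kb]}")
```

Run against real output, the missing list is exactly the set of bulletins an exploit suggester would offer an attacker, which is why a host that has been reachable from the network with an out-of-date hotfix list should be treated as the finding, not the tool.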

We just need to transfer the executable file to the target machine. I am going to use smbserver.py to host an SMB server on my attacking machine. Then I will retrieve the executable (MS16-098) from the Windows shell we have open.

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .

We started the SMB server above. Notice I’m in the directory where the MS16-098 exploit is. Next, we retrieve the bfill.exe file from our target machine and then execute it.

Below, I copied bfill.exe (the MS16-098 exploit) to our target machine and then launched it to get system level access.
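The file transfer above works because the compromised server is allowed to open an outbound SMB connection to an arbitrary host. A server initiating SMB to anything other than its known file servers is a strong network-level signal, and is the basis of the added Python example below; it is not code from the writeup. It parses constructed firewall log lines (key=value format, made-up timestamps; the trusted file server and internal network are assumptions) and flags allowed outbound SMB connections from internal hosts to destinations that are neither trusted file servers nor inside the internal range.

```python
import ipaddress
import re

# Assumed network layout (constructed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.10.10.0/24")]
TRUSTED_FILE_SERVERS = {ipaddress.ip_address("10.10.10.50")}
SMB_PORTS = {445, 139}

# Constructed firewall log lines; the 10.10.14.13 host stands in for the
# attacking machine from the writeup, the rest are made up.
SAMPLE_FW_LOG = """\
2021-12-23T11:00:01Z src=10.10.10.8 dst=10.10.10.50 proto=tcp dport=445 action=allow
2021-12-23T11:00:07Z src=10.10.10.8 dst=10.10.14.13 proto=tcp dport=445 action=allow
2021-12-23T11:00:09Z src=10.10.10.8 dst=10.10.14.13 proto=tcp dport=443 action=allow
2021-12-23T11:00:11Z src=10.10.10.21 dst=8.8.8.8 proto=udp dport=53 action=allow
2021-12-23T11:00:15Z src=10.10.10.21 dst=10.10.14.13 proto=tcp dport=445 action=deny
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) '
    r'proto=(?P<proto>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$'
)


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_smb_egress(log_text: str):
    """Return (timestamp, src, dst) for allowed TCP SMB connections that leave
    an internal host for a destination that is not a trusted file server and
    not inside the internal range."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "allow" or m["proto"] != "tcp":
            continue
        if int(m["dport"]) not in SMB_PORTS:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if is_internal(src) and dst not in TRUSTED_FILE_SERVERS and not is_internal(dst):
            hits.append((m["ts"], str(src), str(dst)))
    return hits


if __name__ == "__main__":
    for ts, src, dst in suspicious_smb_egress(SAMPLE_FW_LOG):
        print(f"{ts} outbound SMB from {src} to untrusted host {dst}")
```

The denied line in the sample is skipped on purpose: once egress filtering blocks SMB to untrusted hosts the transfer in this section fails outright, and the allowed hits are what remain worth alerting on while that rule is not yet in place.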

system privileges

Conclusion

This was another straightforward box. Enumeration was key here to escalate your privileges. The HFS server gave us our initial foothold onto the box. Afterwards we ran windows-exploit-suggester to point us to MS16-098, and then boom, we popped a system level shell. Thanks for reading my writeup! Here is a video walkthrough if you are a visual learner.
