020#:HTB - Optimum

Optimum - Title Card

     Another gloomy Friday and another box to hack. This one is called Optimum. First thing I noticed was that this room has 35,286 User Owns but only 28,396 System Owns… So, 6,890 hackers gave up before getting root! I can’t help but wonder if this is about to have me going down some massive rabbit hole. Only one good way to find out though.

     We can see we are working with a web server that only has port 80 open. I started a gobuster scan and pulled up the site in my browser to get started. This looks like we are dealing with some sort of file server, and we can see it's running HttpFileServer 2.3 by checking the bottom left of the page. Using searchsploit we can see there is an RCE exploit we can use against this version.

Optimum - Site 1

     Reading the contents of the Python script we can see it's expecting a target, port, and command to be fed as arguments. Nmap showed us this machine is most likely Windows (besides the fact that HTB tells us as well), so we will want to use a PowerShell reverse shell as our command. I used SwissKyRepo's cheat sheet for this and attempted the attack after starting my listener. This failed though, so I played with the payload for a couple of minutes before booting up Metasploit and just using the module there.

Optimum - MSF 1
Optimum - MSF 2

     I used pgrep to identify lsass's PID and tried to migrate to it, but my account had insufficient rights. I decided to drop into a shell instead and found myself in the kostas user's Desktop folder.

     Time to explore. Running net users shows us that, besides our current user, there is just the Administrator account. Sysinfo shows us it's a Windows Server 2012 R2 machine (6.3 Build 9600). I then tried an exploit here that failed. I tried upgrading my Meterpreter session, which moved it from x86 to x64.

Optimum - MSF 3

     I poked around for a while and reviewed some old study notes. I decided to upload winPEAS using Metasploit and ran it. Going over the results of winPEAS, we discover the PowerShell version pretty early on. I checked searchsploit for PowerShell vulns and one showed up for MS16-032. This is a priv esc exploit that works on 2012 R2. I searched for this in Metasploit and loaded the first module.

Optimum - MSF 4

     It looks like the exploit was successful. I checked my UID but I was still the kostas user. After backgrounding and listing the sessions, though, I can see we have a new session 3 that is running as NT AUTHORITY\SYSTEM. Dropping into session 3 and navigating to the Administrator user's Desktop will net us our final flag.

[CATZ....HACKS]
