Optimum HackTheBox Walkthrough

1. Enumeration

The target runs an HTTP file server with a login field at the top left; however, admin:admin does not work.

With searchsploit, we can find remote command execution exploits; we just need to find out whether the exploit requires the user to be authenticated.

2. Exploitation

Edit the IP address and port number in the script.

Now we need netcat available on our web server.

First we locate nc.exe. I know I have a lot of copies, but we only need one, and we use the one under windows-binaries since we are dealing with a Windows machine.

Next we change into that directory and start a server on port 80.

Then we run the script

And hooray!

We are not an administrator, so we have to escalate privileges.

3. Privilege Escalation

First we look at the systeminfo output to understand the machine. I recently found a script called Windows-Exploit-Suggester that detects potentially missing patches on the target which a user could exploit. Here are the steps.

First, through systeminfo, we find that the machine is running Windows 2012, x64 (a 64-bit machine).

We copy the systeminfo output into a txt file.

Then, after cloning the Git repository, we get the xls file through the command.

Run the suggester script with the systeminfo file and the updated xls file, and it lists several privilege escalation exploits.

The above are some of the exploits we can use to escalate privileges based on systeminfo
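The comparison behind these steps (installed hotfixes from systeminfo checked against the KBs that fix each bulletin) doubles as a patch audit for your own hosts. The sketch below is an added example, not code from Windows-Exploit-Suggester; it assumes English systeminfo output, and the sample text, function names and KB numbers are constructed placeholders.

```python
import re

# Constructed systeminfo excerpt, not output captured from the box in this walkthrough.
SAMPLE_SYSTEMINFO = """\
Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows Server 2012 Standard
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB1000001
                           [02]: KB1000002
Network Card(s):           1 NIC(s) Installed.
                           [01]: Example Adapter KB9999999
"""

# Hypothetical bulletin -> fixing-KB mapping. The KB numbers are placeholders;
# take real ones from the vendor bulletin for your OS build.
SAMPLE_BULLETINS = {
    "MS16-098": {"KB1000002"},
    "MS16-135": {"KB1000003", "KB1000004"},
}

FIELD_RE = re.compile(r"^([^\s:][^:]*):\s*(.*)$")  # "Key:   value" at column 0
KB_RE = re.compile(r"\bKB\d+\b", re.IGNORECASE)


def parse_systeminfo(text):
    """Return (fields, hotfixes) from the text output of systeminfo."""
    fields, hotfixes, current = {}, set(), None
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            current = match.group(1).strip()
            fields[current] = match.group(2).strip()
        elif current and current.startswith("Hotfix"):
            # Indented continuation lines belong to the last field seen.
            hotfixes.update(kb.upper() for kb in KB_RE.findall(line))
    return fields, hotfixes


def missing_bulletins(hotfixes, bulletins):
    """Bulletins for which none of the listed fixing KBs is installed."""
    return sorted(b for b, kbs in bulletins.items() if not kbs & hotfixes)


if __name__ == "__main__":
    fields, hotfixes = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(fields["OS Name"], fields["System Type"], sorted(hotfixes))
    print("Possibly missing:", missing_bulletins(hotfixes, SAMPLE_BULLETINS))
```

A bulletin reported as missing may still be fixed by a later cumulative update that supersedes the listed KB, so treat the result as a list to verify against the host's update history.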

First up, we have the MS16-135 privilege escalation, and the last exploit is a C script.

With the C script, we have to compile it to an executable file, since the target is Windows. The script contains links to the exe file under CVE-2016-7255.

So we first download it.

Then we change its permissions to executable before transferring the file via smbserver.

Hmm, the exploit does not work. But we have a lot more to try, so we shall not waste time on this. The next one is MS16-098, an integer buffer overflow. Again, a buffer overflow can allow us to get a root shell, so this is not to be left out.

Here we have two scripts, one of them again being a C script.

https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-098

Here we have a GitHub link with the MS16-098 executable. Again, we transfer this file via smbserver and run it on our target machine.

https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-098?redirectedfrom=MSDN

Here’s more information about MS16-098!

And we are root once we execute the exe file!

root.txt!

Alright, this machine is not difficult. However, it is important that we have the right enumeration tool for privilege escalation, or else a lot of time will be wasted! It would have been better if I could escalate privileges without a kernel exploit though! I may try and play around and post if I can do so!

Till next box!