search

HackTheBox - Optimum

hashtag
Nmap scan (Basic and all port)

All port scan gave us the same results, so our main intention is to lookout at port 80 (HTTP Server)

hashtag
Website Surface Testing

Looks like the website is running Rejetto HTTP File Server. There was a known vulnerability for this specific version. Version Running: HttpFileServer 2.3

We can use searchsploit or can even use google to checkout the vulnerability.

hashtag
CVE-2014-6287 (Exploit)

circle-info

From rejetto wiki. Also known as template macros, these are commands with some useful effects that users can input in HFS to improve a template or to create functionality not otherwise available.

hashtag
Manual Exploitation

The search parameter is vulnerable and we can write HFS script to get Remote Code Execution.

We get a ping request back, that means we can have RCE. Let's try to get a reverse shell using powershell. We will use nishang's Invoke-PowershellTCP.ps1 script to get a connection back.

Github link: https://github.com/samratashok/nishang/tree/master/Shellsarrow-up-right

circle-info

Note : Make sure to URL encode the payload.

hashtag
Running Sherlock.ps1 (By Rastamouse)

Github Link : https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-MS16032.ps1arrow-up-right

So the system looks vulnerable to MS16-032 Secondary Logon Handle Privilege Escalation. We can get the script from exploit.db but Empire already has a modified script and we can use that.

hashtag
MS16-032 Exploitation (Secondary Logon Handle Privilege Escalation)

Add the following line of code at the end of MS16-032 script and edit it according to your need.

PreviousHackTheBox - AccessNextHackTheBox - Bounty

Last updated