HackTheBox

Optimum

This box is based on web service exploitation.


Last updated 4 years ago


Overview

Initial Foothold: Rejetto HTTP File Server Exploitation

Privilege Escalation: Kernel Exploit

Enumeration

We start with port scanning

Port Scanning

PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|2008|2016|7|Vista (91%
OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows Server 2016 (85%), Microsoft Windows 7 Professional or Windows 8 (85%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (85%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (85%), Microsoft Windows 7 Professional (85%)

Port scanning shows only port 80 open. Let's start with web enumeration

Web Enumeration

Visiting the site confirms that port 80 is running HttpFileServer 2.3

This looks odd, so let's search for it on Google

We find some exploits for this web application

We will try to use CVE-2014-6287

Summary

We found an exploit for the vulnerable HTTP File Server 2.3

Exploitation

We have an exploit for HTTP File Server 2.3

This exploit has prerequisites, so let's look at them

This exploit requires nc.exe to be hosted on port 80

Let's do that

Now change the ip_addr and local port in the script

Start a listener on port 443

Now launch the exploit

This exploit needs to be run 2-3 times, and then we get our shell back

We got a shell as user kostas

Get the user.txt.txt file

Privilege Escalation

This box was vulnerable to a kernel exploit

Kernel Exploit

Let's use the windows-exploit-suggester.py script to find any kernel exploits

You can download it from the link below

Update the script's database of kernel exploits

Now gather the systeminfo output from our target host

Copy the above information to our local machine

and execute the windows-exploit-suggester script

We got many kernel vulnerabilities
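
The same comparison is what a defender runs as a patch audit: parse the systeminfo output, collect the installed hotfixes, and list bulletins whose fixing KB is absent. This is an added example, not code from windows-exploit-suggester or from the original page; the systeminfo text is constructed, and the one-entry bulletin map (MS16-032 fixed by KB3139914) is an assumption standing in for the Microsoft bulletin database.

```python
import re

# Bulletin -> KBs that fix it. Assumption: a stand-in for the full Microsoft
# bulletin database; MS16-032 / KB3139914 is Microsoft's published pairing.
BULLETIN_KBS = {"MS16-032": {"KB3139914"}}

# Constructed sample of `systeminfo` output (not captured from the box).
SAMPLE_SYSTEMINFO = """\
Host Name:                 HOST01
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB1111111
                           [02]: KB2222222
Network Card(s):           1 NIC(s) Installed.
                           [01]: Example Ethernet Adapter
"""

def parse_systeminfo(text):
    """Return (fields, hotfixes) parsed from systeminfo text."""
    fields, hotfixes, current = {}, set(), None
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*):\s*(.*)$", line)
        if m:  # top-level "Key:   value" line
            current = m.group(1).strip()
            fields[current] = m.group(2).strip()
            continue
        # Indented "[NN]: value" lines belong to the last key seen; only the
        # ones under "Hotfix(s)" are patches (NIC entries share the layout).
        m = re.match(r"^\s+\[\d+\]:\s*(KB\d+)\s*$", line, re.I)
        if m and current == "Hotfix(s)":
            hotfixes.add(m.group(1).upper())
    return fields, hotfixes

def missing_bulletins(text, bulletin_kbs=BULLETIN_KBS):
    """Bulletins with none of their fixing KBs installed.

    A hit is only a potential gap: a later update that supersedes the
    listed KB also closes the bulletin, so confirm before acting on it.
    """
    _, hotfixes = parse_systeminfo(text)
    return sorted(b for b, kbs in bulletin_kbs.items() if not (kbs & hotfixes))

if __name__ == "__main__":
    fields, hotfixes = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(fields["OS Name"], "|", fields["OS Version"], "|", sorted(hotfixes))
    print("potentially missing:", missing_bulletins(SAMPLE_SYSTEMINFO))
```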

If a kernel exploit is not working, reset the machine and try again

Now we will use prebuilt binaries for exploitation

You can get this from

After trying many kernel exploits, we got a system shell from the ms16-032 exploit

How?

Download the ms16-032 binary from the above GitHub repo

Now transfer this bfill.exe binary to the Windows host

and execute this binary

Got the system shell

Now get the root text file

That's all for this box

Good Bye :)

Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2) (Exploit Database)
GitHub - AonCyberLabs/Windows-Exploit-Suggester: This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins. (GitHub)
GitHub - SecWiki/windows-kernel-exploits: windows-kernel-exploits, a collection of Windows platform privilege escalation vulnerabilities (GitHub)