{"componentChunkName":"component---src-templates-post-template-js","path":"/hackthebox-windows-optimum-en","result":{"data":{"markdownRemark":{"id":"36e4539c-ed5f-523d-a50e-ccb5d98ab1bc","html":"
\n

This page has been machine-translated from the original page.

\n
\n

I use the penetration-testing learning platform “Hack The Box” to study security.\nAt the time of writing this article, my rank on “Hack The Box” is ProHacker.

\n\"Hack\n

This time, I am writing up the retired HackTheBox machine “Optimum”.

\n

\n \n \n \n \n \n \n \n \n

\n\n

About This Article

\n

The content of this article is not intended to encourage acts that are contrary to social order.

\n

Please note in advance that attempting attacks against environments other than those you own or are authorized to use may violate the Act on the Prohibition of Unauthorized Computer Access (the Unauthorized Access Prohibition Act).

\n

All statements here are my own and do not represent any organization I belong to.

\n\n

Table of Contents

\n\n

Enumeration

\n

As usual, I started with an Nmap scan.

\n
Starting Nmap 7.92 ( https://nmap.org ) at 2021-10-27 20:22 JST\nNmap scan report for 10.10.10.8\nHost is up (0.30s latency).\nNot shown: 999 filtered tcp ports (no-response)\nPORT   STATE SERVICE VERSION\n80/tcp open  http    HttpFileServer httpd 2.3\n|_http-title: HFS /\n|_http-server-header: HFS 2.3\nService Info: OS: Windows; CPE: cpe:/o:microsoft:windows\n\nService detection performed. Please report any incorrect results at https://nmap.org/submit/ .\nNmap done: 1 IP address (1 host up) scanned in 42.09 seconds
\n

It seems that an application called HttpFileServer httpd 2.3 is running.

\n

A quick search immediately turned up exploit code.

\n

Reference: HFS (HTTP File Server) 2.3.x - Remote Command Execution (3) - Windows remote Exploit

\n

Using it as-is was enough to get a reverse shell.

\n

About the Vulnerability

\n

The vulnerability exploited by this exploit code was CVE-2014-6287.

\n
\n

The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aks HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.

\n
\n

It appears that entering %00 into the search box allows arbitrary code execution.

\n

In terms of vulnerability classification, it falls under CWE-158: Improper Neutralization of Null Byte or NUL Character.

\n

In this case, the issue was that a regular expression in parserLib.pas did not properly handle NULL bytes, so if %00 was entered into the search box, the command that followed it would be executed.

\n

By exploiting this vulnerability, I was able to obtain a reverse shell.

\n

Local Enumeration

\n

For the time being, I ran winPEAS.

\n
Basic System Information\nCheck if the Windows versions is vulnerable to some known exploit https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits\n    Hostname: optimum\n    ProductName: Windows Server 2012 R2 Standard\n    EditionID: ServerStandard\n    ReleaseId: \n    BuildBranch: \n    CurrentMajorVersionNumber: \n    CurrentVersion: 6.3\n    Architecture: AMD64\n    ProcessorCount: 2\n    SystemLang: en-US\n    KeyboardLang: English (United States)\n    TimeZone: (UTC+02:00) Athens, Bucharest\n    IsVirtualMachine: True\n    Current Time: 3/11/2021 1:02:07 ??\n    HighIntegrity: False\n    PartOfDomain: False\n    Hotfixes: KB2959936, KB2896496, KB2919355, KB2920189, KB2928120, KB2931358, KB2931366, KB2933826, KB2938772, KB2949621, KB2954879, KB2958262, KB2958263, KB2961072, KB2965500, KB2966407, KB2967917, KB2971203, KB2971850, KB2973351, KB2973448, KB2975061, KB2976627, KB2977629, KB2981580, KB2987107, KB2989647, KB2998527, KB3000850, KB3003057, KB3014442, \n\n  [?] Windows vulns search powered by Watson(https://github.com/rasta-mouse/Watson)
\n

I confirmed that it was a 64-bit Windows Server 2012 R2 system.

\n

Because Watson’s vulnerability search only works on Windows Server 2016 and later, I used Sherlock for enumeration.

\n

I confirmed that the system was affected by the following three vulnerabilities.

\n
Title      : Secondary Logon Handle\nMSBulletin : MS16-032\nCVEID      : 2016-0099\nLink       : https://www.exploit-db.com/exploits/39719/\nVulnStatus : Appears Vulnerable\n\nTitle      : Windows Kernel-Mode Drivers EoP\nMSBulletin : MS16-034\nCVEID      : 2016-0093/94/95/96\nLink       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?\nVulnStatus : Appears Vulnerable\n\nTitle      : Win32k Elevation of Privilege\nMSBulletin : MS16-135\nCVEID      : 2016-7255\nLink       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135\nVulnStatus : Appears Vulnerable
\n

MS16-032

\n

This is a vulnerability in which Secondary Logon does not properly manage request handles in memory, allowing arbitrary code execution with administrator privileges.

\n

Reference: Microsoft Security Bulletin MS16-032 - Important | Microsoft Docs

\n

Secondary Logon is a service that allows a process to be started with different credentials, and it is used by the “Run as different user” feature.

\n

MS16-034

\n

This is a vulnerability in the way Windows kernel-mode drivers manage objects in memory, and it appears to allow arbitrary code execution.

\n

Reference: Microsoft Security Bulletin MS16-034 | Microsoft Docs

\n

The exploit is here.

\n

MS16-135

\n

This appears to be a vulnerability that leaks information from the kernel, leading to an ASLR bypass.

\n

Reference: Microsoft Security Bulletin MS16-135 | Microsoft Docs

\n

PowerShell Session

\n

Since MS16-032 and MS16-034 are vulnerabilities that allow RCE with administrator privileges, I decided to use one of them.

\n

When I looked for exploit code, I found a script for MS16-032 that can be run from PowerShell, so I used that one.

\n

First, MS16-032 can only be exploited from a 64-bit process.

\n

Therefore, the process from which the reverse shell was obtained also needs to be 64-bit.

\n

You can easily determine whether the currently running process is 64-bit by using the following .NET command.

\n
[Environment]::Is64BitProcess
\n

Reference: Environment.Is64BitProcess Property (System) | Microsoft Docs

\n

The paths for 64-bit and 32-bit PowerShell are as follows, so it may be useful to remember them for later.

\n\n

The table below shows the combinations of CPU/OS/application bitness and the bitness of the resulting process.

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
CPUOSProcess
32-bit CPU32bit32bit32bit
32-bit OS64bit32bit32bit
32-bit application64bit64bit32bit(WOW)
64-bit application64bit64bit64bit
\n

In this case, the CPU and OS architecture are 64-bit, but if you run 32-bit PowerShell, the process also becomes 32-bit.

\n

So, after obtaining a reverse shell in a 64-bit process and firing off the MS16-032 exploit, I was able to get root privileges.

\n

Summary

\n

I decided to study hacking seriously, so for now I will keep solving retired machines.

","fields":{"slug":"/hackthebox-windows-optimum-en","tagSlugs":["/tag/hack-the-box-en/","/tag/windows-en/","/tag/easy-box-en/","/tag/english/"]},"frontmatter":{"date":"2021-10-28","description":"A writeup of the retired HackTheBox machine 'Optimum'.","tags":["HackTheBox (en)","Windows (en)","EasyBox (en)","English"],"title":"HackTheBox Writeup: Optimum (Easy/Windows)","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/hackthebox-windows-optimum-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}