HackTheBox Walkthrough - Optimum
Key Takeaways
The video demonstrates a walkthrough of the HackTheBox machine Optimum, using tools such as Nmap and Metasploit to exploit a vulnerability in the HFS 2.3 file server and gain access to the system. It covers remote command execution, privilege escalation, and post-exploitation techniques.
Full Transcript
Hey guys, HackerSploit here, back again with another video. Welcome back to the HackTheBox walkthrough series. You know, I've been getting tons of requests from you guys to actually cover some Windows boxes on HackTheBox, and lately I've had a lot of free time where I've actually been able to delve back into HackTheBox, because you really need to get used to how the box is set up, and it's more of a CTF-based structure. So it's been really exciting and fun getting back into CTFs and boxes on HackTheBox, and I decided, why not resume covering various retired boxes. So in this video we are going to be taking a look at Optimum, which is a Windows box, and I've been going through these chronologically based on when they were retired. Again, I did this quite a while ago; I was actually set to record this video earlier last week, but I didn't have the time to, so I guess I'm doing it right now.

So I already have the nmap results here, so I'm just going to cat the nmap results, and you can go ahead and take a look at my scan options. They're fairly simple, and immediately we can see we only get one service or one port open, which is port 80, and it's currently running HTTP File Server version 2.3, something like that. We get the headers, of course; the header tells us it's running something called HFS 2.3, and also the http-title tells us the same. And by the way, I'm pretty sure I'd scanned all the ports, so let me just check this right now: cat nmap default all .txt, and yeah, we can see that we don't really have any other ports open. As for the operating system guesses, we can see the most likely operating system that the box is running is Windows Server 2012, that's about 91 percent probability, so we are pretty sure that it is running Windows Server.

First of all, let's try and explore and see what we have running on this web server. We can see that we have what looks to be a file server, and if we take a look at the bottom here, we have some system information, and that tells us we're running something called HTTP File Server version 2.3. So let's check out what that is, and also the server uptime and a few other bits of information here. So this is the system, and it gives you an idea of what it does: it's a file sharing web server, it's open source, it's free, so on and so forth, you can use it to send or receive files. I'm pretty sure I have used this before in the early days of doing YouTube, where I was actually transferring files from one system to another before I'd set up my network correctly. So yeah, this is HFS, HFS file server, and it's version 2.3.

So we can try and run a quick searchsploit on this: searchsploit hfs. Let's just see if we have any results here. We have a few interesting results, and again this is by a company called Rejetto, which I believe is also the same, because I did see that here, yeah, rejetto.com, HFS, right, so there we are. So we have a Rejetto HTTP File Server (HFS) remote command execution through Metasploit; I'm not really sure about the version. We have version 2.3 arbitrary file upload, and then version 2.3 onwards we have remote command execution. So let's try and Google and see what we can get here. We will just say "hfs 2.3 exploit". Looks like we have a few search results, and we have the first one, which is the remote command execution, so let's see what this exploit is about. It's probably a Metasploit module, I can already see that in the URL. Interesting, so we can see that this works on version 2.3 on Windows XP Service Pack 3, Windows 7 Service Pack 1 and Windows 8.

And right at the bottom we have references and the module name, so this is under rejetto_hfs_exec, which is again remote command execution. So let's try and run this module: msfconsole. And let's take a look at a few other exploits that we have here. We have, I think this is the same one, I'm not really sure, let's see: this is the remote command execution, and this is a Python script, and we can also use this instead of using Metasploit. So let's see how this will work. So you need to be using a web server, hosting netcat, and you specify the attacker's IP and netcat.exe. Interesting. So let's try out the first module and let's see. So let's see the various options that we have. All right, interesting, so we have RHOSTS and the RPORT, which is set correctly, server host and the server port, which I guess is fine, 88 is fine, not really hosting anything on that, and the target URI is fine. If I check it, yes, we're currently in the root of the web server, not under any particular directory. So let's start setting the options here: set RHOSTS, and the target is going to be 10.10.10.8, right, and set the server host; I'll just set that to my tunnel interface, which is currently what is used to communicate to the private network through HackTheBox and OpenVPN. So I'll hit enter, and that gives me my IP as expected. Do I have to change anything else? Let me just show the options one more time just to make sure I have everything set up correctly, and yeah, so I'm just going to run, and let's see if this will give us a Meterpreter session or whether we'll have to use the Python script, which I'm guessing is doing the same thing. So let's see what this... yeah, so it gives us a Meterpreter session, and it tells us to try to delete a file under a temp directory, and it's a Visual Basic script, so we'll take a look at that shortly. So first off, sysinfo, and it tells us the computer name is Optimum, this is Windows Server 2012 R2, build 9600, okay, that's going to be useful. Let's see, this is the architecture, 64-bit, we have one logged on user and the Meterpreter session is 32-bit.

All right, so the first thing I want to do is let's see if we can get a shell here. All right, looks like we can get a shell. First of all, whoami; exactly, looks like we are a user called kostas, and we are currently on the desktop. So let's see if we can access... yeah, it looks like we have the temp directory that we're supposed to delete, and the user.txt. So let's see if we can access that first. This was fairly simple: type user.txt, and yeah, we get the user flag, which is fairly simple, and that's probably why the box is pointing more towards CVE; it's a CVE-rated box, so that's interesting. So looks like we got that. One thing I want to do before we try and perform that, let's see if I can actually see what other users we have. So I'm in the Users directory, we only have Administrator and kostas. Administrator: access denied. All right, so what I'm going to do, I'm just going to exit from here, and let's see if I can say getsystem. Let's see if we can get it, I doubt this will work. There we are, so that didn't work, even through token duplication, which usually works with Windows Server 2012. getprivs, let's see if we can do that. And we can actually probably load the kiwi module to see if we can get credentials; I'm not really sure whether that works or not. We can try it out, but before we do that there are a few things I want to check out first. So if I list the processes, do we have any 64-bit processes? Yeah, we have explorer.exe, which is a good host to migrate to, and the process ID is, yeah, that's the PID, so the process ID is 2136. So let's see if we can migrate to that, because you'll get a much more stable session if it's 64-bit. So migrate 2136, and I also want to run the post-exploitation exploit suggester module, so we'll migrate to that; hopefully we can actually migrate successfully and I can get a 64-bit Meterpreter session.

So it looks like it completed successfully. Let's see if we have successfully migrated, and looks like we have. All right, excellent, that's cool. So what I can do now is I can background this and search for the suggester. So search suggester, and that is a post-exploitation module that again will automatically suggest various exploit and post-exploitation modules that you can use. If I show the options now, what we need to specify, because it's a post-exploitation module, is the session, right? So I'm just going to say set session, and what are the session numbers here? We only have one session, and its session ID is 1, so set session 1, and let's run this and let's see what post-exploitation or privilege escalation modules we can get. So that's going to take a few minutes here. Let's take a look at the Python script, I guess. The Python script will actually have to... we have the target IP, target port number, so it's different. Not really getting any more information regarding this exploit; it's again RCE. We can probably try this out as well. Let's see if we can just get the exploit, and that is exploit 39161; we should have probably copied it from the Exploit-DB database through searchsploit. Looks like we get a few options here, although I doubt this will work, since this is User Access Control, that usually never works as a good means or a good method of performing privilege escalation. So what I'm going to do now is we can actually just try this Python script. So I'm just going to copy this from Downloads, and we'll just say from Downloads we're going to get the 31... do we have the script downloaded? Let's see if we have it downloaded.

Not really sure. What files do we have? 39, right, so it's 39, yeah it's 39161, and I'm going to copy this into my Documents, under HackTheBox and under Optimum, right. And we want to go into Documents, HackTheBox, and under Optimum; that's where I saved the script here, and let's see how this works. So chmod +x, and let's give this script some permission so that we can execute it. So if we try and run it by default, let's see what version of Python it uses, probably Python 2. So 39161.py, and we specify the target IP, which is 10.10.10.8, and port 80, right, and we hit enter. Looks like it executed successfully. Did it interfere with the Meterpreter session here? Not really sure, so sessions 1, and that's still working. So what we can do is let's see if I can run a netcat listener, so netcat -vlp 12..., but that actually needs to be done... so in order to, you need to be running a web server hosting netcat. Oh yeah, all right, so you know what, that's just too much right now; I already have a session, I'd probably need to do this manually. So this is the local IP and the port number. So yeah, what I'll do now is, instead of running this manually just to get the same session through netcat, I'm just going to exit, and we will just exit from here as well, and let's see if we can escalate our privileges without having to go that way. Let me just get rid of that.

Okay, so we're running Windows Server 2012 R2. "Windows Server 2012 R2 privilege escalation": let's see if we can find a module that will allow us to do this. We have the first one, which uses, let's see, this works through PowerShell, that is MS16-032 but through PowerShell. Let's see how that will work exactly. So this is a PowerShell implementation of MS16-032; this exploit targets all vulnerable operating systems that support PowerShell. All right, so this is based on PowerShell. Let's see what this CVE is referring to specifically.

So it looks like we have a few modules here, and the other one that we were seeing was a PowerShell module. So this is again MS16-032, this is a logon handle privilege escalation module; it exploits the lack of sanitization of standard handles in the Windows Secondary Logon Service. The vulnerability is known to affect versions of Windows 7 to 10, 2K8, 2K12, 32- and 64-bit. All right, cool, and this module will only work against those versions of Windows with PowerShell 2.0 and later on systems with two or more CPU cores. Interesting. So let's see if we can actually escalate our privileges using this module. So let's background that, use that module, show options, and set the session to 1. Just going to run now, and it's going to start the reverse TCP handler, and let's see if we get a shell. Looks like we have something interesting going on: it sniffs out the privileged impersonation token, and the thread belongs to service host, the thread is suspended, and success, open SYSTEM token handle 1348, I'm not really sure, then it sniffs out a SYSTEM shell, duplicating SYSTEM tokens, starting the token race, process raised, "Holy handle leak Batman, we have a SYSTEM shell". So it looks like that was successful and it's executed on the target machine, but it looks like the session is hung here; it tells us exploit completed but no session was created, and it deletes the PowerShell script here. However, it looks like it's using the thread handle 1352, 1348, interesting. If we say sysinfo... yeah, I don't think... whoami, oh yeah, I need to go get a shell. whoami, and we're still Optimum, sorry, we're still kostas. Let me just exit. Let's see the system processes: so we have 1352, that's the one, so look out for svchost. Interesting, all right, so we have this one here, that's that one, and 64-bit, taskhostex, explorer.exe, that's interesting.

And if I just take a look at this, if I show the options here, it looks like the LHOST is set to my local... all right, so set LHOST to, sorry, to tun0, and if we run it now, let's see if we get a... because it starts a reverse TCP handler, now it's starting it on the correct IP. All right, so yeah, so it sends the stage, and there we are, we get a Meterpreter session. So that's what I was wondering: it didn't actually latch on to a service that we can then migrate to and get the privileges that way; instead I needed to set the interface and my IP correctly. So again sysinfo; it's still, this is now a 32-bit session, but we have three logged on users, which is weird. So let's get a shell, and we'll say whoami, and we are NT AUTHORITY, or the administrator, for lack of a better word. Let's go into the Administrator directory, so Users, cd Ad-ministr..., sorry, that is Administrator, like so, and Desktop, and let's see if we can get the root. So there we are: we type root.txt and we get the root flag. So yeah, that was pretty simple, and again this was based primarily on CVEs. I actually remember doing this the other way, the last time I did it, using the Python script and having to use netcat, but that's really a long procedure just to get a shell in the first place, and then using the PowerShell script you'd probably have to copy it over through creating a PowerShell script that will then download the script from your local file server. So yeah, that's quite cumbersome. So that was quite simple, it was CVE-based. Let me know what you guys think; the write-up for this particular box will be on hackersploit.org, and you can check it out, it will cover this all in depth, and I'll probably also add the Python script method where you can actually do it manually instead of using Metasploit. And yeah, that's going to be it for this video, and I'll be seeing you in the next video.
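The recon step above turns entirely on the "HFS 2.3" banner nmap pulled from port 80. As an added example (not from the video or from HackerSploit), here is a small Python parser that reads nmap's normal output, extracts the HFS banner from the service line or the http-server-header script, and flags the build for patching so a defender can catch the same exposure in an inventory scan. The nmap sample is constructed, and the "2.3 or lower" threshold is an assumption to align with the vendor's advisory.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of nmap "normal" output, modelled on the single port-80
# result the walkthrough reads from its saved scan (not the video's own file).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.8
Host is up (0.050s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# Assumption: HFS releases at or below this version are treated as the
# remotely exploitable line the walkthrough targets; confirm the cut-off
# against the vendor advisory before using this as an inventory rule.
HFS_VULNERABLE_MAX = (2, 3)

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?([\w-]+):\s*(.*)$")
HFS_RE = re.compile(r"\b(?:HFS|HttpFileServer(?:\s+httpd)?)\s+(\d+)\.(\d+)", re.I)


@dataclass
class PortFinding:
    port: int
    proto: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)


def parse_nmap(text):
    """Parse open-port lines and their NSE script output into PortFindings."""
    findings, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = PortFinding(int(m.group(1)), m.group(2), m.group(3), m.group(4).strip())
            findings.append(current)
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:  # script lines belong to the preceding port
            current.scripts[m.group(1)] = m.group(2).strip()
    return findings


def hfs_version(finding):
    """Return (major, minor) from the service banner or Server header, else None."""
    for text in [finding.version, *finding.scripts.values()]:
        m = HFS_RE.search(text)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def assess(findings):
    """Return one alert string per port exposing an HFS build at or below the threshold."""
    alerts = []
    for f in findings:
        v = hfs_version(f)
        if v is not None and v <= HFS_VULNERABLE_MAX:
            alerts.append(f"{f.port}/{f.proto}: HFS {v[0]}.{v[1]} allows remote command "
                          f"execution; upgrade or take the service offline")
    return alerts


if __name__ == "__main__":
    for alert in assess(parse_nmap(SAMPLE_NMAP_OUTPUT)) or ["no vulnerable HFS banner found"]:
        print(alert)
```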
Original Description
In this video, I will be showing you how to pwn Optimum on HackTheBox.
📈 SUPPORT US:
Patreon: https://www.patreon.com/hackersploit
Merchandise: https://teespring.com/en-GB/stores/hackersploitofficial
SOCIAL NETWORKS:
Reddit: https://www.reddit.com/r/HackerSploit/
Twitter: https://twitter.com/HackerSploit
Instagram: https://www.instagram.com/hackersploit/
LinkedIn: https://www.linkedin.com/company/18713892
WHERE YOU CAN FIND US ONLINE:
Blog: https://hsploit.com/
HackerSploit - Open Source Cybersecurity Training: https://hackersploit.org/
HackerSploit Academy: https://www.hackersploit.academy
HackerSploit Discord: https://discord.gg/j3dH7tK
LISTEN TO THE CYBERTALK PODCAST:
Spotify: https://open.spotify.com/show/6j0RhRiofxkt39AskIpwP7
We hope you enjoyed the video and found value in the content. We value your feedback. If you have any questions or suggestions feel free to post them in the comments section or contact us directly via our social platforms.
Thanks for watching!
#HTB