HackTheBox Walkthrough - Optimum

HackerSploit · Intermediate ·🔐 Cybersecurity ·6y ago

Key Takeaways

The video demonstrates a walkthrough of the HackTheBox challenge Optimum. Nmap is used to identify the HFS 2.3 file server running on the target, and Metasploit is used to exploit its vulnerabilities and gain access to the system. The video covers remote command execution, privilege escalation, and post-exploitation techniques.

Full Transcript

Hey guys, HackerSploit here, back again with another video. Welcome back to the Hack The Box walkthrough series. Um, you know, I've been getting tons of requests from you guys to actually cover some Windows boxes on Hack The Box, and, uh, you know, lately I've been, I've had a lot of time, a lot of free time, where I've actually been able to delve back into Hack The Box, because, uh, you know, you really need to get used to how the box is set up, and, you know, it's more of a CTF-based structure. So it's been really exciting and fun, you know, getting back into CTFs, like, you know, in boxes on Hack The Box, and I decided, you know, why not resume covering various boxes, various retired boxes. So in this video we are going to be taking a look at Optimum, which is a Windows box, and I've been going through this chronologically, based on the boxes and when they were retired. So again, I did this quite a while ago. I was actually set to record this video earlier last week, but I didn't have the time to, so I guess I'm doing it right now. So I already have the Nmap results here, so, uh, cat, I'm just going to cat, sorry, the Nmap results here, and you can go ahead and take a look at my scan options. Uh, they're fairly simple, and immediately we can see we only get one service, or one port, open, which is port 80, and it's currently running HTTP File Server version 2.3, something like that. And we get the headers, of course. The header tells us it's running something called HFS 2.3, and also the HTTP title tells us the same. Uh, as for, and by the way, I'm pretty sure I'd scanned all the ports, um, so let me just check this right now. So yeah, cat, uh, nmap default all dot txt, and, uh, yeah, we can see that we don't really have any other ports open. As for the operating system guesses, we can see the most likely, uh, you know, operating system that we're running, or the box is running, is Windows Server 2012. That's about 91 percent probability, so we are pretty sure that it's running Windows Server. Um, so
first of all, let's try and explore and see what we have on this. Let's see what we have running on this web server. So we can see that we have what looks to be a file server, right, and we can take a look at the bottom here. We have, this is some system information, and that tells us we're running something called HTTP File Server version 2.3, so let's check out what that is, and, little, the server uptime and a few other bits of information here. So this is the system, and, um, it gives you an idea of what it does. It's a file sharing web server, it's open source, it's free, so on and so forth. You can use it to send or receive files, and I'm pretty sure I have used this before, uh, in the early days of doing YouTube, where I was actually transferring files from one system to another before I'd set up my network correctly. Um, so yeah, this is, uh, HFS, um, HFS file server, and it's version 2.3. So, uh, we can try and run a quick searchsploit on this, um, HFS. Let's just see if we have any results here. So we have a few interesting results, and again, this is by a company called Rejetto, um, which I believe is also the same, because I did see that here, uh, yeah, so it told us rejetto.com HFS, right, so there we are. Um, so we have a Rejetto HTTP File Server HFS remote command execution through Metasploit. I'm not really sure about the version. We have version 2.3 arbitrary file upload, and then version 2.3 onwards we have remote command execution. So let's try and Google and see what we can get here. Um, so let's see what information we can get, so we will just say HFS 2.3 exploit. Looks like we have a few search results, and we have the first one, which is the remote command execution, so let's see what this exploit is about. It's probably a Metasploit module, I can already see that in the URL. So, interesting, so we can see that this works on version 2.3 on Windows XP Service Pack 3, Windows 7 Service Pack 1 and Windows 8,
and right at the bottom we have references and the module name, so this is under rejetto hfs exec, which is again remote command execution. So let's try and run this module, so msfconsole, and, um, let's take a look at a few other exploits that we have here. Um, we have, uh, I think this is the same one, I'm not really sure, let's see. This is the remote command execution, and this is a Python script, and we can also use this instead of using Metasploit. Um, so let's see how this will work. So you need to be using a web server, to be using a web server hosting netcat, and you specify the attacker's IP and netcat.exe. Interesting. So let's try out the first module and let's see. So let's see the various options that we have. All right, interesting, so we have RHOSTS and the RPORT, which is set correctly, uh, server host and the server port, which I guess is fine, 88 is fine, not really hosting anything on that, and the target URI is fine. Uh, if I check it, yes, we're currently in the root of the web server, uh, not under any particular directory. So let's start setting the options here, so set RHOSTS, and the target is going to be 10.10.10.8, right, and, um, set the, uh, server host. I'll just set that to my tunnel interface, which is currently what is used to communicate to the private network, you know, through Hack The Box and OpenVPN. So I'll hit enter and that gives me my IP as expected. Do I have to change anything else? Let me just show the options one more time, just to make sure I have everything set up correctly, and yeah, so I'm just going to run, and, uh, let's see if this will give us a Meterpreter session, or we'll have to use the Python script, which I'm guessing is doing the same thing. Um, so let's see what this, yeah, so it gives us a Meterpreter session, and it tells us to try to delete a file under a temp directory, and it's a Visual Basic script, so we'll take a look at that shortly. Um, so first off, uh, so sysinfo, and it tells us the computer name is Optimum, this is Windows, Windows Server 2012 R2, uh, build
9600. Okay, that's going to be useful. Let's see, this is the architecture, 64-bit, we have one logged on user, and the Meterpreter session is 32-bit. All right, so the first thing I want to do is, let's see if we can get a shell here. All right, looks like we can get a shell. Uh, first of all, whoami. Exactly, looks like we are kostas, a user called kostas, and we are currently on the desktop. Um, so let's see if we can access, uh, yeah, it looks like we have the temp directory that we're supposed to delete, and the user.txt, so let's see if we can access that first. Uh, this was fairly simple, so user.txt.txt, and yeah, we get the user flag, which is, you know, fairly simple, and that's probably why the box is pointing more towards CVE, um, a CVE-rated box, so that's interesting. Um, so, uh, looks like we got that. Uh, one thing I want to do before we try and perform, let's see if I can actually see what other users we have. Um, so I'm in the users directory, we only have Administrator and kostas, so, uh, Administrator, access denied. All right, so what I'm going to do, so I'm just going to exit from here and let's see if I can say getsystem. Let's see if we can get it, I doubt this will work. There we are, um, so that didn't work even through token duplication, which usually works with Windows Server 2012. Uh, getprivs, let's see if we can do that, and we can actually probably load the kiwi module, uh, to see if we can get credentials. I'm not really sure whether that works or not. Um, I probably, I'm not really sure whether that works, we can try it out, but before we do that, um, there are a few things I want to check out first. So, um, if I list the processes, um, do we have any 64-bit processes? Uh, yeah, we have explorer.exe, which is a good host to migrate to, and the process ID, is that the process ID? Uh, yeah, that's PID, so the process ID is 2136. So let's see if we can migrate to that, because you'll get a much more stable session, uh, if it's 64-bit, uh, so 2136, and also want to perform some, also want to
run the post-exploitation exploit suggester tool, or module. So we'll migrate to that, hopefully we can actually migrate successfully and I can get a 64-bit Meterpreter session. So it looks like it completed successfully. Um, let's see if we have successfully migrated, and looks like we have. All right, excellent, that's cool. So what I can do now is I can background this and search for the suggester, right, um, so search for the suggester, and that is a post, this is a post-exploitation module, uh, that again will automatically suggest various, um, various exploit and post-exploitation modules that you can use. If I show the options now, uh, what we need to specify is, because it's a post-exploitation module, we need to specify the session, right, so I'm just going to say set session, and what are the session numbers here? Uh, we only have one session and it's session ID one, so set, uh, session one, and let's run this and let's see what exploits, or post-exploitation, uh, or post, or privilege escalation modules we can get. Um, so that's going to take a few minutes here. Let's take a look at the Python script, I guess. The Python script, um, the Python script will actually have to, uh, we have the target IP, target port number, um, so it's different. Not really getting any more information regarding this exploit, um, it's again RCE, we can probably try this out as well. Let's see if we can just get the exploit, and that is exploit 39161. We should have probably copied it with, um, uh, from the Exploit-DB database through searchsploit. Um, looks like we get a few options here, although I doubt this will work, since this user access control, uh, that usually never works as a, you know, as a good means or a good, you know, method of performing privilege escalation. Um, so what I'm going to do now is, we can actually just try this, uh, Python script, so I'm just gonna copy this from the downloads, and we'll just say, uh, from downloads we're gonna get the 31, do we have the script downloaded? Um, let's see if we have it downloaded,
not really sure. Um, what files, we have 39, right, so it's 39, yeah, it's 39161, and I'm going to copy this into my documents, and under Hack The Box and under Optimum, right, and we want to go into the, uh, documents, Hack The Box, and under Optimum, that's where I saved the script here, and let's see how this works. So chmod +x, and let's give this script, you know, some, uh, some permission so that we can execute it. Um, so if we try and run it by default, let's see what version of Python it uses, probably Python, uh, Python 2, so 39161.py. So we specify the target IP, which is 10.10.10.8, and port 80, right, and we hit enter. Uh, looks like it executed it successfully. Um, it didn't interfere with the Meterpreter session here, not really sure, so sessions one, and that's still working. Um, so what we can do is, let's see if I can run a netcat listener, so netcat and -vlp and one two, but that actually needs to be done, uh, so in order to, you need to be running a web server hosting a netcat, oh yeah, all right. So you know what, that's, uh, that's just too much, uh, right now I already have a session, uh, probably need to do this manually. So this is the local IP and the port number, so yeah, what I'll do now is, instead of running this manually just to get the same session through netcat, I'm just going to exit, and, um, what I'll do is we will just exit from here as well, and let's see if we can escalate our privileges without, you know, having to go that way. Let me just get rid of that. Um, okay, so we're running Windows Server 2012 R2, Windows, um, Server 2012 R2 privilege escalation, let's see if we can find a module that will allow us to do this. We have the first one, which uses, um, that is, let's see, this works through PowerShell, that is MS16-032, but through PowerShell. Um, let's see how that will work exactly. So this is a PowerShell implementation of MS16-032. This exploit targets all vulnerable operating systems that support PowerShell. All right, so this is based on PowerShell. Let's see what this, uh, this CVE is referring to, um,
specifically. So this is, let's see if we have some, all right, so it looks like we have a few modules here, and the other one that we were seeing, that was a PowerShell module. So this is again MS16-032, this is a logon handle privilege escalation. The module exploits the lack of sanitization of standard handles in the Windows Secondary Logon service. The vulnerability is known to affect versions of Windows 7 to 10, 2k8, 2k12, 32 and 64-bit. All right, cool, and this module will only work, uh, against those versions of Windows with PowerShell 2.0 and later, on systems with two or more CPU cores. Interesting. So, uh, let's see if we can actually get, uh, or escalate our privileges using this module. Um, so let's background that, um, so use, and we use that module, so show options, and, uh, set the session to one. Just going to run now, and it's going to start the reverse TCP handler, and let's see if we get, uh, a shell or, uh, looks like we have something interesting going on. So it uses the, it sniffs out the privileged impersonation token, and the thread belongs to service host, the thread is suspended, uh, and success, open system token handle one three four eight, I'm not really sure. Then it sniffs out a system shell, duplicating system tokens, starting the token race, process, race, holy handle leak Batman, we have a system shell. So it looks like that was successful, um, and it's executed on the target machine, but it looks like the session is hung here. It tells us exploit completed but no session was created, and it deletes the PowerShell script here. However, it looks like, uh, it's using the thread handle one three five two, one three four eight, interesting. Um, if we say sysinfo, and, um, yeah, that's, I don't think, um, whoami, oh yeah, I need to go get a shell. Uh, whoami, and we're still Optimum, sorry, we're still kostas. Let me just exit, let's see the system processes. Um, uh, so we have one three five two, that's the one that, that was the, so look out for svchost. Um, interesting, all right, so we have this one
here, that's that one, and, um, 64-bit, that taskhost, explorer.exe, that's interesting, and if I just take a look at this, so if I show the options here, uh, it looks like the LHOST is set to my local, all right, so, um, set LHOST to, sorry, to tunnel 0, and if we run it now, let's see if we get a, because it starts a reverse TCP handler, now it's starting it on the correct IP. All right, so yeah, so it sends the stage, and there we are, we get a Meterpreter session. So that's what I was wondering, it didn't actually latch on to a service that we can then migrate to and get the, you know, the privileges that way. Uh, instead I needed to set the interface and my IP correctly. So again, sysinfo, this is now a 32-bit, um, session, but we have three logged on users, which is weird. Um, so let's get a shell, and, um, so we'll see whoami, and we are NT AUTHORITY, or the administrator for lack of a better word. Uh, let's go into the Administrator directory, so users, cd, um, sorry, that is Administrator, like so, and, uh, desktop, and let's see if we can get the root. So there we are, so we type root.txt and we get the root flag. So yeah, that was pretty simple, and again, this was based primarily on CVEs. I actually remember doing this the other way the last time I did it, using the Python script and having to use netcat, but that's really a long procedure just to get a shell in the first place, and then, uh, using the PowerShell script you probably have to copy it over through, you know, creating a PowerShell script that will then download the script from your local file server, so yeah, that's quite cumbersome. Um, so that was quite simple, um, it was CVE-based. Let me know what you guys think. The write-up for this particular box will be on hackersploit.org and you can check it out, it will cover this all in depth, and I'll probably also add the Python script method, where you can actually do it manually instead of using Metasploit, and yeah, that's going to be
it for this video, and I'll be seeing you in the next video.

Original Description

In this video, I will be showing you how to pwn Optimum on HackTheBox.
This video provides a comprehensive walkthrough of the HackTheBox challenge Optimum, covering topics such as remote command execution, privilege escalation, and post-exploitation techniques. It demonstrates how Nmap and Metasploit are used against the HFS 2.3 file server running on the target to exploit vulnerabilities and gain access to the system.

Key Takeaways
  1. Scan ports using Nmap
  2. Identify open services using Nmap
  3. Use HFS 2.3 to send and receive files
  4. Exploit HFS 2.3 remote command execution vulnerability using Metasploit
  5. Run Metasploit module 'rejetto_hfs_exec'
  6. Set up options for the module
  7. Use the Python script for remote command execution
  8. Delete a file under a temp directory
  9. Access the user.txt file
💡 The video highlights the importance of understanding system architecture and identifying potential vulnerabilities in order to exploit them effectively.