Optimum Walkthrough

Hello everyone! Today we have an interesting machine from HackTheBox, “Optimum”. In this machine we will learn about a new, useful tool for CVE scanning. First, let’s learn more about our machine.

Ok, let’s get started…

Nmap Scan

As with every machine, we begin by scanning the target for open ports, the services running on them, OS detection, and any other information we need to know.

> nmap -A -T4 -oG blue.gnmap 10.10.10.8
-A : service detection, OS detection and default script scanning
-T4: timing template 4 (aggressive) to increase the scan speed
-oG: write the output in greppable (.gnmap) format so other tools, e.g. for brute forcing credentials, can consume it

The results show one open port, 80, with a single service running on it, HttpFileServer 2.3, so we will take this as our entry point and search for any vulnerability in this service via Google or searchsploit.

Now we have an exploit from Rapid7 that works with Metasploit, and you can also use this code from GitHub to exploit it without Metasploit, but you need to edit it first.

We will use Metasploit to exploit this service, so in Metasploit we search for this keyword as follows:

Nice, we have one here. Let’s try it by typing use 0, then show options, set the machine IP in RHOSTS and your local IP in LHOST, and finally type run to start the attack.

As you can see it worked and opened a new Meterpreter session, but it seems that we’re not root, so let’s get the user flag first.

Good, now we have the user flag. Let’s try to get the root flag from the Administrator directory.

Unfortunately, we don’t have access to this directory, so let’s think about how to exploit a privilege escalation vulnerability. To do that we need to do two things:

  1. Get the system info from systeminfo

  2. Try to search about the CVE available for this info

As you can see, we now have the system information; let’s jump to the next step.

I searched more and more for a privilege escalation vulnerability matching this info, but unfortunately nothing was returned, so I discovered a wonderful tool that will scan the machine for CVEs and return the results to me, a tool named Windows-Exploit-Suggester, which needs the systeminfo data in .txt format as follows:

Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00252-70000-00000-AA535
Original Install Date:     18/3/2017, 1:51:36 ��
System Boot Time:          16/12/2020, 12:19:02 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest
Total Physical Memory:     4.095 MB
Available Physical Memory: 3.528 MB
Virtual Memory: Max Size:  5.503 MB
Virtual Memory: Available: 4.979 MB
Virtual Memory: In Use:    524 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              \\OPTIMUM
Hotfix(s):                 31 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB2896496
                           [03]: KB2919355
                           [04]: KB2920189
                           [05]: KB2928120
                           [06]: KB2931358
                           [07]: KB2931366
                           [08]: KB2933826
                           [09]: KB2938772
                           [10]: KB2949621
                           [11]: KB2954879
                           [12]: KB2958262
                           [13]: KB2958263
                           [14]: KB2961072
                           [15]: KB2965500
                           [16]: KB2966407
                           [17]: KB2967917
                           [18]: KB2971203
                           [19]: KB2971850
                           [20]: KB2973351
                           [21]: KB2973448
                           [22]: KB2975061
                           [23]: KB2976627
                           [24]: KB2977629
                           [25]: KB2981580
                           [26]: KB2987107
                           [27]: KB2989647
                           [28]: KB2998527
                           [29]: KB3000850
                           [30]: KB3003057
                           [31]: KB3014442
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.8
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

and then run the tool:

$ ./windows-exploit-suggester.py --database 2020-06-06-mssb.xlsx --systeminfo systeminfo.txt
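The tool works by cross-referencing the installed hotfixes in the systeminfo listing against the Microsoft security bulletin spreadsheet. As an added example (not the original post's code and not Windows-Exploit-Suggester itself), the Python patch-audit below parses a constructed excerpt of the systeminfo output above and reports which entries of a caller-supplied required-hotfix list are missing; the required list and the placeholder KB9999999 are assumptions standing in for the real bulletin database.

```python
import re

# Constructed excerpt of the systeminfo listing above, reduced to the fields the audit reads.
SYSTEMINFO_SAMPLE = """Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB2959936
                           [03]: KB3014442
Network Card(s):           1 NIC(s) Installed.
"""

# Continuation lines of the hotfix block look like "   [07]: KB2931366".
KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")


def parse_systeminfo(text):
    """Return (os_name, os_version, installed_kbs) from raw `systeminfo` output."""
    os_name = os_version = None
    installed = set()
    in_hotfixes = False
    for line in text.splitlines():
        if line.startswith("OS Name:"):
            os_name = line.split(":", 1)[1].strip()
        elif line.startswith("OS Version:"):
            os_version = line.split(":", 1)[1].strip()
        elif line.startswith("Hotfix(s):"):
            in_hotfixes = True  # "Hotfix(s): N/A" yields an empty set
        elif in_hotfixes:
            match = KB_RE.search(line)
            if match and line.startswith(" "):
                installed.add(match.group(1))
            else:
                in_hotfixes = False  # next top-level field ends the block
    return os_name, os_version, installed


def missing_hotfixes(text, required):
    """Required KBs (a constructed list, stand-in for the bulletin database) absent from the host."""
    _, _, installed = parse_systeminfo(text)
    return sorted(kb for kb in required if kb not in installed)
```

On a real host, save `systeminfo` to a file and pass its contents plus a maintained required-KB list for that OS build; every KB returned is an unpatched bulletin to prioritise.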

Among all the exploits reported for this machine, we will use one that helps us in the escalation process, ms16-032; you will find it in Metasploit.

But before using it you should put the Meterpreter session in the background by typing background.

Now you can search for the exploit and use it, then type show options and set SESSION 1, as you have session 1.

Then type run. You will get a new shell with root privileges.

Congrats ❤
