Optimum Walkthrough
Hello everyone! Today we have an interesting machine from HackTheBox, "Optimum". In this machine we will learn about a useful new tool for CVE scanning. First, let's get to know our machine.

OK, let's get started…
Nmap Scan
As with every machine, we begin by scanning the target for open ports, the services running on them, OS detection, and any other information we need.
> nmap -A -T4 -oG blue.gnmap 10.10.10.8
-A: service detection, OS detection, script results
-T4: timing template 4 (aggressive), to increase the speed
-oG: writes the output in grepable format to the file blue.gnmap
The results show one open port, 80, with one service running on it: HttpFileServer 2.3.
So we will take this as an entry point and search for any vulnerability in this service with Google or searchsploit.


So now we have an exploit from Rapid7 that works with Metasploit. You can also use this code from GitHub to hack it without Metasploit, but you need to edit it.

We will use Metasploit to hack this service, so we search Metasploit for this keyword as follows:

Nice, we have one here. Let's try it by typing use 0, then show options. Set the machine IP in RHOSTS and your local IP in LHOST, and finally type run to start the attack.

As you can see, it worked and opened a new meterpreter session, but it seems that we're not root, so let's get the user flag first.

Good, now we have the user flag. Let's try to get the root flag from the Administrator directory.

Unfortunately, we don't have access to this directory, so let's think about how to exploit a privilege escalation vulnerability. To do that we need to do 2 things:
1. Get the system info from systeminfo
2. Search for the CVEs available for this info

As you can see, we now have the system information, so let's jump to the next step.
I searched more and more for a privilege escalation vulnerability for this info, but unfortunately nothing was returned, so I discovered a wonderful tool that scans the machine for CVEs and returns the results to me: a tool named Windows-Exploit-Suggester, which needs the systeminfo data in .txt format, as follows:
Host Name: OPTIMUM
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00252-70000-00000-AA535
Original Install Date: 18/3/2017, 1:51:36
System Boot Time: 16/12/2020, 12:19:02
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest
Total Physical Memory: 4.095 MB
Available Physical Memory: 3.528 MB
Virtual Memory: Max Size: 5.503 MB
Virtual Memory: Available: 4.979 MB
Virtual Memory: In Use: 524 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: \\OPTIMUM
Hotfix(s): 31 Hotfix(s) Installed.
[01]: KB2959936
[02]: KB2896496
[03]: KB2919355
[04]: KB2920189
[05]: KB2928120
[06]: KB2931358
[07]: KB2931366
[08]: KB2933826
[09]: KB2938772
[10]: KB2949621
[11]: KB2954879
[12]: KB2958262
[13]: KB2958263
[14]: KB2961072
[15]: KB2965500
[16]: KB2966407
[17]: KB2967917
[18]: KB2971203
[19]: KB2971850
[20]: KB2973351
[21]: KB2973448
[22]: KB2975061
[23]: KB2976627
[24]: KB2977629
[25]: KB2981580
[26]: KB2987107
[27]: KB2989647
[28]: KB2998527
[29]: KB3000850
[30]: KB3003057
[31]: KB3014442
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.8
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Then run the tool:
$ ./windows-exploit-suggester.py --database 2020-06-06-mssb.xlsx --systeminfo systeminfo.txt
Of all the exploits listed as available for this machine, we will use one that will help us in the escalation process: MS16-032. You will find it in Metasploit.
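The same systeminfo text can be audited from the defender's side to see which required updates a host lacks. The sketch below is an added example, not part of the original walkthrough and not Windows-Exploit-Suggester's code: it parses systeminfo output into its fields and installed hotfix set and reports the bulletins whose update is absent. The function names and the REQUIRED table are assumptions, and the MS16-032 entry uses a placeholder KB number.

```python
"""Patch audit over `systeminfo` output (added example; names are hypothetical)."""
import re

# Constructed sample: a trimmed copy of the systeminfo output shown above.
SAMPLE = """\
Host Name: OPTIMUM
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
System Type: x64-based PC
Hotfix(s): 3 Hotfix(s) Installed.
[01]: KB2959936
[02]: KB3000850
[03]: KB3014442
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
"""

# Assumed audit table: bulletin -> update that must be present.
# KB0000000 is a placeholder, not the real MS16-032 update number; take real
# values from Microsoft's bulletin data. "EXAMPLE-INSTALLED" is constructed.
REQUIRED = {"MS16-032": "KB0000000", "EXAMPLE-INSTALLED": "KB3014442"}

def parse_systeminfo(text):
    """Return {'fields': {...}, 'hotfixes': set()} from raw systeminfo text."""
    fields, hotfixes, section = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        item = re.match(r"\[\d+\]:\s*(.+)", line)
        if item:  # numbered entry belonging to the last section header seen
            # Processor and NIC entries use the same numbering; keep only KBs.
            if section == "Hotfix(s)" and re.fullmatch(r"KB\d+", item.group(1), re.I):
                hotfixes.add(item.group(1).upper())
            continue
        key, sep, value = line.partition(":")
        if sep:
            section = key.strip()
            fields[section] = value.strip()
    return {"fields": fields, "hotfixes": hotfixes}

def missing_updates(info, required):
    """Bulletins whose required KB is not in the installed hotfix set."""
    return sorted(b for b, kb in required.items() if kb.upper() not in info["hotfixes"])

if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE)
    print(info["fields"]["OS Name"], "build", info["fields"]["OS Version"])
    print("missing:", missing_updates(info, REQUIRED))
```

A missing KB is a lead rather than proof: cumulative or superseding updates can cover a bulletin without the original KB appearing in the hotfix list.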

But before using it, you should put the meterpreter session in the background by typing background.

Now you can search for the exploit and use it, then type show options and set SESSION 1, as you have session 1, and then run.
You will get a new shell with root privileges.


Congrats!