- Email: info@clearinfosec.com
- 1800 760 5656
Optimum is a beginner-level machine that is more of enumeration of services with known exploits. These exploits are easy to work out and get the flag. We will be having two parts in this blog. This is the first part
Tools Used:
• Nmap
• Metasploit
• Windows Exploit Suggester
$ sudo nmap -sSV -T5 -p- 10.10.10.8 –allports
We can see that only PORT 80 is open. HttpFileServer (HFS) version 2.3 is running on the webserver.HFS rejetto is an open-source file-sharing webserver. The latest version is 2.3m but this machine runs on version 2.3 which is outdated and vulnerable. After a quick google search, I found this version has multiple Remote Code Execution.
As always, I opened my Metasploit and searched if there is a pretty good exploit. I got an excellent RCE. let’s try it and see if the magic works.
I did a mistake while setting options, I didn’t add SRVHOST and SRVPORT. So, it simply did not open the meterpreter session. After checking the options I came to know SRVHOST option is used when exploiting a webserver.
I mentioned SRVHOST and SRVPORT and it worked perfectly.
At last, I got the session, and let’s check what we can extract. I checked for the system info and got a bunch of information.
The machine runs in windows 2012 R2 and x64 architecture. Also, the build is 6.3 9600 which is a pretty old version. If this is not well patched, we can easily exploit and gain access.
Now I want to view the full system information. So I opened the shell and gave the command systeminfo and got the below information
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>systeminfo
systeminfo:
Host Name: | OPTIMUM |
OS Name: | Microsoft Windows Server 2012 R2 Standard |
OS Version: | 6.3.9600 N/A Build 9600 |
OS Manufacturer: | Microsoft Corporation |
OS Configuration: | Standalone Server |
OS Build Type: | Multiprocessor Free |
Registered Owner: | Windows User |
Registered Organization: |
|
Product ID: | 00252-70000-00000-AA535 |
Original Install Date: | 18/3/2017, 1:51:36 |
System Boot Time: | 9/9/2021, 8:20:21 |
System Manufacturer: | VMware, Inc. |
System Model: | VMware Virtual Platform |
System Type: | x64-based PC |
Processor(s): | 1 Processor(s) Installed. |
| [01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz |
BIOS Version: | Phoenix Technologies LTD 6.00, 12/12/2018 |
Windows Directory: | C:\Windows |
System Directory: | C:\Windows\system32 |
Boot Device: | \Device\HarddiskVolume1 |
System Locale: | el;Greek |
Input Locale: | en-us;English (United States) |
Time Zone: | (UTC+02:00) Athens, Bucharest |
Total Physical Memory: | 4.095 MB |
Available Physical Memory: | 3.492 MB |
Virtual Memory: Max Size: | 5.503 MB |
Virtual Memory: Available: | 4.951 MB |
Virtual Memory: In Use: | 552 MB |
Page File Location(s): | C:\pagefile.sys |
Domain: | HTB |
Logon Server: | \\OPTIMUM |
Hotfix(s): | 31 Hotfix(s) Installed. |
| [01]: KB2959936 |
| [02]: KB2896496 |
| [03]: KB2919355 |
| [04]: KB2920189 |
| [05]: KB2928120 |
| [06]: KB2931358 |
| [07]: KB2931366 |
| [08]: KB2933826 |
| [09]: KB2938772 |
| [10]: KB2949621 |
| [11]: KB2954879 |
| [12]: KB2958262 |
| [13]: KB2958263 |
| [14]: KB2961072 |
| [15]: KB2965500 |
| [16]: KB2966407 |
| [17]: KB2967917 |
| [18]: KB2971203 |
| [19]: KB2971850 |
| [20]: KB2973351 |
| [21]: KB2973448 |
| [22]: KB2975061 |
| [23]: KB2976627 |
| [24]: KB2977629 |
| [25]: KB2981580 |
| [26]: KB2987107 |
| [27]: KB2989647 |
| [28]: KB2998527 |
| [29]: KB3000850 |
| [30]: KB3003057 |
| [31]: KB3014442 |
Network Card(s): | 1 NIC(s) Installed. |
| [01]: Intel(R) 82574L Gigabit Network Connection |
| Connection Name: Ethernet0 |
| DHCP Enabled: No |
| IP address(es) |
| [01]: 10.10.10.8 |
As I go the full sysinfo, Here I used the Windows-Exploit-Suggester as this is Windows server 2012 R2. So before we run this exploit I have to download the system info in a text file and run it with the windows exploit suggester.
meterpreter> execute -f “cmd.exe /c systeminfo>sysinfo.txt”
After downloading and saving it in my local I used the sysinfo with exploit suggester.
$ python2 windows-exploit-suggester.py –database 2017-08-27 -mssb.xls –systeminfo /location of the txt file you downloaded
But it threw an error mentioning excel(xls) library. I tried to update the windows exploit suggester but that didn’t work
$ python2 windows-exploit-suggester.py –update
Here I like to mention that there are two ways, one is windows exploit suggester and another one is using Metasploit exploit suggester. I am trying to use Windows exploit suggester as this is a new tool I’m working on.
I am currently troubleshooting the error and will fix this and show you guys both the exploit suggester in the next part