Optimum is a beginner-level machine that is mostly about enumerating services with known exploits. These exploits are easy to work out and use to get the flag. This blog has two parts; this is the first part.
Tools Used:
• Nmap
• Metasploit
• Windows Exploit Suggester
$ sudo nmap -sSV -T5 -p- 10.10.10.8 --allports
We can see that only port 80 is open. HttpFileServer (HFS) version 2.3 is running on the web server. Rejetto HFS is an open-source file-sharing web server. The latest version is 2.3m, but this machine runs version 2.3, which is outdated and vulnerable. After a quick Google search, I found that this version has multiple remote code execution vulnerabilities.
As always, I opened Metasploit and searched for a pretty good exploit. I got an excellent RCE. Let's try it and see if the magic works.
I made a mistake while setting the options: I didn't add SRVHOST and SRVPORT, so it simply did not open the meterpreter session. After checking the options, I came to know that the SRVHOST option is used when exploiting a web server.
I set SRVHOST and SRVPORT, and it worked perfectly.
At last, I got the session, so let's check what we can extract. I checked the system info and got a bunch of information.
The machine runs Windows 2012 R2 on x64 architecture. Also, the build is 6.3 9600, which is a pretty old version. If it is not well patched, we can easily exploit it and gain access.
Now I want to view the full system information, so I opened a shell, ran the command systeminfo, and got the information below:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>systeminfo
systeminfo:
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00252-70000-00000-AA535
Original Install Date:     18/3/2017, 1:51:36
System Boot Time:          9/9/2021, 8:20:21
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest
Total Physical Memory:     4.095 MB
Available Physical Memory: 3.492 MB
Virtual Memory: Max Size:  5.503 MB
Virtual Memory: Available: 4.951 MB
Virtual Memory: In Use:    552 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              \\OPTIMUM
Hotfix(s):                 31 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB2896496
                           [03]: KB2919355
                           [04]: KB2920189
                           [05]: KB2928120
                           [06]: KB2931358
                           [07]: KB2931366
                           [08]: KB2933826
                           [09]: KB2938772
                           [10]: KB2949621
                           [11]: KB2954879
                           [12]: KB2958262
                           [13]: KB2958263
                           [14]: KB2961072
                           [15]: KB2965500
                           [16]: KB2966407
                           [17]: KB2967917
                           [18]: KB2971203
                           [19]: KB2971850
                           [20]: KB2973351
                           [21]: KB2973448
                           [22]: KB2975061
                           [23]: KB2976627
                           [24]: KB2977629
                           [25]: KB2981580
                           [26]: KB2987107
                           [27]: KB2989647
                           [28]: KB2998527
                           [29]: KB3000850
                           [30]: KB3003057
                           [31]: KB3014442
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.8
As I got the full system info, I used Windows-Exploit-Suggester here, as this is Windows Server 2012 R2. So before we run this exploit, I have to download the system info into a text file and run it with Windows Exploit Suggester.
After downloading it and saving it locally, I used the system info with the exploit suggester.
$ python2 windows-exploit-suggester.py --database 2017-08-27-mssb.xls --systeminfo <location of the txt file you downloaded>
But it threw an error mentioning the Excel (xls) library. I tried to update Windows Exploit Suggester, but that didn't work.
$ python2 windows-exploit-suggester.py --update
Here I would like to mention that there are two ways: one is Windows Exploit Suggester and the other is the Metasploit exploit suggester. I am trying to use Windows Exploit Suggester as this is a new tool I'm working on.
I am currently troubleshooting the error and will fix this and show you guys both exploit suggesters in the next part.
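The saved systeminfo file matters because the suggester works from the hotfix list in it. As an added example (not code from this post or from Windows Exploit Suggester), the Python below parses a saved systeminfo report, checks that the hotfix list was captured completely, and reports which KBs from a baseline are absent. REQUIRED is a hypothetical baseline and KB9999999 is a constructed placeholder, not a real patch.

```python
import re

# Constructed sample: a shortened systeminfo report in the layout shown in
# this post (only three of the 31 hotfix lines are kept).
SAMPLE = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB2896496
                           [03]: KB3014442
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
"""

def parse_systeminfo(text):
    """Return {field: [values]}; indented lines continue the previous field."""
    fields, current = {}, None
    for line in text.splitlines():
        # A field label starts in column 0 and ends at a colon that is
        # followed by padding (or by nothing, for an empty value).
        m = re.match(r"^(\S.*?):(?:\s{2,}|\s*$)(.*)$", line)
        if m:
            current, val = m.group(1), m.group(2).strip()
            fields[current] = [val] if val else []
        elif current is not None and line.strip():
            fields[current].append(line.strip())
    return fields

def patch_report(text, required):
    """Compare the installed hotfixes against a list of required KB ids."""
    info = parse_systeminfo(text)
    hotfix = info.get("Hotfix(s)", [])
    m = re.match(r"(\d+)", hotfix[0]) if hotfix else None
    declared = int(m.group(1)) if m else 0
    installed = set(re.findall(r"KB\d+", " ".join(hotfix[1:])))
    return {
        "os": info["OS Name"][0],
        "build": info["OS Version"][0].split()[0],
        # False means the list was truncated when the report was saved,
        # so "missing" would contain false positives.
        "count_matches": declared == len(installed),
        "missing": sorted(set(required) - installed),
    }

# Hypothetical baseline: one KB taken from the report, one constructed placeholder.
REQUIRED = ["KB3014442", "KB9999999"]

if __name__ == "__main__":
    print(patch_report(SAMPLE, REQUIRED))
```

When count_matches is False, capture the report again before trusting the missing list.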