Tuesday 7 April 2020

10.10.10.8 OPTIMUM hackthebox machine writeup

OPTIMUM 10.10.10.8 Write Up

Machine Created by ch4p

Tools Used for Enumeration:

1. nmap

Tools Used for Exploitation:

1. metasploit

Steps for primary enumeration:

1. First we use nmap (a network mapping tool) to scan the box IP. Running it gives us a list of open ports and the services running on them. On this box the open port and service are port 80, running HFS 2.3.
Command used: nmap -A 10.10.10.8
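
For the defensive side of this enumeration step, the following added example (not part of the original write-up) parses saved nmap normal-format output and lists every host exposing HFS, flagging version 2.3. The sample scan text, the second host and the find_hfs helper are constructed for illustration; only IPv4 report lines are handled.

```python
import re

# The write-up names HFS 2.3 as vulnerable. Extend this set only after
# checking vendor advisories (assumption: no other versions are flagged here).
FLAGGED_HFS_VERSIONS = {"2.3"}

# "Nmap scan report for 10.10.10.8" or "... for name (192.0.2.20)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([\d.]+)\)?$")
# "80/tcp open  http    HttpFileServer httpd 2.3" (open ports only)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+\S+\s+(.*)$")
HFS_RE = re.compile(r"HttpFileServer httpd (\d+(?:\.\d+)*\w*)")

# Constructed sample output, not captured from a real scan.
SAMPLE = """\
Nmap scan report for 10.10.10.8
Host is up (0.15s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3

Nmap scan report for files.example.test (192.0.2.20)
Host is up (0.01s latency).
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     OpenSSH 8.2p1
8080/tcp open   http    HttpFileServer httpd 2.4
443/tcp  closed https
"""

def find_hfs(nmap_text):
    """Return [(host, port, version, flagged)] for each open HFS service."""
    findings, host = [], None
    for line in nmap_text.splitlines():
        line = line.rstrip()
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)  # remember which host the port lines belong to
            continue
        m = PORT_RE.match(line)
        if not m or host is None:
            continue  # script output, closed ports, headers
        hfs = HFS_RE.search(m.group(3))
        if hfs:
            version = hfs.group(1)
            findings.append((host, int(m.group(1)), version,
                             version in FLAGGED_HFS_VERSIONS))
    return findings

if __name__ == "__main__":
    for host, port, version, flagged in find_hfs(SAMPLE):
        print(f"{host}:{port} HFS {version} {'PATCH/REMOVE' if flagged else 'review'}")
```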


Steps to get user.txt: 

1. After some Googling we found that HTTPFileServer httpd (HFS) 2.3 is vulnerable to remote code execution. Fortunately, there is a Metasploit module for it: "exploit/windows/http/rejetto_hfs_exec".

2. After viewing all options using "show options" we can exploit it. First we need to set the payload to "windows/meterpreter_reverse_tcp", rhost to 10.10.10.8, and lhost and srvhost to the tun0 IP address; then we can run the exploit to get a meterpreter shell.

3. We can use the "cat c:/Users/kostas/Desktop/user.txt.txt" command to get the user flag.

Steps to get root.txt:

1. Using "post/multi/recon/local_exploit_suggester" we got the "exploit/windows/local/bypassuac_dotnet_profiler" exploit for privilege escalation.
2. At first that did not work. It works after regaining the meterpreter session with the payload "windows/x64/meterpreter/reverse_tcp".
3. Now, after getting the shell, we can use the command "cat c:/Users/Administrator/Desktop/root.txt" to get the root flag.

Flags:

1. user.txt flag: d0c39409d7b994a9a1389ebf38ef5f73
2. root.txt flag: 51ed1b36553c8461f4552c2e92b3eeed

Videos:

1. IppSec walkthrough: https://www.youtube.com/watch?v=kWTnVBIpNsE
