Optimum

Personal Rating: Easy

Enumeration

sudo nmap -A <IP>

nmap: PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
<SNIP>

There is an HTML login at view-source: http://10.10.10.8/~login

HFS RCE

There seems to be an RCE for the tool HFS 2.3 that is running on the server. I found a Python PoC (CVE-2014-6287).

rejetto_hfs_exec

Credential Pillaging

There is a file called hfs.exe in the user folder

I ran LaZagne on the host to find credentials:

╔══════════╣ RDP Sessions
    SessID    pSessionName   pUserName      pDomainName              State     SourceIP
    1         Console        kostas         OPTIMUM                  Active    

Logon Id:                     223667

╔══════════╣ Looking for AutoLogon credentials
   Some AutoLogon credentials were found
    DefaultUserName               :  kostas
    DefaultPassword               :  kdeEjDowkS*

╔══════════╣ Enumerating Security Packages Credentials
  Version: NetNTLMv2
  Hash:    kostas::OPTIMUM:1122334455667788:9ff31d29534077ed01593e0b36129655:0101000000000000b6a223a7954cd90162427ab7f97a15d500000000080030003000000000000000000000000020000059e3276229747c33b040dbd9582ed5fc450d68281352578d738581afeeabf1650a00100000000000000000000000000000000000090000000000000000000000

This could also have been done with other scripts, or with manual enumeration in PowerShell, for example, if you needed to be stealthier or to live off the land (LOL).
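The AutoLogon finding shown above comes from values stored in the Winlogon registry key, which can be read directly in PowerShell. The following is an added example, not part of the original write-up: the function name Get-AutoLogonFinding is hypothetical, and it reports whether a password is stored without echoing the password itself, which also makes it usable as an audit check on your own hosts.

```powershell
# Added example: audit the Winlogon key for stored AutoLogon credentials.
# Get-AutoLogonFinding is a hypothetical helper name, not a built-in cmdlet.
function Get-AutoLogonFinding {
    [CmdletBinding()]
    param(
        # Parameterised so the check can be pointed at another hive or a test key.
        [string]$Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )

    $key = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) {
        Write-Warning "Cannot read $Path"
        return
    }

    # Collect only the values relevant to AutoLogon; missing values stay $null.
    $values = @{}
    foreach ($name in 'AutoAdminLogon', 'DefaultUserName', 'DefaultDomainName', 'DefaultPassword') {
        $value = $null
        $prop  = $key.PSObject.Properties[$name]
        if ($prop) { $value = [string]$prop.Value }
        $values[$name] = $value
    }

    $hasPassword = -not [string]::IsNullOrEmpty($values['DefaultPassword'])
    $enabled     = $values['AutoAdminLogon'] -eq '1'

    # A DefaultPassword value is stored in cleartext and is readable by
    # any local user, whether or not AutoAdminLogon is currently enabled.
    $finding = 'None'
    if ($hasPassword -and $enabled) { $finding = 'AutoLogon enabled with cleartext password' }
    elseif ($hasPassword)           { $finding = 'Stale cleartext password left in registry' }
    elseif ($enabled)               { $finding = 'AutoLogon enabled, no cleartext password value' }

    [pscustomobject]@{
        Path              = $Path
        AutoAdminLogon    = $enabled
        UserName          = $values['DefaultUserName']
        Domain            = $values['DefaultDomainName']
        CleartextPassword = $hasPassword
        PasswordLength    = if ($hasPassword) { $values['DefaultPassword'].Length } else { 0 }
        Finding           = $finding
    }
}

Get-AutoLogonFinding | Format-List
```

Any result other than `None` means the account's password should be rotated and the `DefaultPassword` value removed.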

Basic Privesc

For the hfs executable I found there was a privesc called ms16_032_secondary_logon_handle_privesc that I found after running a local exploit suggester.
