This box was an easy level windows box on HTB created by ch4p, it started with gaining user shell via a RCE exploit in the HFS server that is running on port 80. In post enumeration, we use Sherlock that finds a local privesc exploit MS16-32, we use it’s poc script present in Empire to get a shell as NT Authority\System.
As always let’s start off with nmap script nmap -sC for default scripts Alright, if it isn’t obvious yet I am a IPPSEC fanboi. Aight, firing up nmap to scan all open ports on the box.
And here is our nmap result
We only have one port open, so let’s start enumerating it.
Let’s start enumerating by looking at webpage of the HttpFileServer.
Hovering over the link in bottom left corner confirms that it is Rejetto HttpFileServer 2.3, so let’s look for it’s exploits.
And we get one python RCE exploit, windows/remote/39161.py.
On reading the exploit script, the comments had the instructions that, we will have to host a nc.exe so that it can be used by the exploit to give a reverse shell and change our Lhost IP address and Port Number in the exploit script to get a reverse shell.
After modifying the script, let’s start a listner using rlwrap nc -lvnp 9889 and host the netcat binary using python3 http server.
Time to run the exploit.
Looking at our netcat server and yes we got our shell.
The exploit workflow will be like this.
In post enumeration, running Sherlock to find any privilege escalation exploit. Also consider trying watson for this enumeration, I used Sherlock because i don’t have a windows system to build Watson’s binary.
Luckily Empire has a exploit configured for this CVE, Invoke-MS16032, we add the following command to download and execute our powershell revshell exploit from nishang in the exploit and now we are ready to root the box[Get shell as system].
Hosting our nishang reverse shell via python3 -m http.server 8000 and running the exploit.
Looking at our shell and yep we got as NT Authority/System.
The privesc exploit workflow will be like this.
Hope you learned something new, if you face any issues / have any query, feel free to contact me on social media.