This machine was pretty straightforward and much easier than I expected it to be. I truly feel like I have improved a lot in the past 2-3 weeks, because 2 weeks ago I definitely would not have been able to solve this machine by myself. I still have a lot of room to develop, and I found myself freezing and getting lost when it came to the privilege escalation stage. I definitely need to spend more time working on it. Still, I think I deserve to be proud of myself for tackling this machine (almost) entirely on my own.
The nmap scan showed only one open port: port 80, running HttpFileServer httpd 2.3.
I navigated to the web page at the target IP address 10.10.10.8.
I couldn't find anything juicy, except that when I clicked on the login button there was a pop-up asking for credentials.
I searched on searchsploit to see if there was an exploit for the HttpFileServer 2.3 that I had found through the nmap scan, and there was one titled Rejetto HttpFileServer 2.3.x - Remote Command Execution. An RCE attack was exactly what I was hoping for.
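The same step seen from the defender's side: matching a service banner against a list of versions with public exploits is exactly what an asset inventory should do before an attacker does it. The script below is an added example written for this post (not part of the original writeup and not a Metasploit or searchsploit feature): it parses nmap's greppable (-oG) output, pulls out each open service's version banner, and flags banners that fall under a watchlisted version prefix. The scan line and the watchlist are constructed; the single watchlist entry mirrors the searchsploit title quoted above.

```python
"""Inventory check: flag nmap-reported service versions that appear on a
watchlist of versions with public exploits. Added example for this post;
the scan output and the watchlist are constructed, not real scanner data."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str      # nmap service name, e.g. "http"
    version: str   # nmap version banner, e.g. "HttpFileServer httpd 2.3"


# Constructed watchlist: product name as it appears in the nmap banner ->
# affected version prefixes and a note. The HFS entry mirrors the
# searchsploit title quoted in the post ("2.3.x"); there are no other entries.
WATCHLIST = {
    "HttpFileServer": {
        "affected_prefixes": ("2.3",),
        "note": "Rejetto HttpFileServer 2.3.x - Remote Command Execution (searchsploit)",
    },
}

# One -oG port entry: port/state/proto/owner/service/rpcinfo/version/
_PORT_RE = re.compile(r"^(\d+)/([^/]+)/([^/]+)/[^/]*/([^/]*)/[^/]*/([^/]*)/?$")


def parse_greppable(text: str) -> list[Service]:
    """Parse nmap -oG output into Service records (one per reported port)."""
    services: list[Service] = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skips comment lines and Status-only host lines
        host = line.split()[1]
        # fields in -oG lines are tab separated; the Ports field ends at the next tab
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            m = _PORT_RE.match(entry.strip())
            if m:
                port, state, proto, name, version = m.groups()
                services.append(Service(host, int(port), proto, state, name, version.strip()))
    return services


def numeric_version(banner: str) -> tuple[int, ...]:
    """Extract the dotted numeric version from a banner ("httpd 2.3c" -> (2, 3)).
    Letter suffixes are ignored, so 2.3c is treated as a 2.3 release."""
    m = re.search(r"\d+(?:\.\d+)*", banner)
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()


def find_matches(services: list[Service]) -> list[tuple[Service, str]]:
    """Return (service, note) for every open service whose banner names a
    watchlisted product and whose version falls under an affected prefix.
    Prefixes compare numerically, so "2.3" covers 2.3 and 2.3.1 but not 2.30."""
    findings: list[tuple[Service, str]] = []
    for svc in services:
        if svc.state != "open":
            continue
        for product, rule in WATCHLIST.items():
            if product.lower() not in svc.version.lower():
                continue
            nums = numeric_version(svc.version)
            for prefix in rule["affected_prefixes"]:
                p = numeric_version(prefix)
                if p and nums[:len(p)] == p:
                    findings.append((svc, rule["note"]))
                    break
    return findings


# Constructed sample in nmap's greppable format, modelled on the scan in the post.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample): nmap -sV -oG - 10.10.10.8\n"
    "Host: 10.10.10.8 ()\tStatus: Up\n"
    "Host: 10.10.10.8 ()\tPorts: 80/open/tcp//http//HttpFileServer httpd 2.3/, "
    "443/closed/tcp//https///\tIgnored State: filtered (998)\n"
)


if __name__ == "__main__":
    for svc, note in find_matches(parse_greppable(SAMPLE_SCAN)):
        print(f"{svc.host}:{svc.port}/{svc.proto}  {svc.version}  ->  {note}")
```

Run it against real output with `nmap -sV -oG scan.gnmap <hosts>` and feed the file to `parse_greppable`. The version comparison is deliberately numeric rather than a string prefix so that a "2.3" rule does not accidentally match a hypothetical 2.30 release; extend `WATCHLIST` from your own vulnerability feed rather than hand-typing entries.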
Since I knew there was an exploit for the version running on the server, I moved on to Metasploit.
On the options page of the exploit, I configured every required option, including RHOSTS, RPORT, SRVHOST, SRVPORT, LHOST, and LPORT.
I successfully executed the exploit and gained access to a user shell.
I obtained the user flag.
However, with the current user's privileges I could not access the root user directory. It was time for privilege escalation to move up vertically.
As I learned from the previous machines, I searched for a post/multi/recon module and it returned 4 modules. The second module is the one I had used before on another machine: it explores the current compromised local session and suggests all the potential exploits.
The post/multi/recon represents a category of post-exploitation modules designed to perform reconnaissance tasks on compromised systems.
- post: short for post-exploitation. These modules are used after gaining access to a target system. They help gather additional information or achieve specific tasks once the initial compromise has been made.
- multi: indicates that the module is applicable to multiple platforms or operating systems.
- recon: short for reconnaissance. These modules are used to collect information about the target system or network.
As you can see, the module requires me to specify the session I would like to run it on. In my case, I used the session I had previously obtained, which had id 2.
It output all the possible exploits I could run on the current backgrounded session, and the one I decided to use was named exploit/windows/local/ms16_032_secondary_logon_handle_privesc. As you can tell from its name, it is used for privilege escalation, exactly what I was looking for.
I successfully executed the exploit and gained the root shell! As you can see, the getuid command returned NT AUTHORITY\SYSTEM, the Windows equivalent of root!
Got the root flag :)