Optimum
Last updated
Browsing to the only open port we find a web page titled 'HFS', and the page reports 'HttpFileServer 2.3'.
Researching exploits for this we come to: CVE-2014-6287.
Description:
The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aka HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.
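Added example, not part of the original writeup: from the defender's side the CVE text above gives two things to check, a server banner in the vulnerable 2.3x-before-2.3c range and search requests that carry a NUL byte once URL-decoded. The log lines, field names and addresses are constructed assumptions in Common Log Format, not real HFS logs.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (Common Log Format style); not real HFS log output.
# Line 2 carries a %00 in the search parameter; line 3 is double-encoded and
# decodes to the literal text "%00", which is not a NUL byte after one decode.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /?search=report HTTP/1.1" 200 512
192.0.2.10 - - [01/Jan/2024:10:00:07 +0000] "GET /?search=%00abc HTTP/1.1" 200 0
192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /?search=%2500abc HTTP/1.1" 200 40
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

BANNER_RE = re.compile(r'(?:HttpFileServer|HFS)\s+(\d+)\.(\d+)([a-z]?)', re.IGNORECASE)


def banner_in_cve_2014_6287_range(banner):
    """True if the banner names an HFS 2.3x release before 2.3c (the CVE's range)."""
    m = BANNER_RE.search(banner)
    if not m:
        return False
    major, minor, letter = int(m[1]), int(m[2]), m[3].lower()
    # 2.3 (no suffix), 2.3a and 2.3b sort before 'c'; 2.3c and later do not.
    return (major, minor) == (2, 3) and letter < 'c'


def null_byte_search_requests(log_text):
    """Return the requests whose decoded 'search' parameter contains a NUL byte."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes each value exactly once, like the server does.
        query = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)
        for value in query.get('search', []):
            if '\x00' in value:
                hits.append({'src': m['src'], 'ts': m['ts'], 'status': m['status'],
                             'target': m['target']})
    return hits


if __name__ == '__main__':
    for hit in null_byte_search_requests(SAMPLE_LOG):
        print(f"NUL byte in HFS search from {hit['src']} at {hit['ts']}: {hit['target']}")
```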
Searching for exploits on exploit-db.com we have the following PoC available:
I downloaded the exploit and amended the correct information for the variables shown below:
Executing the exploit next we get a shell on the target system as the user 'kostas'.
Now that we are on the system I was able to use the systeminfo command to pull system information. I copied this to a text file on my attacking machine and ran it against windows-exploit-suggester.py, which I have linked below:
After running windows-exploit-suggester.py we get the results below:
It reports that the target system is vulnerable to an RGNOBJ Integer Overflow, otherwise known as MS16-098.
Description of MS16-098:
This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system.
This security update is rated Important for all supported releases of Windows. For more information, see the Affected Software and Vulnerability Severity Ratings section.
The security update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory. For more information about the vulnerabilities, see the Vulnerability Information section.
I downloaded a precompiled binary from the following GitHub repository:
Before transferring the binary over we need to gain a cmd.exe shell, as the current PS shell is bound. I will use msfvenom to generate a reverse shell on my attacking machine.
I then started a Python SimpleHTTPServer on my attacking machine to host the msfvenom binary.
Then, on the attacking machine, I used certutil.exe to download the msfvenom binary.
Then I set a netcat listener on my attacking machine on the port specified in the msfvenom binary.
Then I executed the shell on the target system to gain a cmd.exe shell.
From here I then transferred the MS16-098 binary 'bfill.exe' over to the target system.
With the binary now on the target system I executed it with the following command to gain a SYSTEM shell.