
HTB Windows Easy: Optimum

Optimum is an Easy rated Windows machine on HTB.


Nmap


Initial Foothold

Enumerating HTTP (Port 80)

The web service is running a vulnerable version of HttpFileServer.

Exploit vulnerability

Search for a matching exploit with searchsploit.

Create a PowerShell reverse shell script file that we will invoke using a command injection vulnerability, and start a Python web server to make sure the file is reachable.

Now set up a nc listener and execute the script.

You should now have a shell as the kostas user.

Priv Esc

Collect the OS info.

Looking for an exploit using searchsploit, we find a PowerShell script that should escalate our privileges.

Since for some reason I couldn’t get the script to work, I decided to go the Metasploit route. First we need a regular session within Metasploit.

Now we can background this session and use it to escalate our privileges using MS16-032.

We now have a privileged shell as the SYSTEM user.

User.txt


Root.txt


You have PWNED!!!



This post is licensed under CC BY 4.0 by the author.