Retired Machine (Optimum)
User File Flag
Running an Nmap scan reveals a hosted file server.
"# Nmap scan initiated Tue Aug 7 11:26:29 2018 as: nmap -sV -T5 -oG optimumNmap 10.10.10.8
Host: 10.10.10.8 () Status: Up
Host: 10.10.10.8 () Ports: 80/open/tcp//http//HttpFileServer httpd 2.3/ Ignored State: filtered (999)
# Nmap done at Tue Aug 7 11:26:46 2018 -- 1 IP address (1 host up) scanned in 17.53 seconds"
Visiting the web page shows that it is hosted with HFS (HTTP File Server). A Nikto scan confirms the version as HFS 2.3. In Metasploit we can do a simple search for this:
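As an added example (not part of the original writeup), here is a small Python script that parses the grepable (-oG) output shown above and flags the "HttpFileServer httpd 2.3" banner, the way a defender reviewing an inventory scan would catch an exposed HFS 2.3 before anyone else does. The sample input is constructed from the scan above plus a made-up second host; the WATCHLIST contents and its note are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: the grepable (-oG) lines quoted in the writeup, plus a
# made-up second host so the filter has something to ignore.
SAMPLE_OG = """\
# Nmap scan initiated Tue Aug 7 11:26:29 2018 as: nmap -sV -T5 -oG optimumNmap 10.10.10.8
Host: 10.10.10.8 () Status: Up
Host: 10.10.10.8 () Ports: 80/open/tcp//http//HttpFileServer httpd 2.3/ Ignored State: filtered (999)
Host: 192.0.2.10 () Ports: 22/open/tcp//ssh//OpenSSH 7.9/, 443/closed/tcp//https/// Ignored State: filtered (998)
# Nmap done at Tue Aug 7 11:26:46 2018 -- 1 IP address (1 host up) scanned in 17.53 seconds
"""

PortEntry = namedtuple("PortEntry", "host port state proto service version")

# Only 'Host:' lines that carry a 'Ports:' field are of interest.
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$")

def parse_grepable(text):
    """Parse the Ports: field of nmap -oG output into PortEntry records."""
    entries = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment lines and 'Status: Up' lines carry no ports
        host, ports = m.groups()
        for raw in ports.split(","):
            f = raw.strip().split("/")
            # grepable field order: port/state/proto/owner/service/rpc/version/
            if len(f) < 7:
                continue
            entries.append(PortEntry(host, int(f[0]), f[1], f[2], f[4], f[6]))
    return entries

# Service banners worth flagging (assumed watchlist; the HFS 2.3 banner is the
# one the scan above returned). Matching is a case-insensitive substring test.
WATCHLIST = {"httpfileserver httpd 2.3": "HFS 2.3 exposed: known RCE, upgrade or take offline"}

def flag_exposed(entries):
    """Return (host, port, version, note) for open ports whose banner is on the watchlist."""
    found = []
    for e in entries:
        if e.state != "open":
            continue
        for needle, note in WATCHLIST.items():
            if needle in e.version.lower():
                found.append((e.host, e.port, e.version, note))
    return found
```

Calling `flag_exposed(parse_grepable(SAMPLE_OG))` returns one finding, for 10.10.10.8 port 80; the OpenSSH host and the closed port are ignored.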
exploit/windows/http/rejetto_hfs_exec: This exploit won't need much editing!
Using the 'rejetto_hfs_exec' exploit we just need to set RHOST to point at our vulnerable file server.
A successful exploit rewards us with a 'Meterpreter' session.
Always run the 'sysinfo' command to check the system information. This is a 64-bit OS, but our 'Meterpreter' session is running in a 32-bit process. This will be a bigger problem further down, in the privilege escalation portion.
After getting our session started we can run 'ls' to list the contents of the current directory. We find the file 'user.txt.txt', completing our 'User flag' portion:
Use the 'cat' command to view and then copy the hash in 'user.txt.txt'.
Next we will continue with this machine and do the privilege escalation exploit. I will talk about the importance of having the 'Meterpreter' session (with payloads) in a 64-bit process rather than a 32-bit process.