Optimum — HTB walkthrough
Kernel exploit
Visiting the target in a web browser, we see:
Looking at the page source, the server info identifies it as a Rejetto server.
Searching for an exploit, we get:
Rejetto HTTP File Server (HFS) 2.3.x — Remote Command Execution (2)
Vulnerability: the regex parsing in the file ParseLib.pas cannot handle a null byte and, instead of parsing the input, executes the macro.
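A defender-side view of the flaw described above, as an added example that is not part of the original walkthrough or of the HFS project: a log scan that flags requests carrying a null byte (including a double-encoded one) or HFS macro syntax. The `{.` ... `.}` delimiters are HFS's template macro syntax; the log lines, the `q` parameter and the placeholder macro names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the original page).
SAMPLE_LOG = """\
10.10.14.5 - - [12/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 4120
10.10.14.5 - - [12/Mar/2024:10:01:09 +0000] "GET /?q=report HTTP/1.1" 200 3981
10.10.14.5 - - [12/Mar/2024:10:02:40 +0000] "GET /?q=%00{.PLACEHOLDER_MACRO.} HTTP/1.1" 200 3977
10.10.14.9 - - [12/Mar/2024:10:03:11 +0000] "GET /docs/a%2500b.txt HTTP/1.1" 404 210
10.10.14.9 - - [12/Mar/2024:10:03:15 +0000] "GET /?q=%7B.PLACEHOLDER.%7D HTTP/1.1" 200 3977
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')
MACRO_RE = re.compile(r"\{\.[^{}]*\.\}")  # HFS macro delimiters {. ... .}

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded bytes (%2500) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return the suspicious traits found in one request target."""
    decoded = fully_decode(target)
    findings = []
    if "\x00" in decoded:
        findings.append("null-byte")
    if MACRO_RE.search(decoded):
        findings.append("macro-syntax")
    return findings

def scan(log_text):
    """Return (source_ip, raw_target, findings) for every flagged request."""
    alerts = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        source_ip, target = match.groups()
        findings = classify(target)
        if findings:
            alerts.append((source_ip, target, findings))
    return alerts

if __name__ == "__main__":
    for source_ip, target, findings in scan(SAMPLE_LOG):
        print(f"{source_ip} {'+'.join(findings):<24} {target}")
```

A request that shows both traits together is the strongest signal; a null byte alone in a request to a file server is already worth reviewing.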
Exploit
Link: https://www.exploit-db.com/exploits/39161
What this exploit does: the attacker machine hosts nc.exe (a vulnerable macro) on a server at port 80.
The target machine connects to nc.exe and gives you a reverse shell on the host and port you specified in the exploit.
How to perform exploit
1) Locate nc.exe, copy it to your current working directory, and host a server on port 80.
Now download the exploit from the link mentioned above, and change the local host IP and port in the Python file to your IP and the port your netcat listener is on.
In exploit.py:
On your machine: nc -lvp 443
Then run the script
And on netcat you see
Enumerating
After enumerating a lot, I finally ran exploit suggester and found:
Microsoft Windows 8.1 (x64) — ‘RGNOBJ’ Integer Overflow (MS16-098)
ROOTED !!!