Optimum
13 Dec 2020

I used nmap to do initial port discovery.
The only port open on the host is port 80 (HTTP). There seems to be an HttpFileServer running, so I'll verify this by visiting the page in the web browser.
The first thing I like to look for is any known vulnerabilities if there is any kind of file sharing system running. Using searchsploit I'll look for just that.
Immediately I see there are several vulnerabilities listed. Looking at the ones available, the Remote Code Execution one seems to be well documented, so I'll try that out first.
Reading through the source code I see the script is using the %00{.+”
In order for this script to work properly I need to have nc.exe hosted on port 80.
After running the script I check my listener and see a reverse shell running as the kosta user account.
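The HFS null-byte macro injection used above, seen from the defending side. This is an added example, not code from the original writeup or from HFS: it scans constructed Common Log Format access-log lines for a request path that, after percent-decoding (including double-encoded variants), contains a null byte immediately followed by the HFS macro opener `{.`. The IPs, timestamps and log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not real traffic).
# Lines 2 and 3 carry the HFS null-byte macro injection (line 3 double-encoded);
# lines 1, 4 and 5 are benign, including one that has "{." but no null byte.
SAMPLE_LOG = """\
10.10.14.5 - - [13/Dec/2020:10:01:02 +0000] "GET / HTTP/1.1" 200 1837
10.10.14.5 - - [13/Dec/2020:10:01:09 +0000] "GET /?search=%00{.exec|cmd.exe.} HTTP/1.1" 200 0
10.10.14.5 - - [13/Dec/2020:10:01:20 +0000] "GET /?search=%2500%7B.exec%7Ccmd.exe.%7D HTTP/1.1" 200 0
10.10.14.6 - - [13/Dec/2020:10:02:15 +0000] "GET /?search=hello%20world HTTP/1.1" 200 512
10.10.14.6 - - [13/Dec/2020:10:03:00 +0000] "GET /?search=%7B.notes.%7D HTTP/1.1" 200 512
"""

# Minimal Common Log Format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signature: a literal NUL byte followed by the HFS macro opener "{.".
# The NUL is what lets the macro bypass HFS's filtering of "{." in searches.
INJECT_RE = re.compile(r'\x00\{\.')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_hfs_injection(log_text):
    """Return one dict per request whose decoded path matches the signature."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        if INJECT_RE.search(decode_fully(m.group("path"))):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "path": m.group("path")})
    return hits


if __name__ == "__main__":
    for hit in find_hfs_injection(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']}")
```

Matching on the decoded null byte rather than on the literal string `%00` is what catches the double-encoded variant; a plain `{.` without the null byte is not flagged.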
Right away I run systeminfo to get a sense of what I’m working with on this machine.
Back on my machine I put the results of the systeminfo through windows-exploit-suggester to get a list of possible kernel exploits.
Cross-referencing them with the pre-compiled executables from SecWiki, I have a list of possible exploits to use.
In order to use these I first need to be able to transfer files from my machine to the victim machine.
Back on the victim machine I verify that PowerShell is installed.
Using PowerShell I can grab the exploit, MS16-098, that I am hosting on port 8000.
Running the exploit, I verify that I am now SYSTEM.