11 April 2021

Pentesting Fun Stuff

following the cyber security path…



This write-up is not public because of the restrictions given by the HTB team.

Getting Started

I start with a nmap scan to see which ports are open en what services are running on them.

When I take a look at the webserver it runs Http File Server version 2.3. According to exploit-db there is a metasploit exploit available. It seems that Rejetto HttpFileServer (HFS) is vulnerable to remote command execution attack due to a poor regex in the file ParserLib.pas. This module exploit the HFS scripting commands by using ‘%00’ to bypass the filtering. This module has been tested successfully on HFS 2.3b over Windows XP SP3, Windows 7 SP1 and Windows 8.
Time to load up msfconsole and get the right exploit module.

Moving onward.

And there is the hash to show I own the user. Now for owning the system.

After a quick look at exploit-db there is an interesting exploit which I try next. But the architecture of my meterpreter shell is wrong. So first I need to migrate the process.
Because I now have migrated my meterpreter session into a process that isn’t likely to be shutdown, I can get some recon on the system and try to get elevated rights. For this I use winsploit. To get this to work I copy the systeminfo from the windows machine to a local file. And from there I run the program.

There are a lot of false-positives, but because I know what version is running I can narrow my search.

Lets check exploit-db for the exploit.

That’s not good. Let’s check the exploit.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.