
Ari Kalfus


Writeup: HackTheBox Optimum - with Metasploit

This series will follow my exercises in HackTheBox. All published writeups are for retired HTB machines. Whether or not I use Metasploit to pwn the server will be indicated in the title.


Difficulty: Easy

Machine IP:

As always, I start enumeration with AutoRecon.


I see a web server is up at TCP/80. By looking at WhatWeb's results, I see that it is an HFS server running version 2.3.
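The same fingerprint can be turned into a defender-side inventory check. The following is an added example, not code from the original post or from any tool it mentions: it parses the `Server` header HFS returns (assumed here to look like `Server: HFS 2.3b`), flags the 2.3x releases before 2.3c (the range the remote code execution advisory covers), and triages constructed sample responses into hosts that need patching.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample HTTP response headers (made-up hosts and responses for
# this example): two HFS instances and one non-HFS server.
SAMPLE_RESPONSES = {
    "10.0.0.5:80":   "HTTP/1.1 200 OK\r\nServer: HFS 2.3\r\nContent-Type: text/html\r\n\r\n",
    "10.0.0.6:8080": "HTTP/1.1 200 OK\r\nServer: HFS 2.3c\r\nContent-Type: text/html\r\n\r\n",
    "10.0.0.7:80":   "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\n\r\n",
}

# Assumed header format: "Server: HFS <major>.<minor><optional letter>".
_HFS_SERVER = re.compile(
    r"^Server:\s*HFS\s+(\d+)\.(\d+)([a-z]?)\s*$", re.IGNORECASE | re.MULTILINE
)


def parse_hfs_version(raw_headers: str) -> Optional[Tuple[int, int, str]]:
    """Return (major, minor, suffix) from an HFS Server header, or None if not HFS."""
    m = _HFS_SERVER.search(raw_headers)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3).lower()


def is_affected_hfs(version: Tuple[int, int, str]) -> bool:
    """True for the 2.3x line before 2.3c; the empty suffix (plain 2.3) sorts before 'c'."""
    major, minor, suffix = version
    return (major, minor) == (2, 3) and suffix < "c"


def triage(responses: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patch', 'ok' or 'not-hfs' so findings can be ticketed."""
    result = {}
    for host, raw in responses.items():
        version = parse_hfs_version(raw)
        if version is None:
            result[host] = "not-hfs"
        elif is_affected_hfs(version):
            result[host] = "patch"
        else:
            result[host] = "ok"
    return result


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_RESPONSES).items():
        print(f"{host}: {verdict}")
```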


I run HFS through searchsploit and come back with several exploits.


I decide to look at exploits/windows/remote/ - remote code execution would be nice.


I need to set up netcat to listen on a local port, edit the exploit to update my local host and port, and host an nc.exe executable on a local web server so the exploit can fetch and run it on the target machine. I grab an .exe version of netcat and start my local Apache server.


I start netcat:


I modify a copy of the exploit script to set it to my IP and my netcat listener's port:


And I execute the exploit.


Success! I have a user shell.


Let's grab the user flag and move to escalate our privileges.


I then enumerated a number of services and network and system settings, but I wasn't sure what to do. I'm new to this. I opted to get a user shell through Metasploit so I could take advantage of its local_exploit_suggester module to figure out how to escalate my privileges.

I search Metasploit for "HFS" modules and do not find anything. Maybe it was because I mis-typed 'HFS' as 'HSF.' However, I remember that the searchsploit title of my RCE exploit was "Rejetto HTTP File Server..." I look for "rejetto" modules. Success.


I run the module and get a user shell.


Now I background the meterpreter session, as I already have the user flag, and run the local_exploit_suggester module for privilege escalation options.


There are two results. I know from my previous enumeration that the kostas user is not in the Administrators group, so the first module will not work. I try the second:


And get a root shell.


Now I can grab my root flag:

