HackTheBox Optimum - with Metasploit

Ari Kalfus | Feb 16, 2020

This series will follow my exercises in HackTheBox. All published writeups are for retired HTB machines. Whether or not I use Metasploit to pwn the server will be indicated in the title.


Difficulty: Easy

Machine IP:

As always, I start enumeration with AutoRecon.

autorecon results

I see a web server is up at TCP/80. WhatWeb's results show that it is Rejetto's HttpFileServer (HFS) running version 2.3.

whatweb results

I run HFS through searchsploit and come back with several exploits.

searchsploit hfs

I decide to look at exploits/windows/remote/39161.py; remote code execution would be nice.

hfs rce code

The exploit needs three things from my side: a netcat listener on a local port, my local host and port edited into the script, and an nc.exe hosted on a local web server for the exploit to fetch and run on the target machine. I grab a Windows build of netcat and start my local Apache server.

apache local

I start netcat:

netcat listening

I modify a copy of the exploit script to set it to my IP and my netcat listener’s port:

rce modified

And I execute the exploit.

rce run

Success! I have a user shell.

user shell

Let’s grab the user flag and move to escalate our privileges.

user flag

I then enumerated a number of services and network and system settings, but I wasn't sure what to do. I'm new to this. I opted to get a user shell through Metasploit so I could take advantage of its local_exploit_suggester module to figure out how to escalate my privileges.

I search Metasploit for "HFS" modules and do not find anything. Maybe it was because I mistyped "HFS" as "HSF". However, I remember that the searchsploit title of my RCE exploit was "Rejetto HTTP File Server…", so I search for "rejetto" modules instead. Success.

rejetto msf

I run the module and get a user shell.

msf user shell

Now I background the meterpreter session, as I already have the user flag, and run the local_exploit_suggester module for privilege escalation options.

local privesc suggester

There are two results. I know from my previous enumeration that the kostas user is not in the Administrators group, so the first module will not work. I try the second:

local privesc options

And get a root shell.

root shell

Now I can grab my root flag:

root flag