This series will follow my exercises in HackTheBox. All published writeups are for retired HTB machines. Whether or not I use Metasploit to pwn the server will be indicated in the title.

Optimum

Difficulty: Easy

Machine IP: 10.10.10.8

As always, I start enumeration with AutoRecon.

I see a web server is up at TCP/80. By looking at WhatWeb's results, I see that it is an HFS server running version 2.3.

I run HFS through searchsploit and come back with several exploits.

I decide to look at exploits/windows/remote/39161.py - remote code execution would be nice.

I need to set up netcat to listen on a local port, edit the exploit to update my local host and port, and set up an nc.exe executable on a local web server for the exploit to run on the target machine. I grab an .exe version of netcat and start my local Apache server.

I start netcat:

I modify a copy of the exploit script to set it to my IP and my netcat listener's port:

And I execute the exploit.

Success! I have a user shell.

Let's grab the user flag and move to escalate our privileges.

Now I enumerated a number of services and network and system settings, but I wasn't sure what to do. I'm new to this. I opted to get a user shell through Metasploit so I could take advantage of it's local_exploit_suggestor module to figure out how to escalate my privilege.

I search Metasploit for "HFS" modules and do not find anything. Maybe it was because I mis-typed 'HFS' as 'HSF.' However, I remember that the searchsploit title of my RCE exploit was "Rejetto HTTP File Server..." I look for "rejetto" modules. Success.

I run the module and get a user shell.

Now I background the meterpreter session, as I already have the user flag, and run the local_exploit_suggestor module for privilege escalation options.

There are 2 results. I know from my previous enumeration that the kostas user is not in the Administrators group, so the first module will not work. I try the second:

And get a root shell.

Now I can grab my root flag: