DEV Community


Writeup: HackTheBox Optimum - with Metasploit

artis3n profile image Ari Kalfus Originally published at on ・3 min read

This series will follow my exercises in HackTheBox. All published writeups are for retired HTB machines. Whether or not I use Metasploit to pwn the server will be indicated in the title.


Difficulty: Easy

Machine IP:

As always, I start enumeration with AutoRecon.


I see a web server is up at TCP/80. By looking at WhatWeb's results, I see that it is an HFS server running version 2.3.


I run HFS through searchsploit and come back with several exploits.


I decide to look at exploits/windows/remote/ - remote code execution would be nice.


I need to set up netcat to listen on a local port, edit the exploit to update my local host and port, and set up an nc.exe executable on a local web server for the exploit to run on the target machine. I grab an .exe version of netcat and start my local Apache server.


I start netcat:


I modify a copy of the exploit script to set it to my IP and my netcat listener's port:


And I execute the exploit.


Success! I have a user shell.


Let's grab the user flag and move to escalate our privileges.


Now I enumerated a number of services and network and system settings, but I wasn't sure what to do. I'm new to this. I opted to get a user shell through Metasploit so I could take advantage of it's local_exploit_suggestor module to figure out how to escalate my privilege.

I search Metasploit for "HFS" modules and do not find anything. Maybe it was because I mis-typed 'HFS' as 'HSF.' However, I remember that the searchsploit title of my RCE exploit was "Rejetto HTTP File Server..." I look for "rejetto" modules. Success.


I run the module and get a user shell.


Now I background the meterpreter session, as I already have the user flag, and run the local_exploit_suggestor module for privilege escalation options.


There are 2 results. I know from my previous enumeration that the kostas user is not in the Administrators group, so the first module will not work. I try the second:


And get a root shell.


Now I can grab my root flag:


Discussion (0)

Editor guide