HTB Writeups

Optimum

Personal Rating: Easy


Last updated 1 year ago

Enumeration

sudo nmap -A <IP>

nmap: PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
<SNIP>

There is an HTML login at view-source:

HFS RCE

There seems to be an RCE for the tool HFS 2.3 that is running on the server. I found a Python PoC (CVE-2014-6287).

rejetto_hfs_exec

Credential Pillaging

There is a file called hfs.exe in the user folder.

I ran LaZagne on the host to find credentials:

╔══════════╣ RDP Sessions
    SessID    pSessionName   pUserName      pDomainName              State     SourceIP
    1         Console        kostas         OPTIMUM                  Active    

Logon Id:                     223667

╔══════════╣ Looking for AutoLogon credentials
   Some AutoLogon credentials were found
    DefaultUserName               :  kostas
    DefaultPassword               :  kdeEjDowkS*

╔══════════╣ Enumerating Security Packages Credentials
  Version: NetNTLMv2
  Hash:    kostas::OPTIMUM:1122334455667788:9ff31d29534077ed01593e0b36129655:0101000000000000b6a223a7954cd90162427ab7f97a15d500000000080030003000000000000000000000000020000059e3276229747c33b040dbd9582ed5fc450d68281352578d738581afeeabf1650a00100000000000000000000000000000000000090000000000000000000000

This could also have been done with other scripts, or with manual enumeration in PowerShell, for example, if you needed to be stealthier or live off the land (LOL).
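
The AutoLogon finding above, seen from the defender's side: an added example (not part of the original writeup or of any tool it used) that audits Winlogon for a stored plaintext DefaultPassword and reports the exposure without printing the value. The names Get-AutoLogonExposure and Get-PropertyOrNull are hypothetical; the registry paths are the standard Winlogon locations.

```powershell
# Added example: audit Winlogon for stored AutoLogon credentials.
# Reports whether a plaintext DefaultPassword exists; never prints its value.

function Get-PropertyOrNull($Object, [string]$Name) {
    # Safe lookup: returns $null when the registry value is absent.
    $prop = $Object.PSObject.Properties[$Name]
    if ($prop) { $prop.Value } else { $null }
}

function Get-AutoLogonExposure {
    [CmdletBinding()]
    param(
        # Native and 32-bit registry views; the second exists only on 64-bit Windows.
        [string[]]$Path = @(
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
        )
    )
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $key = Get-ItemProperty -LiteralPath $p -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }

        $password = Get-PropertyOrNull $key 'DefaultPassword'
        [pscustomobject]@{
            Path              = $p
            AutoAdminLogon    = Get-PropertyOrNull $key 'AutoAdminLogon'
            DefaultUserName   = Get-PropertyOrNull $key 'DefaultUserName'
            DefaultDomainName = Get-PropertyOrNull $key 'DefaultDomainName'
            # True when a non-empty password is readable in the registry.
            PlaintextPassword = -not [string]::IsNullOrEmpty($password)
        }
    }
}

$findings = @(Get-AutoLogonExposure)
$findings | Format-Table -AutoSize

$exposed = @($findings | Where-Object { $_.PlaintextPassword })
if ($exposed.Count -gt 0) {
    Write-Warning ("Plaintext AutoLogon password stored under {0} key(s). " -f $exposed.Count +
        "Remove DefaultPassword, or configure logon with Sysinternals Autologon, " +
        "which stores the password as an LSA secret instead.")
}
```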

Basic Privesc

For the hfs executable, I found there was a privesc called ms16_032_secondary_logon_handle_privesc, which I found after running a local exploit suggester.

http://10.10.10.8/~login
HFS (HTTP File Server) 2.3.x - Remote Command Execution (3) (Exploit Database)
Privilege Escalation with Autoruns (HackTricks)