HackTheBox: Optimum - Writeup
04/05/2019 17:54
HackTheBox: Optimum was a fairly easy machine which involved exploiting CVEs to get a reverse shell and system privileges.
I first started by doing a port scan of Optimum (10.10.10.8).
The port scan reveals that only one port is open (port 80). It also displays several pieces of useful information, including the version of the web server, which can be checked for a CVE.
A quick look at the website shows that it is a web server for browsing files. The version is displayed as
HttpFileServer 2.3, confirming the version which was also shown in the nmap scan.
searchsploit is used to search for a vulnerability in this version, and one is found for
hfs which is remote command execution (RCE);
this can be used to get a reverse shell on the web server. The exploit is in Metasploit, which is booted up, and the exploit is
The user is then found easily. However, the shell does not have root privileges, which means further enumeration of the system has to be conducted to get system access.
3.1 Post Exploitation
The first thing to check is the system information, including architecture, operating system and versions. This can be done by running the command
systeminfo. In addition, look around the file system to
check what files are there. A Windows local exploit finder can be used to gather possible vulnerabilities
that the system contains.
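A patch-audit view of the same systeminfo output, as an added example that is not part of the original writeup: it parses the OS, architecture and installed hotfix list and reports which required updates are absent. The sample output, host name and KB ids are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample of `systeminfo` output (not taken from the target in this writeup).
SAMPLE = """\
Host Name:                 WEB01
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
"""

def parse_systeminfo(text):
    """Return {field: value} plus a 'hotfixes' list from systeminfo text."""
    info, hotfixes, current = {}, [], None
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*):\s*(.*)$", line)
        if m:  # a top-level "Field:   value" line starts at column 0
            current = m.group(1).strip()
            info[current] = m.group(2).strip()
            continue
        # Indented "[NN]: value" rows belong to the most recent field.
        m = re.match(r"^\s+\[\d+\]:\s*(KB\d+)\s*$", line)
        if m and current == "Hotfix(s)":
            hotfixes.append(m.group(1))
    info["hotfixes"] = hotfixes
    return info

def missing_hotfixes(info, required):
    """Required KB ids that do not appear in the installed hotfix list."""
    installed = set(info["hotfixes"])
    return [kb for kb in required if kb not in installed]

def audit(text, required):
    """Summarise OS, version, architecture and missing required hotfixes."""
    info = parse_systeminfo(text)
    return {
        "os": info.get("OS Name"),
        "version": info.get("OS Version"),
        "arch": info.get("System Type"),
        "missing": missing_hotfixes(info, required),
    }

if __name__ == "__main__":
    # KB9999999 is a placeholder id; use the KBs from your own patch baseline.
    print(audit(SAMPLE, ["KB0000002", "KB9999999"]))
```

Run against saved systeminfo output from each host, this gives a quick list of machines that are behind the patch baseline.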
Sherlock is a PowerShell script which searches for possible vulnerabilities locally. Sherlock is downloaded from the
Once downloaded, I then uploaded the PowerShell script to the target using
meterpreter's upload command.
Success, the PowerShell script was uploaded.
3.2 Post Exploitation - Running Sherlock
The PowerShell script is executed by doing:
Several vulnerabilities are found with Sherlock after running the script. The exploits
did not work for me, even after some changes to the code. However, after looking through the output of the script,
I found it is also vulnerable to the
MS16-098 exploit, which works! Searching for the exploit on Google, the exploit is
then downloaded and ready for transfer onto the target.
The exploit is uploaded and the privileges are escalated. Then by navigating to the
directory, the root flag is found!