Phase-II: gaining access to the target

After completing the scanning stage, we know we have a single IP address, that is,

192.168.10.111, running HFS 2.3 file server and IIS 8.5 web services.

The IIS 8.5 server is not known to have any severe vulnerabilities which may lead to the compromise of the entire system. Therefore, let us try finding an exploit for the HFS server. Metasploit offers a search command to search within modules. Let's find a matching module:

We can see that issuing the search HFS command, Metasploit found two matching modules. We can simply skip the first one as it doesn't correspond to the HFS server. Let's use the second one, as shown in the preceding screenshot. Next, we only need to set a few of the following options for the exploit module along with the payload:

Let's set the values for RHOST to 192.168.10.111, RPORT to 8080, payload to windows/meterpreter/reverse_tcp, SRVHOST to the IP address of our system, and LHOST to the IP address of our system. Setting the values, we can just issue the exploit command to send the exploit to the target, as shown in the following screenshot:

Yes! A meterpreter session opened! We have successfully gained access to the target machine. The HFS is vulnerable to remote command execution attack due to a poor regex in the file ParserLib.pas, and the exploit module exploits the HFS scripting commands by using %00 to bypass the filtering.