Hackthebox Walkthrough — Arctic
I have been taking the PWK courses and preparing for the OSCP exam recently, and I got a lot of inspiration from many Hackthebox machines besides the PWK labs. So I decided to start writing walkthroughs of some retired Hackthebox machines (inspired by hackingarticles, infosec, ippsec’s YouTube videos, etc.; thanks for all of these amazing penetration testing materials!)
Target: 10.10.10.11
Local IP: 10.10.14.9
Nmap Enumeration:
First we run an nmap scan to see which ports are open.
Nmap reveals Windows RPC and an unknown service running on port 8500.
Browse to the page at 10.10.10.11:8500 (wait about 20 seconds for the page to load).
We get two directories.
Browse to /CFIDE/, go to administrator/, and we get a ColdFusion login page.
Google a little for Adobe ColdFusion 8 CVEs,
and we find this directory traversal exploit.
Try it against the site and we get an encrypted login password.
Decrypt the password to get the login credentials.
The password is happyday.
Log in with the password, and now let’s work on uploading a reverse shell.
Choose Scheduled Tasks under Debugging and logging.
Create our Java reverse payload with msfvenom and name it reverseshell.jsp.
Let’s transfer this shell to the target system.
Give it the path C:\ColdFusion8\wwwroot\CFIDE\reverseshell.jsp.
Use Metasploit to catch the reverse connection when this scheduled task executes.
Since this doesn’t work well for me, I decide to use another ColdFusion exploit to upload the payload,
with this ColdFusion 8.0.1 arbitrary file upload CVE.
Save the Python script as exploit.py and upload our JSP shell.
Browse to the file location and we get a reverse shell back on netcat.
Grab our first flag, user.txt!
Let’s upgrade this netcat shell to a meterpreter session and work on privilege escalation.
Use post/multi/recon/local_exploit_suggester.
Let’s try the privilege escalation module exploit/windows/local/ms10_092_schelevator,
and we get another meterpreter session.
We are NT AUTHORITY\SYSTEM now! Let’s grab the root.txt flag.
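Seen from the defender's side, the two web-facing steps above (the directory traversal against /CFIDE/administrator/ and the JSP file placed under CFIDE) both leave traces in the web access log. The following is an added example, not part of the original walkthrough: a small detector that assumes Common Log Format lines; the sample lines, the `item` parameter and `placeholder.txt` are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request portion of a Common Log Format line (the log format is an assumption).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3}')

# Constructed sample lines; parameter and file names are placeholders.
SAMPLE_LOG = [
    '10.10.14.9 - - [01/Jan/2020:10:00:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 1024',
    '10.10.14.9 - - [01/Jan/2020:10:01:00 +0000] "GET /CFIDE/administrator/index.cfm?item=..%2f..%2fplaceholder.txt HTTP/1.1" 200 512',
    '10.10.14.9 - - [01/Jan/2020:10:02:00 +0000] "GET /CFIDE/administrator/index.cfm?item=%252e%252e%252fplaceholder.txt HTTP/1.1" 200 512',
    '10.10.14.9 - - [01/Jan/2020:10:05:00 +0000] "GET /CFIDE/reverseshell.jsp HTTP/1.1" 200 0',
    '10.10.14.9 - - [01/Jan/2020:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 300',
]

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value

def classify(line):
    """Return the list of findings for one access-log line (empty if none)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    path = decode_fully(parts.path).replace("\\", "/").lower()
    query = decode_fully(parts.query).replace("\\", "/").lower()
    if not path.startswith("/cfide/"):
        return []
    findings = []
    # Parent-directory sequences in parameters sent to CFIDE pages.
    if "../" in query:
        findings.append("traversal-in-query")
    # Assumption for this rule: the stock CFIDE tree is served as .cfm pages,
    # so any .jsp requested under it deserves review.
    if path.endswith(".jsp"):
        findings.append("jsp-under-cfide")
    return findings

def scan(lines):
    """Return (line_number, findings) for each suspicious line."""
    results = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, found) for n, found in results if found]
```

Running `scan(SAMPLE_LOG)` flags lines 2 to 4; on a real server the same rules pair well with file-integrity monitoring of the wwwroot\CFIDE directory.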