HackTheBox Arctic walkthrough


Starting with nmap

Only three ports are open. On browsing http://10.10.10.11:8500, we see two directories. These two folders indicate ColdFusion.

hackthebox – coldfusion

http://10.10.10.11:8500/CFIDE/administrator reveals the following page:

hackthebox – coldfusion 8 administrator login page

ColdFusion 6-10 is vulnerable to an LFI attack. From the above screenshot, we know the CF version is 8. We will use the following, as suggested here.

http://10.10.10.11/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en

hackthebox – coldfusion 8 LFI

From above we got

Cracking the hash with john quickly reveals that the password is happyday.
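For defenders, the locale request used above leaves a recognizable trace in web-server access logs. The following added example (not from the original post) flags requests to enter.cfm whose locale parameter contains traversal sequences or a null byte; the log lines are constructed, and the log format and the shape of a legitimate locale value are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (combined-log style, documentation addresses).
SAMPLE_LOG = r'''
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%5C..%5C..%5CColdFusion8%5Clib%5Cpassword.properties%00en HTTP/1.1" 200 901
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /CFIDE/administrator/enter.cfm?locale=%252e%252e%252f%252e%252e%252fx%2500en HTTP/1.1" 200 0
192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /index.cfm?locale=..%5Cfoo HTTP/1.1" 404 0
'''

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
ADMIN_PAGE = re.compile(r"/CFIDE/administrator/enter\.cfm$", re.I)
TRAVERSAL = re.compile(r"\.\.[\\/]")
# Assumption: a legitimate locale value looks like "en" or "en_US".
LOCALE_OK = re.compile(r"[A-Za-z]{2,3}(?:[_-][A-Za-z]{2})?")


def suspicious_locale(url):
    """Return the reasons a request's locale parameter looks like the LFI above."""
    parts = urlsplit(url)
    if not ADMIN_PAGE.search(parts.path):
        return []
    reasons = []
    for value in parse_qs(parts.query, keep_blank_values=True).get("locale", []):
        decoded = unquote(value)  # second decode pass catches double encoding
        if TRAVERSAL.search(decoded):
            reasons.append("path traversal sequence")
        if "\x00" in decoded:
            reasons.append("null byte")
        if not LOCALE_OK.fullmatch(decoded):
            reasons.append("unexpected locale format")
    return reasons


def scan(log_text):
    """Return (line number, client address, reasons) for each suspicious request."""
    hits = []
    for number, line in enumerate(log_text.strip().splitlines(), 1):
        match = REQUEST.search(line)
        reasons = suspicious_locale(match.group(1)) if match else []
        if reasons:
            hits.append((number, line.split()[0], reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```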

Now we can log in as user admin with the above password.

From the left-hand side, click on “Settings Summary”; you will see the full path of /CFIDE.

hackthebox – coldfusion 8 /CFIDE fullpath

Also from the left-hand side, we can click on “Scheduled Tasks” to download our payload and execute it.

hackthebox – arctic – upload jsp shell

The main thing to keep in mind here is that we need to set up an HTTP server and serve cmdjsp.jsp, which can be found in Kali by default.

Save by clicking Submit and run by clicking the green action button.

hackthebox – jsp shell

Our task will run, and now that the file has been saved in the /CFIDE path, we can execute it by clicking it.

hackthebox – shell

As we can see, we can now run commands and do whatever we want. Let's get a shell.

Run the following on the box.

Don’t forget to set the listener.

Run the systeminfo command and save its output to a file, sysinfo.txt. Then run windows-exploit-suggester.py.

We got a few priv esc suggestions. The others didn’t work for me. Only MS10-059 worked. Download it from here.

Set up another listener.

Download MS10-059 and run it.

We got a shell with high privilege.

We can now read the flags:

