OSCP PREPROTİONS – HTB Artic

Artic machine is a vulnerable machine with Windows operating system among retired machines and it is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Classic scan

Full port scan

As a result of port scanning, 135/tcp msrpc Microsoft Windows RPC, 8500/tcp fmtp?, 49154/tcp ports were found to be open.
Let’s provide enumeration on the 8500 fmtp port, we go here via browser

We encountered two directories in CFIDE cfdocs.
We have enumerated the directories. We continue with the administrator/ directory on the CFIDE/ directory.

Here we encounter the ColdFusion admin panel.

Here we tried default passwords, we tried the generally used passwords, but we were not successful. We investigated whether there is a vulnerability related to this.

We download and modify this code and then run it

After making the arrangements here, we run our code.

That’s how we bought shell.

But when I try to go to the administrator directory it won’t let me. Therefore I provide local enumeration.

With the systeminfo information I obtained, I query the Windows-Exploit-Suggester tool to see if there is a vulnerability or not.

Again we found a few vulnerabilities, the most useful for privilege escalation are kernel vulnerabilities. I’ll start with these
Ms10-059 vulnerability kernel vulnerability, let’s see if there is a googlda github exploit

We download this tool from Github.
Then transfer it to the target machine with smbshrae.py.

We transferred Chimichurri.exe to the target machine.
We then tried to run this tool

Chimichurri.exe ipaddress port usage was like this. So we opened revershell in the back and listened.

In this way, we got the shell, when we checked the shell authorizations, we saw that it was in the systeö user, so we got our root flag.