This writeup is for one of the Retired boxes on HackTheBox called Arctic.
I started with Nmap, UDP Proto Scanner, Nikto and Dirbuster. Starting with Nmap we have
nmap -sSV -A -T4 10.10.10.11
Based on the results, I went first to check if there was any Metasploit module to use on port 135 (msrpc). MSRPC is the Microsoft Remote Procedure Call and there is a well known exploit on Metasploit for it, MS03_026_DCOM -
exploit/windows/dcerpc/ms03_026_dcom - but it's for Windows NT/2000/XP/2003.
So, I then moved on to port 8500. Accessing port 8500 there is a ColdFusion 8 Application. At the time, I had not played with a ColdFusion App before, so I went to look for information on how to exploit it.
ColdFusion is a web application development platform. The programming language used with that platform is also commonly called ColdFusion, but its correct name is ColdFusion Markup Language (CFML). So, ColdFusion handles CFML pages.
At the time there was only one ColdFusion exploit in Metasploit for version 8, but there was no success.
1. Directory Traversal in http://[HOSTNAME:PORT]/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%en
2. Brute Force password in http://10.10.10.11:8500/CFIDE/componentutils/login.cfm?
But the ColdFusion 8 FCKeditor exploit was stuck in my mind and I couldn't believe why it wasn't working. As a result, I decided to take another look at it and try to figure out the reasons why the exploit was not working.
So, there are three ways to check what's going wrong with your Metasploit exploit: set VERBOSE true, Wireshark and Burp Suite.
The first one didn't help at all. I used set VERBOSE true but Metasploit didn't give me any extra information. However, I was able to find out what's wrong using Wireshark first and then with Burp Suite.
1. Fire Wireshark and monitor your traffic in tun0
2. Set your exploit in Metasploit, as shown in the Image above
3. Hit exploit and watch the traffic in Wireshark
Focus on the 2 HTTP Packets, the first one is our Request (payload) and the second is the Response, which gives a 200. Now, go on and right click on the HTTP Response, Follow -> HTTP Stream, in order to see what's going on.
So, we do get a 200 HTTP Response saying that our shell is uploaded but the path is a bit weird, /userfiles/file/FAOX.jsp/EQ0JQKNF.txt instead of userfiles/file/FAOX.jsp. So, what will happen if I access userfiles/file/FAOX.jsp - is my shell going to be executed?
I fired a terminal using
nc -lvp 1233 and accessed
Boom reverse shell and user flag!!
You could also intercept the request and check what's going on using Burp Suite too.
1. In Metasploit set the RHOST as 127.0.0.1 and RPORT as 8500 (Image 1)
2. Open Burp Suite and go to Intercept - Options - Proxy Listeners - Add - Loopback only and Bind to Port 8500 (Image 2)
3. Then go to the next Tab (Request Handling) - Redirect to Host - Redirect to Port and enter 10.10.10.11:8500 (Image 3)
So, what we are doing here is sending our request to 127.0.0.1:8500 and then redirecting it to 10.10.10.11:8500. As a result, we can intercept the request from Metasploit, modify it, forward it and check the response.
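Seen from the server side, the requests described above leave recognisable traces in the web access log. The following is an added example, not part of the original writeup: it flags the locale traversal on enter.cfm, repeated logins on componentutils/login.cfm, and script files under /userfiles/file/. The log format, the sample lines, the source addresses and the threshold of 5 are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Common-log-format request line: source, method, target, status (format is assumed).
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# A script extension on any path segment below the upload directory,
# covering both /userfiles/file/X.jsp and /userfiles/file/X.jsp/Y.txt.
SCRIPT_IN_UPLOADS = re.compile(r"/userfiles/file/.*\.(jsp|jspx|cfm|cfml|cfc)(/|$)", re.I)
TRAVERSAL = re.compile(r"\.\.[\\/]")
LOGIN_THRESHOLD = 5  # assumed cut-off for "too many" login POSTs per source

def analyze(log_text, threshold=LOGIN_THRESHOLD):
    """Return (rule, source, detail) tuples for suspicious requests."""
    findings, logins = [], Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not request entries
        src, method, target, _status = m.groups()
        parts = urlsplit(target)
        path = unquote(parts.path)
        if path.lower() == "/cfide/administrator/enter.cfm":
            for value in parse_qs(parts.query).get("locale", []):
                if TRAVERSAL.search(value):  # locale should be a short language code
                    findings.append(("locale-traversal", src, target))
        if SCRIPT_IN_UPLOADS.search(path):
            findings.append(("script-in-upload-dir", src, target))
        if method == "POST" and path.lower() == "/cfide/componentutils/login.cfm":
            logins[src] += 1
    findings.extend(("login-bruteforce", s, f"{n} POSTs")
                    for s, n in logins.items() if n >= threshold)
    return findings

# Constructed sample log (documentation-range addresses, not from the original page).
FMT = '{ip} - - [01/Jan/2024:10:00:00 +0000] "{req} HTTP/1.1" 200 0'
SAMPLE_LOG = "\n".join(
    [FMT.format(ip="192.0.2.10", req=r) for r in (
        "GET /CFIDE/administrator/enter.cfm?locale=..%5C..%5CColdFusion8%5Clib%5Cpassword.properties%en",
        "GET /userfiles/file/FAOX.jsp")]
    + [FMT.format(ip="192.0.2.10", req="POST /CFIDE/componentutils/login.cfm")] * 6
    + [FMT.format(ip="198.51.100.7", req=r) for r in (
        "GET /CFIDE/administrator/enter.cfm?locale=en",
        "POST /CFIDE/componentutils/login.cfm",
        "GET /userfiles/file/report.pdf")])

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```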
So now we have a reverse shell as user tolis, how do we go from that to Admin?
First of all, I noticed that my shell kept breaking and I wanted to fire a meterpreter one in order to run scripts like post/multi/recon/local_exploit_suggester. However, initially my problem was that the box was a 64-bit one and I was using a 32-bit reverse tcp shell. Luckily, following this tutorial I was able to create a solid shell and then use meterpreter.
Next, I used run post/multi/recon/local_exploit_suggester and it gave me only one exploit, ms10_092_schelevator. I fired it up and I got system...