
HTB Chatterbox - AChat Buffer Overflow and Registry Credentials

Machine Information

Field | Details
Name | Chatterbox
Platform | HackTheBox
OS | Windows
Difficulty | Medium

TL;DR

AChat 0.150 beta7 is running on a non-standard port with a known buffer overflow. A public Python PoC gets us a shell as alfred after generating an x86 unicode-compatible reverse shell payload with msfvenom. Once in, the registry gives away autologon credentials (Alfred:Welcome1!) that also work for Administrator — straightforward credential reuse to SYSTEM.

Recon

    nmap -sC -sV -p- 10.129.1.92

Most of the ports are standard Windows noise — RPC, SMB. The interesting ones are 9255 and 9256, both identified as AChat. That’s a Windows chat application that barely anyone runs outside of CTFs, which is a big hint there’s something exploitable there. ...

May 21, 2026 · 3 min · João Vítor Bonin

HTB: Arctic - OSCP Prep Write-up

Old software on an old OS - a combination that keeps on giving. ColdFusion 8, Windows Server 2008 R2, and a privilege that lets you impersonate basically anyone. Arctic is a nice reminder of why patch management matters.

Machine info

Name | Arctic
Platform | HackTheBox
OS | Windows
Difficulty | Easy

TL;DR

Port scan reveals a ColdFusion 8 server on port 8500. Browsing to it exposes a directory listing and an admin login page. Searchsploit surfaces CVE-2009-2265, a file upload RCE for ColdFusion 8. We mirror the exploit, set our LHOST/RHOST, and catch a shell as arctic\tolis. The service account has SeImpersonatePrivilege - classic potato territory. The OS is Windows Server 2008 R2 (Build 7600), which JuicyPotato handles well. We transfer JuicyPotato via SMB, use it to create a local admin account, then either catch a SYSTEM reverse shell or enable RDP and connect via xfreerdp3. ...

May 19, 2026 · 5 min · João Vítor Bonin