Hack The Box Arctic

Testing Methodologies
 We can start the enumeration by starting a nmap scan

The output shows that the ports 135,8500 and 49154 are open

By visiting port 8500 we have an directory listing

 By visiting the CFIDE directory we have a coldfusion 

 By googling about cold fusion there is Path Traversal Vulnerability that can be used to extract password of admin

 Seems like the password is encrypted which is SHA1 we can use hashcat to crack the password 

The password is "happyday" now we can login to coldfusion

We can now upload a cfexec.cfm script to execute code on the system

Now we can upload a meterpreter shell which can be generated using Veil Evasion which will bypass any antivirus running on the system

We have a meterpreter session now but our session is 32 bit we can convert to to 64 bit using the payload_inject module

By running payload suggester over the session it seems like it is vulnerable to schelevator exploit