HackTheBox | Arctic
To start, we’ll do an nmap scan. I was having a lot of trouble running normal scans for some reason (no one else seems to have this issue), so I just ran it with -sS and finally got something back.
Overall, this box was very janky. I was not a fan.
After we cat it out:
After that, I attempted to connect to these ports via the browser to figure out what they were. The only one I could connect to was 8500, which showed two different directories.
I started with the ‘cfdocs’ directory, and found a file in the path of /cfdocs/getting_started/Application.cfm that stated that this was for ColdFusion. ColdFusion is an Adobe product.
Next, I went into the CFIDE directory and found an admin panel exposed at the file path of /CFIDE/administrator/.
A quick search for Adobe ColdFusion 8 returned an exploit for directory traversal.
I did a searchsploit query for coldfusion and grabbed a python script for directory traversal.
Then we run the script, which comes back with a password hash:
I then threw this hash into a txt file, and attempted to crack it with John.
I then logged in to the ColdFusion admin panel, but this appeared to be a waste of time; it was cool though.
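From the defender's side, both findings above (a reachable /CFIDE/administrator/ panel and a directory traversal against ColdFusion) leave traces in web access logs. The following is an added example, not part of the original write-up: the log lines, the allow-listed management address and the query parameter names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed access-log lines (common log format); every value is a sample.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /CFIDE/administrator/index.cfm?file=..%2f..%2f..%2fsecret.txt HTTP/1.1" 200 90
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /CFIDE/x.cfm?f=%252e%252e%255c%252e%252e%255csecret.txt HTTP/1.1" 404 90
192.168.1.20 - - [01/Jan/2024:10:01:00 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:02:00 +0000] "GET /cfdocs/getting_started/Application.cfm HTTP/1.1" 200 300
"""

ADMIN_ALLOW = {"192.168.1.20"}  # assumed management host allowed to reach the panel
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')  # ../ or ..\ after decoding


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(log_text, admin_allow=ADMIN_ALLOW):
    """Return (line number, source, reason, status) for suspicious /CFIDE/ requests."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        src, _method, target, status = m.groups()
        path = fully_decode(urlsplit(target).path).lower()
        if "/cfide/" not in path:
            continue
        if TRAVERSAL_RE.search(fully_decode(target)):
            findings.append((lineno, src, "traversal", int(status)))
        elif "/cfide/administrator" in path and src not in admin_allow:
            findings.append((lineno, src, "admin-panel-access", int(status)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A traversal hit that returned 200 deserves attention first, since the server answered the request rather than rejecting it.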
I looked at searchsploit again, and all I thought might be worthwhile was a Metasploit module for file upload.
However, I wanted to stay away from using Metasploit to get access. A quick search for ‘coldfusion 8 file upload’ actually led me to a HackTheBox forums post that had a PoC for this.
I needed to create a payload for this, so I utilized msfvenom.
Next, I opened a new terminal and started a nc listener.
Then I finally executed the Python script.
After a little wait, I have a shell.
I then ran systeminfo and copied the text over into a txt document on my machine. After that, I used Windows Exploit Suggester against the txt document.
I then grepped through this as can be seen below:
Honestly, I got a little lost in the sauce with the amount of return this ended up having. I tried a manual PoC for a Task Scheduler exploit to escalate privileges but couldn’t get it to work.
THUS, we ended up using msfvenom to generate a meterpreter payload.
I actually realized this wasn’t working due to me already using port 666 for my original shell, so I decided to just redo my payload on 6666.
I migrated into another process with x64 architecture. I tried the conhosts, but it failed every time, so I settled for jrunsvc.exe.
I then used the local exploit suggester from Metasploit. This broke... literally every time I ran it. So I ended up finding the Task Scheduler exploit within Metasploit.
And what do you know..
PS, I think with the manual PoC I just needed to run the scheduled task, or just change the parameters within the script itself.