Just popped another Windows box. This time, it’s Arctic. This machine, I imagine, is easy when using metasploit. However, I’m not here to point and click exploit. I’m trying to prep for OSCP so round these parts we do things the hard way lol
If I had to put a difficulty on this I’d say it’s somewhere between easy and medium without metasploit. Not too challenging but it’s definitely not a point and click.
Mapping the Attack Surface
Interesting open ports. I run netcat against each and the only one that responds is 8500 IT appears it’s an HTTP response though it’s extremely slow. I’m not sure what’s causing the delay
When I visit the page in the browser, there’s a huge delay in all responses, so just be patient.
Navigating through the directories, and I find this directory which seems to have some administrator panels accessible
When I open one of them, I get this. It looks like ColdFusion 8 is installed
Getting a Shell
I googled for ColdFusion 8 Exploits and I came up with this one here
Coldfusion 8 exploit~> https://www.exploit-db.com/exploits/50057
Before running the exploit, you’ll need to change the ip’s and ports inside the exploit
Once you have those values changed out, you can run the exploit and if it works, it’ll drop you into a shell
Don’t forget to grab your user flag, then you can move on to Privilege escalation
Privilege Escalation
To start, I run systeminfo
Once I have this, I copy it over to my attacking box and run the Windows-Exploit-Suggester against it
(I tried a few different exploits but the one that worked the best for me was Chimichurri.exe)
https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri/Source
This machine was very tricky for me to get files over to it. I’m not sure if I’m just green for windows machines still or if this one was intentionally difficult. Regardless, if you’re not using metasploit, you need to find a way to get files over.
I managed to come up with a couple powershell commands to do this. Originally I did this in a single command but for the life of me, I couldn’t get it to execute. Once I broke it out into it’s own powershell script though, it worked like a charm.
Executing this exploit on the machine the first time crashed my shell. I tried a number of ways to get it to execute and each time it just froze. So my guess is that there was some exception or output that was being hidden from me.
I needed a better shell to try this again.
I pulled a 64 bit version of netcat down to my attacking machine you can find it here https://github.com/int0x33/nc.exe/blob/master/nc64.exe
Using the same script as before, I pull it down to my victim box
I ran another listener and sent myself a proper reverse shell
Once I had my proper shell I was able to see what the problem with my exploit was
It looks like it needed a couple arguments to go with it. In order to get this exploit to run, It appears you need to setup a listener and it sends you an admin shell if it’s successful
So I started yet another listener and ran the exploit
As you can see, I get another shell, and when I run whoami I see that I’m now running as system!
On to the next
