HackTheBox – Arctic Walkthrough

Just popped another Windows box. This time, it’s Arctic. This machine, I imagine, is easy when using metasploit. However, I’m not here to point and click exploit. I’m trying to prep for OSCP so round these parts we do things the hard way lol

If I had to put a difficulty on this I’d say it’s somewhere between easy and medium without metasploit. Not too challenging but it’s definitely not a point and click.

Mapping the Attack Surface

Interesting open ports. I run netcat against each and the only one that responds is 8500 IT appears it’s an HTTP response though it’s extremely slow. I’m not sure what’s causing the delay

When I visit the page in the browser, there’s a huge delay in all responses, so just be patient.

Navigating through the directories, and I find this directory which seems to have some administrator panels accessible

When I open one of them, I get this. It looks like ColdFusion 8 is installed

Getting a Shell

I googled for ColdFusion 8 Exploits and I came up with this one here

Coldfusion 8 exploit~> https://www.exploit-db.com/exploits/50057

Before running the exploit, you’ll need to change the ip’s and ports inside the exploit

Once you have those values changed out, you can run the exploit and if it works, it’ll drop you into a shell

Don’t forget to grab your user flag, then you can move on to Privilege escalation

Privilege Escalation

To start, I run systeminfo

Once I have this, I copy it over to my attacking box and run the Windows-Exploit-Suggester against it

(I tried a few different exploits but the one that worked the best for me was Chimichurri.exe)

https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri/Source

This machine was very tricky for me to get files over to it. I’m not sure if I’m just green for windows machines still or if this one was intentionally difficult. Regardless, if you’re not using metasploit, you need to find a way to get files over.

I managed to come up with a couple powershell commands to do this. Originally I did this in a single command but for the life of me, I couldn’t get it to execute. Once I broke it out into it’s own powershell script though, it worked like a charm.

Executing this exploit on the machine the first time crashed my shell. I tried a number of ways to get it to execute and each time it just froze. So my guess is that there was some exception or output that was being hidden from me.

I needed a better shell to try this again.

I pulled a 64 bit version of netcat down to my attacking machine you can find it here https://github.com/int0x33/nc.exe/blob/master/nc64.exe

Using the same script as before, I pull it down to my victim box

I ran another listener and sent myself a proper reverse shell

Once I had my proper shell I was able to see what the problem with my exploit was

It looks like it needed a couple arguments to go with it. In order to get this exploit to run, It appears you need to setup a listener and it sends you an admin shell if it’s successful

So I started yet another listener and ran the exploit

As you can see, I get another shell, and when I run whoami I see that I’m now running as system!

On to the next

Leave a Reply

2 + 14 =