HTB: Arctic Writeup w/o Metasploit
Recon
The first thing we did was run nmap. The version scan showed us a few interesting ports.

We can see ports 135, 8500, and 49154 are open. I checked whether 8500 had anything on it and whether it was running some type of service. It was. We used Firefox to hit 10.10.10.11:8500. It showed a list of directories. I wasn’t familiar with the web application before this box, so I had to do some digging around within these directories.

After some digging around and researching the directory structure and file types, I learned 8500 was running a ColdFusion server. ColdFusion is a development tool for web applications. After more digging around, I stumbled upon an admin page. I tried to throw some SQL queries at it; nothing returned. I planned on doing a brute force attack against the admin account, but instead I started looking for ColdFusion 8 exploits.

Enumeration
Eventually I found an exploit on github that returned a shell for us. It really didn’t take too long to find it.
This is the git repo. It was pretty simple to use. We had to create a reverse shell using msfvenom. The instructions for the payload were in the script. They also had instructions to run the Python script that will use our payload.

Once the shell code was created (using msfvenom), we ran the script as instructed in the README file.
It took a minute or two, but eventually it returned a path for us to execute the reverse shell.
I started the netcat listener on port 1234 before browsing to the URL (http://10.10.10.11:8500/userfiles/file/9FZJBO.jsp) the script provided. After setting up the listener and browsing to the URL, we got a shell back.
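From the defender's side, the step above leaves a clear trace: a server-side script (the .jsp the script dropped under /userfiles/file/) is requested from an upload directory that should only ever serve static files. The following is an added example, not part of the writeup or the exploit repo, that scans web access-log lines for exactly that pattern. The log lines are constructed for the example (Common Log Format), the directory /userfiles/file/ is taken from the URL above, and the set of script extensions (.jsp, .jspx, .cfm, .cfml) generalizes beyond the single .jsp case the writeup shows.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample access-log lines (Common Log Format) for this example.
# The .jsp path under /userfiles/file/ mirrors the one the exploit script in
# the writeup produced; the other lines are ordinary traffic and noise.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Jan/2020:10:01:12 +0000] "GET / HTTP/1.1" 200 5120
10.10.14.5 - - [10/Jan/2020:10:03:40 +0000] "GET /userfiles/file/9FZJBO.jsp HTTP/1.1" 200 0
10.10.14.7 - - [10/Jan/2020:10:04:02 +0000] "GET /userfiles/file/report.pdf HTTP/1.1" 200 88210
10.10.14.5 - - [10/Jan/2020:10:05:19 +0000] "GET /userfiles/file/shell.JSP HTTP/1.1" 404 0
10.10.14.9 - - [10/Jan/2020:10:06:00 +0000] "POST /userfiles/file/ HTTP/1.1" 405 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Upload directory that should only ever serve static files, and the
# server-side script extensions a ColdFusion/JRun host would execute.
UPLOAD_DIR = "/userfiles/file/"
SCRIPT_EXTS = (".jsp", ".jspx", ".cfm", ".cfml")


def parse_line(line: str) -> Dict[str, str]:
    """Return the fields of one CLF line, or an empty dict if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def find_script_hits(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Flag requests for server-side scripts inside the upload directory.

    A 200 means the script executed (the shell was reachable); a 404 still
    shows someone probing for an uploaded payload, so both are returned
    together with their status code.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path.startswith(UPLOAD_DIR) and path.lower().endswith(SCRIPT_EXTS):
            hits.append({"ip": rec["ip"], "time": rec["ts"],
                         "path": path, "status": int(rec["status"])})
    return hits


if __name__ == "__main__":
    for h in find_script_hits(SAMPLE_LOG.splitlines()):
        print(f"{h['time']} {h['ip']} -> {h['path']} ({h['status']})")
```

On the sample it reports the 9FZJBO.jsp request (200, the shell callback) and the shell.JSP probe (404); the PDF download and the POST to the directory itself are ignored. The extension check is case-insensitive because Windows hosts serve paths that way.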

Now that we are on the box, we just need to escalate our privileges. I checked if we had any special permissions with a whoami /priv command and saw that we did.

Privilege Escalation
Since we do have the SeImpersonate and SeCreateGlobal permissions set, I tried to use the churrasco.exe exploit to escalate privileges, but that did not work. So I went for the Juicy Potato exploit and was able to get a shell back as SYSTEM.
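The whoami /priv check above is also the audit a defender runs against every service account: if the token holds an impersonation-capable privilege, the account is a candidate for potato-style escalation whatever the web application's own bugs. The following added example (not from the writeup or any tool it uses) parses whoami /priv output and reports those privileges. The sample output is constructed to match what the writeup describes (SeImpersonate and SeCreateGlobal present), and the flagged set includes SeAssignPrimaryTokenPrivilege as well as SeImpersonatePrivilege, since either one is what the Juicy Potato technique depends on.

```python
from typing import Dict, List, Tuple

# Constructed sample of `whoami /priv` output, modelled on what the writeup
# reports for the ColdFusion service account. Not captured from the box.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges that let a compromised service process impersonate other tokens;
# potato-style escalations such as Juicy Potato need one of these.
IMPERSONATION_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Map privilege name -> 'Enabled'/'Disabled' from whoami /priv output.

    The description column contains spaces, so only the first token (name)
    and the last token (state) are used; header and separator lines have
    neither a Se* name nor a valid state and are skipped.
    """
    privs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) >= 3 and parts[0].startswith("Se")
                and parts[-1] in ("Enabled", "Disabled")):
            privs[parts[0]] = parts[-1]
    return privs


def impersonation_findings(privs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (privilege, state) for impersonation-capable privileges the token holds.

    'Disabled' still counts: the privilege is in the token and the process can
    enable it itself, so only its absence from the token removes the risk.
    """
    return [(name, privs[name]) for name in IMPERSONATION_PRIVS if name in privs]


if __name__ == "__main__":
    held = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    for name, state in impersonation_findings(held):
        print(f"{name} held ({state}): review whether this service account needs it")
```

Running it over real output from each service account on a host gives the list the AAR's "securing service accounts" advice is about: accounts that hold one of these privileges without needing it should have it removed or be moved to a less privileged identity.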

AAR
This box introduced us to ColdFusion if it was our first time hearing about it.
To mitigate the attack vectors and techniques used, applying the hotfix for ColdFusion is imperative. It should mitigate the vulnerability we exploited to get our initial shell.
We escalated our permissions with Juicy Potato. Based on research, this attack can be mitigated by securing sensitive accounts and the service accounts that applications run under. Disabling DCOM is an alternative but may disrupt other services/functions. Hopefully, you enjoyed this writeup. Here is a video walkthrough.