Thursday, July 18, 2019

Arctic


ARCTIC

- Layout for this exercise:




1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Arctic, what is a machine from the Hack the Box pentesting platform:

https://www.hackthebox.eu



2 - ENUMERATION

- The IP for Arctic is 10.10.10.11:





- Scanning we find 3 available open ports:




- The port 8500 is used by the built-in web server of ColdFusion web development platform:




- Also it could be used by the protocol fmtp (Flight Message Transfer Protocol):





- Scanning deeper port 8500:




- Connecting to port 8500 we confirm that there is a ColdFusion server running:














3 - EXPLOITATION

- There is a Directory Traversal exploit for ColdFusion:










- Following the instructions of the exploit we find a password hash:









- The hash type is SHA-1:




- Decrypting online:




- Now we can use credentials admin:happyday to login as the ColdFusion Administrator:










4 - GETTING A LOW PRIVILEGE REMOTE SHELL

- Under Debugging & Logging tab there is the option of Scheduled Task, what enables us to upload files or exploits to Arctic:





- Msfvenom helps to create an exploit with .jsp extension because the exploit will be actually a Java Server page run at ColdFusion:





- Now let's transfer myexploit.jsp to Arctic uploading it with option Schedule New Task.

- First, setting a local web server at Kali:




- It is very important to notice the location of ColdFusion webroot folder:






- So the destination folder for myexploit.jsp will be:




- Adding the Task and submitting:






- The task is successfully added:






- To run the task there is two options. The first option works just by clicking the green tab:




- The second option works by clicking at the index page:







- Anyway the exploit is successful and we get a remote low privilege shell:





5 - CAPTURING THE 1st FLAG

- Reading user.txt:





6 - PRIVILEGE ESCALATION

- Access to Administrator's Desktop is not possible for user tolis, so we need Privilege Escalation:






- Let's notice that Arctic is using an x64 architecture:





- Msfvenom creates an executable exploit for architecture x64:









- Transferring exploit_system.exe to Arctic:




- The transfer is successful:




- Setting a meterpreter listening session:




- Executing exploit_system.exe:




- The consequence is a Meterpreter session with low privileges because the user is still tolis:






- Backgrounding the session:




- Searching for a Local Privilege Escalation exploit for Meterpreter Session 1:





- The exploit is completed but no session is created. Why? The reason is that Metasploit took the IP 192.168.1.19, instead of the VPN interface's IP:




- Setting as local host the IP corresponding to Artic's VPN interface the problem is solved:





- Finally we've got a remote System shell with all the privileges:






7 - CAPTURING THE 2nd FLAG

- Reading root.txt: