Disassembly of ippsec’s youtube video HackTheBox - Arctic. Focus on Windows and basic enumeration, intercepting an application communications via burp. Shell creation with Unicorn and powershell usage along with windows enumeration.
Legal Usage: The information provided by execute@will is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only preform testing on systems you OWN and/or have expressed written permission. Use information at your own risk.
By continued reading, you acknowledge the aforementioned user risks/responsibilities.
This series of write-up will contain comprehensive write-ups of hackthebox machines. In an effort to sharpen reporting techniques and help solidify the understand and methodologies used during penetration testing.
Enumeration
nmap scan:
1 |
|
(results)
Port 135 = Windows RPC Port 8500 = doesn’t know what it is Port 49154 = Windows RPC
investigate 8500
page takes a significant amount of time to load possibly why the name Arctic.
exploring paths /CFIDE
an “administrator” page is found.
administrator/
if page loads correct should say Cold Fusion 8
searchploit
1 |
|
we have results pointing to the version 8.x.x but are cross site scripting. But there is
which is a metasploit file upload, a possible way to get a foothold into the box.
metasploit
1 |
|
exploit/windows/http/coldfusion_fckeditor
looks like the same exploit from the searchsploit.
1 |
|
almost immediately fails due to the response time that needs to be adjusted in metasploit.
Modify advanced options
1 |
|
hoping to see a POST request and a server response.
If the module doesn’t support a proxy script we can push the module/communications to burp:
setup burp to intercept application
proxy tab > options > add proxy listeners
bind to 8500
Request Handling:
tick box for running:
go to web browser localhost:8500
every time we connect to 8500 we get redirected to 10.10.10.11:8500
Turn intercept on:
In metasploit:
1 |
|
and at this point we are now redirecting through burp (forward first request) then:
see the request metasploit is trying to make. Next send to repeater and send:
how this exploit works is that the Post request is sent to CurrentFolder and a .jsp file is added but with a %00 null byte at the end which confuses the web-server and allows for the file to upload.
Finished 200 response:
Futhermore, the script is going to try to open a connection to our local box on port 4444 thus we need to have a listener setup to catch the connection.
setup listener
1 |
|
navigate to the k.jsp page
1 |
|
wait the 20-30s for the connection to establish.
Reverse Shell - RCE
a connection is established via the K.jsp file to port 4444:
this is just a reverse shell and we need to upgrade it.
unicorn to upgrade shell
Github Link: https://github.com/trustedsec/unicorn
1 |
|
usage:
1 |
|
output’s two files when it’s done.
First file: unicorn.rc - all commands to load unicorn in metasploit Second file: powershell_attack.txt = unicorn powershell exploit
1 |
|
command is very long but can return a shell. Sending this all through one terminal might not be the best call the better option would be to have the file sent to target.
load metasploit w/ unicorn command
1 |
|
create powershell_attack to html
create a new file with a pasted clipboad of the exploit and named it exploit.html
delete the double quote in the beginning and the end of the powershell script to have a pure version of it. Now we have a script that has been obfuscated to evade antivirus.
setup local SimpleHTTPServer
1 |
|
On target shell:
1 |
|
box hits the web-server:
Meterpreter Shell:
firstly, check the sysinfo to see architecture and the meterpreter session is in a 32bit session.
enumerate windows
1 |
|
search suggest - checks KBs on box and recommended exploits
1 |
|
1 |
|
first ran in a 32bit bit process and then migrate to a x64 as different exploits become available. Run PowerUp.ps1 if nothing returns. (results)
save results as a copy locally.
migrate to 64bit
Meterpreter:
1 |
|
Looking for a process with an x64 and a 1 as that means its interactive and there is more leverage on the things it has the ability to do. None in this case.
migrate to conhost:
1 |
|
Run “sysinfo” to verify were on a x64 process:
1 |
|
confirmed x64, background with ctrl+z show options # check for suggester run
returns only one that appears to be vulnerable. Save to notes
Compare notes:
ms10_092_schelevator reported on both architectures. Which should be a stong first to try.
Root&Loot
1 |
|
in this scenairo it actually used a local 172. IP which was not intendted as so the set LHOST 10.10.12.194 was sent again and ran.
session 2 was successfully opened
1 |
|
Achieved NT AUTHORITY\SYSTEM
loot
1 |
|
If you don’t know who ippsec is check him out at:
Youtube: https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA Twitter: https://twitter.com/ippsec