This machine was as brutal as the actual Arctic, if only because of how slow it was. It is certainly one of the least responsive machines on HackTheBox that I've come across, possibly due to the software it runs. Nonetheless, I solved it. Here's how.
As I always do, I began by doing a staged nmap scan:
The scan showed that RPC is open on what appears to be Windows Server 2008. It also turned up a mysterious port 8500, which nmap misidentified as fmtp. My first instinct was to look up a ports cheat sheet, which ended up pointing me in the right direction.
After getting an idea of what I might find, I navigated to http://10.10.10.11:8500 to see what would come up. I got a directory listing and decided to poke around a bit.
Now it’s clear that the service running on port 8500 is ColdFusion 8. Armed with that information, I decided to start looking for exploits.
Metasploit noted multiple exploits for ColdFusion, including some that work on version 8. Time to give it a shot…
I tried to run the previously highlighted exploit with the settings noted below, but I simply couldn't get it to work.
Since this exploit was explicitly for ColdFusion 8.0.1 and I couldn’t ascertain any information about the version beyond that it was 8.x, I moved on to the next exploit.
The next exploit I tried was one I found on the internet that allowed directory traversal. This exploit was critical because it let you read the ‘password.properties’ file, which holds the hash of the admin password. It was as simple as copy and paste:
In addition, the page source disclosed the hashing algorithm used, which was SHA-1:
If you wanted to take the hash offline and crack it, this information would be useful. There is also a Metasploit module that attempts to identify the hashing algorithm, in case you can't immediately find it yourself.
SHA-1 is a cryptographically insecure hashing algorithm and has been deprecated since 2011, though it has been considered insecure since at least 2005. Given that, I figured one of the many online rainbow table services would be able to crack it faster than Hashcat, especially given my laptop’s weak GPU.
CrackStation was able to crack it. The password was ‘happyday’. With that, I was able to log in to the admin dashboard.
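The reason the admin hash fell to a lookup service so quickly is worth spelling out from the defender's side: a stored password hash that is a single, unsalted, fast SHA-1 is deterministic, so every copy of ‘happyday’ anywhere hashes to the same 40 hex characters and a precomputed table answers it instantly. The fix is a salted, deliberately slow password hash, plus a way to retire the legacy hashes as users log in. The following is an added example in Python, not ColdFusion's own code and not part of the original write-up; the `pbkdf2_sha256$iterations$salt$hash` record format, the iteration count, and the `check_and_upgrade` login hook are my assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration count is an assumption for this example; tune it to your hardware budget.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1 hex of the password: the weak scheme the page reports.

    Deterministic and fast, so identical passwords produce identical hashes and
    a precomputed lookup table (rainbow table, CrackStation) reverses it.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; returns a self-describing record string."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt defeats shared lookup tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def check_and_upgrade(record: dict, password: str) -> bool:
    """Authenticate against whatever hash the record holds.

    If the record still carries a legacy unsalted SHA-1 and the password is
    correct, replace it in place with a PBKDF2 record so the weak hash no
    longer exists at rest. Returns True on successful authentication.
    """
    stored = record["password"]
    if stored.startswith("pbkdf2_sha256$"):
        return verify_password(password, stored)
    # Legacy path: ColdFusion-style hex digest, case-insensitive comparison.
    if hmac.compare_digest(stored.lower(), legacy_sha1(password)):
        record["password"] = hash_password(password)  # transparent upgrade
        return True
    return False


if __name__ == "__main__":
    # Constructed sample record mimicking a legacy unsalted SHA-1 entry.
    admin = {"user": "admin", "password": legacy_sha1("happyday").upper()}
    print("login with wrong password:", check_and_upgrade(admin, "wrong"))
    print("login with right password:", check_and_upgrade(admin, "happyday"))
    print("record now:", admin["password"][:40], "...")
```

The upgrade-on-login pattern matters because you usually cannot rehash stored passwords without the plaintext; the next successful login is the one moment you have it, so that is where the migration happens.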
Within the dashboard, the link that interested me most was “Scheduled Tasks”. Looking inside, it appeared I was able to create a task that would fetch a file from a URL at a given time and then save it. If I could save the file in a web-accessible directory, I’d likely be able to get a reverse shell.
By and large, I find it much easier to escalate privileges using meterpreter. In order to do this on this box, I needed to get system architecture information, create a meterpreter payload, and send that payload to the server. Here was my process for that:
It’s worth noting that I used the same SimpleHTTPServer from earlier to host the meterpreter payload. I set up a handler within msfconsole, ran the executable on the remote server, and got exactly what I wanted!
From here, I decided to background the current session and run local_exploit_suggester.
I know and have used MS10-092 before, so I decided to go with that.
And there we have it! Zero to root.
This box actually carries an actionable lesson for the blue team and for developers that is different from those of the other boxes I’ve done. There’s also a more obvious one.
- Be careful with file sources. Best practice for validating and cleansing a user-supplied path is to take the input, normalize it (e.g. decode “%5c” to “\”), then append it to a predefined base path. From there, compute the canonical path (which would, for example, translate “../../browser” to “/opt/”). With that canonical path in hand, you can check that the file is on a predefined whitelist or, at the very least, inside an approved directory. If it’s allowed, serve it. If not, throw an error.
- Patch your software/systems. The usual stuff.
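The first lesson above, carried through in code: decode, join to a fixed base, canonicalize, then check containment and an optional whitelist, rejecting anything else. This is an added example in Python, not code from the original post or from ColdFusion; the base directory `/srv/www/files`, the `PathTraversalError` type, and the sample request paths are constructed for illustration. It goes slightly beyond the post's description by also decoding repeatedly, so a double-encoded separator such as “%255c” cannot slip past a single decode.

```python
import os
from typing import Iterable, Optional
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path resolves outside the approved directory."""


def normalize_request_path(raw: str) -> str:
    """Step 1: decode percent-encoding until stable (defeats double encoding),
    then treat backslashes as separators so '..\\..' is seen as '../..'."""
    decoded = raw
    for _ in range(5):  # bounded loop: stop when a pass changes nothing
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/")


def resolve_safe_path(base_dir: str, raw: str,
                      allowlist: Optional[Iterable[str]] = None) -> str:
    """Steps 2-4: join to the base, canonicalize, then validate.

    Returns the canonical absolute path to serve, or raises PathTraversalError.
    """
    base = os.path.realpath(base_dir)
    # Strip leading slashes: os.path.join(base, '/etc/passwd') would otherwise
    # discard the base entirely and return '/etc/passwd'.
    rel = normalize_request_path(raw).lstrip("/")
    candidate = os.path.realpath(os.path.join(base, rel))

    # Containment check on canonical paths, not on the raw string: this is what
    # catches '../../' after every encoding trick has been undone.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{raw!r} escapes {base}")

    if allowlist is not None:
        if os.path.relpath(candidate, base) not in set(allowlist):
            raise PathTraversalError(f"{raw!r} is not on the allowlist")
    return candidate


if __name__ == "__main__":
    BASE = "/srv/www/files"  # constructed base directory for the example
    samples = [
        "report.pdf",
        "sub/../report.pdf",
        "../../etc/passwd",
        "..%2F..%2Fetc%2Fpasswd",
        "..%5c..%5cwindows%5cwin.ini",
        "%252e%252e%252f%252e%252e%252fsecret",
    ]
    for s in samples:
        try:
            print(f"ALLOW {s!r} -> {resolve_safe_path(BASE, s)}")
        except PathTraversalError as exc:
            print(f"DENY  {s!r}: {exc}")
```

The order of operations is the whole point: decoding after the containment check, or checking the raw string for “..” before decoding, is exactly the kind of mistake the ColdFusion traversal exploited.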
That’s all for now! I’m hopping on a plane to Germany on Wednesday, so I’ll be back at it later this month. Bis später!