Hack the Box Challenge: Arctic Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Arctic” which is categories as retried lab presented by Hack the Box for making online penetration practices. Solving challenges in this lab is not that much easy until you don’t have some knowledge of vulnerability assessment. Let start and learn how to analysis any vulnerability in a network then exploit it for retrieving desired information.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of Arctic is so let’s initiate with nmap port enumeration.

From given below image, you can observe we found port 1135, 8500 and 49154 are open in victim’s network.

Looking toward port 8500 open fmtp service to upkeep flight message transfer protocol between Air Traffic Service, thought to explore it through as URL: in web browser as shown below image.

And found two directories as result, then gone with first link “CFIDE

Next I got index page of CFIDE and saw administrator directory then without wasting time I move with administrator options.

Administrator page contains admin login panel and required user and password for login which I don’t know. At the end of page I notice Adobe coldfusion is running in target system and if I took it as a hint then I will look for any exploit.

So when I Google I found exploit 14641 Adobe Cold Fusion is vulnerable to Directory Traversal then I copied the highlighted text which indicates ColdFusion 8 also stores the administrator hash locally in a file password. Properties. 

Now we can seize the administrator hash using the directory traversal through the following URL:

From given below you can perceive that it has shown hash password, let copied it for its decryption into plain text. 

Using online MD5 decryption I cracked above hash value and found “happyday” as a plaintext password which we can use for login into admin panel.

Using admin:happyday as login credential I logged into admin console and choose scheduled tasks option from inside Debugging & logging for scheduling new task as shown below in image.

The scheduled task setup provides you the facility to download a file from a webserver and save the output locally as shown below image, now fill text filed mention below which are mandatory.

Task Name: reversshell

URL: path of running web server through which it can download any file (Malicious file).

Publish: Enable check box for save the output locally

File: give default path for storing your malicious program file in target’s system (by default C:\ColdFusion8\wwwroot\CFIDE\).

Now we need generate a backdoor shell and for that I had used msfvenom and generated a jsp shell through following command.

On other hand run multi/handler through metasploit framework for reverse connection.

Now we need to transfer our shell.jsp file to target system therefore first we need to run python server on port 80 using following command.

Now upload your shell.jsp file by giving its path in URL filed and enable check box for save the output locally then give default path C:\ColdFusion8\wwwroot\CFIDE\shell.jsp for storing your malicious program file in target’s system and click on submit.

From given below image now you can check our reversshell is added into list of task name, for executing our malicious jsp code we need to run the scheduled task.

We have used metasploit’s and got the reverse connection from target’s network.

From given below image you can observe command shell session1 opened for accessing victim tty shell.

I try post exploit command for upgrading command shell into meterpreter shell but failed therefore at last I open a new metasploit framework  choose web_delivery exploit and copied the highlighted malicious code received after running the exploit.

After copying malicious code, we need to paste it inside command shell session and execute it there and you will get meterpreter shell session 2. Since tty shell that we access has limited privileges therefore now we need to go with privilege escalation.

After trying a lot of post exploit we successfully get a new meterpreter session through ms15_051_client_copy_image module as given below.

From given below image we have meterpreter session 3.

meterpreter> getuid

Now let’s finish the task by grabbing user.txt and root.txt file. First I move into user directory and check available files and directories inside it.

Here I saw so many directories and traverse in each directory except tolis but didn’t get any file.

When I explore tolis/Desktop I saw user.txt and use cat command for reading.

Great!!  Here we had completed 1st task now move to 2nd task.

Similarly after traversing so many directories I got root.txt from inside users/Administrator/Desktop and use cat command for reading.

Fruitfully completed 2nd task!!

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Leave a Reply

Your email address will not be published. Required fields are marked *