Arctic
From the nmap scan we see 3 ports open.
So next I tried to go to 10.10.10.11:8500 in Firefox and it showed a filesystem.
So next I looked through the files and found a login page for Adobe ColdFusion version 8.
And this gave me the information needed to gain access to the machine.
I found an exploit in msfconsole relating to this product pretty quickly, but I am trying to avoid using the Metasploit framework. So I resorted to the next best thing, looking for an exploit on GitHub, and found a small Python script.
Using this script I can perform an Arbitrary File Upload exploit and upload a reverse shell payload.
Here we can see the payload in the /userfiles/file directory.
And by clicking the JSP file we can catch a reverse shell on the machine.
And from here I can grab the user flag :D
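A defender-side check for the foothold described above, as an added example that is not part of the original write-up: it scans web access logs for server-executed script files that were actually served from the /userfiles/file upload directory, which should only ever hold static content. The Common Log Format, the extension list and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: the web server writes Common Log Format access lines.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
UPLOAD_DIR = "/userfiles/file/"   # upload directory named in the write-up
# Assumption: file types the application server executes instead of serving.
SCRIPT_EXT = (".jsp", ".jspx", ".cfm", ".cfml", ".cfc")

def normalise(path):
    """Drop the query string and ';' path parameters, decode %XX, lowercase
    (the target is Windows, so file names are case-insensitive)."""
    path = path.split("?", 1)[0].split(";", 1)[0]
    return unquote(path).lower()

def find_executed_uploads(lines):
    """Map each script path under the upload directory that was served with a
    2xx status to the (timestamp, client IP, method) of every such request."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not an access-log line we understand
        path = normalise(m["path"])
        served = m["status"].startswith("2")
        if UPLOAD_DIR in path and path.endswith(SCRIPT_EXT) and served:
            hits[path].append((m["ts"], m["ip"], m["method"]))
    return dict(hits)

# Constructed sample log lines (not taken from the target machine).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /userfiles/file/logo.png HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:02:13 +0000] "GET /userfiles/file/EXAMPLE.jsp HTTP/1.1" 200 0',
    '192.0.2.44 - - [01/Jan/2024:10:02:40 +0000] "GET /userfiles/file/example.jsp;x=1?a=b HTTP/1.1" 200 0',
    '192.0.2.50 - - [01/Jan/2024:10:05:00 +0000] "GET /userfiles/file/missing.jsp HTTP/1.1" 404 310',
    '192.0.2.10 - - [01/Jan/2024:10:06:00 +0000] "GET /docs/help.jsp HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for path, requests in find_executed_uploads(SAMPLE).items():
        print(path, requests)
```

Any hit is worth an alert on its own, because nothing in an upload directory should be handed to the JSP or CFML engine; blocking script execution for that directory at the web server removes the condition entirely.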
First I examined the systeminfo to see what I'm working with.
So we are on a Windows Server 2008 R2 Standard machine with an OS version of 6.1.7600 N/A Build 7600.
Using the systeminfo output and this Python script I can get possible exploits.
So using PowerShell I can transfer the exe to the target machine.
The next step was to set a listener and run that exe and...pray
And success!!! :)
We are now the superuser.
2 ports have and 1 port has file message transfer protocol (fmtp). After searching for some exploits for these services, I didn't find anything...
I wanted to try and upload an exe to see if I can find any other points of interest, so I downloaded the exe and checked the PowerShell version on the machine using powershell.exe (Get-Host).Version
so I can see what commands I can use to download the file from my Python HTTP server. Sadly the exe didn't work so the next best thing was .
From the output, we see some kernel exploits and after some experimenting and testing I narrowed down that that allows us to perform privilege escalation.