Pentesting and Privilege Escalation with Arctic


Arctic Setup
PREVIEW13m 48s
Admin Dashboard
PREVIEW11m 57s

The course is part of this learning path

Arctic Setup

In this course, we explore pentesting and privilege escalation as we solve a Windows virtual machine called Arctic.


Hi, within this section, we're going to solve another Window's machine from the Hack The Box, which is called Arctic. So, if you don't have any VIP membership, just make sure you watch this section and not skip it. So, if you come over here, you can search for Arctic and just find the machine yourself. So, this machine is considered easy but, and also, again, it's created by the ch4p, so I believe this is the guy that has been in our life because we have already solved one of his CTFs in the previous section. And if you take a look at this, you can see it represents the real life, and it also leans towards the CVE in the privilege escalation site. So, that's why we are, actually, trying to solve this. So, it actually includes a service called some, kind of, Adobe service that is commonly used in government buildings or government facilities and also in some big corporations. So, it's a good practice to solve this. Not only privilege escalation wise, but also getting access, gaining excess wise as well. So, my IP Address is going to be for this machine and my VPN is running on the my Kali Linux as usual. So, I'm connected to the Hack The Box servers.

So, let me see. Here you go. I can ping the machine. Now, it's very good, I can ping this and as you can see, I have the same IP address my tun0 over here. So, what I'm going to do, of course, I'm going to go for Nmap. You can do this with Zmap as usual or you can... I'm just going to go for the intense scan that we have been doing so far. You can just go for any of this, by the way, like you can go for the old TCP ports or something like that, or you can just go for the old ports if you want, okay? So, it really doesn't matter at this point. You can just go for your custom Nmap. This is not an Nmap course, I assume you already have some experience on this. I'm just going to go for Nmap all ports with intense scan and with verbose, okay? And I'm just going to go for it. So, here you go. Since I'm doing this for all ports, it's going to take some time. It already started to find some things, like I believe we have discovered open port 135 over here. So, it seems like, we don't have any 80 ports or a web server but maybe we have, I don't know yet. So, it's going to scan 65535 ports, so it's going to take some time.

As you can see, 10% of this is done. And again, why we are doing this because we want to understand how to gain access to the Windows machines and after that how to escalate our privileges in a way that we haven't seen before. And this represents real life in a good way so that's why we are going for Arctic. Let me see if we have any kind of, webserver going on over here while we wait. So, I'm going to go for, and let's see. It seems like it's trying to connect but nothing is happening over here. So, we are just waiting, we are just waiting. I don't believe we have a web service at least proper web service right now, so I believe we're going to have to wait until this is done. So, I'm going to pause the video and wait for three minutes to come back here so just do the same thing. So, here you go. I waited for three minutes and this is our results back. So, let's see what kind of pores or services we are dealing with. But before that I'm going to just copy this as usual, okay? And I'm going to put this output into a file in my Documents folder. I believe we have a CTF folder. I'm going to create a new folder called Arctic. I'm going to go into the Arctic, and I'm going to nano a new notes.txt. So, I'm going to paste all the things that we have copied and I'm going to save this by clicking Control or Enter Ctrl+X. So far, so good. So, now let me scan this a little bit. It started to scan, it found some ports. Let me see, we have the 135 which is MSRPS, RPC, sorry, we have something called FTMP but I don't know what we can do with that. Over here, we have the Windows as operating system guess. So, it's definitely Windows, we don't know the exact version or version over here and it doesn't seem that we have too much information, right? So, we're going to go for either of these like 135, 8500. So, let's see. Maybe we don't even know what is an MS RPC. Okay, so we can just go for ms rpc exploit to see if we can find some kind of exploit that works for all RPC versions, okay?

So, as you can see RPC is the Microsoft Remote Procedure Call, okay? So, if we come over here, we can see that it's kind of a service that lets us remotely do something on the target machine. So, if it's more, misconfigured then most probably we can get a shell back or we can just execute a code in a way that we want, but we don't know yet. We don't even know the service version over here. In the version, as you can see we only get this Microsoft Windows RPC but we don't get a particular version. Maybe we can try to run Nmap one more time. But before we do that, let me just search for the FMTP as well. So, what is FMTP? Its Flight Message Transfer Protocol. Let me just go for the exact port. So, as you can see 8500. So, what is FMTP? It's really Flight Message Transfer Protocol. So, we are against a very different part over here. So, I don't believe I have seen this one in previous CTFs, not only in this course, but also all the previous CTFs combined. So as you can see this is to enable the international operational requirements for the coordination and transfer of aircraft. So, I don't know what we're going to do with those, right? So if I come over here we can see it can run on the port 8500 really, and it can be both the TCP or UDP apparently. Let me just try to connect to those like this. So, let me see if it can work over here, if it's kind of sending a request or if you're getting a response back and I don't believe it's working so let me go for the other ones. So, let me see, we have 135 and 49154. So, in the 8500 we have two tanks. So, let me come over here, and if I click one of these, let me try to open this in another tab and this one as well. And for some reason, as you can see, before we get a response, we are waiting for some minute or some maybe 10 seconds or let me see, let me see if we get a response back and here we go, we're waiting for some kind of interval over here, I don't know why it's happening or is it a buck? So, we're going to see later on. So, it happens everywhere if we just click on one of these, as you can see, we wait until it's shown for a certain amount of time. I believe this is how the server is configured, right? For some reason we don't know that reason yet. So, under the CF docs that we have found we have a lot of files and folders and we're going to have to see and understand what it does. So, over here we have some jpegs or images, okay? So, we have html files over there, a lot of html files, so we can just take a look at those if we want like go into the app events, I don't know what it does. So, of course, we can try to see the jpegs over here I don't think we're going to get something out of that. But anyway, so we have a CFM file over here, we have a dB folder, database folder. Let me just try to broaden this a little bit, and it's annoying to have that pink, that time out thingy and I believe it has a reason that they gave us this time out. So if we just click on one of the images over here, it says that Cold Fusion. So, this is a hint but we're going to see much more for that as well I believe. Over here, we have some, kind of, Cold Fusion documentation link again and over here we have some, kind of, new files and folders. Let me just go into the administrator folder. We have the application.cfm one more time. So, let's click on that and see what happens. So, ColdFusion, by the way, is a service an Adobe tool or a service, we're going to see how to work with that. But again, I believe this is a hint that lets us know that this server is capable of running ColdFusion or actively running ColdFusion. So, if you search for coldfusion on Google, you can see a lot of searches for that already like exploit or something like that. You can just search for it and you will see that it's Adobe product. So, it's a commercial web application development platform. So again, this is commonly used in government facilities or in big corporations. So, if you see that, this is okay by the way if it has the proper configuration or proper patches or proper security settings, but if it doesn't maybe it can lead us somewhere. For example, over here we have found an administrator panel like this. So, the username is admin apparently and we have a password over here. So, if we can find the password of this admin then we can log into the ColdFusion, okay? So, this is under CFID, okay? CFID folder that we have found in the first place and when I saw the administrator folder I just clicked them. So, if you cannot find it just go and type this link. So, let me just try this password. Here you go. I just give it a single quotation mark to see if we have a basic SQL injection over here. But as you can see it's, actually, it's, kind of, decrypt or encrypts the message or encrypts the password before sending the request and the response gets a response back that we got his email password, okay. So, what can we do over here? As you can see, we have found the administrative panel and we have to find the password of this admin user. So, there are a couple of possibilities. We can go for a SQL injection. We can go for brute forcing, and we can try to find the password or like in a hint or in any folder or file that we have been presented with or we can just try to find if we have vulnerability regarding to ColdFusion8 in the administrative panel, right? So, I believe the time out that we're getting is there because of the brute forcing. So, I believe the CTF doesn't want us to do any brute forcing, okay? So, there isn't any tip in the weave source page as well. So, what I have in mind is that we're going to have to search for the exploit of this ColdFusion8 rather than try to brute force this because each passwords try will take like 10 seconds to complete and it will take ages to complete this. As you can see, once I refresh that it will make me wait 10 seconds or something like that or maybe eight seconds, I don't know, but it's close to 10 seconds and it will then give me the response back. So, we're going to have to get creative over here. Let's stop here and do get creative in the next lecture.

About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.