HTB Retired Machine: Arctic (Windows — Easy) — TCM’s PNPT Course Capstone Box

Daniel Schwarzentraub
8 min read · Feb 22, 2024

We will start off with an nmap scan. Since nmap is unable to ping the machine (the host does not answer the default host-discovery probes, so nmap would report it as down), we have to turn off ping scanning with -Pn.

Time for a service scan
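The two-stage scan described above (full-port discovery with ping disabled, then a service scan of only the ports that came back open), as an added example in Python that is not part of the original post. It does not run nmap itself: it builds the two command lines and parses nmap's grepable (-oG) output so the second scan is fed from the first. The target address 10.10.10.11 and the -oG sample are constructed for the example.

```python
"""Two-stage nmap workflow: -Pn full-port discovery, then -sV/-sC on open ports only.

Added example, not code from the original post. The target 10.10.10.11 and the
grepable-output sample below are constructed for the example.
"""
import re
import shlex

# Constructed sample of nmap -oG output for a host that ignores ping probes,
# which is exactly why the discovery scan had to run with -Pn.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -Pn -p- -oG discovery.gnmap 10.10.10.11
Host: 10.10.10.11 ()\tStatus: Up
Host: 10.10.10.11 ()\tPorts: 135/open/tcp//msrpc///, 8500/open/tcp//fmtp///, 49154/open/tcp//msrpc///\tIgnored State: filtered (65532)
# Nmap done -- 1 IP address (1 host up) scanned in 123.45 seconds
"""

PORT_RE = re.compile(r"(\d+)/open/tcp")


def discovery_cmd(target, out_base="discovery"):
    """Stage 1: all 65535 TCP ports; -Pn so a host that ignores ping is still scanned."""
    return ["nmap", "-Pn", "-p-", "--min-rate", "1000",
            "-oG", f"{out_base}.gnmap", target]


def open_tcp_ports(gnmap_text):
    """Map each host in -oG output to its sorted list of open TCP ports."""
    result = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and the bare 'Status: Up' line carry no ports
        host = line.split()[1]
        ports = sorted({int(p) for p in PORT_RE.findall(line)})
        if ports:
            result[host] = ports
    return result


def service_scan_cmd(target, ports, out_base="services"):
    """Stage 2: version detection and default scripts, restricted to the open ports."""
    if not ports:
        raise ValueError("no open ports to scan")
    return ["nmap", "-Pn", "-sV", "-sC", "-p", ",".join(str(p) for p in ports),
            "-oN", f"{out_base}.nmap", target]


def plan(gnmap_text):
    """Return one ready-to-paste service scan command line per discovered host."""
    return {host: shlex.join(service_scan_cmd(host, ports))
            for host, ports in open_tcp_ports(gnmap_text).items()}


if __name__ == "__main__":
    print(shlex.join(discovery_cmd("10.10.10.11")))
    for host, cmd in plan(SAMPLE_GNMAP).items():
        print(cmd)
```

Running the discovery scan with -p- and --min-rate keeps the slow first pass bounded; the service scan then only spends time on ports known to be open, which matters on a host like this one where the web service on 8500 answers slowly.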

Let’s browse to the site on port 8500

Clicking on CFIDE/Administrator, we find a login page being hosted by ColdFusion

Running searchsploit against ColdFusion, we find an RCE exploit

We copy the exploit into our working directory using searchsploit's -m (mirror) flag

We have to edit the script and fill in the target details it expects before running it

Once the modifications have been made, we run it and wait for the shell

User.txt

Answer: 7d6bcdf301e0a3c842b1697ad0189315

Let’s check our privileges

Let’s run systeminfo to check the OS version and architecture

Since there are no hotfixes installed, it likely has a number of unpatched vulnerabilities. Let’s copy the systeminfo output into a text file on Kali and run Windows Exploit Suggester against it to see what it finds

We first need to run the tool's database update, which requires Python 2

Trying to run the script, we get an error

Converting it to a Python 3 script with 2to3 only produces more errors, so we will try a different tool

There are a lot to go through, but for now I do not care about the RCE ones and will focus on the Elevation of Privilege ones. Anything related to the Windows Kernel (such as the one below) I’m going to delete from my output file as well, and the IE exploits too, since browser-based exploits usually require user interaction

I am left with:

Title: Vulnerability in .NET Framework Could Allow Elevation of Privilege
Title: Vulnerability in Active Directory Certificate Services Web Enrollment Could Allow Elevation of Privilege
Title: Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege
Title: Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution
Title: Vulnerability in WINS Could Allow Elevation of Privilege
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Title: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege
Title: Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege
Title: Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Title: Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege
Title: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Title: Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege
Title: Vulnerability in Consent User Interface Could Allow Elevation of Privilege
Title: Vulnerability in Task Scheduler Could Allow Elevation of Privilege
Title: Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Title: Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Title: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
Title: Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution
Title: Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution
Title: Vulnerabilities in Kerberos Could Allow Elevation of Privilege
Title: Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Title: Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege
Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege
Title: Vulnerabilities in Kerberos Could Allow Elevation of Privilege
Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
Title: Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege

Of the ones above, I’d rather not deal with the .NET or Outlook vulnerabilities: the Outlook one is likely going to require user action, and the .NET ones are probably a lot more complex than what this box is trying to teach us. This is also likely not an AD box, so the Kerberos ones can go as well. One more group I’m getting rid of is anything related to Client/Server Run-time Subsystem

After deleting the above, this leaves us with the following

Title: Vulnerability in WINS Could Allow Elevation of Privilege
Title: Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege
Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege
Title: Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege
Title: Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege
Title: Vulnerability in Consent User Interface Could Allow Elevation of Privilege
Title: Vulnerability in Task Scheduler Could Allow Elevation of Privilege
Title: Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege
Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege

Date: 20110913
CVE: CVE-2011-1984
KB: KB2571621
Title: Vulnerability in WINS Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20120214
CVE: CVE-2012-0148
KB: KB2645640
Title: Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20100810
CVE: CVE-2010-2555
KB: KB982799
Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20120508
CVE: CVE-2012-0178
KB: KB2690533
Title: Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20110809
CVE: CVE-2011-1263
KB: KB2546250
Title: Vulnerability in Remote Desktop Web Access Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20101214
CVE: CVE-2010-3961
KB: KB2442962
Title: Vulnerability in Consent User Interface Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20101214
CVE: CVE-2010-3338
KB: KB2305420
Title: Vulnerability in Task Scheduler Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20120214
CVE: CVE-2012-0149
KB: KB2645640
Title: Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

Date: 20100810
CVE: CVE-2010-2554
KB: KB982799
Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege
Affected product: Windows Server 2008 R2 for x64-based Systems
Affected component:
Severity: Important
Impact: Elevation of Privilege
Exploit: n/a

This might be a weird thought process, but of this list, I’m going to start with the ones that show up multiple times. Each pair shares a single KB (KB2645640 for the Ancillary Function Driver entries, KB982799 for the Tracing Feature ones), so each is really two CVEs fixed by the same missing patch

Date: 20120214
CVE: CVE-2012-0148
Title: Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege

Date: 20120214
CVE: CVE-2012-0149
Title: Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege

Date: 20100810
CVE: CVE-2010-2555
Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege

Date: 20100810
CVE: CVE-2010-2554
Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege

The Ancillary Function Driver ones are kernel exploits (afd.sys is a kernel-mode driver), which we already decided to avoid

Which leaves me with the Tracing Feature for Services vulnerability (KB982799, Microsoft bulletin MS10-059)
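The triage applied above (keep only Elevation of Privilege entries, discard the kernel, IE, .NET, Kerberos, CSRSS and Outlook categories, rank what is left by how often a KB appears, then drop the Ancillary Function Driver entries as kernel exploits), as an added example in Python that is not part of the original post and not code from any exploit suggester. It parses records in the "Date: / CVE: / KB: / Title: / ..." layout quoted above. The sample report is constructed: the EoP records reuse CVE and KB data quoted above, and the two filler records use obviously fake identifiers.

```python
"""Triage an exploit-suggester report the way the write-up does.

Added example, not the post's code or any suggester's own. It parses records in
the 'Date: / CVE: / KB: / Title: / ...' layout quoted above (blank-line
separated), keeps Elevation of Privilege findings, drops the title categories
the write-up sets aside, and groups the survivors by KB so CVEs fixed by one
patch rank first. The sample report is constructed: the EoP records reuse
CVE/KB data quoted above; the two filler records use obviously fake IDs.
"""
from collections import defaultdict

# First-pass discards from the write-up: kernel, browser, .NET, Kerberos, CSRSS, mail.
FIRST_PASS_EXCLUDE = ("Windows Kernel", "Kernel-Mode Drivers", "Internet Explorer",
                      ".NET Framework", "Kerberos", "Client/Server Run-time", "Outlook")
# Dropped last: afd.sys is a kernel-mode driver, so these are kernel exploits too.
KERNEL_DRIVER_TITLES = ("Ancillary Function Driver",)

SAMPLE_REPORT = """\
Date: 20120214
CVE: CVE-2012-0148
KB: KB2645640
Title: Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege
Affected component:
Impact: Elevation of Privilege
Exploit: n/a

Date: 20120214
CVE: CVE-2012-0149
KB: KB2645640
Title: Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege
Impact: Elevation of Privilege

Date: 20100810
CVE: CVE-2010-2555
KB: KB982799
Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege
Impact: Elevation of Privilege

Date: 20100810
CVE: CVE-2010-2554
KB: KB982799
Title: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege
Impact: Elevation of Privilege

Date: 00000000
CVE: CVE-0000-0001
KB: KB0000001
Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
Impact: Elevation of Privilege

Date: 00000000
CVE: CVE-0000-0002
KB: KB0000002
Title: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
Impact: Remote Code Execution
"""


def parse_report(text):
    """Split the report on blank lines; each record becomes a dict of 'Key: value' pairs."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # keeps empty fields such as 'Affected component:' as ""
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def triage(records, exclude, impact="Elevation of Privilege"):
    """Keep records with the wanted Impact whose Title matches none of the exclusions."""
    return [r for r in records
            if r.get("Impact") == impact
            and not any(w.lower() in r.get("Title", "").lower() for w in exclude)]


def group_by_kb(records):
    """KB -> sorted CVE list; several CVEs under one KB means one patch covers them all."""
    groups = defaultdict(set)
    for r in records:
        groups[r["KB"]].add(r["CVE"])
    return {kb: sorted(cves) for kb, cves in groups.items()}


def ranked_kbs(records):
    """(KB, CVE count) pairs, most CVEs first, ties broken by KB number."""
    return sorted(((kb, len(c)) for kb, c in group_by_kb(records).items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for label, exclude in (("first pass", FIRST_PASS_EXCLUDE),
                           ("final", FIRST_PASS_EXCLUDE + KERNEL_DRIVER_TITLES)):
        survivors = triage(recs, exclude)
        titles = {r["KB"]: r["Title"] for r in survivors}
        print(f"== {label}: {len(survivors)} candidate(s)")
        for kb, count in ranked_kbs(survivors):
            print(f"  {kb} x{count}: {titles[kb]}")
```

Grouping by KB rather than by title is the useful part: a suggester lists one record per CVE, so a single missing patch shows up several times, and the count is a quick proxy for "this patch was never applied" rather than for several independent weaknesses.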

We need to set up a netcat listener on our Kali machine to catch the shell the privilege escalation exploit connects back with

Root.txt

Answer: 7095d8fc6bedff1bdb6afc76e2083e4b
