In this course, we explore pentesting and privilege escalation as we solve a Windows virtual machine called Arctic.
Hi. Within this lecture, we're going to try to log in to the administrator panel, or administrator dashboard, of ColdFusion. But in order to do that, we're going to have to find an exploit or some kind of vulnerability that will lead us to the password of the administrator user. We're not going to do brute forcing, for the reasons we talked about previously. So, what I'm going to do is run searchsploit over here in my Kali, and I'm going to search for the ColdFusion exploits. If you run this, you will see there are a lot of vulnerabilities that have been discovered before, and we can actually see them in our Kali Linux like this. These are all related to Adobe ColdFusion, and we don't actually know whether they are going to work or not. It depends on the version, it depends on the security patches and every other parameter as well, but we can try to narrow it down and try to understand if one works, if it's going to give us the password or any kind of login opportunity, okay? So, let me try to actually understand what those are. For example, over here we see a 9, < 11. This one is 8, so this must be related to the version number of ColdFusion, okay? And I believe our version is ColdFusion 8, at least that is what we see in the administrator login page, so we can try to understand which one to test first. Over here we have the directory traversal; I don't know if it's going to help us or not. We have this server 8.0.1 /administrator/enter.cfm. It seems promising, because maybe it will get into the administrator login page somehow, I don't know, because this is ColdFusion 8 again, and this seems to be related to version 8 over here, so maybe it's worth a shot. But over here we see it's only XSS, Cross-site Scripting. Maybe we can just take a look at it, because as you can see, we see the whole path over here, so you can just take the whole path and try to understand it.
So, I'm going to just run locate exploitdb. As you can see, we have a lot of exploitdb folders available in our Kali Linux over here. What I want to do is find that specific exploit and try to understand how to use it. In order to use it, we're going to have to see the description and instructions. So, I'm going to go into /usr/share/exploitdb, okay? And over here, as you can see, I'm going to go to cfm/webapps and cat this out, but for some reason I cannot do that. Let me run ls -la. Yeah, here we go. I believe we have to go into the exploits folder as well. So, I'm going to go into this and run ls -la. Now we have a lot of folders over here. Yeah, we have to go into cfm, or we can just cat this right now. Yeah, it says that there is nothing like that. So, let me go into cfm and see what happens. Let me go into webapps and run ls -la. Over here we have a lot of txt files, and actually this is the one that we are looking for. I don't understand why it didn't work when we ran cat, but anyhow. Now, as you can see, it says that Adobe ColdFusion is prone to HTML-injection vulnerabilities, and it gives us some kind of script, an HTML script or JavaScript code, over here in order to run and test this. So, I don't think it's going to help us, okay? But I'm going to try this anyway to see if it has the vulnerability or not. So, I'm going to copy this. You don't have to do that, by the way; I'm just trying to understand what kind of thing we should do in order to run these exploits. For example, if I run this, even if it works, it's only going to give me some alert, like an XSS vulnerability. I don't find it very helpful at this point, because even if you find an XSS vulnerability, we don't have anyone to report it to or something like that. It's not a bug bounty, okay? But again, maybe it's worth a shot. Let me just wait here for 10 seconds and see. And nothing seems to be happening over here. Yes, nothing happened.
So, I don't think that's the way to go, okay? For example, in this case I believe we have to just cross out all the XSS vulnerabilities, because even if we can make them work, it won't do much, okay? So, we're going to go for something like a directory traversal, because it may let us view some kind of files that we are not supposed to be viewing, okay? Maybe that's how we can actually find the password. So, I'm going to try this directory traversal. It's not under cfm this time, as you can see; it's under multiple/remote, and it's some kind of Python file. So, I'm going to just try this. I'm going to cd .. over here, .. again, and now I'm going to go into multiple and then into remote, and then I'm going to cat this py file. Yeah, here we go. We have a Python file; let me see if we actually want to run this or not. Over here we see there is a lot of Python code; of course we can just read it and understand what it does. And in the comments section we actually see that we are given a link, we are given a way to exploit this as well. So, maybe we don't even have to run this Python file. I'm just going to try this, okay? It tries to find password.properties so that it can give us the administrator password. So, this is very good. If it works, then we can get the password of the administrator user, right? They actually found a way to exploit the directory traversal and also a way to get the administrator password out of the ColdFusion directories. So, if it works, then we are good to go. I'm going to just delete this and put the thing that we have copied here and hit 'Enter'. Make sure you get the exact same thing that I have copied from there, okay? Or else it wouldn't work. I copied after the cfm question mark, okay? So, we are changing the locale parameter over here. And here we go, I believe we got something out of it.
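From the defender's side, the request above leaves a clear trace: a `locale` parameter on enter.cfm carrying `../` sequences and naming password.properties. The following detector is an added example, not part of the course or of the exploit file; the log format and the log lines are constructed for this example, and the decoding handles the URL-encoded and double-encoded variants as well as the plain one.

```python
# Added example: flag web-server log lines whose ColdFusion request carries a
# path-traversal payload in the `locale` parameter (the technique used above).
# The log lines below are constructed, not real traffic.
import re
from urllib.parse import urlsplit, parse_qs, unquote

TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")
SENSITIVE = ("password.properties",)
REQUEST = re.compile(r'"([A-Z]+ \S+ HTTP/\d\.\d)"')

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %2e%2e%2f and double-encoded forms are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(request_line: str) -> dict:
    """Inspect one 'METHOD /path?query HTTP/1.x' request line."""
    parts = request_line.split()
    if len(parts) < 2:
        return {"locale": None, "traversal": False, "sensitive_file": False}
    url = urlsplit(parts[1])
    params = parse_qs(url.query, keep_blank_values=True)  # decodes one layer
    raw = params.get("locale", [None])[0]
    locale = decode_fully(raw) if raw is not None else None
    return {
        "locale": locale,
        "traversal": bool(locale and TRAVERSAL.search(locale)),
        "sensitive_file": bool(locale and any(s in locale.lower() for s in SENSITIVE)),
    }

def scan_log(lines):
    """Return (line, findings) pairs for log lines that look like traversal attempts."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m:
            findings = inspect_request(m.group(1))
            if findings["traversal"] or findings["sensitive_file"]:
                hits.append((line, findings))
    return hits

SAMPLE_LOG = [  # constructed sample lines in a common access-log layout
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /administrator/enter.cfm?locale=en HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /administrator/enter.cfm?locale=..%2F..%2F..%2Fpassword.properties HTTP/1.1" 200 700',
    '10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /administrator/enter.cfm?locale=%252e%252e%252f%252e%252e%252fpassword.properties HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for line, findings in scan_log(SAMPLE_LOG):
        print("ALERT", findings, line[:40])
```

Only the two traversal lines are reported; the benign `locale=en` request is not.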
So, as you can see, we have a password appearing in the ColdFusion login page, but it seems like it's hashed, because it says "encrypted" over here, and it looks like a hash to me anyway. And actually we have seen that when we tried with one single quotation mark, it encrypted the password. But again, it's worth a shot; if you want, you can just come over here and take this as a note. So, I'm going to cd into Documents and CTF. Do we have a folder over here? Let me just go over there: cd Documents and cd CTF/Arctic. Yes, here we go. I'm going to run nano notes.txt, and we have the nmap result. I'm going to paste the password that we have found. I'm going to save this and go back, okay? This is the password that we have found. I'm going to clear this up and run it through a hash identifier. So, let's see if our password is actually hashed. As you can see, it says that it's a possible hash, like SHA-1, or it can be other things as well. So, let us try to decrypt it, okay? It's SHA-1, so I believe it could be very easy to decrypt this. You can do this online, or you can do this offline with Kali Linux as well. So, I'm going to search for "sha1 decrypt online" over here, okay? And I'm going to just choose either of these, md5decrypt.net and actually this one as well. Maybe this one as well; just open a couple of them and try and see if you can get the decrypted one back, and here we go. We actually found it on the first try. So far, so good. It seems that the password is happyday. Okay, great. So, we know the password right now. I'm going to go into here, just write happyday, hit 'Enter', wait for like 10 seconds and see if we can actually log into the administrator dashboard of ColdFusion 8. If we can, then we're going to have to understand how to use ColdFusion and try to get a reverse shell back. So, let me try this one more time; I believe I misspelled happyday.
By the way, in the future, if you want to make a vulnerable machine to submit to TryHackMe or HackTheBox, please don't do it like this, with a 10-second timeout just to prevent brute forcing. It's not a good way, in my opinion, right? So, here you go. I believe the password is correct. We are going into the administrator panel, or dashboard, of ColdFusion 8. Here we go. I think we are in, and of course, if you haven't worked with Adobe ColdFusion 8 before, or Adobe ColdFusion at all, then you're going to have to understand how the ColdFusion dashboard works, okay? This is the ColdFusion administrator page, and we're going to have to understand how it works. We're going to have to just wander around a little bit to see what kind of options, what kind of menus, we have over here, because we have a lot, as you can see. I really suggest you wander around here a little bit and spend some time before going into the next lecture, but I will see you in the next lecture to solve the CTF.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.