Cold Fusion
Start course

In this course, we explore pentesting and privilege escalation as we solve a Windows virtual machine called Arctic.


Hi, within this lecture, we're going to try and find a way in order to upload a shell or any kind of way to send a reverse shell back to our Kali Linux with inside of the ColdFusion Administrator panel over here. So, I don't think that you ever used ColdFusion 8 before. But if you do, then you can actually find this very easy. But, when I first saw the CTF, I haven't used any kind of ColdFusion products before. So, I'm going to exactly show you how I found this out. So, first thing I did, I'm going to just open the Google and I have written down, "how to upload shell to coldfusion." So, this is how easy it is or maybe, we don't know yet. Maybe it's easy, maybe it's not. As you can see, we have one million results over here, more than one million, actually, close to two million. And we can just try to read the tutorials over here in order to understand how this works. Because if you never worked with ColdFusion before, then you don't even know the menus, you don't even know the options. So, you're going to have to cheat a little bit. Of course, you don't want to just open the... I don't know. The Arctic CTF solution like this. So, this is the Arctic Write-up, for example. I have seen this when I first Google it as well, but I haven't opened it because that would be cheating. But, you can actually read the other ones. Like, over here, we see that it's shell.jsp. So, it should be in the JSP format most of the time, I believe. And let's see, if we run, "how to upload file to coldfusion" and let's see if we can find something about this because we can create a JSP easily with MSFvenom. So, I'm just going to search for like that, "how to download file from coldfusion" and see if we can actually make a request because ColdFusion is a web application development portable or some kind of software eventually and there should be a way to download files. So, as you can see, we have the Stack Overflow over here. And, I believe, we can write some functions inside of the ColdFusion Administrator panel over here. So, maybe we can try to find the Scheduled Tasks as we've seen over there and try to see what it does. Let me go over here, And, of course, we're going to have to wait a little bit as usual. And, by the way, it took me much more time to understand that we need to go into the Scheduled Tasks than this research. It took me a lot of Googling. But again, I have found out that if I come over here, I can create a Scheduled Task and the Scheduled Task is exactly like a cron job that we do in Kali Linux or in Linux usually. And over here, we can create a job, like I create a task, and we can assign a URL to it, apparently. So, if we can assign a URL, we can just download that file and save it to some file and folder system inside of the Adobe ColdFusion. And that would be great because we can just create a shell and upload it over here. And there's one question in mind though, how to run that after we save it? We don't even know that. We can write the URL all over here. That is very easy. We can just put it on our Apache web server. And how to actually save that file and run that file? So, it should be somewhere over here, like CFIDE/file, something like that. But we don't know it. So, how to find that file? It took me a lot of time to understand that too. You have to go to the Server Settings and Mappings. So, if you go to 'Mappings', you can see some general information about your ColdFusion 8 Administrator settings. And let me show you what I mean. If you go to the 'Mappings', you will see the Logical Paths over here. So, these are the mappings that our ColdFusion server uses. So, our Director Path is something like this. So, 'ColdFusion8\wwwroot\CFIDE'. So, of course, there is no way of knowing that. You have to look it from the 'Mappings' so that you can come to the Scheduled Tasks. When you create a Scheduled Task, you can just put that root into your file target and then make it work. So, I'm going to show you how to do that. But, just let me search for 'jsp reverse shell', by the way, to see if we can get a reverse shell back from the pentestmonkey or something like that from GitHub or we're going to have to create it with MSFvenom. So, let me see. So, this is the 'jsp-reverse.jsp' and I don't know. It's a backdoor, actually. Maybe we can try to compile this on our own or just download it from the ColdFusion and just make it run and get a shell back to us. Or maybe we can try to do this automatically with MSFvenom. Let me see if we have a Meterpreter session or like 'msfvenom jsp reverse shell'. I don't think we can get the Meterpreter session of this one but at least we can get a shell back. So, let me come over here. Here we go. We have JSP Java Meterpreter Reverse TCP. We have an Meterpreter, what? I don't think we're going to get an Meterpreter shell back but it's worth a shot. Here, you see the command in order to run this. As you can see, it can be found with a quick googling. So, all you going to do is just specify the payload over here which is, java/jsp_shell_reverse_tcp. And, of course, you're going to have to give the LHOST and LPORT. And you're going to have to want to draw and call it into a file called 'shell.jsp'. So, it's usual way of working with MSFvenom. I'm going to run this or you can just copy and paste it from Google or you can just follow along with me. I'm going to say, 'msfvenom'. The payload option over here is '-p java/jsp_shell_reverse_tcp'. And for the 'LHOST='. Of course, you're going to have to write your own. 'LPORT=4444'. It really doesn't matter. I'm going to want it in a raw format and I'm going to just save it under the '/var/www/html'. And, of course, you're going to have to give it a name like 'shell.jsp'. And don't forget to add the extension over here as well like '.jsp'. You don't have to call it shell, you can call it anything you want, but make sure you call it .jsp at the end. So, this will create a JSP shell for us. And now, I'm going to run the 'service apache2 start'. So, in order to run my web server. Now, I'm going to schedule a new task. Now, I can reach that file through my web server. So, I'm going to specify the path, the URL, as my web server. And also, I'm going to specify the path of the file as the mapping that we have copied. So remember, we copied the mapping. So, I'm going to call this 'Test'. And for the URL, I'm going to go for ''. So, this is my web server. You're going to have to write your own IP. I don't require any username and password to reach for this. I'm going to save this to here, the path that we have copied from Mappings. So, let me open this one more time because it seems that I have lost that. This is one of the reasons that we should take notes often. As you can see, I lost that and I have to open this one more time. So, let's wait until 10 seconds so that we can copy it and just come over here and paste it. So, here you go. It's going to be under here. So, of course, you don't have to take in the C because it's already in the local for this one. But, since we do that, it can just come over here and save it under the C itself. And over here, I'm going to write 'shell.jsp' so that this file can be saved to here. So, I'm going to submit this. And, I believe, this will be executed for us and we can see if we get the file or not by just running this. If we can actually reach the JSP file, then it means that we got the file. But maybe, this is the first time that we are doing this on ColdFusion Administrator panel. So, we're going to try and see. So, I'm going to open the MSF console over here because I'm going to create a listener for us. So, here you go. Our task is scheduled. So, I don't think we have given some instructions for scheduling, like run this every minute, run this every 10 minutes. I'm going to see to that as well. So, over here, I'm in the Metasploit. So, what I want to do, I want to go into the multi/handler as usual, and over there we're going to have to set the payload to JSP. So, let me run user exploit, multi/handler. So, I don't have any payload right now, so, I'm going to say 'show payloads'. But I believe it's going to show us a lot of payloads over here. So, let me see if we have one with meterpreter. I don't think so. So, we're just going to use the same old Java JSP. But let me just try to see, because it said meterpreter over there in the website. I don't think so, but let me just find it. So, I don't see it. If you guys found a way to open a meterpreter shell with a JSP payload, then it's very good. But I believe we're going to have to go for the reverse_tcp, anyway, after Java, okay? And let me just take a look around here. I really wonder with this. So, I'm going to search for meterpreter windows jsp shell, okay? MSF console. So, we're going to get a reverse shell back from the jsp file and see if we can make it into the meterpreter shell or not. Nope. I don't think so. Because even though it says that meterpreter shell over here, okay? The payload is still Java/jsp_shell_reverse_tcp. So, I'm just going to go for that, okay? Because let's not waste time over here. It doesn't matter if you get a meterpreter shell back or not. I'm going to set payload to this and I'm going to run show options. So, we're going to have to change the lhost to Lport, I believe we have already defined it as 4444. So, I can run this on the background with running exploit -j -z. And I'm going to come back here, and let me see if we got the jsp file back. So, I'm going to run shell.jsp on that CFIDE over here, okay? And see if we can get this. And let's see, shell.jsp. Of course, we're going to have to wait 10 seconds in order to make this work, and it will show us if we got that file. If we got that file it will open the reverse shell. And here we go, I don't think so. We didn't get it yet, so we don't have a shell back here. So, it says that FileNotFoundException, okay? So, maybe we're going to have to just take a look at this test one more time. Maybe we can just click on here like 'Run Scheduled Task', so that it can run it for us because we haven't specified an interval for this. Like in a Cron Job, you remember the Crontab? So, we have to specify some kind of time frame, and we didn't do that over here. Maybe we are going to have to run this manually like that and see if it works or not. Of course, it will make us wait 10 seconds again before it shows us the result. It says that, 'task was completed successfully.' Let's see if we can get this, okay. Let's see if we got this right now. So, /CFIDE/shell.jsp. Let me run this, and let's see if we get the shell back. If it doesn't work, of course we're going to have to just run the scheduled task one more time with a different setup. So, again, we're waiting 10 seconds, and here you go. We got the FileNotFoundException one more time. So, I believe there are some things that we should consider about the scheduled task itself. So, let me go into the test. And we're going to change some parameters. Let me see. Of course, we're going to have to wait and see for 10 seconds one more time. Again, this is not how you do a CTF. So, I'm going to go into /var/www/html/ to see... Yeah, we have the shell.jsp. And here you go. We have seen the thing over here. So, we are saving it under the right folder and everything seems to be fine. It's saving in the right folder, right name. So, for the frequency we actually specified something without even realizing it. So, it should be one time thingy at some point. So, I'm going to make it daily, every maybe one hour, one minute, okay. Why not make it one minute? And make sure just save the output to a file as well. Maybe that was the problem. So, I changed to one minutes daily every, and also I checked the save output to a file, okay? So, maybe the frequency was the problem, maybe saving this output to a file was the problem. We're going to see. It says that, you need to enter a valid Start Time, okay? I'm going to choose this one more time, but I'm going to leave the save output to a file checked, and we're going to see if that was the problem or not. Okay? Let's see if we can make it work. So, if we can make it work, we can always run this from the Administrator panel. I believe you know that Play button that we have actually clicked on and it said that test completed successfully, why not we do that? We can just try to do that as well. Right? So, I'm going to try that as long as we can submit this. Here you go. Now I can run this by clicking on 'Display' button. And let's see if we can get back the shell this time, okay? We're going to have to wait 10 seconds and then we're going to have to run it from the browser one more time, and here we go. Let me just see. This is finished. I'm going to run this, and we're going to have to wait 10 seconds to get a response back. And then if we get the shell.jsp it should open a reverse shell back to us, to the Kali machine over here. So, let's wait until we see. Here you go. Now we don't get an error if we come over here to Listener. Here you go. Now we have the shell opened, so I'm going to run sessions -l. Now, here you see we have the sessions 1, and I'm going to just interact with it. And let's see what kind of shell we get. It really doesn't matter. As long as we get a shell, we can try to escalate our privileges in a way that we can become an administrator user because we have seen a lot of things about it in the previous section, right? So, let me try this with hitting 'Enter' or something. Here you go. We have the shell back here. So, I'm going to try to find whoami. We are arctic\tolis. So far, so good. I'm going to run systeminfo, and let's see. Here we go. We see all the things over here. So, this is ARCTIC. This is Windows Server actually, Windows Server 2008. Very good. Let's stop here. And within the next lecture we're going to understand how to escalate our privileges together.


About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.