1
00:00:00,630 --> 00:00:08,490
Hi, in this lecture we're going to try and log in to the administrator panel or administrator dashboard

2
00:00:08,490 --> 00:00:14,970
of ColdFusion, but in order to do that, we're going to have to find an exploit or some kind of a

3
00:00:14,970 --> 00:00:20,270
vulnerability that will lead us to the password of the administrator user.

4
00:00:20,880 --> 00:00:26,170
So we're not going to do brute forcing, because of the reasons that we have talked about previously.

5
00:00:26,430 --> 00:00:32,370
So what I'm going to do, I'm going to run searchsploit over here in my Kali and I'm

6
00:00:32,370 --> 00:00:35,420
going to search for the ColdFusion exploits.

7
00:00:35,970 --> 00:00:43,530
So if you run this, you will see there are a lot of vulnerabilities that have been discovered before

8
00:00:43,530 --> 00:00:47,950
and we can actually see them in our Kali, things like this.

9
00:00:48,450 --> 00:00:56,670
So these are all related to Adobe ColdFusion and we don't actually know whether they're going to work

10
00:00:56,670 --> 00:00:57,140
or not.

11
00:00:57,150 --> 00:00:58,690
It depends on the version.

12
00:00:58,710 --> 00:01:04,620
It depends on the security patches and every other parameter as well.

13
00:01:04,890 --> 00:01:13,140
But we can try to narrow it down and we can try to understand if it works, if it's going to give us

14
00:01:13,140 --> 00:01:17,760
the password or any kind of login opportunity.

15
00:01:18,160 --> 00:01:23,520
OK, so let me try to actually understand what those are.

16
00:01:23,520 --> 00:01:28,350
For example, over here we see 9, less than 11.

17
00:01:28,350 --> 00:01:30,260
So this is 8.

18
00:01:30,270 --> 00:01:36,130
So these must be related to the version number of ColdFusion.

19
00:01:36,540 --> 00:01:40,190
OK, and I believe our version is ColdFusion 8.

20
00:01:40,200 --> 00:01:49,740
At least this is what we see in the administrator login page, and we can try to understand which one

21
00:01:49,740 --> 00:01:51,670
to test first.

22
00:01:52,260 --> 00:01:52,920
So we're here.

23
00:01:52,920 --> 00:01:54,990
We have the directory traversal.

24
00:01:55,020 --> 00:01:57,630
I don't know if it's going to help us or not.

25
00:01:58,390 --> 00:02:01,700
We have this Server 8.0.

26
00:02:01,710 --> 00:02:05,030
1 Administrator, entered that system.

27
00:02:05,280 --> 00:02:12,090
So it seems promising, because maybe it will enter the administrator login page somehow.

28
00:02:12,090 --> 00:02:18,810
I don't know, because this is ColdFusion 8 again, and this seems to be related to the version

29
00:02:18,810 --> 00:02:19,740
8 over here.

30
00:02:19,740 --> 00:02:21,390
So maybe it's worth a shot.

31
00:02:21,720 --> 00:02:30,450
But over here we see it's only XSS, cross-site scripting.

32
00:02:31,110 --> 00:02:36,450
Maybe we can just take a look at it, because as you can see, we see the whole path over here.

33
00:02:36,750 --> 00:02:40,830
So you can just take the whole path and try to understand it.

34
00:02:40,840 --> 00:02:44,300
So I'm going to just run locate exploitdb.

35
00:02:44,670 --> 00:02:52,690
And as you can see, we have a lot of exploitdb folders in our Kali available over here.

36
00:02:53,400 --> 00:03:00,800
So what I want to do, I want to just find that specific exploit and try to understand how to use it.

37
00:03:01,200 --> 00:03:06,390
So in order to use it, we're going to have to see the description and instructions.

38
00:03:06,660 --> 00:03:10,620
So I'm going to go into /usr/share/exploitdb.

39
00:03:11,070 --> 00:03:22,740
OK, and over here, as you can see, I'm going to go to the cfm webapps and check this out, but for

40
00:03:22,740 --> 00:03:24,630
some reason I cannot do that.

41
00:03:24,640 --> 00:03:25,910
Let me run ls.

42
00:03:26,310 --> 00:03:27,000
Yeah, here you go.

43
00:03:27,000 --> 00:03:32,550
I believe we have to go into the exploits as well, so I'm going to go into this area, ls.

44
00:03:32,550 --> 00:03:36,630
ls, now we have a lot of folders over here.

45
00:03:36,630 --> 00:03:36,840
Yeah.

46
00:03:36,840 --> 00:03:41,250
We have to go into the cfm, or we can just cat this right now.

47
00:03:42,240 --> 00:03:44,340
Yeah, it says that there is nothing like that.

48
00:03:44,340 --> 00:03:47,040
So let me go into the cfm and see what happens.

49
00:03:47,490 --> 00:03:51,300
Let me go into the webapps and let me run ls.

50
00:03:52,110 --> 00:04:00,300
So over here we have a lot of text files, and actually this is the one that we are looking for.

51
00:04:00,330 --> 00:04:05,010
I don't understand why it didn't work when we ran cat.

52
00:04:05,010 --> 00:04:13,080
But anyhow, now, as you can see, it says that Adobe ColdFusion is prone to HTML injection vulnerabilities.

53
00:04:13,500 --> 00:04:20,910
And yeah, it gives us some kind of script, a demo script or JavaScript code over here, in order to

54
00:04:20,910 --> 00:04:22,200
run on testers.

55
00:04:23,100 --> 00:04:26,340
So I don't think it's going to help us.

56
00:04:26,610 --> 00:04:32,460
OK, but I'm going to try this anyway to see if it has the vulnerability or not.

57
00:04:32,970 --> 00:04:34,350
So I'm going to copy this.

58
00:04:34,380 --> 00:04:41,220
You don't have to do that, by the way, I'm just trying to understand what kind of thing we should

59
00:04:41,220 --> 00:04:43,320
do in order to run these exploits.

60
00:04:43,620 --> 00:04:51,720
For example, if I run this, even if it works, it's only going to give me some XSS-like vulnerability.

61
00:04:52,050 --> 00:04:59,160
I don't find it very helpful at this point, because even if you find any XSS

62
00:04:59,160 --> 00:04:59,550
vulnerability,

63
00:05:00,290 --> 00:05:04,290
then we don't have anyone to report to or something like that.

64
00:05:04,310 --> 00:05:05,760
It's not a bug bounty.

65
00:05:06,170 --> 00:05:08,820
OK, but again, maybe it's worth a shot.

66
00:05:08,840 --> 00:05:11,750
Let me just wait here for 10 seconds and see.

67
00:05:12,710 --> 00:05:15,710
And nothing seems to be happening over here.

68
00:05:16,070 --> 00:05:17,510
Yeah, nothing happened.

69
00:05:18,050 --> 00:05:21,110
So I don't think that's the way to go.

70
00:05:21,500 --> 00:05:29,300
OK, so for example, in this case, I believe we have to just cross out all the XSS vulnerabilities,

71
00:05:29,300 --> 00:05:32,960
because even if we can make it work, it won't do much.

72
00:05:33,840 --> 00:05:43,100
OK, so we're going to go for something like a directory traversal, because it may lead us to reveal

73
00:05:43,110 --> 00:05:46,240
some kind of files that we are not supposed to be viewing.

74
00:05:46,760 --> 00:05:50,290
OK, maybe that's how we can actually find the password.

75
00:05:50,940 --> 00:05:53,850
So I'm going to try this directory traversal.

76
00:05:54,170 --> 00:05:56,490
It's not under cfm this time.

77
00:05:56,510 --> 00:06:03,090
As you can see, it's under multiple/remote and it's some kind of Python file.

78
00:06:03,090 --> 00:06:04,740
So I'm going to just try this.

79
00:06:05,130 --> 00:06:09,150
I'm going to cd .. over here, cd ..

80
00:06:09,450 --> 00:06:17,510
And now I'm going to go into multiple and then to remote, and then I'm going to cat this Python file.

81
00:06:18,030 --> 00:06:18,810
Yeah, here you go.

82
00:06:18,810 --> 00:06:20,040
We have a Python file.

83
00:06:20,050 --> 00:06:24,630
Let me see if we actually want to run this or not.

84
00:06:25,950 --> 00:06:29,580
So over here, we see there is a lot of Python code.

85
00:06:29,580 --> 00:06:33,210
Of course, you can just read it and understand what it does.

86
00:06:33,750 --> 00:06:42,030
And in the comments section, actually, we see that we are given the link.

87
00:06:42,210 --> 00:06:45,180
We are given a way to exploit this as well.

88
00:06:45,540 --> 00:06:48,780
So maybe we don't even have to run this Python file.

89
00:06:48,790 --> 00:06:50,160
I'm just going to try this.

90
00:06:50,640 --> 00:06:59,090
OK, so it tries to find password.properties so that it can give us the administrator password.

91
00:06:59,550 --> 00:07:01,320
So this is very good.

92
00:07:01,320 --> 00:07:05,220
If it works, then we can get the password of the administrator user.

93
00:07:05,640 --> 00:07:06,000
Right.

94
00:07:06,010 --> 00:07:14,490
So they actually found a way to exploit the directory traversal and also a way to get the administrator

95
00:07:14,490 --> 00:07:17,220
password out of the ColdFusion directory.

96
00:07:17,880 --> 00:07:20,940
So if it works, then we are good to go.

97
00:07:20,950 --> 00:07:27,480
I'm going to just delete this and put the thing that we have copied in here and hit enter.

98
00:07:28,560 --> 00:07:34,950
So make sure you get the exact same thing that I have copied from there, OK, or else it won't work.

99
00:07:35,430 --> 00:07:38,300
So I copied this from here, after the question mark.

100
00:07:38,610 --> 00:07:44,610
OK, so we are changing the locale parameter over here, and here you go.

101
00:07:44,610 --> 00:07:46,790
I believe we got something out of it.

102
00:07:47,340 --> 00:07:56,580
So as you can see, we have a password appearing in the ColdFusion login page, but it seems like it's

103
00:07:56,580 --> 00:08:03,960
hashed, because it says encrypted=true over here, and it seems like a hash to me anyway.

104
00:08:04,620 --> 00:08:13,170
So actually we have seen that when we tried with one single quotation mark, it encrypted the password.

105
00:08:13,470 --> 00:08:14,790
But again, it's worth a shot.

106
00:08:14,790 --> 00:08:18,630
If you want, you can just come over here and take this as a note.

107
00:08:19,500 --> 00:08:24,810
So I'm going to cd Documents, OK, and CTF.

108
00:08:25,230 --> 00:08:36,360
So do we have a folder over here called... let me just go over there, cd Documents and cd CTF and Arctic.

109
00:08:36,360 --> 00:08:36,690
Yep.

110
00:08:36,690 --> 00:08:37,260
Here you go.

111
00:08:37,260 --> 00:08:42,810
I'm going to nano notes.txt, and we have the nmap result.

112
00:08:42,930 --> 00:08:45,360
I'm going to paste the password that we have found.

113
00:08:45,660 --> 00:08:47,550
I'm going to save this and go back.

114
00:08:48,120 --> 00:08:50,610
OK, this is the password that we have found.

115
00:08:51,180 --> 00:08:58,530
I'm going to clear this up and I'm going to run this in hash-identifier to see if our hash is,

116
00:08:58,800 --> 00:09:00,810
if our password is actually hashed.

117
00:09:01,560 --> 00:09:10,920
So as you can see, it says that, yeah, it's a possible hash, like it's SHA-1, or it can mean other

118
00:09:10,920 --> 00:09:11,760
things as well.

119
00:09:12,480 --> 00:09:15,090
So let us try to decrypt that.

120
00:09:15,360 --> 00:09:16,980
OK, it's SHA-1.

121
00:09:16,980 --> 00:09:26,670
So I believe it could be very easy to decrypt this, so you can do this online or you can do this offline

122
00:09:26,670 --> 00:09:29,250
with Kali Linux as well.

123
00:09:29,520 --> 00:09:35,400
So I'm going to search "SHA-1 decrypt online" over here, OK?

124
00:09:36,150 --> 00:09:44,730
And I'm going to just choose either of these, the MD5 decrypt one, and actually this one as well.

125
00:09:45,510 --> 00:09:46,700
Maybe this one as well.

126
00:09:46,710 --> 00:09:53,940
Just open a couple of them and just try and see if you can get the decrypted one back, the decrypted

127
00:09:53,940 --> 00:09:54,660
one back.

128
00:09:54,660 --> 00:09:55,410
And here you go.

129
00:09:55,410 --> 00:09:58,010
We actually found it on the first try.

130
00:09:58,800 --> 00:10:00,270
So far, so good.

131
00:10:00,270 --> 00:10:03,690
So it seems that the password is happyday.

132
00:10:04,320 --> 00:10:05,370
OK, great.

133
00:10:05,370 --> 00:10:07,560
So we know the password right now.

134
00:10:08,040 --> 00:10:18,930
So I'm going to go in here and just write happyday and hit enter, OK, and wait for like ten seconds

135
00:10:19,200 --> 00:10:26,100
and see if we can actually log in to the administrator dashboard of ColdFusion 8.

136
00:10:26,880 --> 00:10:32,790
If we get there, we're going to have to understand how to use ColdFusion and

137
00:10:32,900 --> 00:10:38,090
try to just get a reverse shell back, so let me try this one more time.

138
00:10:38,090 --> 00:10:39,980
I believe I misspelled it today.

139
00:10:41,060 --> 00:10:47,150
By the way, in the future, if you want to make a vulnerable machine to submit to TryHackMe or

140
00:10:47,150 --> 00:10:49,780
Hack The Box, please don't do it like this.

141
00:10:49,790 --> 00:10:53,000
Like a 10-second timeout.

142
00:10:53,000 --> 00:10:57,220
Just to prevent brute forcing is not a good way, in my opinion.

143
00:10:57,230 --> 00:10:57,570
Right.

144
00:10:57,890 --> 00:10:58,810
So here you go.

145
00:10:59,300 --> 00:11:01,580
I believe the password is correct.

146
00:11:01,580 --> 00:11:08,860
So we are going into the administrator panel or dashboard of ColdFusion 8.

147
00:11:09,440 --> 00:11:10,110
Here you go.

148
00:11:10,160 --> 00:11:19,520
I think we are in, and of course, if you haven't worked with Adobe ColdFusion before, or Adobe ColdFusion

149
00:11:19,520 --> 00:11:27,050
at all, then you're going to have to understand how the ColdFusion dashboard works.

150
00:11:27,500 --> 00:11:33,530
OK, so this is the ColdFusion administrator page, and we're going to have to understand how it works.

151
00:11:33,560 --> 00:11:40,700
We're going to have to just wander around a little bit to see what kind of options, what kind of menus

152
00:11:40,700 --> 00:11:48,770
we have over here, because we have a lot, as you can see. I really suggest you wander around here

153
00:11:48,770 --> 00:11:53,180
a little bit, spend a little bit of time before going into the next lecture.

154
00:11:53,330 --> 00:11:57,320
But I will see you in the next lecture to solve the CTF.