Arctic

# ENUMERATION

NMAP:

PORT      STATE SERVICE
135/tcp   open  msrpc
8500/tcp  open  fmtp
49154/tcp open  unknown

- Not much to go off of...

==================================================

# ENUMERATION

- Server is extremely slow... it's Friday night, so HTB is probably rockin'
- found directory listings on port 8500
  Google says this is ColdFusion

Index of /CFIDE/
Parent .. dir 03/22/17 08:52 μμ
Application.cfm 1151 03/18/08 11:06 πμ
adminapi/ dir 03/22/17 08:53 μμ
administrator/ dir 03/22/17 08:55 μμ
classes/ dir 03/22/17 08:52 μμ
componentutils/ dir 03/22/17 08:52 μμ
debug/ dir 03/22/17 08:52 μμ
images/ dir 03/22/17 08:52 μμ
install.cfm 12077 03/18/08 11:06 πμ
multiservermonitor-access-policy.xml 278 03/18/08 11:07 πμ
probe.cfm 30778 03/18/08 11:06 πμ
scripts/ dir 03/22/17 08:52 μμ
wizards/

Index of /cfdocs/
Parent .. dir 03/22/17 08:55 μμ
copyright.htm 3026 03/22/17 08:55 μμ
dochome.htm 2180 03/22/17 08:55 μμ
getting_started/ dir 03/22/17 08:55 μμ
htmldocs/ dir 03/22/17 08:55 μμ
images/ dir 03/22/17 08:55 μμ
newton.js 2028 03/22/17 08:55 μμ
newton_ie.css 3360 03/22/17 08:55 μμ
newton_ns.css 4281 03/22/17 08:55 μμ
toc.css

- found an image with ColdFusion 8 on it
  http://10.10.10.11:8500/cfdocs/images/background.jpg
- found default install documentation
  http://10.10.10.11:8500/cfdocs/dochome.htm
- found some scripts
  http://10.10.10.11:8500/CFIDE/scripts/

==================================================

# FIND EXPLOITS

- enumeration seems to suggest a standard ColdFusion 8 installation
- time for google and searchsploit

==================================================

# ENUMERATION
# SEARCHSPLOIT

kali@kali:~/HTB/RETIRED/Arctic$ searchsploit coldfusion 8
-------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                  | Path
-------------------------------------------------------------------------------- ---------------------------------
Adobe ColdFusion - 'probe.cfm' Cross-Site Scripting                             | cfm/webapps/36067.txt
Adobe ColdFusion - Directory Traversal                                          | multiple/remote/14641.py
Adobe ColdFusion - Directory Traversal (Metasploit)                             | multiple/remote/16985.rb
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Co | windows/remote/43993.py
Adobe ColdFusion 2018 - Arbitrary File Upload                                   | multiple/webapps/45979.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass                       | windows/webapps/27755.txt
Adobe ColdFusion < 11 Update 10 - XML External Entity Injection                 | multiple/webapps/40346.py
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-S | cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm' Q | cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query Stri | cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?startRow | cfm/webapps/33168.txt
Allaire ColdFusion Server 4.0 - Remote File Display / Deletion / Upload / Execu | multiple/remote/19093.txt
Allaire ColdFusion Server 4.0.1 - 'CFCRYPT.EXE' Decrypt Pages                   | windows/local/19220.c
ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit)               | cfm/webapps/16788.rb
ColdFusion 9-10 - Credential Disclosure                                         | multiple/webapps/25305.py
ColdFusion MX - Missing Template Cross-Site Scripting                           | cfm/remote/21548.txt
ColdFusion Scripts Red_Reservations - Database Disclosure                       | asp/webapps/7440.txt
Macromedia ColdFusion MX 6.0 - Remote Development Service File Disclosure       | multiple/remote/22867.pl
-------------------------------------------------------------------------------- ---------------------------------

==================================================

# EXPLOIT
# CVE-2009-1872

http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?%3E'%22%3E%3Cscript%3Ealert('DSECRG_XSS')%3C/script%3E

- just brought me back to an admin login page

==================================================

# EXPLOIT
# CVE-2018-15961 - FILE UPLOADS

https://www.exploit-db.com/exploits/45979

- this is not a script. It looks like something that BurpSuite would manipulate...

==================================================

# METASPLOIT

- the file upload exploit found by searchsploit uses metasploit... I don't want to be using that right now
- Going to move onto a new box after watching the tutorial for this.

==================================================
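As an added defender-side example that is not part of these notes: the JRun/ColdFusion directory listing format captured in the enumeration section above (name, size or "dir", date, time, Greek πμ/μμ for AM/PM) can be parsed and audited automatically, so an asset-inventory job can flag hosts whose /CFIDE/ listing exposes installer, diagnostic or admin paths. The SENSITIVE set and the SAMPLE rows are assumptions constructed for this example, and a truncated final row (like the bare "wizards/" above) is kept rather than dropped.

```python
import re
from datetime import datetime

# Greek-locale AM/PM markers, as they appear in the listing above.
AMPM = {"πμ": "AM", "μμ": "PM"}
# One listing row: name, size-or-"dir", date, time, am/pm marker.
ROW = re.compile(r"^(\S+)\s+(dir|\d+)\s+(\d\d/\d\d/\d\d)\s+(\d\d:\d\d)\s+(πμ|μμ)$")
# Assumed audit list for this example: entries a production CFIDE
# directory listing should not be exposing at all.
SENSITIVE = {"administrator/", "adminapi/", "install.cfm", "probe.cfm", "debug/"}

def parse_listing(text):
    """Map each 'Index of <path>' block to a list of entry dicts. A row that
    does not match ROW (e.g. the truncated last line) keeps only its name."""
    listings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Index of "):
            current = line[len("Index of "):]
            listings[current] = []
        elif not line or current is None or line.startswith("Parent"):
            continue
        elif (m := ROW.match(line)):
            name, size, date, clock, ampm = m.groups()
            stamp = f"{date} {clock} {AMPM[ampm]}"
            listings[current].append({
                "name": name, "is_dir": size == "dir",
                "size": None if size == "dir" else int(size),
                "mtime": datetime.strptime(stamp, "%m/%d/%y %I:%M %p")})
        else:
            listings[current].append({"name": line.split()[0],
                                      "is_dir": line.endswith("/"),
                                      "size": None, "mtime": None})
    return listings

def exposed_sensitive(listings):
    """Sorted full paths of listed entries that are on the SENSITIVE list."""
    return sorted(path + e["name"] for path, entries in listings.items()
                  for e in entries if e["name"] in SENSITIVE)

# Constructed sample in the same format as the CFIDE listing above.
SAMPLE = """Index of /CFIDE/
Parent .. dir 03/22/17 08:52 μμ
Application.cfm 1151 03/18/08 11:06 πμ
adminapi/ dir 03/22/17 08:53 μμ
administrator/ dir 03/22/17 08:55 μμ
install.cfm 12077 03/18/08 11:06 πμ
wizards/
"""
```

Feeding a saved listing page through `exposed_sensitive(parse_listing(...))` gives the paths to raise in an asset review; the 2008 mtimes on the stock .cfm files are also a quick tell that the install has never been hardened.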