Pentesting Days : It’s not over yet

Alright lads,

Hope you guys are doing well.

Just like day-to-days work I was hunting for critical bugs on client’s public environment and I came across a domain which was not tested much so I started fuzzing the URL and on 404 page it triggered an error.

May be lack of error handling.

“Railo”.. hmm…. did quick google search and found out that it is an open source CFML(ColdFusion Markup Language) server but the version they were using is very old and I found several known vulnerabilities and a exploit tool called ‘clusterd’.

Clusterd Tool :

By exploiting directory traversal vulnerability I retrieved encrypted password of web admin user from configuration file.

I am not that good in cryptography. I tried my best to decrypt it but no luck. After reading about vulnerabilities I came to know that Railo uses a static hard-coded key to encrypt passwords with Java blow-fish algorithm.

‘Clusterd’ would have made my job easy but that tool was not working at all. It was not retrieving configuration file as it was failing to fingerprint Railo.

Below is the Railo code snippet that is responsible for password decryption using static key.

I decided to analyze the exploit code to see what it is doing after retrieving the encrypted password so I can directly jump to decryption phase.

I found a function which was doing the decryption thing. It was parsing retrieved encrypted password as argument to decryption tool.

I managed to successfully decrypt the password.

‘Clusterd’ tool uses a external java program ‘railopass’ for password decryption. Below is the command to decrypt the password.

Tool path : /clusterd/src/railo/railopass/

java RailoPasswordTool d [encrypted password]

I logged into web panel to find out possible ways to achieve code execution. The framework has a functionality where a web admin can set custom error pages and from there it was possible to read ( or may be include) system files.

I was able to retrieve shadow file that means web server is running as root. if I execute code on the server it is possible to get root shell without any priv escalation.

I tried several things to escalate it —

  1. I tried to exploit /proc/self/environ but user agent was not reflecting in the response. May be it is a directory traversal fuck… I am mad.
  2. Retrieved ssh keys so that I can ssh into it but port was closed externally.
  3. Retrieved Apache Tomcat user configuration file but console was restricted.

Nope.. “It’s not over yet”.

I decided to go back to ‘clusterd’ tool’s source code and found out that it is exploiting ‘task scheduler’ to upload shell on the server. It was right in front of me whole time while I was trying to get through rabbit holes. Damn.

I created a task to download web shell from my python+ngrok server and save the output to web root directory.

After executing the task I got a hit on my python server.

BINGO! got shell.

Thanks for reading 🙂