Penetration Testing mailing list archives

How to escalate privilege from a JRUN4 admin account


From: nobody <pentester () yahoo com>
Date: Mon, 22 Mar 2010 12:22:54 -0700 (PDT)

On my last pen test I did not have time to escalate my privilege from a JRUN4 account where I guessed the admin 
password.

The service was running as local system on a Windows box.  I could log on as the CFUSION and JRUN4 administrator but 
I had no access to anything else.  I could cause the process to send its SMB creds to my hacktop - which was running 
CAIN/NTLM downgrade - but no luck with that - the compromised box did not allow NTLM downgrade.  No SMB reflection 
either as the box was patched well. 

I tried to upload both a CFM and a WAR file that we have used to gain command line access (since the JRUN4 service was 
running as local system, it would have been easy to get local admin in 1 minute), but I could find no way to point 
either the CFUSION or JRUN functions to any of my boxes, via HTTP or UNC paths, where I had those files stored.  I 
could not find a function in either CFusion or JRUN that would let me execute a command or upload a file that I could 
run a command in.  I did not have time to try RDS via port 80 with Dreamweaver and I am not certain that RDS was turned 
on. 

I bet someone has seen this before and that there is a way to escalate privilege.  Anyone have any ideas on this?

thanks


  


      
