Penetration Testing mailing list archives
How to escalate privilege from a JRUN4 admin account
From: nobody <pentester () yahoo com>
Date: Mon, 22 Mar 2010 12:22:54 -0700 (PDT)
On my last pen test I did not have time to escalate my privilege from a JRUN4 account where I guessed the admin password. The service was running as local system on a Windows box. I could log on as the CFUSION and JRUN4 administrator but I had no access to anything else.

I could cause the process to send its SMB creds to my hacktop - which was running CAIN/NTLM downgrade - but no luck with that - the compromised box did not allow NTLM downgrade. No SMB reflection either as the box was patched well.

I tried to upload both a CFM and a WAR file that we have used to gain command line access (since the JRUN4 service was running as local system - it would have been easy to get local admin in 1 minute) - but I could find no way to point either the CFUSION or JRUN functions to any of my boxes, via HTTP or UNC paths, where I had those files stored. I could not find a function in either CFusion or JRUN that would let me execute a command or upload a file that I could run a command in. I did not have time to try RDS via port 80 with Dreamweaver and I am not certain that RDS was turned on.

I bet someone has seen this before and that there is a way to escalate privilege. Anyone have any ideas on this?

Thanks