There are many qualities and skills necessary to be an effective penetration tester. Experience with a programming language or two is right at the top of that list. I don’t mean that you need to have a development background. Successful attackers should, however, be able to look at the tools and exploits they use and understand how they actually work. This exact issue came up on a recent web application assessment we performed.
The target application was an e-commerce site written in .NET. The consultant performing the assessment already had several typical findings largely related to the OWASP Top 10. A little while into the assessment, he stumbled upon a previously unidentified section of the application which contained, more importantly, a page ending in “.cfm.” For those who might be unaware, “cfm” is indicative of Adobe ColdFusion. Penetration testers love ColdFusion for all of the wonderful vulnerabilities historically associated with it. The consultant immediately looked for the infamous ColdFusion admin login page, but it had been removed. He verified that FCKeditor was installed and attempted to run the appropriate Metasploit module. Though initially the exploit looked promising based on the server response, a Meterpreter session was never returned. Varying the payload settings yielded the same results, and so the consultant decided to move on. Fortunately, I had some free time and decided to dive a little deeper into the issue.
At first I thought maybe the server didn’t have the necessary egress access for us to get a reverse connection. This is an issue we encounter fairly regularly and would fit with the results we were seeing. I decided to try my luck with a .jsp webshell instead of getting a Meterpreter session, since that wouldn’t require any egress access. I made some quick modifications to the exploit module to upload a simple web shell and tried again. Metasploit claimed success, but when I manually browsed to the supposedly uploaded page, only an intriguing 404 error was returned.
The FCKeditor exploit works by telling the ColdFusion server that it is going to upload a .txt file, but with either a .jsp or a .cfm extension. The server accepts the file with the “malicious” extension and places it in a publicly accessible directory. In the case of the Metasploit exploit, a .jsp file is uploaded first. Once executed, it either initiates a reverse connection or opens up a port for an inbound connection, depending on the payload type. However, on this particular server, the .jsp files were not present. After poking around for a few minutes, I decided to request the page again, but this time with a .txt extension. The result was a blank page with no errors. At this point it was obvious that egress was not the main issue preventing a successful Meterpreter session.
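The root cause described above is an upload handler that trusts the file type the client declares instead of the name the file is actually stored under. The following is an added example, not FCKeditor’s or ColdFusion’s code, that puts that weak check beside a hardened one. The extension lists, function names and sample uploads are constructed for illustration; a real deployment would derive the executable-extension list from the server’s handler mappings.

```ruby
# Added example (not FCKeditor's or ColdFusion's code): a file-upload gate that
# trusts the client-declared type, beside a hardened gate that decides from the
# stored filename. All names, lists and sample inputs are constructed.

require 'set'

# Extensions the web server would execute rather than serve as static content.
# Constructed list; derive it from the real server's handler map in practice.
EXECUTABLE_EXTENSIONS = Set.new(%w[cfm cfml cfc jsp jspx asp aspx php]).freeze

# Extensions the upload feature is meant to accept.
ALLOWED_EXTENSIONS = Set.new(%w[txt jpg jpeg png gif pdf]).freeze

# Filenames must be a single base name with one or more alphanumeric extensions.
# This rejects path separators, spaces, semicolons, null bytes and leading dots.
SAFE_NAME = /\A[A-Za-z0-9_-]+(?:\.[A-Za-z0-9]+)+\z/.freeze

# Weak gate: believes the client's declared type and never looks at the name the
# file will be saved under. Declaring "txt" while sending "shell.cfm" passes.
def weak_accept?(declared_type, _filename)
  ALLOWED_EXTENSIONS.include?(declared_type.to_s.downcase)
end

# Hardened gate: ignores the declared type and decides from the stored name.
# Exactly one extension is permitted, it must be on the allow-list, and it must
# never be one the server executes, regardless of case.
def hardened_accept?(filename)
  name = File.basename(filename.to_s)        # drop any directory component
  return false unless name.match?(SAFE_NAME)
  exts = name.downcase.split('.')[1..]
  return false unless exts.length == 1       # no "shell.cfm.txt" double extensions
  ext = exts.first
  !EXECUTABLE_EXTENSIONS.include?(ext) && ALLOWED_EXTENSIONS.include?(ext)
end

# Constructed upload attempts as [declared_type, filename] pairs.
SAMPLE_UPLOADS = [
  ['txt', 'notes.txt'],
  ['txt', 'shell.cfm'],
  ['txt', 'shell.jsp'],
  ['txt', 'shell.cfm.txt'],
  ['txt', '../shell.cfm'],
  ['jpg', 'photo.JPG']
].freeze

# Returns { filename => [weak_verdict, hardened_verdict] } for each sample.
def compare_gates(uploads = SAMPLE_UPLOADS)
  uploads.to_h { |type, name| [name, [weak_accept?(type, name), hardened_accept?(name)]] }
end

if __FILE__ == $PROGRAM_NAME
  compare_gates.each do |name, (weak, hard)|
    puts format('%-16s weak=%-5s hardened=%s', name, weak, hard)
  end
end
```

Run stand-alone, the table shows every constructed shell upload passing the weak gate and failing the hardened one, while the two legitimate uploads pass both. The design point is that the only input worth validating is the name the file will be written under, and that a deny-list of executable extensions alone is not enough; the allow-list plus single-extension rule closes the double-extension and case-variation gaps.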
I decided to try my luck uploading a ColdFusion webshell. After some additional changes were made to the FCKeditor module, the exploit ran successfully giving me shell access to the underlying operating system. Since, on Windows, ColdFusion runs as SYSTEM, the exploit resulted in a complete compromise. Through the webshell we were able to dump out the contents of multiple backend databases and gain access to customer information.
At this point we decided to give the egress access a proper test. Syringe was uploaded and executed through the webshell. Within seconds, a reverse Meterpreter connection (because everything is better with Meterpreter) was made back to us. The original consultant notified the client, and they began the remediation process. I decided to clean up my messy code and steiner convinced me to write a full blown ColdFusion payload encoder (still a work in progress).
This is just a small example of the value of knowing your toolset. We were able to go from no shells to two in just a few lines of code. In this case, the tool happened to be a Metasploit module, and thus a working knowledge of Ruby was necessary. However, Python is also a great choice for penetration testers, and even some experience with a server-side language such as ASP or PHP can come in handy from time to time.
Taking the time to gain a low level understanding of one or more programming languages will increase your value in the eyes of your team and your clients. It might even mean the difference between a successful and unsuccessful engagement some day.