Writeup > LetsDefend: Adobe ColdFusion RCE

Praj Shete
3 min read · Nov 13, 2024

Scenario: Our EDR software triggered an alert and isolated a web server for suspicious use of the “nltest.exe” command. Investigate the Windows Event logs to determine what occurred.

Q1. The testing process utilizes a third-party service to determine if the server is susceptible to remote code execution. What is the complete URL of the third-party service?

Looking at the provided event logs (source: Sysmon), we check the process creation events and see an abnormal PowerShell command line with a base64-encoded script being executed. Let's decode it.
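The decoding step above is the one you repeat on every suspicious PowerShell command line, so here is a small helper for it. This is an added example, not code from the writeup or from LetsDefend: it encodes a script the way PowerShell expects for -EncodedCommand (UTF-16LE, then base64), finds that flag (or any of its accepted short forms) in a command line, decodes the blob, and pulls out any URLs so the callback to the third-party service stands out. The Sysmon-style event lines and the script inside them are constructed for the example; the domain and URL are placeholders, not the ones from the challenge.

```python
import base64
import re

# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...).
# Longest alternative first so the regex does not stop at a partial match.
ENC_FLAG_RE = re.compile(
    r"(?i)(?:^|\s)[-/](?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)"
)
# Good enough for IOC extraction from a decoded one-liner; stops at quotes and whitespace.
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def encode_command(script: str) -> str:
    """Encode a script exactly as PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    match = ENC_FLAG_RE.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return None
    # PowerShell encodes the script as UTF-16LE; replace rather than crash on odd bytes.
    return raw.decode("utf-16-le", errors="replace")


# Constructed script: a plain outbound request to a placeholder "RCE check" service.
SAMPLE_SCRIPT = "Invoke-WebRequest -Uri 'http://oob-check.example/ping' -UseBasicParsing"

# Constructed Sysmon Event ID 1 (process creation) records, flattened to key=value.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\System32\\nltest.exe CommandLine=nltest.exe /dclist:",
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -nop -w hidden -enc " + encode_command(SAMPLE_SCRIPT),
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami",
]


def find_encoded_commands(events):
    """Return (decoded_script, urls) for every event whose CommandLine is an encoded PowerShell command."""
    hits = []
    for line in events:
        field = re.search(r"CommandLine=(.*)$", line)
        if not field:
            continue
        script = decode_encoded_command(field.group(1))
        if script is None:
            continue
        hits.append((script, URL_RE.findall(script)))
    return hits


if __name__ == "__main__":
    for script, urls in find_encoded_commands(SAMPLE_EVENTS):
        print("decoded:", script)
        print("urls:   ", urls)
```

Feed it the CommandLine values exported from the Sysmon channel and each decoded script comes back with the URLs it references, which is exactly what Q1 asks for.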

Q2. What was the IP of the third-party service to determine if the server is susceptible to remote code execution?

To answer this, we look the domain up on online scanning engines to find the IP it resolves to.

Q3. The attacker drops a web shell backdoor. What is the web shell backdoor script written in?

The process creation logs show another encoded command executed through PowerShell; decoding it gives:

ColdFusion Markup Language

Q4. What is the attacker’s working directory when injecting the web shell script?

Q5. The web shell was saved to what file?

Refer to the image above.

Q6. What is the full execution command string in the web shell backdoor?

Referring to the decoded script from Q3, the execution command in the web shell was <cfexecute>.

Q7. The Attacker creates a reverse shell with PowerShell. What is the IP and port number the reverse shell calls back to?

Moving on, we observe another process creation event with a different base64-encoded command; decoding it yields an obfuscated script.

The IP address is obfuscated with a format string: each numbered placeholder holds the index of the argument that goes in that position, so the octets have to be reassembled in the indicated order to rebuild the IP address: {3}.{0}.{1}.{2}:{P`Rt}
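Reassembling the octets by hand is error-prone once the script contains several such expressions, so here is a resolver for this kind of format-string obfuscation. It is an added example, not code from the writeup: it finds each `'{...}' -f a,b,c` expression in a decoded PowerShell script, substitutes the positional arguments into the numeric placeholders the same way PowerShell's -f operator does, and then extracts any IP:port pairs from the result. Placeholders that are not plain numeric indices are left untouched for manual review. The obfuscated snippet and the 10.0.2.1:4444 callback it resolves to are constructed for the example, not the values from the challenge.

```python
import re

# A quoted template followed by the -f operator and its argument list.
# Arguments run up to the closing parenthesis, a semicolon or end of line.
FORMAT_EXPR_RE = re.compile(r"""(['"])(?P<tpl>[^'"]*)\1\s*-f\s*(?P<args>[^)\n;]+)""")
# Only plain numeric placeholders are resolved; {0,5} or {0:x} style ones are not.
PLACEHOLDER_RE = re.compile(r"\{(\d+)\}")
IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def resolve_format_expression(template: str, args) -> str:
    """Mimic PowerShell's -f: replace {n} with args[n], leave unknown indices as they are."""
    def substitute(match):
        index = int(match.group(1))
        return args[index] if index < len(args) else match.group(0)
    return PLACEHOLDER_RE.sub(substitute, template)


def deobfuscate_format_strings(script: str) -> str:
    """Replace every "'template' -f args" expression in the script with its resolved literal."""
    def substitute(match):
        args = [a.strip().strip("'\"") for a in match.group("args").split(",")]
        return "'" + resolve_format_expression(match.group("tpl"), args) + "'"
    return FORMAT_EXPR_RE.sub(substitute, script)


def extract_callbacks(script: str):
    """Return (ip, port) tuples found after the format strings have been resolved."""
    return IP_PORT_RE.findall(deobfuscate_format_strings(script))


# Constructed obfuscated fragment: the octets are shuffled by index, the port is the last argument.
SAMPLE_OBFUSCATED = "$t = ('{3}.{0}.{1}.{2}:{4}' -f 0,2,1,10,4444); $p = $t.Split(':')"

if __name__ == "__main__":
    print(deobfuscate_format_strings(SAMPLE_OBFUSCATED))
    print(extract_callbacks(SAMPLE_OBFUSCATED))
```

Run it over the decoded reverse-shell script and the resolved string shows the callback address directly, with the port as the argument that fills the last placeholder.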

Challenge link: https://app.letsdefend.io/challenge/adobe-coldfusion-rce



Written by Praj Shete

Passionate Cybersecurity enthusiast, curious about protecting digital assets!
