# CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Deep-Dive

This repository contains a proof-of-concept exploit for the authentication bypass vulnerability (CVE-2024-0204) discovered in Fortra's GoAnywhere MFT product. The vulnerability allows an unauthenticated attacker to create an administrative user for the application.

# Description

On December 4, 2023, an internal security advisory was posted by Fortra, highlighting an authentication bypass vulnerability (CVE-2024-0204) in GoAnywhere MFT. The vulnerability enables an unauthenticated attacker to create an administrative user for the application. The discovery was credited to researchers malcolm0x and Islam Elrfai.

# Exploit Overview
The exploit involves manipulating the /..; path traversal technique to bypass the SecurityFilter class and gain unauthorized access to the /wizard/InitialAccountSetup.xhtml endpoint.

# Usage

python --ip <TARGET_IP>
python --targets <TARGETS_FILE_PATH>
+ Replace <TARGET_IP> with the specific target IP or URL you want to test.
+ Replace <TARGETS_FILE_PATH> with the path to a file containing a list of target IPs or URLs (one per line).

This will run the script to check if the specified targets are vulnerable to the CVE-2024-0204 GoAnywhere MFT authentication bypass. The script will attempt to create an administrative user and print the result for each target. If successful, it will provide the created admin user's details (username and password).

# Disclaimer
This script is provided for educational and research purposes only. Unauthorized use of this script on systems or networks without explicit permission is strictly prohibited. The author and the organization (if any) associated with this script are not responsible for any misuse or damage caused by its usage. Users are advised to obtain proper authorization before testing or using this script on any system, network, or application.

By using this script, you agree that you are solely responsible for ensuring compliance with applicable laws and regulations. Any unauthorized access, testing, or exploitation may result in legal consequences.

Use at your own risk and only on systems where you have explicit authorization.

# Indicators of Compromise
Admin Users Group: Check for new additions in the GoAnywhere administrator portal under Users -> Admin Users.
Database Logs: Examine transactional history logs at \GoAnywhere\userdata\database\goanywhere\log\*.log.

# Mitigation
The advisory suggests deleting the /InitialAccountSetup.xhtml endpoint and restarting the service. This mitigates the vulnerability.