QuickBox CE/Pro Authenticated RCE and Privilege Escalation Analysis (CVE-2020-13448/13694/13695)

### Vulnerability Overview - **CVE IDs**: CVE-2020-13448, CVE-2020-13694, CVE-2020-13695 - **Affected Versions**: - QuickBox CE /inc/config.php?id=88&servicestart=a;; ``` #### Privilege Escalation - **CE Version**: - Write content to `/etc/shadow` file, use `grep` command, and leverage netcat to send file contents back to a listener, thereby escalating privileges. - **Pro Version**: - Exploit the fact that the `www-data` user can run `sudo mysql` without a password, allowing direct root access via the `mysql` command. ### References - [CVE-2020-13448](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13448) - [CVE-2020-13694](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13694) - [CVE-2020-13695](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13695) - [Exploit-DB](https://www.exploit-db.com/exploits/48536) - [GitHub PoC](https://github.com/s1gh/QuickBox-CE-2.5.5-Authenticated-RCE)

Goal Reached Thanks to every supporter — we hit 100%!

QuickBox CE/Pro Authenticated RCE and Privilege Escalation Analysis (CVE-2020-13448/13694/13695)