Add loot credentials support to SSH command

BishopFox · Jul 1, 2021 · dedcb42 · dedcb42
1 parent 43323ae
commit dedcb42
Show file tree

Hide file tree

Showing 2 changed files with 78 additions and 0 deletions.
diff --git a/client/command/bind-commands.go b/client/command/bind-commands.go
@@ -1857,6 +1857,7 @@ func BindCommands(app *grumble.App, rpc rpcpb.SliverRPCClient) {
 			f.String("i", "private-key", "", "path to private key file")
 			f.String("P", "password", "", "SSH user password")
 			f.String("l", "login", "", "username to use to connect")
+			f.Bool("s", "skip-loot", false, "skip the prompt to use loot credentials")
 		},
 		Run: func(ctx *grumble.Context) error {
 			fmt.Println()

diff --git a/client/command/shell.go b/client/command/shell.go
@@ -20,15 +20,20 @@ package command
 
 import (
 	"bufio"
+	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"log"
 	"os"
 	"strings"
+	"text/tabwriter"
 
+	"github.com/AlecAivazis/survey/v2"
 	"github.com/bishopfox/sliver/client/core"
+	"github.com/bishopfox/sliver/protobuf/clientpb"
 	"github.com/bishopfox/sliver/protobuf/rpcpb"
 	"github.com/bishopfox/sliver/protobuf/sliverpb"
 
@@ -158,6 +163,14 @@ func runSSHCmd(ctx *grumble.Context, rpc rpcpb.SliverRPCClient) {
 	hostname := ctx.Args.String("hostname")
 	command := ctx.Args.StringList("command")
 
+	if password == "" && len(privKey) == 0 && !ctx.Flags.Bool("skip-loot") {
+		oldUsername := username
+		username, password, privKey = tryCredsFromLoot(rpc)
+		if username == "" {
+			username = oldUsername
+		}
+	}
+
 	commandResp, err := rpc.RunSSHCommand(context.Background(), &sliverpb.SSHCommandReq{
 		Username: username,
 		Hostname: hostname,
@@ -188,3 +201,67 @@ func runSSHCmd(ctx *grumble.Context, rpc rpcpb.SliverRPCClient) {
 		}
 	}
 }
+
+func tryCredsFromLoot(rpc rpcpb.SliverRPCClient) (string, string, []byte) {
+	var (
+		username string
+		password string
+		privKey  []byte
+	)
+	confirm := false
+	prompt := &survey.Confirm{Message: "No credentials provided, use from loot?"}
+	survey.AskOne(prompt, &confirm, nil)
+	if confirm {
+		loot, err := selectCredentials(rpc)
+		if err != nil {
+			fmt.Printf(Warn + "invalid loot data, will try to use the SSH agent")
+		} else {
+			switch loot.CredentialType {
+			case clientpb.CredentialType_API_KEY:
+				privKey = []byte(loot.Credential.APIKey)
+			case clientpb.CredentialType_USER_PASSWORD:
+				username = loot.Credential.User
+				password = loot.Credential.Password
+			}
+		}
+	}
+	return username, password, privKey
+}
+
+func selectCredentials(rpc rpcpb.SliverRPCClient) (*clientpb.Loot, error) {
+	allLoot, err := rpc.LootAllOf(context.Background(), &clientpb.Loot{
+		Type: clientpb.LootType_LOOT_CREDENTIAL,
+	})
+	if err != nil {
+		fmt.Printf(Warn+"%s\n", err)
+	}
+
+	// Render selection table
+	buf := bytes.NewBufferString("")
+	table := tabwriter.NewWriter(buf, 0, 2, 2, ' ', 0)
+	for _, loot := range allLoot.Loot {
+		fmt.Fprintf(table, "%s\t%s\t%s\t\n", loot.Name, loot.CredentialType, loot.LootID)
+	}
+	table.Flush()
+	options := strings.Split(buf.String(), "\n")
+	options = options[:len(options)-1]
+	if len(options) == 0 {
+		return nil, errors.New("no loot to select from")
+	}
+
+	selected := ""
+	prompt := &survey.Select{
+		Message: "Select a piece of credentials:",
+		Options: options,
+	}
+	err = survey.AskOne(prompt, &selected)
+	if err != nil {
+		return nil, err
+	}
+	for index, value := range options {
+		if value == selected {
+			return allLoot.Loot[index], nil
+		}
+	}
+	return nil, errors.New("loot not found")
+}