Last active
May 9, 2020 15:47
-
-
Save noraj/b4b153ac914ba4cd187f105719371d8f to your computer and use it in GitHub Desktop.
Side files for HackTheBox Obscurity Writeup https://rawsec.ml/en/hackthebox-obscurity-write-up/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import random, string | |
| import os | |
| import time | |
| import crypt | |
| import traceback | |
| import subprocess | |
| path = ''.join(random.choices(string.ascii_letters + string.digits, k=8)) | |
| session = {"user": "", "authenticated": 0} | |
| try: | |
| session['user'] = input("Enter username: ") | |
| passW = input("Enter password: ") | |
| with open('/etc/shadow', 'r') as f: | |
| data = f.readlines() | |
| data = [(p.split(":") if "$" in p else None) for p in data] | |
| passwords = [] | |
| for x in data: | |
| if not x == None: | |
| passwords.append(x) | |
| passwordFile = '\n'.join(['\n'.join(p) for p in passwords]) | |
| with open('/tmp/SSH/'+path, 'w') as f: | |
| f.write(passwordFile) | |
| time.sleep(.1) | |
| salt = "" | |
| realPass = "" | |
| for p in passwords: | |
| if p[0] == session['user']: | |
| salt, realPass = p[1].split('$')[2:] | |
| break | |
| if salt == "": | |
| print("Invalid user") | |
| os.remove('/tmp/SSH/'+path) | |
| sys.exit(0) | |
| salt = '$6$'+salt+'$' | |
| realPass = salt + realPass | |
| hash = crypt.crypt(passW, salt) | |
| if hash == realPass: | |
| print("Authed!") | |
| session['authenticated'] = 1 | |
| else: | |
| print("Incorrect pass") | |
| os.remove('/tmp/SSH/'+path) | |
| sys.exit(0) | |
| os.remove(os.path.join('/tmp/SSH/',path)) | |
| except Exception as e: | |
| traceback.print_exc() | |
| sys.exit(0) | |
| if session['authenticated'] == 1: | |
| while True: | |
| command = input(session['user'] + "@Obscure$ ") | |
| cmd = ['sudo', '-u', session['user']] | |
| cmd.extend(command.split(" ")) | |
| proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) | |
| o,e = proc.communicate() | |
| print('Output: ' + o.decode('ascii')) | |
| print('Error: ' + e.decode('ascii')) if len(e.decode('ascii')) > 0 else print('') |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import argparse | |
| def encrypt(text, key): | |
| keylen = len(key) | |
| keyPos = 0 | |
| encrypted = "" | |
| for x in text: | |
| keyChr = key[keyPos] | |
| newChr = ord(x) | |
| newChr = chr((newChr + ord(keyChr)) % 255) | |
| encrypted += newChr | |
| keyPos += 1 | |
| keyPos = keyPos % keylen | |
| return encrypted | |
| def decrypt(text, key): | |
| keylen = len(key) | |
| keyPos = 0 | |
| decrypted = "" | |
| for x in text: | |
| keyChr = key[keyPos] | |
| newChr = ord(x) | |
| newChr = chr((newChr - ord(keyChr)) % 255) | |
| decrypted += newChr | |
| keyPos += 1 | |
| keyPos = keyPos % keylen | |
| return decrypted | |
| parser = argparse.ArgumentParser(description='Encrypt with 0bscura\'s encryption algorithm') | |
| parser.add_argument('-i', | |
| metavar='InFile', | |
| type=str, | |
| help='The file to read', | |
| required=False) | |
| parser.add_argument('-o', | |
| metavar='OutFile', | |
| type=str, | |
| help='Where to output the encrypted/decrypted file', | |
| required=False) | |
| parser.add_argument('-k', | |
| metavar='Key', | |
| type=str, | |
| help='Key to use', | |
| required=False) | |
| parser.add_argument('-d', action='store_true', help='Decrypt mode') | |
| args = parser.parse_args() | |
| banner = "################################\n" | |
| banner+= "# BEGINNING #\n" | |
| banner+= "# SUPER SECURE ENCRYPTOR #\n" | |
| banner+= "################################\n" | |
| banner += " ############################\n" | |
| banner += " # FILE MODE #\n" | |
| banner += " ############################" | |
| print(banner) | |
| if args.o == None or args.k == None or args.i == None: | |
| print("Missing args") | |
| else: | |
| if args.d: | |
| print("Opening file {0}...".format(args.i)) | |
| with open(args.i, 'r', encoding='UTF-8') as f: | |
| data = f.read() | |
| print("Decrypting...") | |
| decrypted = decrypt(data, args.k) | |
| print("Writing to {0}...".format(args.o)) | |
| with open(args.o, 'w', encoding='UTF-8') as f: | |
| f.write(decrypted) | |
| else: | |
| print("Opening file {0}...".format(args.i)) | |
| with open(args.i, 'r', encoding='UTF-8') as f: | |
| data = f.read() | |
| print("Encrypting...") | |
| encrypted = encrypt(data, args.k) | |
| print("Writing to {0}...".format(args.o)) | |
| with open(args.o, 'w', encoding='UTF-8') as f: | |
| f.write(encrypted) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import socket | |
| import threading | |
| from datetime import datetime | |
| import sys | |
| import os | |
| import mimetypes | |
| import urllib.parse | |
| import subprocess | |
| respTemplate = """HTTP/1.1 {statusNum} {statusCode} | |
| Date: {dateSent} | |
| Server: {server} | |
| Last-Modified: {modified} | |
| Content-Length: {length} | |
| Content-Type: {contentType} | |
| Connection: {connectionType} | |
| {body} | |
| """ | |
| DOC_ROOT = "DocRoot" | |
| CODES = {"200": "OK", | |
| "304": "NOT MODIFIED", | |
| "400": "BAD REQUEST", "401": "UNAUTHORIZED", "403": "FORBIDDEN", "404": "NOT FOUND", | |
| "500": "INTERNAL SERVER ERROR"} | |
| MIMES = {"txt": "text/plain", "css":"text/css", "html":"text/html", "png": "image/png", "jpg":"image/jpg", | |
| "ttf":"application/octet-stream","otf":"application/octet-stream", "woff":"font/woff", "woff2": "font/woff2", | |
| "js":"application/javascript","gz":"application/zip", "py":"text/plain", "map": "application/octet-stream"} | |
| class Response: | |
| def __init__(self, **kwargs): | |
| self.__dict__.update(kwargs) | |
| now = datetime.now() | |
| self.dateSent = self.modified = now.strftime("%a, %d %b %Y %H:%M:%S") | |
| def stringResponse(self): | |
| return respTemplate.format(**self.__dict__) | |
| class Request: | |
| def __init__(self, request): | |
| self.good = True | |
| try: | |
| request = self.parseRequest(request) | |
| self.method = request["method"] | |
| self.doc = request["doc"] | |
| self.vers = request["vers"] | |
| self.header = request["header"] | |
| self.body = request["body"] | |
| except: | |
| self.good = False | |
| def parseRequest(self, request): | |
| req = request.strip("\r").split("\n") | |
| method,doc,vers = req[0].split(" ") | |
| header = req[1:-3] | |
| body = req[-1] | |
| headerDict = {} | |
| for param in header: | |
| pos = param.find(": ") | |
| key, val = param[:pos], param[pos+2:] | |
| headerDict.update({key: val}) | |
| return {"method": method, "doc": doc, "vers": vers, "header": headerDict, "body": body} | |
| class Server: | |
| def __init__(self, host, port): | |
| self.host = host | |
| self.port = port | |
| self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) | |
| self.sock.bind((self.host, self.port)) | |
| def listen(self): | |
| self.sock.listen(5) | |
| while True: | |
| client, address = self.sock.accept() | |
| client.settimeout(60) | |
| threading.Thread(target = self.listenToClient,args = (client,address)).start() | |
| def listenToClient(self, client, address): | |
| size = 1024 | |
| while True: | |
| try: | |
| data = client.recv(size) | |
| if data: | |
| # Set the response to echo back the recieved data | |
| req = Request(data.decode()) | |
| self.handleRequest(req, client, address) | |
| client.shutdown() | |
| client.close() | |
| else: | |
| raise error('Client disconnected') | |
| except: | |
| client.close() | |
| return False | |
| def handleRequest(self, request, conn, address): | |
| if request.good: | |
| # try: | |
| # print(str(request.method) + " " + str(request.doc), end=' ') | |
| # print("from {0}".format(address[0])) | |
| # except Exception as e: | |
| # print(e) | |
| document = self.serveDoc(request.doc, DOC_ROOT) | |
| statusNum=document["status"] | |
| else: | |
| document = self.serveDoc("/errors/400.html", DOC_ROOT) | |
| statusNum="400" | |
| body = document["body"] | |
| statusCode=CODES[statusNum] | |
| dateSent = "" | |
| server = "BadHTTPServer" | |
| modified = "" | |
| length = len(body) | |
| contentType = document["mime"] # Try and identify MIME type from string | |
| connectionType = "Closed" | |
| resp = Response( | |
| statusNum=statusNum, statusCode=statusCode, | |
| dateSent = dateSent, server = server, | |
| modified = modified, length = length, | |
| contentType = contentType, connectionType = connectionType, | |
| body = body | |
| ) | |
| data = resp.stringResponse() | |
| if not data: | |
| return -1 | |
| conn.send(data.encode()) | |
| return 0 | |
| def serveDoc(self, path, docRoot): | |
| path = urllib.parse.unquote(path) | |
| try: | |
| info = "output = 'Document: {}'" # Keep the output for later debug | |
| exec(info.format(path)) # This is how you do string formatting, right? | |
| print(info.format(path)) | |
| cwd = os.path.dirname(os.path.realpath(__file__)) | |
| docRoot = os.path.join(cwd, docRoot) | |
| if path == "/": | |
| path = "/index.html" | |
| requested = os.path.join(docRoot, path[1:]) | |
| if os.path.isfile(requested): | |
| mime = mimetypes.guess_type(requested) | |
| mime = (mime if mime[0] != None else "text/html") | |
| mime = MIMES[requested.split(".")[-1]] | |
| try: | |
| with open(requested, "r") as f: | |
| data = f.read() | |
| except: | |
| with open(requested, "rb") as f: | |
| data = f.read() | |
| status = "200" | |
| else: | |
| errorPage = os.path.join(docRoot, "errors", "404.html") | |
| mime = "text/html" | |
| with open(errorPage, "r") as f: | |
| data = f.read().format(path) | |
| status = "404" | |
| except Exception as e: | |
| print(e) | |
| errorPage = os.path.join(docRoot, "errors", "500.html") | |
| mime = "text/html" | |
| with open(errorPage, "r") as f: | |
| data = f.read() | |
| status = "500" | |
| return {"body": data, "mime": mime, "status": status} | |
| serv = Server('127.0.0.1', 7777) | |
| serv.listen() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment