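// Requirements:
//   json.src, saved into {home_dir}/src/includes/
//   (the required includes should also be on the github)
// import_code does not accept the home_dir variable, so edit the literal path below to match your own home dir.
// NOTE(review): whatever file sits at this path is compiled into the program, so make sure it is the json.src you meant to include.
import_code("/home/salmon/src/includes/json.src")

// Program version output (printed for -v / --version)
version_output = "
//////////////////////////////////////
// Simple autohack by 5n4k3 //
// Modifications by Salmon85 //
//////////////////////////////////////
// Version: <color=#70FF70>1.0</color> //
// //
// Changes //
// Added colour to the output so //
// that you can see <color=#A50000><b>root</b></color> easier. //
// //
// Added a cache for the exploits //
// so that you don't need to scan //
// the libs every time for exploits //
//////////////////////////////////////
5n4k3 = https://github.com/psimonson
Salmon85 = https://github.com/salmon85
"

// Program usage output.
// The flag names shown here have to match the literals the argument handling compares against
// ("--setup-server" and "--setup-server-remote"); the original text advertised a misspelled
// "--serup-server-remote", which the script never accepts.
usage_output = "
Usage: " + program_path.split("/")[-1] + " [address] [port] [(opt) lanip/password]
[--setup-server] for configuring the cache server (must be ran on the server and requires root)
[--setup-server-remote] for configuring the remote cache server (run on your machine, cache server needs ssh setting up and root access)"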
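// ************************************************************
// Runtime state for the optional remote exploit cache.
// These are placeholders that CreateCache / SetupCache overwrite at run time.
// Do not touch unless you know what you're doing.
globals.Cacheusername = ""
// Kept in memory only: the config written to disk is built from CacheConfig, which has no password field
globals.Cachepassword = ""
globals.Cacheaddr = ""
globals.Cacheport = 22
// Cacheuse: consult the remote cache before scanning; UsedCache: set once a cache entry was actually used;
// Cacheadmin: this client is allowed to push new scan results to the cache server
globals.Cacheuse = false
globals.UsedCache = false
globals.Cacheadmin = false
globals.pc = get_shell.host_computer
globals.pc_shell = get_shell
// cache_config is derived from cache_folder, so the order of these two lines matters
globals.cache_folder = home_dir + "/Config/hackcache"
globals.cache_config = cache_folder + "/config.txt"
CacheConfig = {}
// ************************************************************

// Load metaxploit from /lib first, then from the directory the program lives in
mx = include_lib("/lib/metaxploit.so")
if not mx then
    mx = include_lib(parent_path(program_path) + "/metaxploit.so")
end if
if not mx then
    exit("Cannot find metaxploit.so in /lib/ or current directory")
end if

// Guard on params.len: indexing params[0] when the program is started without
// arguments raises an index error before the usage text can be shown.
if params.len > 0 and (params[0] == "-v" or params[0] == "--version") then
    exit(version_output)
end if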
// Start of Functions
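// Checks whether the cache folder on the cache server is usable by the account we connected with.
// repo: shell for the cache server (as returned by connect_service).
// Returns true when /home/ftpguest/hackcache is readable, false otherwise.
TestRepo = function(repo)
    cache_dir = repo.host_computer.File("/home/ftpguest/hackcache")
    // File() gives null for a path that does not exist; the original called
    // has_permission on it unconditionally and crashed on a server without the folder.
    if not cache_dir then
        print("Unable to read the test file on the server. Make sure there is a file called test in /home/ftpguest/hackcache/")
        return false
    end if
    write_access = cache_dir.has_permission("w")
    read_access = cache_dir.has_permission("r")
    wait(1)
    if write_access then
        // A cache folder that the shared account can write to means any user of that
        // account can replace cached scan results that other clients will then trust.
        print("<color=#FF1010>WARNING:</color> account has write access, you should fix this and retry")
    end if
    if read_access then return true
    print("Unable to read the test file on the server. Make sure there is a file called test in /home/ftpguest/hackcache/")
    return false
end function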
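// Writes the current CacheConfig map to the local config file as JSON.
// Creates the hackcache folder first when it is missing, and exits with a message
// instead of dereferencing null when the file cannot be created.
_WriteCacheConfig = function()
    if not pc.File(cache_folder) then
        pc.create_folder(home_dir + "/Config", "hackcache")
    end if
    pc.touch(cache_folder + "/", "config.txt")
    config_file = pc.File(cache_config)
    if not config_file then
        exit("Unable to create " + cache_config)
    end if
    z = config_file.set_content(toJSON(CacheConfig))
end function

// First-run wizard: asks whether to use the remote cache, collects the cache
// server address, verifies the connection and saves the resulting config.
// Fills the global CacheConfig map and the Cache* globals; returns nothing.
// The password is only placed in globals.Cachepassword, never in the saved config.
CreateCache = function()
    CacheConfig.usecache = false
    CacheConfig.admin = false
    CacheConfig.server = {}
    CacheConfig.server.ip = "127.0.0.1"
    CacheConfig.server.port = 22
    CacheConfig.server.username = "ftpguest"
    print("\nCache config not found\n")
    first_time = user_input("Do you want to use the remote cache feature?\nY/N : ")
    if first_time.lower == "n" or first_time.lower == "no" then
        _WriteCacheConfig
        return
    end if
    CacheConfig.usecache = true
    // Kept so the global the original defined still exists; the loop below uses a local flag
    globals.CacheServer = false
    print("
Are you an admin on the cache server?
WARNING: you do not want to do this on a server you don't own
since the cache server could be used to sniff your credentials
this script will not store your password anywhere on the system
so the only way you can lose credentials is if the cache server is
compromised
")
    we_admin = user_input("Are we wanting Admin mode?\nY/N : ")
    if we_admin.lower == "y" or we_admin.lower == "yes" then
        CacheConfig.admin = true
    end if
    configured = false
    while not configured
        cache_server = user_input("IP:Port of the cache ssh server\nIP:port : ")
        parts = cache_server.split(":")
        // Re-prompt on anything that is not host:number. The original stored whatever
        // to_int returned, including the unconverted string for a non-numeric port.
        if parts.len < 2 or parts[0] == "" then continue
        port = parts[1].to_int
        if typeof(port) != "number" then continue
        CacheConfig.server.ip = parts[0]
        CacheConfig.server.port = port
        globals.Cacheaddr = CacheConfig.server.ip
        globals.Cacheport = CacheConfig.server.port
        if CacheConfig.admin then
            print("<color=#FF0000>WARNING:</color> admin mode is active, this is meant only for populating the cache server")
            print("if you dont want to use this, disable it in the source and recompile")
            print("to continue enter your root password on the cache server\n")
            CacheConfig.server.username = "root"
            globals.Cacheusername = CacheConfig.server.username
            globals.Cachepassword = user_input("Password : ", true)
        else
            // The shared guest account uses its own name as password by design, so the
            // cache server's protection rests on its file permissions, not on this secret.
            globals.Cacheusername = CacheConfig.server.username
            globals.Cachepassword = CacheConfig.server.username
        end if
        repo_shell = get_shell.connect_service(Cacheaddr, Cacheport, Cacheusername, Cachepassword, "ssh")
        wait(1)
        // Only a real shell counts as success: a failed connect can hand back a
        // non-shell value, and a non-empty error string would pass a plain truth test.
        if typeof(repo_shell) != "shell" then
            print("Unable to connect to the cache server, please try again")
            continue
        end if
        clear_screen
        if CacheConfig.admin then
            print("connection made... skipping tests because admin mode")
            testrepo = true
        else
            print("connection made... testing permissions")
            testrepo = TestRepo(repo_shell)
        end if
        wait(1)
        if testrepo then
            configured = true
            // The original only created the hackcache folder on the "no cache" path,
            // so saving here failed on a fresh install; the helper creates it when needed.
            _WriteCacheConfig
        end if
    end while
end function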
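// Loads the saved cache config and copies it into the Cache* globals.
// In admin mode the root password is asked for on every run (it is never saved);
// otherwise the shared account's name doubles as its password.
// Exits with a message when the config file is missing, empty or not a usable map.
SetupCache = function()
    config_file = pc.File(cache_config)
    // File() returns null for a missing path; check before reading from it
    if not config_file then exit("missing config file for some reason")
    z = config_file.get_content
    if not z then exit("missing config file for some reason")
    // Assigning inside the function binds a local CacheConfig; the values are
    // published through the globals below rather than through the global map.
    CacheConfig = parse(z)
    if typeof(CacheConfig) != "map" or not CacheConfig.hasIndex("server") then
        exit("cache config is unreadable, delete " + cache_config + " and run again")
    end if
    globals.Cacheaddr = CacheConfig.server.ip
    globals.Cacheport = CacheConfig.server.port
    globals.Cacheusername = CacheConfig.server.username
    if CacheConfig.admin then
        globals.Cachepassword = user_input("Admin mode: enter root password :\n : ", true)
    else
        globals.Cachepassword = Cacheusername
    end if
    globals.Cacheuse = CacheConfig.usecache
    globals.Cacheadmin = CacheConfig.admin
end function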
// Resolves a shell, computer or file object to the root folder ("/") of the
// machine it belongs to. Any other type yields null.
ToFile = function(anyObject)
    kind = typeof(anyObject)
    if kind == "shell" then return anyObject.host_computer.File("/")
    if kind == "computer" then return anyObject.File("/")
    if kind != "file" then return null
    // For a file handle, climb the parent chain until the top is reached
    node = anyObject
    while node.parent
        node = node.parent
    end while
    return node
end function
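// Works out which account an obtained object effectively runs as, judged by
// read/write/execute permission on the home folders it can see.
// Returns the coloured "root" label when /root is fully accessible, otherwise the
// name of the first non-guest folder under /home that is fully accessible,
// otherwise the coloured "guest" label.
CheckUser = function(anyObject)
    guestLabel = "<color=#6699ff><b>guest</b></color>"
    rootFolder = ToFile(anyObject)
    // ToFile returns null for unsupported types; treat that as the lowest privilege
    if not rootFolder then return guestLabel
    for folder in rootFolder.get_folders
        if folder.name == "root" then
            if folder.has_permission("r") and folder.has_permission("w") and folder.has_permission("x") then
                return "<color=#A50000><b>root</b></color>"
            end if
            break
        end if
    end for
    for folder in rootFolder.get_folders
        if folder.name != "home" then continue
        // Walk the children of /home. The original iterated the children of "/" here
        // and left the loop after the first entry, so real user folders were never examined.
        for userFolder in folder.get_folders
            if userFolder.name == "guest" then continue
            if userFolder.has_permission("r") and userFolder.has_permission("w") and userFolder.has_permission("x") then
                return userFolder.name
            end if
        end for
        break
    end for
    return guestLabel
end function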
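// Looks up a cached scan result for the library described by ret (ret.name, ret.version)
// on the cache server.
// Returns the parsed map on a usable hit (and sets globals.UsedCache), false otherwise,
// so the caller falls back to scanning the library itself.
GetCache = function(ret)
    repo = get_shell.connect_service(Cacheaddr, Cacheport, Cacheusername, Cachepassword, "ssh")
    // A failed connect does not give a shell back; the original dereferenced the result anyway
    if typeof(repo) != "shell" then return false
    a = repo.host_computer.File("/home/ftpguest/hackcache/" + ret.name + "-" + ret.version)
    if not a then return false
    content = a.get_content
    if not content then return false
    z = parse(content)
    if typeof(z) != "map" then return false
    // The entry comes from a shared server, so accept it only in the shape the rest of
    // the program relies on: a memorys map, and the same library identity when recorded.
    if not z.hasIndex("memorys") or typeof(z.memorys) != "map" then return false
    if z.hasIndex("name") and z.name != ret.name then return false
    if z.hasIndex("version") and z.version != ret.version then return false
    globals.UsedCache = true
    return z
end function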
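// Stores a scan result on the cache server as JSON, in a file named <lib name>-<lib version>.
// An existing entry is overwritten in place; a new entry is created, made
// non-writable for "other" and handed to root so the shared account can only read it.
// Returns nothing; problems are reported with print and the update is skipped.
UpdateCache = function(ret)
    ret_json = toJSON(ret)
    repo = get_shell.connect_service(Cacheaddr, Cacheport, Cacheusername, Cachepassword, "ssh")
    // A failed connect does not give a shell back; the original dereferenced the result anyway
    if typeof(repo) != "shell" then
        print("Unable to connect to the cache server, cache not updated")
        return
    end if
    cache_dir = "/home/ftpguest/hackcache/"
    entry_name = ret.name + "-" + ret.version
    a = repo.host_computer.File(cache_dir + entry_name)
    if a then
        z = a.set_content(ret_json)
        return
    end if
    b = repo.host_computer.touch(cache_dir, entry_name)
    a = repo.host_computer.File(cache_dir + entry_name)
    // touch can fail (for example on missing permissions), leaving nothing to write to
    if not a then
        print("Unable to create the cache entry " + entry_name + ", cache not updated")
        return
    end if
    z = a.set_content(ret_json)
    zz = a.chmod("o-w")
    zz = a.chmod("o+rx")
    zz = a.set_owner("root")
    zz = a.set_group("root")
end function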
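// Collects the unsafe values reported for every memory address of a library.
// metalib: the library object to analyse; metax: the metaxploit object used for scanning.
// Returns a map with name, version and memorys (address -> list of values), taken
// from the remote cache when enabled and available, otherwise scanned locally.
// Returns null when an argument is missing or the scan does not yield a list.
ScanLib = function(metalib = null, metax = null)
    if not metalib then return null
    if not metax then return null
    ret = {}
    ret.name = metalib.lib_name
    ret.version = metalib.version
    if Cacheuse == true then
        // GetCache returns false on a miss, which triggers the local scan below
        ret = GetCache(ret)
    end if
    if ret == false or Cacheuse == false then
        ret = {}
        ret.name = metalib.lib_name
        ret.version = metalib.version
        ret.memorys = {}
        memorys = metax.scan(metalib)
        if typeof(memorys) != "list" then
            return null
        end if
        for memory in memorys
            ret.memorys[memory] = []
            // Use the metax argument throughout; the original switched to the global mx here
            report = metax.scan_address(metalib, memory)
            if not report then continue
            data = report.split("Unsafe check: ").replace(char(10), "")
            for line in data
                // The first segment is the text before the first finding
                if line == data[0] then continue
                start = line.indexOf("<b>")
                stop = line.indexOf("</b>")
                // Skip segments without the markers instead of slicing with a null index
                if start == null or stop == null then continue
                value = line[start + 3 : stop]
                ret.memorys[memory].push(value)
            end for
        end for
    end if
    // Only an admin client that had to scan for itself pushes the result to the cache
    if Cacheadmin == true and Cacheuse == true and UsedCache == false then
        UpdateCache(ret)
    end if
    return ret
end function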
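// Installs and locks down the cache server.
// remote: true  -> connect to the server over ssh as root and configure it from here;
//         false -> configure the machine this script runs on (needs root, installs the ssh service).
// Creates the shared ftpguest account and /home/ftpguest/hackcache, removes all "other"
// permissions from the whole filesystem and then re-grants read/execute on /home/ftpguest.
// Always ends the program via exit.
SetupCacheServer = function(remote)
    clear_screen
    print("
*************************************************************
* ___ _ ___ *
* / __|__ _ __| |_ ___ / __| ___ _ ___ _____ _ _ *
* | (__/ _` / _| ' \/ -_) \__ \/ -_) '_\ V / -_) '_| *
* \___\__,_\__|_||_\___| |___/\___|_| \_/\___|_| *
* |_ _|_ _ __| |_ __ _| | |__ _| |_(_)___ _ _ *
* | || ' \(_-< _/ _` | | / _` | _| / _ \ ' \ *
* |___|_||_/__/\__\__,_|_|_\__,_|\__|_\___/_||_| *
* *
*************************************************************
Disclaimer:
This is meant for setting up the cache server (the server
that holds the cache files that is accessed remotely)
")
    if remote then
        print("You are running this in remote setup mode. This expects your target server to have an ssh open and you using the root login
If you don't want to do a remote setup, close the script and re-run with --setup-server for local install.
")
    else
        // The original text said "remote setup" here although this is the local mode
        print("You are running this in local setup mode. This expects that you have root access
If you don't want to do a local setup, close the script and re-run with --setup-server-remote for remote install.")
    end if
    proceed = user_input("Do you wish to proceed?\n[Y/N]: ")
    if proceed.lower == "n" or proceed.lower == "no" then
        exit
    end if
    clear_screen
    if remote then
        cache_server = user_input("IP:Port of the cache ssh server\nIP:port : ")
        a = cache_server.split(":")
        // Stop on malformed input; the original silently fell back to the empty
        // global address and then crashed on the failed connection.
        if a.len < 2 or a[0] == "" or typeof(a[1].to_int) != "number" then
            exit("Expected the cache server as IP:port")
        end if
        Cacheaddr = a[0]
        Cacheport = a[1].to_int
        Cacheusername = "root"
        Cachepassword = user_input("Script only runs as root, please enter root password\n : ", true)
        server_shell = get_shell.connect_service(Cacheaddr, Cacheport, Cacheusername, Cachepassword, "ssh")
        if typeof(server_shell) != "shell" then
            exit("Unable to connect to the cache server as root")
        end if
        server = server_shell.host_computer
    else
        if active_user == "root" then
            server_shell = get_shell
        else
            root_pw = user_input("Script only runs as root, please enter root password\n : ", true)
            server_shell = get_shell("root", root_pw)
            // A wrong password gives no shell back
            if typeof(server_shell) != "shell" then
                exit("Unable to get a root shell, check the password and run again")
            end if
        end if
        server = server_shell.host_computer
        sshd = include_lib("/lib/libssh.so")
        if not sshd then
            // launch is a shell operation; the original called it on the computer object
            server_shell.launch("/bin/apt-get", "update")
            server_shell.launch("/bin/apt-get", "install libssh.so")
            sshd = include_lib("/lib/libssh.so")
        end if
        if not sshd then
            exit("Unable to load /lib/libssh.so")
        end if
        z = sshd.install_service
        if z != true then
            exit(z)
        end if
        print("ssh server installed, setting up ftpguest account")
    end if
    // NOTE(review): the shared account's password equals its name, and clients rely on
    // that, so access control on this server depends entirely on the permissions set below.
    account = server.create_user("ftpguest", "ftpguest")
    if account == "Error: can't create user. ftpguest already exists." then
        server.change_password("ftpguest", "ftpguest")
    end if
    print("securing the server")
    server_root = server.File("/")
    server_home = server.File("/home/ftpguest/")
    // Recursively strip every "other" permission first, then open up only /home/ftpguest
    z = server_root.chmod("o-rwx", true)
    if not server_home then
        z = server.create_folder("/home/", "ftpguest")
        if not z then
            exit(z)
        end if
        server_home = server.File("/home/ftpguest/")
        if not server_home then
            exit("Unable to create /home/ftpguest/")
        end if
    end if
    z = server.create_folder("/home/ftpguest/", "hackcache")
    z = server_home.chmod("o+rx", true)
    z = server_home.set_owner("root", true)
    z = server_home.set_group("root", true)
    clear_screen
    exit("
server should be configured and secured.
The ftpguest account only has access to the /home/ftpguest with read and execute permissions.
The guest account has had it's access removed from every other file and folder on the system.
If this server is used for anything else, you may need to fix some permissions.
")
end function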
// End of Functions
// Argument dispatch: a single argument may select one of the cache-server setup
// modes; anything that is not "address port [extra]" prints the usage text.
if params.len == 1 then
    if params[0] == "--setup-server" then SetupCacheServer(false)
    if params[0] == "--setup-server-remote" then SetupCacheServer(true)
end if
wrong_count = params.len < 2 or params.len > 3
if wrong_count or params[0] == "-h" or params[0] == "--help" then exit(usage_output)
// The meat of the program starts here
// Make sure a cache config exists (first run creates it), then load it
if not pc.File(cache_config) then CreateCache
SetupCache()
wait(1)

// First argument: an IP address, or a name that nslookup can resolve to one
targetIP = params[0]
if not is_valid_ip(targetIP) then
    targetIP = nslookup(targetIP)
    if not is_valid_ip(targetIP) then exit("IP address invalid.")
end if

// Second argument: numeric port within 0-65535
targetPort = params[1].to_int
if typeof(targetPort) != "number" then exit("Port needs to be a number.")
if not (targetPort >= 0 and targetPort <= 65535) then exit("Port range is 0-65535.")

// Optional third argument is handed to the overflow call as-is
if params.len > 2 then injectArg = params[2] else injectArg = ""

ns = mx.net_use(targetIP, targetPort)
if not ns then exit("Cannot connect to net session.")
lib = ns.dump_lib
if not lib then exit("Cannot dump library.")
// Scans for remote exploits.
print()
exploits = ScanLib(lib, mx)
if not exploits then exit

// Use exploits in auto hack.
// Every address/value pair is tried; only results that are a shell, a computer
// or a file are kept for the selection menu.
objects = []
usable_types = ["shell", "computer", "file"]
for memory in exploits.memorys
    for value in memory.value
        result = lib.overflow(memory.key, value, injectArg)
        if usable_types.indexOf(typeof(result)) != null then objects.push(result)
    end for
end for
if objects.len == 0 then exit("No shells found.")
// Selection menu: list every obtained object with its type and effective user,
// and keep asking until a valid ID is entered. Non-numeric input ends the program.
option = 0
while option <= 0 or option > objects.len
    info = "ID TYPE USER"
    i = 1
    for object in objects
        kind = typeof(object)
        // Shells are shown in red, everything else in blue
        if kind == "shell" then tint = "#A50000" else tint = "#6699ff"
        info = info + "\n" + str(i) + "<color=" + tint + "><b> " + kind + " </b></color>" + CheckUser(object)
        i = i + 1
    end for
    print(format_columns(info) + "\n")
    option = user_input("Enter ID: ").to_int
    if typeof(option) != "number" then exit("Option ID out of range.")
end while
// Defensive re-check of the range the loop already enforces
if not (option > 0 and option <= objects.len) then exit("Option ID out of range.")
object = objects[option - 1]
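// Prints the content of every readable file named fileName inside configFolder.
// Does nothing when configFolder is null (no Config folder was found).
PrintConfigFile = function(configFolder, fileName)
    if not configFolder then return
    for file in configFolder.get_files
        if not file.has_permission("r") then continue
        if file.name == fileName then print(file.get_content)
    end for
end function

// Returns the Config folder of a non-guest user below homeFolder, or null when
// there is none. As in the original loops, the last match wins.
FindUserConfig = function(homeFolder)
    found = null
    for userFolder in homeFolder.get_folders
        if userFolder.name == "guest" then continue
        for configFolder in userFolder.get_folders
            if configFolder.name == "Config" then
                found = configFolder
                break
            end if
        end for
    end for
    return found
end function

// Act on the selected object according to its type
if typeof(object) == "shell" then
    object.start_terminal
else if typeof(object) == "computer" then
    homeFolder = object.File("/home")
    if not homeFolder then
        exit("Cannot find home directory.")
    end if
    result = FindUserConfig(homeFolder)
    file = object.File("/etc/passwd")
    if file != null and file.has_permission("r") then
        print("Password file:\n" + file.get_content)
    end if
    // result may be null; the original called get_files on it unconditionally
    print("Mail Accounts:")
    PrintConfigFile(result, "Mail.txt")
    print("Bank Accounts:")
    PrintConfigFile(result, "Bank.txt")
else if typeof(object) == "file" then
    // Climb from the obtained file to the filesystem root
    rootFolder = object
    while rootFolder.parent
        rootFolder = rootFolder.parent
    end while
    result = null
    filePasswd = null
    for folder in rootFolder.get_folders
        if folder.name == "home" then
            result = FindUserConfig(folder)
        end if
        if folder.name == "etc" then
            // Pick the file by name, consistent with the computer branch; the original
            // took whichever file happened to be listed first in /etc.
            for file in folder.get_files
                if file.name == "passwd" then
                    filePasswd = file
                    break
                end if
            end for
        end if
    end for
    if filePasswd != null and filePasswd.has_permission("r") then
        print("Passwords:\n" + filePasswd.get_content + "\n")
    end if
    // result may be null; the original called get_files on it unconditionally
    print("Mail Accounts:")
    PrintConfigFile(result, "Mail.txt")
    print("Bank Accounts:")
    PrintConfigFile(result, "Bank.txt")
end if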