#!/usr/bin/env python3
""" The remote bastion for the sensor. Used to control the osquery on the target. Opens a web command shell.
This is not meant to be secure and MUST NOT be used in a production environment. As we use this in a hacking lab this
is reasonable.
Test with curl:
curl -X POST -F 'command=test' localhost:6666/osquery
Example query to send as the command value: select timestamp from time
"""
from flask import Flask, jsonify, request
import osquery
# TODO: Create a proper tool out of it
# TODO: Start osqueryi with proper parameters
# TODO: On the controller side: Find a collection of queries to get the system state
# TODO: Interesting tables: appcompat_shims, authenticode, autoexec, certificates, etc_hosts, logged_in_users
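# Unix socket of the osquery extension manager this bastion talks to.
# Hard-coded for the lab VM image; change it here when the target is provisioned differently.
OSQUERY_SOCKET = '/home/vagrant/test.sock'

app = Flask(__name__)

# One client, opened at import time and shared by every request. There is no
# reconnect logic here, so presumably a restarted osqueryd requires restarting
# this process as well — confirm against the osquery client behaviour.
osquery_instance = osquery.ExtensionClient(OSQUERY_SOCKET)
osquery_instance.open()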
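@app.route("/osquery", methods=['POST'])
def api():
    """Run the posted osquery SQL on this host and return the rows as JSON.

    Reads the ``command`` field of the POST form, passes it verbatim to the
    module-level osquery extension client and answers with
    ``{"command": <sql>, "result": <rows>}``.

    There is no authentication and no query allow-list: anyone who can reach
    the port can run any osquery query on this host. That is the documented
    intent of this lab tool (see the module docstring) and the reason it must
    never be reachable from outside the lab network.

    Returns:
        A JSON response. A missing or blank ``command`` field yields
        ``{"error": ...}`` with HTTP status 400 instead of a query attempt.
        Errors raised by the osquery client propagate and surface as a
        Flask 500 response.
    """
    # The route only admits POST, so a method check inside the body is
    # unreachable and has been dropped.
    command = request.form.get("command", "")
    if not command.strip():
        # A missing field used to surface as Werkzeug's generic 400 page;
        # answer in JSON so scripted callers get a parseable error instead.
        return jsonify({"error": "missing form field 'command'"}), 400
    data = {"command": command}
    client = osquery_instance.extension_client()
    data["result"] = client.query(command).response
    return jsonify(data)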
if __name__ == "__main__":
    # Lab-only entry point: the bastion runs on target hosts that are already
    # compromised as part of the exercise. Binding every interface without any
    # authentication is deliberate here and unacceptable anywhere else.
    bind_host = '0.0.0.0'
    bind_port = 6666
    app.run(host=bind_host, port=bind_port)  # nosec