Home

Awesome

RedFile

A flask wsgi application that serves files with intelligence, good for serving conditional RedTeam payloads.

quickest start

git clone https://github.com/outflanknl/RedFile
cd RedFile
docker-compose up

(or add -d to run without logging to console)

running code

get a browser and point to:

http://127.0.0.1:8001/test1/one/two?three=drie

This will launch module 'agent', the code for that module can be found on RedFile/code/m/test1/__init__.py

This example returns the request information and the agent information in a json. note the 'agent' field coming from the incoming function call, all other details can be obtained from the flask request object

happy coding

daystart

have a look at the dstart module: http://127.0.0.1:8001/daystart/one/two?three=drie This will serve a payload X times at the start of the day and thereafter serve empty.txt This allows for a stealhy persistence.

Not that at the end of the init function a request call can be made to another webserver for logging purposes. Storage of the state is done in data.shelve

keyer

keyer will serve unique contect for a certain key. The key is a string appended with an md5 of "that first half string + a secret". this means new keys can be generated on the fly and will be valid as often ad you want.

example: http://127.0.0.1:8001/keyer/7103f096074271321c6cebd743ac8d9b5b6b52d65f7e16a8a08a33570275a750/

onePerUser

Now next level, if you can build a payload that will include the username in the call have a look at:

http://127.0.0.1:18080/onePerUser/?u=John
http://127.0.0.1:18080/onePerUser/?u=Alice
http://127.0.0.1:18080/onePerUser/?u=NotExisting

You will see that john.txt and alice.txt get served once, notextist.txt isn't available so error.txt will be served once there. All calls after that point will serve 'default.txt'.

Consider a cronjob that deletes data.shelve every night to have a select group of users being served a payload once a day :)

OPSEC

ofcourse, this is proof of concept code. Consider using a proxy like haproxy to rewrite calls and have them end up at the correct module, also consider building encryption of obfuscation on the url and parameter.