A few weeks ago, I released this tool, I had been working on for days. When I was playing an HTB box, this idea came to my mind. what would you do if you wanted to share something from your machine to the HTB box? python2/python3 HTTP server, maybe PHP HTTP server, netcat, or if you are something of a scientist yourself SMB or FTP. well, there are many ways to do that. But I just wanted to combine TCP RAW requests and HTTP requests together. I wanted to create something that would accept HTTP as well as a TCP RAW request and will act accordingly. That’s what exactly Loki does. You can form an HTTP request using curl or you can use the netcat to create a RAW TCP request.
You can read its structure from server.h
and you can even change the values according to you if you are compiling it on your system. I would also recommend it since it is all up to you, cause you only know the size of the file you want to transfer.
Everything is described here about the function, what it does and what it takes as arguments to work.
void serve(void* client_st); // Capture the request & serve according to that request.
int checker(struct SERVE_THREAD THREAD); // check if we are able to fulfil the request (HTTP/ RAW).
int listener(int port); // listener for incoming connections.
void free_mem(char *pointer, long long int l); //free the heap
int file_exists(char* request); // checks if we are able to fulfill the request
int http_send(int client_sock, char* request); // serve to http clients like curl, wget etc
int raw_send(int client_sock, char* request); // serve the raw TCP requests from netcat, telnet etc
int input_validate(char* request); // checks if the request is malicious
void my_log(char* input, int x);
You can change the first 5 macros according to you. You can change the REQUEST_LEN value to a larger number, in case your file name is more than 1000 chars. You can change the MAX_THREADS value if you want to handle more or fewer requests. changing FILE_CONTENT_SIZE would let you share large files. PORT can be defined here which is a default value or you can supply it as an argument. INPUT_VALIDATION if this is enabled you won’t have full file system access to the system or you can say that file inclusion won’t be possible here. But you can take advantage of this since it is us who are using it and we can start the server in any directory and access any directory of the system.
You can simply download the binary from the release of Loki’s Repo. I have not tested this on Windows, so there is tenee-tiny chance that the compilation of Loki may not work on Windows. But you can give it a try. But It should work on Linux. To compile this on your Linux you can do make
git clone https://github.com/luckythandel/loki.git
cd loki
make
Everything is perfect if you don’t get any error while compilation, but raise an issue on GitHub so that I might resolve it. We can execute the binary which is stored in ./bin directory. And we will use wget and netcat as clients. For demonstration purposes, I have a flag file at /root and I will try to download it.
I supplied //root/flag as the endpoint because the INPUT_SANITIZATION is disabled and I can access the whole system. I can do the same thing with netcat.
This is pretty cool, right? I have made a checker function which checks if the requesting data is HTTP or just TCP. It checks if it is a GET request, if so then a function is defined to send packets as a web server would but there is one thing missing. Have you ever seen how IDM (internet download manager) works? It downloads a file in multiple segments. Well, Loki is not able to achieve it yet. I thought about it, it was a little complex to implement. But I may soon implement it. If the request seems not to be HTTP then it runs a function which sends back data from the file in RAW TCP packets.
I have also implemented an auditing function which keeps track of all incoming requests which you can later take a look upon.
It checks whether the file exists on the system or not and also checks for a malicious payload in the request (INPUT_SANITIZATION=1). Then log every entry in a file `requests.log` in the current directory.