1

U n i v e r s i t y o f T r e n t o , I t a l y F e b 2 0 , 2 0 1 6

Report submitted in Partial Fulfillment of the Course

Offensive Technologies

Università degli Studi di Trento Master of Science in Computer Science

EIT Digital Master of Science in Security and Privacy https://securitylab.disi.unitn.it/doku.php?id=course_on_offensive_technolog

ies

AmitGupta

CodeanalysisofHackingTeam’sexploits

AliDavanian

2

TableofContents

Sl.No. Content PageNumber1 rcs-db-ext/PythonandRuby 32 core-win32 143 poc-x 204 References 25

3

1.rcs-db-ext/PythonandRubyPurposeofthecode:The rcs-db-ext repository is the soul of the HackingTeam’s RemoteControlSystem.Thisrepositorycontainsthebinaries,hugelibrariesandthird party libraries that form the foundation of the execution ofapplication.Therepositoryhas fourprimepackages– Java,nsis,pythonand ruby. Like the names suggest, each of these packages have thecontentsbasedonthelanguageofcode.Inthisanalysisreport,theprimefocusislaidonthepythonandtherubypackagesonly.TheprimepurposeofthecodebaseistosupportthefunctionalitiesoftheRCSwiththerequiredlibraryfunctions,3rdPartylibrariesandcompiledbinaries.Additionallytherearesomelibraries,whichhelpthedevelopertosetupthedevelopmentenvironmentandtheplay-environmenttoruntheRCS.We analyzed the code repository and dig-in for portions of the code,which seem interesting to us. Initiallywewent through theRCS adminand service manuals [1] to understand the features of the RCS anddevelopahighlevelpictureoftheapplication.Havingthatinmind,inthissectionthemotivewastounderstandhowtheRCSismakinguseof thelibraryfilesinthercs-dblibrary.Interestingportionsofthecode:Thissectiondemonstratesthesectionsofthesourcecode,thedirectorystructuresandthesnippets/libraryfunctions,whichseemtohavesignificantvaluetotheapplication.Therearetwoparts in which we have divided theinteresting codes/snippets observed intherepository:a. Pythonb. RubyFig01:Thedirectorystructureofrcs-db-ext

4

A. Python:

Inthissectionwetakeintoconsideration,thesourcecodethatispresentinthepythonfolderonly.Atahighlevel,thepythonrepositorymostlycontainsthecompiledDLLequivalentfilesinthepydfileformat(binaries)andoff-the-shelflibraries.However,lookingdeeperintotherepositorywefoundsomeinterestingmethodsandlibraries.

Fig02:Thefolderstructureofrcs-db-ext/Python

Oneoftheinterestingsub-packagesinthePythonfolderisthescriptsfolderunderTools.ThisdirectorycontainsacollectionofexecutablePythonscripts thatareusefulwhilebuilding,extendingormanagingPython.

5

Fig03:DLLFilesinpythonpackage.

TheToolsdirectory[2]containsacollectionofexecutablePythonscripts that are useful while building, extending or managingPython.Thetablementionedbelowisalistofthefilesinthetoolsfolderandtheirhighleveldescription:

6

analyze_dxp.pyAnalyzestheresultofsys.getdxp()byext.pyPrintlines/words/charsstatsoffilesbyextensionbyteyears.pyPrintproductofafile'ssizeandagecheckappend.pySearchformulti-argument.append()callscheckpyc.pyCheckpresenceandvalidityof".pyc"filesclassfix.pyConvertoldclasssyntaxtonewcleanfuture.pyFixreduntantPython__future__statementscombinerefs.py A helper for analyzing PYTHONDUMPREFSoutput.copytime.pyCopyonefile'satimeandmtimetoanothercrlf.pyChangeCRLFlineendingstoLF(WindowstoUnix)cvsfiles.pyPrintalistoffilesthatareunderCVSdb2pickle.pyDumpadatabasefiletoapicklediff.pyPrintfilediffsincontext,unified,orndiffformatsdutree.pyFormatdu(1)outputasatreesortedbysizeeptags.pyCreateEmacsTAGSfileforPythonmodulesfind_recursionlimit.py Find the maximum recursion limit on thismachinefinddiv.pyAgrep-liketoolthatlooksfordivisionoperatorsfindlinksto.py Recursively find symbolic links to a given pathprefixfindnocoding.py Find source files which need an encodingdeclarationfixcid.pyMassiveidentifiersubstitutiononCsourcefilesfixdiv.pyTooltofixdivisionoperators.fixheader.pyAddsomecppmagictoaCincludefilefixnotice.pyFixthecopyrightnoticeinsourcefilesfixps.pyFixPythonscripts'firstline(if#!)ftpmirror.pyFTPmirrorscriptgoogle.pyOpenawebbrowserwithGooglegprof2html.pyTransformgprof(1)outputintousefulHTMLh2py.pyTranslate#define'sintoPythonassignmentshotshotmain.py Main program to run script under control ofhotshotidleMainprogramtostartIDLEifdef.pyRemove#if(n)defgroupsfromCsourceslfcr.pyChangeLFlineendingstoCRLF(UnixtoWindows)linktree.pyMakeacopyofatreewithlinkstooriginalfileslll.pyFindandlistsymboliclinksincurrentdirectorylogmerge.pyConsolidateCVS/RCSlogsreadfromstdinmailerdaemon.py parse errormessages frommailer daemons(Sjoerd&Jack)md5sum.pyPrintMD5checksumsofargumentfiles.methfix.pyFixoldmethodsyntaxdeff(self,(a1,...,aN)):mkreal.pyTurnasymboliclinkintoarealfileordirectory

7

ndiff.pyIntelligentdiffbetweentextfiles(TimPeters)nm2def.py Create a template for PC/python_nt.def (MarcLemburg)objgraph.pyPrintobjectgraphfromnmoutputonalibraryparseentities.pyUtilityforparsingHTMLentitydefinitionspathfix.pyChange#!/usr/local/bin/pythonintosomethingelsepdeps.pyPrintdependenciesbetweenPythonmodulespickle2db.py Load a pickle generated by db2pickle.py to adatabasepindent.pyIndentPythoncode,givingblock-closingcommentsptags.pyCreatevitagsfileforPythonmodulespydocPythondocumentationbrowser.pysource.pyFindPythonsourcefilesredemo.pyBasicregularexpressiondemonstrationfacilityreindent.pyChange.pyfilestouse4-spaceindents.rgrep.pyReversegrepthroughafile(usefulforbiglogfiles)serve.pySmallwsgiref-basedwebserver,usedinmakeserveinDocsetup.pyInstallallscriptslistedheresuff.pySortalistoffilesbysuffixsvneol.pySetssvn:eol-styleonallfilesindirectorytexcheck.py Validate Python LaTeX formatting (RaymondHettinger)texi2html.pyConvertGNUtexinfofilesintoHTMLtreesync.pySynchronizesourcetrees(veryideosyncratic)untabify.pyReplacetabswithspacesinargumentfileswhich.pyFindaprogramin$PATHxxci.pyWrapperforrcsdiffandci

Forthepurposeofdebugginganddevelopment.asymboliclinksym-link-rcs-common is suggested to be created. The symlink is createdfromthercs-commonrepository.

Apartfromthese,therearesomelibraryfunctionsandconfigurationscripts that support auxiliary features. Some of the files are the tcllibraries,easyinstallationscripts,compilersetc(referfigure04).

8

Fig04:libraryfunctionsinthepythondirectory.

9

B.Ruby:

Inthissection,wedescribetheinterestingportionsofthecodesintheRubydirectoryofthercs-db-extrepository.Westartwiththedirectorystructureofthefolder,whichmakesiteasiertocreateaperspectiveofthecodebaseonthereader’smind.

Fig05:Thefolderstructureofrcs-db-ext/Ruby

As is seen in this section of the code, the developed ruby applicationwasconfigured to export file formats “exe”, “.cmd”, “.bat” etc.which shows thatthe RCS application utilizing this library base targets the windows filesystem.

Fig06:therubylibraryisbuiltforsupportingwindowssystems.In

particulari386-mingw32/32bitWindowsOS.

10

Theruby/binoffersmultiplelibraryfileswhichsupportthedevelopmentandtoalargeextentthefeaturesofRemoteControlSystem.

bitcoin_dns_seedandbitcoin_dns_seed.bat

Bitcoin-rubyisarubylibraryforinteractingwiththebitcoinprotocol/network.Itcanparseandgenerateprotocolmessages,runbasicscripts,connecttootherpeersanddownloadandstoretheblockchain.IntheRCS,thisrubylibraryisusedtoimplementthebitcoinpaymentsolution.

bitcoin_guiandbitcoin_gui.bat

bitcoin_nodeandbitcoin_node.batbitcoin_node_cliand

bitcoin_node_cli.batbitcoin_shelland

bitcoin_shell.batbitcoin_walletand

bitcoin_wallet.batbundleandbundle.bat Bundlerprovidesaconsistent

environmentforRubyprojectsbytrackingandinstallingtheexactgemsandversionsthatareneeded.

bundlerandbundler.bat

coderayandcoderay.bat CodeRayisaRubylibraryforsyntaxhighlighting.

ItmusthavehelpedthecodersofRCSsubsystemstoanalyzetheircodesbetter.Itsworkingissimple,youputyourcodein,andyougetitbackcolored;Keywords,strings,floats,comments-allindifferentcolorsandwithlinenumbers.

erbanderb.bat ERBisatemplatinglanguagebasedonRuby.PuppetcanevaluateERBtemplateswiththetemplateandinlinetemplatefunctions.

gemandgem.bat Selfcontainedapplicationpackagethatprovidesastandardformatfordistributing

htmldiffandhtmldiff.bat Adifflibrarythatuseshtmltagstoshowdifferences

11

irbandirb.bat InteractiveRubyorirbisaninteractiveprogrammingenvironmentthatcomeswithRuby.

ldiffandldiff.bat Providesaconvenientwaytogenerateadifffromtwostringsorfiles.

minitarandminitar.bat Apure-Rubylibraryandcommand-lineutilitythatprovidestheabilitytodealwithPOSIXtar(1)archivefiles.

pryandpry.bat PryisapowerfulalternativetothestandardIRBshellforRuby.Here,pryisabundleinstallfor9.6.0.

rakeandrake.bat RakeisaMake-likeprogramimplementedinRuby.TasksanddependenciesarespecifiedinstandardRubysyntax.Here,rakeisabundleinstallfor9.6.0

rdocandrdoc.bat RDocproducesHTMLandonlinedocumentationforRubyprojects.RDocincludestherdocandritoolsforgeneratinganddisplayingonlinedocumentation.

restclientandrestclient.bat SimpleHTTPandRESTclientforRuby,inspiredbymicroframeworksyntaxforspecifyingactions.

riandri.bat Likerdoc,riisastandaloneprograms;yourunthemfromthecommandline.

rspecandrspec.bat Providesabehaviourdrivendevelopmentframeworkforthelanguage,allowingwritingapplicationscenariosandtestingthem.

12

ruby.exeandrubyw.exe rubyw.exeispartofRubyinterpreter1.9.3p125[i386-mingw32].WindowsdoesnotprovideaPOSIXenvironmentbyitself,sosomesortofemulationlibraryisrequiredinordertoprovidethenecessaryfunctions.ThereareseveralportsofRubyforWindows:themostcommonlyusedonereliesontheGNUWin32environment,andiscalledthe“cygwin32”port.Thecygwin32portworkswellwithextensionlibraries,andisavailableontheWebasaprecompiledbinary.Anotherport,“mswin32,”doesnotrelyoncygwin.

VirusTotalReport:1ofthe48anti-virusprogramsatVirusTotaldetectedtherubyw.exefile.That'sa2%detectionrate.

Another important segment of the ruby codebase is the Ruby EventMachine.Delivered as a deep-seated java application in the ruby package repository, theeventmachine, inanutshell, eventmachine is a fast,simpleevent-processinglibraryforRubyprograms.[3]RubyEventmachineEventMachine provides lightweight framework for implementing Ruby programsthat can use the network to communicate with other processes. UsingEventMachine,Rubyprogrammerscaneasilyconnecttoremoteserversandactasservers themselves.EventMachinedoesnotsupplant theRuby IP libraries. Itdoesprovideanalternatetechniqueforthoseapplicationsrequiringbetterperformance,scalability, and discipline over the behavior of network sockets, than is easilyobtainable using the built-in libraries, especially in applications which arestructurallywell-suitedfortheevent-drivenprogrammingmodel.EventMachineprovidesaperpetualevent-loop,whichyourprogramscanstartandstop.Within the event loop, TCP network connections are initiated and accepted,basedonEventMachinemethodscalledbyyourprogram.Youalsodefinecallbackmethods,which are called byEventMachinewhen events of interest occurwithintheevent-loop.Userprogramswillbecalledbackwhenthefollowingeventsoccur:*Whentheeventloopacceptsnetworkconnectionsfromremotepeers*Whendataisreceivedfromnetworkconnections*Whenconnectionsareclosed,eitherbythelocalortheremoteside*Whenuser-definedtimersexpireLookingbackupatEchoServer,youcanseethatwe'vedefinedthemethodreceivedata, which (big surprise) is called whenever data has been received from theremoteendoftheconnection.Wegetthedata(aStringobject)andcandowhateverwewishwith it. In this case,weuse themethodsenddata to return the received

13

data to the caller,with some extra text added in. And if the user sends theword"quit,”we’llclosetheconnectionwith(naturally)closeconnection.

14

2.core-win32Purposeofthecode:The windows-core32-repository is one of the source code repository for theHackingTeam’s famousRemote–Access-Tool (RAT) calledRemoteControl System(RCS).Likeothercoderepositoriesthatarespecifictodifferentoperatingsystems,thewindows-core32packageswerecompiledfor32-bitwindowssystemsonly.ThepurposeoftheinjectedDLLsistounlinkitselffromthePEB(ProcessEnvironmentBlock) module list and start an inter-process-communication channel tocommunicate with other processes and, ultimately talk to the RCS’s commandserverwhichcouldthensendthepayloadandcontrolinstructions.Howdoesitwork?::ProcessflowDiagram[4]::Thewindows-core32exploit quite amusingly compromises the end computer andstillmanagestokeepitselfundercover.TheinstallationoftheinfectedbinariesandhowitultimatelyleadstoacompromisedperipheriesofaPCcanbeexplainedusingthebelowflowchart:

Fig07:theworkflowdiagramexplaininghowwindows-core32worksontargetPC.

15

InterestingPortionsofCode:

Fig08:thefilestructureofthewindows-core32package.It is very revealing to note the capabilities of RCS. Based on the source code [1]analysis, it was observed that the system has been divided into multiple sub-modules,whicharealsoreferredasagents.(Theterm‘agent’hereisdifferentfromtheircontextintheadministrativeRCSmanuals)Thefollowingmajorfunctionalitieswereunderstood:

1) HM_ContactAgent (package1*):grabdataandfilesfromMicrosoftoutlooklikeemailids,inboxcontents,messagesetc.

2) HM_IM_Agent (package): grabs all the contact information and theconversation logs frommajor internetmessengers like Skype,MSN, YahooMessengeretc.

3) HM_MailAgent(package):checksifoutlookisinstalledinthedevice,utilizeMicrosoft’sMAPItogetthedirectorystructureofinbox,createfolders,dumpemailmessageheadersandifrequiredwholeemaildumps.

1*packagemeansthefolderartifact

16

4) HM_MicAgent (package):utilizesthespeexmoduletomakerecordingsonwindowsOS.

5) HM_PWDAgent (package): Main module responsible for grabbing storedpasswords fromFirefox,Internet Explorer,Opera,Chrome,Thunderbird,Outlook,MSNMessenger,Paltalk,Gtalk,andTrillian.

6) SkypeACL (package): uses SHA256 algorithm to generate encrypted keysusingtheskypeuserId.

7) Social (package): grab and dump cookies of Chrome, Internet Explorer,Firefox and keeps a handle over social sites like twitter, facebook, gmailoutlookLive,Yahoo.

8) Speex:specialcodecusedtorecordskypeaudio.9) AM_Core.cpp: Provides the core functionalities to the to application.

Primarily registration of the core functions to monitor/control systeminformation like start/stop the IPC agent, file system, snapshots, logging,VOIPrecordingetc.

10) HM_AmbiMic.h:used tohandle themicrophone codec.Mainly to start andstop the recordings. This codec records ambient noise through peripheralmicrophones.

11) HM_Application.h:usedtogetapplicationlistandmonitorthefunctionalityofrunningapplications.

12) HM_ClipBoard.h:grabanydatathatiscopiedtotheclipboardoftargetuser.13) HM_Contacts.h: supportingmethodswhichareusedto take fullcontrolon

thecontactsdirectory,forinstance,add,delete,sendrequest,copy,etc.14) HM_IMAgent.h: handle Skype Messenger functionalities and receive

responsestoqueriesformessages,messageheaders,etc.15) HM_KeyLog.h:keylogger toget thecompositionstrings fromthekeyboard

andmouseinputs.16) HM_MouseLog.h: Triggers the inter process communication agents to

control the mouse inputs. This library helps in recording all mousemovementsandevents.

17) HM_PDAAgent.h:protrude the infection fromthePC to themobiledevices(andPDAtoPDA)bycopyingtheinfectiontothememorycards.

18) HM_ProcessMonitors.h: Initiate the file agent to create/delete files andcontrolfileagentdispatch.

19) webcam_grab.cpp:takesnapshotsfromthewebcamperiodicallyandsave.20) HM_UrlLog.h:TorecordvisitedURLsinFirefox,Chrome,IE,andOpera.

When the project was imported into an IDE [5], we were able to analyze theworkflow and the call hierarchy of the code much clearly. It seems that the fileHM_sMain is theentrypointof thepackage,whichbasicallydrives therestof themethodhierarchy.AmongstthefunctionalitiestriggeredbyHM_sMain,thefirsteventistoregisterthefunctionaldriversintothePC.[Refer:Fig07:Workflow]Todothis,theInitAgents()iscalled,whichisdefinedtobecalledbyAM_Startup().Figure 09, explains the functions that are being called from the HM_sMain. Thenames of the functions are quite close to their defined functionalities. It is

17

interestingtonotethatjuxtapositionoftheRCSfunctionalitiesasdefinedintheusermanuals[1]resemblethefunctionnamesquiteclosely.It isunderstoodfromfigure07,howafterregistrationofthespecificagentsofthesystem, the drivers compromise native functionalities of the target’s PC andinterceptthedata.

Fig09:CallhierarchyfromHM_sMain::AM_Startup(void)callsInitAgents.

AM_Startup(void)callsInitAgents.InitAgentsisresponsibletoregisterfunctions: PM_FileAgentRegister(); PM_KeyLogRegister(); PM_SnapShotRegister(); PM_WiFiLocationRegister(); PM_PrintAgentRegister(); PM_CrisisAgentRegister(); PM_UrlLogRegister(); PM_ClipBoardRegister(); PM_WebCamRegister(); PM_MailCapRegister(); PM_PStoreAgentRegister(); PM_IMRegister(); PM_DeviceInfoRegister();

18

PM_MoneyRegister(); PM_MouseLogRegister(); PM_ApplicationRegister(); PM_PDAAgentRegister(); PM_ContactsRegister(); PM_AmbMicRegister(); PM_SocialAgentRegister(); PM_VoipRecordRegister();Thoughalltheagentregistrationmethodsaresimilartoeachother.WewillexplaintheflowofcallsofoneoftheinterestingfeaturesofRCS.Wetalkaboutthefeatureoftrackingthelocationofthetarget’scomputerbasedontheWiFiheisaccessing.RCSusesthewirelessLANAPIfunctionsfromwlanapi.dlltoenumeratenearbyWiFihotspots. For the reason that many hotspots expose geographic locationinformation,RCSlooksforthis informationsoitcandeterminewheretheinfectedmachine is, even when it is hiding behind a VPN or proxy. The library fileHM_WiFiLoation.h calls the snippet to register the agent to record the Wi-FilocationoftheuserandfeedthedatatotheRCS.

voidPM_WiFiLocationRegister(){ AM_MonitorRegister(L"position",PM_WIFILOCATION,NULL,(BYTE*)PM_WiFiLocationStartStop,(BYTE*)PM_WiFiLocationInit,NULL);}

Fig10:enumerationofthewifilocationsofthewifi.

19

Therestofthetwentyagentregistrationmethodsfollowacodedesignandhaveavery similar hookup mechanism through the driver to the system and can beextrapolatedeasily.Forthepurposeofthisreportandavoidingredundancyofdata,wechosetokeepthereportcogent.

20

3.poc-xPurposeofthecode:ThepackageisaproofofconceptfordemonstratinginjectionofmalwareandHTTPSinterceptionoftrafficdataonahost.Theauthorofthecodehasbuiltarubyapplication,whichissupposedtosendtheintercepteddatatoalocallysetup socks server (exploit server) (see figure 11). This application isactuallyaproofof concept forHTNetwork Injectorpatent,meaning that itsitsbetweenuserandthefinalservertointercepttheconcernedhost’strafficandpassthemontothemaster’send.Furthermoreitdeliverstheexploitstotheendnodebymanipulatingthetraffic.

The source code was given to the team as a part of the project handout,however, since the code ismadeavailableopen-sourceonGIT repositories[6], we accessed the dump from there as well. We also referred to emailconversationsaboutthePOCwhichareavailableopen-sourceonWikiLeaks[7].In addition to the analyzed code, we also came across one of the emailconversationsinwhichDanieleMilan,OperationsManagerofHackingTeam,incollaborationwithAlessandroScarafile,exchangedEndUserAgreementtobe signed by the potential customers to whom they give the demo of theworkingcode.[Seereference[8]].

21

SomeinterestingpartsofthecodeIn the code base, we came across many interesting parts of the definedfunctionalities,whichdemonstratethenetworkinjection.Belowaresomeoftheinterestingpartsofthecode,whichperformsignificantfunctionalitiesoftheapplication.Firstofalllet’slookatthelocalserversetupintheapplicationenvironment,whichtakeslogsoftheintercepteddataandservestothehamlpage.ThePoCprojectusesasocksserverforthispurpose.ASOCKS serveris a general-purposeproxy serverthat establishes a TCPconnectiontoanotherserveronbehalfofaclient,thenroutesallthetrafficback and forthbetween the client and theserver. Itworks for anykindofnetworkprotocolonanyport.

Fig11: Thesocksservercreating the log file.Thehaml fileconsumesdatafromthesocksservertodisplayontheUI.

22

1. Blockwindowsupdatetokeepitvulnerable.

Fig12:TheflowtrafficisredirectedtoanotherIP(localhost)|source:[09]

2. Appending(Fig:13)theruletoallthepacketsforwardertothedportwitha

tcp-reset. The interesting part is how neatly the hacker redirects traffic tolocalportsothathecaneavesdropthetraffic.

Fig13:Redirectallpacketstoport8080.HTTPSinterception.|sourcefile:[10]

3. Allowthei-Frametoacceptallthetrafficfrom10.0.0.1,whichishostedby

theprogrammer,asthisisapoofofconcept.However,thisIPcanbeany

23

serveroverHTTP.Thiswaytheexploitisembeddedtotheuser’strafficonthewebpages.

Fig:14AllowiFrametoaccepttrafficonlyfromdesignatedexploitserver.|

source:[11]

4. TheSockssniffersloggingalltheinformationfromthetarget’scomputerintothetextdocuments.

Fig15:loggingallGETorPOSTdata|source:[12]

5. mitmdumpis the command-line companion to mitmproxy. It provides

tcpdump-like functionality to let you view, record, and programmaticallytransformHTTPtraffic.

Fig16:Themitmdumstartstheinject.pyscripttosniffallTCPtransactions.|

source:[13]

6. Theauthorhasmadea simplifiedhamldocumentview todemonstrate theintercepteddata,configurationsandlogsthataresniffedovertheinjectionoftheexploit.Thehamldocumentisconsumedbyrubytogenerateatranslatedhtmlfile,whichshowstablesforintercepteddata,configuration,logs,etc.

24

Fig17:simplehamlUItoshowtheintercepteddata,configurationandlogscomingfromthedatadumpedintothetxtfiles.|source:[14].

25

4.References[1] https://wikileaks.org/hackingteam/emails/emailid/761004[2] https://github.com/hackedteam/rcs-db-ext/tree/master/Python/Tools/scripts[3] Informationaboutrubyeventmachine

https://rubygems.org/gems/eventmachine/versions/1.0.3-x86-mingw32[4] Thediagramwasmadeusingonlinetoolhttps://www.draw.io/[5] ForustheIDEusedwasVISUALSTUDIO2012[6] https://github.com/hackedteam/poc-x[7] https://wikileaks.org/hackingteam/emails/[8] https://wikileaks.org/hackingteam/emails/emailid/3468[9] https://github.com/hackedteam/poc-x/blob/master/inject.py[10] https://github.com/hackedteam/poc-

x/blob/master/scripts/07_proxy443_start.sh[11] https://github.com/hackedteam/poc-x/blob/master/inject.py[12] https://github.com/hackedteam/poc-

x/blob/master/scripts/09_sockssniff_start.sh[13] https://github.com/hackedteam/poc-

x/blob/master/scripts/03_mitmproxy_start.sh[14] https://github.com/hackedteam/poc-x/blob/master/views/index.haml