Socat
Notes from completing this module on Hack The Box Academy (Tier II)
When to use?
When facing a Windows system.
When we cannot establish an SSH session with the pivot.
Reverse shell with Socat
We can use the tool Socat to perform port forwarding on Windows and Linux systems. Socat acts like a bidirectional traffic redirector. Using Socat can be an alternative to SSH.
To demonstrate how it is possible to obtain a reverse shell from the Windows server using Socat, we will replicate the previous scenario involving three systems.
Attacker host: 10.10.15.128
The Ubuntu server: the pivot, with two interfaces
    ens192: 10.129.202.64
    ens224: 172.16.5.129
The Windows server: 172.16.5.19
Start the Socat listener on the Ubuntu server
We compromised the Ubuntu server and gained SSH credentials to authenticate to the system. Then, on the Ubuntu server, we could start a Socat listener. The command below tells Socat to listen on port 8080 and to forward all traffic arriving there to our attacker machine (10.10.15.58) on port 3333.
Configure the multi-handler on our attacker machine
We configured our listener using Metasploit on localhost. Our attacker machine is listening on port 3333 for any incoming connections.
Crafting and transferring the payload on the Windows server
The commands below create the payload that will be executed on the Windows server. When executed, the payload connects back to the Ubuntu server on port 8080, using the 172.16.5.129 interface.
We transferred the payload to the Windows server in two steps. We used the scp utility to transfer the payload from our attacker machine to the Ubuntu server. Then, we used the Invoke-WebRequest cmdlet to transfer the payload from the Ubuntu server to the Windows system.
We are able to get an RDP session on the Windows server (172.16.5.19) using local port forwarding with the Ubuntu server as the pivot. This allows us to upload and execute the payload on the target system.
The command below tells SSH to forward all traffic sent to our localhost port 1234 to the Windows system port 3389.
Executing the payload
We executed the payload on the Windows server. As said earlier, the payload connects back to the Ubuntu server on port 8080. Because we configured a TCP redirector with Socat, all traffic arriving on the Ubuntu server on port 8080 was forwarded to our attacker machine on port 3333, where our multi/handler is listening.
As can be seen in the image below, we successfully got a connection back to our attacker machine on port 3333.
Bind Shell with Socat
Bind shells are also possible using Socat. With a bind shell, our attacker machine connects to the Socat redirector on the Ubuntu server, and the traffic is then forwarded to an open port on the Windows server. This differs from the reverse shell scenario, where the Windows server connects back to the Ubuntu server (pivot) and the connection is forwarded to our attacker machine.
Hack The Box provided an illustration of this scenario.
Creating a bind shell payload
We created a bind shell payload using MSFVenom. When executed on the Windows server, this payload opens port 8443 on the system. We transferred the bind shell payload to the Windows server using the same two steps detailed in the previous scenario.
Configure the Socat redirector
We configured the Socat redirector on the pivot host so that all traffic arriving on port 8080 is forwarded to the Windows server (172.16.5.19) on port 8443. In other words, port 8080 on the Ubuntu server listens for incoming connections and forwards them to the Windows server on port 8443.
Configure the bind multi/handler on our attacker machine
We configured our bind multi/handler to connect to the port 8080 on the Ubuntu server.
Executing the bind payload on the Windows Server
As soon as the payload was executed on the Windows server, port 8443 was opened on that host. We then observed a bind connection from our attacker machine to the pivot host (port 8080), which gave us a bind shell on the Windows server.
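As an added example (not part of these notes or of the HTB module), this is the redirector role Socat plays on the pivot in both scenarios above, the reverse-shell listener forwarding port 8080 to the attacker's handler and the bind-shell redirector forwarding port 8080 to the Windows server's port 8443, written as a small Python TCP relay. It binds ephemeral localhost ports instead of a fixed 8080 so it can be exercised on one machine; the echo server is a stand-in for whichever far end the relay points at, and the pump, handle, serve, start_relay and relay_roundtrip names are chosen here, not taken from Socat.

```python
import contextlib
import socket
import threading

def pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the far peer sees EOF too."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def handle(client, target):
    """One accepted client: open the upstream leg, pump both directions, close when both legs end."""
    try:
        upstream = socket.create_connection(target)
    except OSError:
        client.close()  # upstream unreachable: nothing to relay, drop the client
        return
    back = threading.Thread(target=pump, args=(upstream, client))
    back.start()
    pump(client, upstream)  # forward leg runs on this thread, return leg on 'back'
    back.join()
    client.close()
    upstream.close()

def serve(on_connection):
    """Listen on an ephemeral localhost port; each accepted socket goes to on_connection in a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=on_connection, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def start_relay(target_host, target_port):
    """The pivot's redirector: what 'socat TCP4-LISTEN:<port>,fork TCP4:<host>:<port>' does."""
    return serve(lambda client: handle(client, (target_host, target_port)))

def relay_roundtrip(payload):
    """Client -> relay -> far end and back; returns the bytes that came back through the relay."""
    echo_port = serve(lambda conn: pump(conn, conn))  # constructed far end: echoes its input
    relay_port = start_relay("127.0.0.1", echo_port)
    with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # our EOF travels through the relay to the far end
        return b"".join(iter(lambda: s.recv(4096), b""))
```

Defensively, note that a relay like this shows up on the pivot as one inbound connection on the listening port paired with one outbound connection to the destination, which is the pattern to look for in netstat or flow logs.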