Many a times we get caught in the trap of a server is shelled but there is nothing to go on with ; Today we will look at one such possibility that is faced. You have a webshell on a server however you want to use old fashioned netcat or socat to connect to it and send commands;
- You are not root
- Server has no netcat or socat
- Server has python (not really a problem here now ay ;-))
- Get the portable versions
- write a netcat like wrapper with python
It would be nice to go with option 1 until you meet a server that notices these bins when they land and flags them 😛 . so again option 2 may apply; these admins are savage. We would love to go with a minimalistic thing that is contained in a default python install; we don’t want to try and pip our way through since again we are not root.
To deliver this we always breakdown what we need before we code;
love thy scripture for thy scripture shall salvage you on that hardened server with idiotic mistakes .
The steps needed are quite simple really:
- Use raw tcp sockets to open up a listener
- Receive input in chunks of 1Mb buffers and lock us to that thread to run commands
Now we need to note that bytes aren’t always clean so always ensure your code “strips all the unnecessary clothing ;-)”
Native python modules can help us achieve this really 😀
- subprocess– We need this to just run commands by invoking the system function from it
- socket– We need this to manage raw tcp sockets basically the SYN/ACK stuff :-D… I know you get to use that isht here:-D feel proud
- sys– we don’t really need this but then again we want clean exits so its nice to have decent breakups
shall we begin;
Creating the listener
Python loves imports so we import the 3 modules now from here we just have to write actual code 😀 ; for those that are lazy 3 steps here really:
- Define an IP (victim IP since script will sit on server)
- Define a port
- Open a new TCP socket stream (will initially be blank)
- Bind to the open TCP stream
- Print a message to tell us if we successfully lock that ip and port to the socket.
- Wait to accept anything and everything that lands on us 😀
Sounds like a lot of work till you see the code 😀 ; it’s actually 8 lines.
Handling data from the attacker
While the connection is still open and unterminated we wanna do cool things; like :
- treat everything that comes in as a command ;
- But commands are strings so all these bytes might just need to be converted to strings.
- have a decent breakup to close the connection
- Tell us when we don’t have anything to say that the date isn’t going well 😀
The established socket connection will send all results back to you.
You may now stroke your ego 😀
Some things to note above my test victim is a root account as its just something quick i whipped up to replicate the attack 😀 ….
Find the script here.