Love thy scripture – Netcat

Many times we get caught in the trap where a server is shelled but there is nothing to go on with; today we will look at one such situation. You have a webshell on a server, but you want to use old-fashioned netcat or socat to connect to it and send commands.

Problems:

  • You are not root
  • Server has no netcat or socat
  • Server has python (not really a problem here now ay ;-))

Possible Solutions

  • Get the portable versions
  • write a netcat like wrapper with python

It would be nice to go with option 1, until you meet a server that notices these bins when they land and flags them 😛. So option 2 may apply again; these admins are savage. We would love to go with something minimalistic that is contained in a default Python install; we don't want to try and pip our way through since, again, we are not root.

To deliver this we always break down what we need before we code:

Love thy scripture, for thy scripture shall salvage you on that hardened server with idiotic mistakes.

The steps needed are quite simple really:

  • Use raw tcp sockets to open up a listener
  • Receive input in chunks of 1Mb buffers and lock us to that thread to run commands

Now we need to note that bytes aren't always clean, so always ensure your code "strips all the unnecessary clothing ;-)".


Native Python modules can help us achieve this really easily 😀

  • subprocess – we need this just to run commands by invoking the system function from it
  • socket – we need this to manage raw TCP sockets, basically the SYN/ACK stuff :-D… I know you get to use that isht here :-D, feel proud
  • sys – we don't really need this, but then again we want clean exits, so it's nice to have decent breakups

Shall we begin?

Creating the listener

Python loves imports, so we import the 3 modules; from here we just have to write the actual code 😀. For those that are lazy, 3 steps here really:

  • Define an IP (victim IP since script will sit on server)
  • Define a port
  • Open a new TCP socket stream (will initially be blank)
  • Bind to the open TCP stream
  • Print a message to tell us whether we successfully locked that IP and port to the socket.
  • Wait to accept anything and everything that lands on us 😀

Sounds like a lot of work until you see the code 😀; it's actually 8 lines.

Simple Listener

Handling data from the attacker

While the connection is still open and unterminated we wanna do cool things, like:

  • Treat everything that comes in as a command;
  • But commands are strings, so all these bytes might just need to be converted to strings;
  • Have a decent breakup to close the connection;
  • Tell us, when we don't have anything to say, that the date isn't going well 😀

The established socket connection will send all results back to you.

Socket Handler

You may now stroke your ego 😀

Test “connectivity”

Some things to note: above, my test victim is a root account, as it's just something quick I whipped up to replicate the attack 😀…
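The flip side for whoever owns that hardened server, as an added example that is not the post's script: a bind shell like the one above leaves a very recognisable artifact, a scripting interpreter (here python) holding a LISTEN socket as the web-server user. This Python script maps listening sockets in /proc/net/tcp to their owning process via /proc/<pid>/fd on Linux and flags interpreter-owned listeners; the sample /proc rows, PIDs, inodes and paths below are constructed, not taken from the post.

```python
import glob, os, re

LISTEN = "0A"   # socket state code for LISTEN in /proc/net/tcp
INTERPRETERS = {"python", "python2", "python3", "perl", "php", "ruby", "bash", "sh"}

# Constructed sample of /proc/net/tcp: sshd on :22 as root, a python3 listener on :8080 as uid 33 (www-data).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 67890 1 0 100 0 0 10 0
   2: 0100007F:D2A4 0100007F:1F90 01 00000000:00000000 00:00000000 00000000    33        0 67891 1 0 100 0 0 10 0
"""
# Constructed socket-inode -> (pid, comm, cmdline) map, shaped like what live_socket_owners() builds.
SAMPLE_OWNERS = {12345: (800, "sshd", "/usr/sbin/sshd -D"),
                 67890: (4242, "python3", "python3 /var/www/html/uploads/nc.py")}

def parse_listeners(proc_net_tcp):
    """Return LISTEN sockets from /proc/net/tcp text as dicts with ip, port, uid and inode."""
    rows = []
    for line in proc_net_tcp.splitlines():
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN:       # also skips the column-header line
            continue
        ip_hex, port_hex = f[1].split(":")
        ip = ".".join(str(b) for b in bytes.fromhex(ip_hex)[::-1])   # kernel stores IPv4 little-endian
        rows.append({"ip": ip, "port": int(port_hex, 16), "uid": int(f[7]), "inode": int(f[9])})
    return rows

def live_socket_owners():
    """Walk /proc/<pid>/fd on Linux and map socket inodes to (pid, comm, cmdline)."""
    owners = {}
    for pid_dir in glob.glob("/proc/[0-9]*"):
        try:
            comm = open(pid_dir + "/comm").read().strip()
            cmdline = open(pid_dir + "/cmdline", "rb").read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
            for fd in os.listdir(pid_dir + "/fd"):
                m = re.match(r"socket:\[(\d+)\]", os.readlink(pid_dir + "/fd/" + fd))
                if m:
                    owners[int(m.group(1))] = (int(pid_dir.rsplit("/", 1)[1]), comm, cmdline)
        except OSError:
            continue   # process exited, or /proc/<pid>/fd is unreadable without root
    return owners

def find_interpreter_listeners(listeners, owners):
    """Flag listening sockets owned by a scripting interpreter: the shape of a script bind shell."""
    hits = []
    for sock in listeners:
        pid, comm, cmdline = owners.get(sock["inode"], (None, "", ""))
        if comm in INTERPRETERS:
            hits.append({"pid": pid, "comm": comm, "cmdline": cmdline, "port": sock["port"], "uid": sock["uid"]})
    return hits
```

On a live Linux host, run `find_interpreter_listeners(parse_listeners(open("/proc/net/tcp").read()), live_socket_owners())`; resolving sockets of other users' processes needs root, since their /proc/<pid>/fd is otherwise unreadable.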

Find the script here.
