Categories
ctf, OS, pentest, WAAS, Web Attacks

Many a times we get caught in the trap of a server is shelled but there is nothing to go on with ; Today we will look at one such possibility that is faced. You have aย  webshell on a server however you want to use old fashioned netcat or socat to connect to it and send commands;

Problems:

  • You are not root
  • Server has no netcat or socat
  • Server has python (not really a problem here now ay ;-))

Possible Solutions

  • Get the portable versions
  • write a netcat like wrapper with python

It would be nice to go with option 1 until you meet a server that notices these bins when they land and flags them ๐Ÿ˜› . so again option 2 may apply; these admins are savage. We would love to go with a minimalistic thing that is contained in a default python install; we don’t want to try and pip our way through since again we are not root.

To deliver this we always breakdown what we need before we code;

love thy scripture for thy scripture shall salvage you on that hardened server with idiotic mistakes .

ย The steps needed are quite simpleย  really:

  • Use raw tcp sockets to open up a listener
  • Receive input in chunks of 1Mb buffers and lock us to that thread to run commands

Now we need to note that bytes aren’t always clean so always ensure your code “strips all the unnecessary clothing ;-)”

 

Native python modules can help us achieve this really ๐Ÿ˜€

  • subprocess– We need this to just run commands by invoking the system function from it
  • socket– We need this to manage raw tcp sockets basically the SYN/ACK stuff :-D… I know you get to use that isht here:-D feel proud
  • sys– we don’t really need this but then again we want clean exits so its nice to have decent breakups

shall we begin;

Creating the listener

Python loves imports so we import the 3 modules now from here we just have to write actual code ๐Ÿ˜€ ; for those that are lazy 3 steps here really:

  • Define an IP (victim IP since script will sit on server)
  • Define a port
  • Open a new TCP socket stream (will initially be blank)
  • Bind to the open TCP stream
  • Print a message to tell us if we successfully lock that ip and port to the socket.
  • Wait to accept anything and everything that lands on us ๐Ÿ˜€

Sounds like a lot of work till you see the code ๐Ÿ˜€ ; it’s actually 8 lines.

Simple Listener

Handling data from the attacker

Whileย the connection is still open and unterminated we wanna do cool things; like :ย 

  • treat everything that comes in as a command ;
  • But commands are strings so all these bytes might just need to be converted to strings.
  • have a decent breakup to close the connection
  • Tell us when we don’t have anything to say that the date isn’t going well ๐Ÿ˜€

The established socket connection will send all results back to you.

Socket Handler

You may now stroke your ego ๐Ÿ˜€

Test “connectivity”

Some things to note above my test victim is a root account as its just something quick i whipped up to replicate the attack ๐Ÿ˜€ ….

Find the script here.

2 replies on “Love thy scripture – Netcat”

Jeremiah Agwaresays:

Hii..

I just really wanted to say you have quite an amazing blog here. The way you write your articles makes it so easy for users to resonate. I must say, I am really impressed. I too am a blogger and I know the kind of work you have to put into an article to make it this amazing.

Leave a Reply

Your email address will not be published. Required fields are marked *

May 2024
M T W T F S S
 12345
6789101112
13141516171819
20212223242526
2728293031