
In this guide I show how to launch a base64-encoded shellcode payload using an open source package named CACTUSTORCH. Here's how to disguise and launch your shellcode with Cactustorch.

What you need

Attack Plan

The strategy is to generate a meterpreter reverse TCP shell in Metasploit using msfvenom. The payload is then base64-encoded and placed into the value of a variable in a predefined template set up by the author of Cactustorch, Vincent Yiu.

Setup

Start a Kali Linux VirtualBox instance.

Now start a Windows 7 VirtualBox instance and ensure both machines are on the same network (ping between them and verify the VirtualBox network settings).

Generate the Payload

# put the convenience script in your root dir and run it
root@kali:~ ./cactus.sh
This dramatically eases the creation of payloads for this step.
Note that the files are written to the /var/www/html folder, the document root the apache2 web service serves files from.

If you are familiar with using msfvenom to generate payloads you will quickly recognize what is happening here. The convenience bash script is 1) generating the payload and then 2) hosting the payload with the apache2 web server service. This is identical to the two separate steps of the normal process: generating a payload and then starting apache to host it.

Host and Deliver the Payload

To deliver the payload (the meterpreter reverse TCP shell) you have multiple options. An HTA file is a full-fledged application in this Microsoft-defined file format. To use the JavaScript payload instead, reference its filename as a script source in an HTML file.

Open a web browser (IE or Chrome) on your Windows 7 instance and go to the IP address of your Kali Linux instance. This should resolve to the content served by the apache2 web server now running on Kali.

For the purposes of this tutorial I chose to launch the shellcode via the HTA file option, but here is an example of using JavaScript.

Run the Payload

Download and run the HTA file and move past any silly warnings by Microsoft.

The convenience script chooses shikata_ga_nai as the encoder for the x86 Windows payload. If you are successful the shell will call back to your Kali Linux instance and you will be able to launch remote commands.
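From the defender's side, what this procedure leaves on disk is a script file (HTA or JS) carrying one unusually large base64 literal whose decoded bytes are opaque. The following Python scanner is an added example, not part of this guide or of the CACTUSTORCH project: it pulls long base64 literals out of a script, decodes them and flags those whose decoded content has high Shannon entropy. The 64-character minimum, the 6.0-bit threshold and the sample script are all constructed for the example.

```python
import base64
import binascii
import math
import re

# Quoted literal of at least 64 base64 characters (64 is a constructed threshold).
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{64,}={0,2})["\']')


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encoded/encrypted shellcode sits near 8, readable text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_encoded_blobs(text: str, min_entropy: float = 6.0):
    """Return (literal_len, decoded_len, entropy) for each high-entropy base64 literal."""
    hits = []
    for match in B64_LITERAL.finditer(text):
        literal = match.group(1)
        try:
            raw = base64.b64decode(literal, validate=True)
        except binascii.Error:
            continue  # not valid base64 (e.g. bad padding); skip it
        entropy = shannon_entropy(raw)
        if entropy >= min_entropy:
            hits.append((len(literal), len(raw), round(entropy, 2)))
    return hits


# Constructed sample: one JS-style variable holding opaque bytes, one holding plain text.
OPAQUE_B64 = base64.b64encode(bytes(range(256)) * 2).decode()
TEXT_B64 = base64.b64encode(b"This is an ordinary configuration string. " * 3).decode()
SAMPLE_SCRIPT = f"""<html><head><script>
var code = "{OPAQUE_B64}";
var note = "{TEXT_B64}";
</script></head></html>"""

if __name__ == "__main__":
    for literal_len, decoded_len, entropy in find_encoded_blobs(SAMPLE_SCRIPT):
        print(f"suspicious literal: {literal_len} chars -> {decoded_len} bytes, entropy {entropy}")
```

Only the opaque literal is reported; the base64-encoded plain text decodes to low-entropy bytes and is ignored, which keeps the check from firing on ordinary encoded strings.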

error: