
Windows 10 Reverse Shell Fails to be Established

Open Mister-Joe opened this issue 3 years ago • 5 comments

Bug Description

pwncat terminates with the error connection failed: channel receive timed out: b'' a few seconds after receiving a connection from a Windows 10 reverse shell

pwncat version

$ pwncat --version
0.4.3

Target System (aka "victim")

The system in question is "Algernon" from Offensive Security Proving Grounds


Steps to Reproduce

  1. [screenshot]
  2. Run exploit for RCE vulnerability in SmarterMail: https://www.exploit-db.com/exploits/49216
  3. [screenshot]

Expected Behavior

pwncat should establish a fully-interactive (Windows) reverse shell

Screenshots

As shown in the following screenshot, netcat successfully receives the reverse powershell shell.


Mister-Joe avatar Oct 07 '21 06:10 Mister-Joe

I'm getting the same issue with a PowerShell one-liner.

fsacer avatar Dec 25 '21 12:12 fsacer

Windows support is currently in a... precarious state... pwncat utilizes a staged C2 which is currently written to disk. Windows Defender has a detection specifically for pwncat and blocks it from executing, which is my initial thought when I see problems like this.

There could also be other issues. For example, many Windows shell implementations do not actually provide full STDIO access for the shell. A lot of them line buffer the IO, which will break pwncat when it tries to spawn the C2 (assuming that the C2 isn't blocked by Defender).

I need to revisit the Windows implementation within pwncat soon, but haven't had the time.

calebstewart avatar Dec 26 '21 08:12 calebstewart

Ah cool, well maybe there is no need for that staged C2. I thought I could just use pwncat to handle multiple nc sessions, since there aren't any good tools for that AFAIK.

fsacer avatar Dec 26 '21 08:12 fsacer

I am having the same issue. Any chance of solving this issue soon?

PinkPantherX avatar Mar 02 '22 12:03 PinkPantherX

In some situations, certain payloads from revshells.com won't work, but payloads from msfvenom will work.

Therefore, I suggest you try generating a payload using msfvenom (you can use hta-psh to get a base64 PowerShell payload).

RealFakeAccount avatar Jun 05 '22 14:06 RealFakeAccount