id: privesc-socat

info:
  name: Socat - Privilege Escalation
  author: daffainfo
  severity: high
  description: |
    Socat is a command-line utility that establishes two bidirectional byte streams and transfers data between them. It can be used for a wide range of networking tasks, such as file transfer, port forwarding, and network testing. Socat is known for its versatility and is often used for creating complex network connections and proxies.
  reference:
    - https://gtfobins.github.io/gtfobins/socat/
  metadata:
    verified: true
  tags: code,linux,socat,privesc

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      whoami

  - engine:
      - sh
      - bash
    source: |
      socat stdin exec:whoami

  - engine:
      - sh
      - bash
    source: |
      sudo socat stdin exec:whoami

    matchers-condition: and
    matchers:
      - type: word
        part: code_1_response
        words:
          - "root"
        negative: true

      - type: dsl
        dsl:
          - 'contains(code_2_response, "root")'
          - 'contains(code_3_response, "root")'
        condition: or
# digest: 4a0a004730450220755e5136cf6b0ec3b416358ecc2a90892c26dab2f7a3fbb6ef098cdfe1ac68d8022100f798e038d59ab5edcbefa1ed088bd0d541ef503ae79805012bebf24995cac979:922c64590222798bb761d5b6d8e72950