Class Activity 8.1 - Weevely

Webshells like simple-backdoor.php are effective but are not terribly stealthy. Basic IDS/IPS systems will be able to detect "shell-like" behavior by seeing content that looks like commands, prompts and sensitive files like /etc/passwd.

Wireshark Capture of traditional webshell

Target pippin with a traditional webshell and capture the dump of /etc/passwd with Wireshark on your interface.

  • Start Wireshark.

  • Run the following command to get the dump of /etc/passwd (the URL is quoted so the shell does not try to expand the ? as a glob pattern):

sudo curl 'http://10.0.5.25:80/upload/simple-backdoor.php?cmd=cat+/etc/passwd'

Deliverable 1. Provide a screenshot that shows the relevant TCP stream similar to the one below. Create a capture filter on port 80 when you do so.

Wireshark capture filtered on TCP port 80
  • The following packet in Wireshark is my GET request asking the server to dump the /etc/passwd file.

  • The following packet in Wireshark is the HTTP 200 response, meaning that the server accepted my request and sent me back the dump of /etc/passwd.

  • In "Line-based text data" you should be able to see the dump in the dropdown!

Dump of /etc/passwd

Weevely

Helpful resource: https://github.com/epinna/weevely3/wiki/Getting-Started

Deliverable 2. Investigate Weevely (a tool shipped with Kali). Create a uniquely named PHP agent, upload the agent to pippin, and carry on a session.

Weevely is an advanced web shell in which shell instances are 'managed' through an agent instance. The initial PHP script creates a functional backdoor for dynamic remote administration and uses obfuscated request traffic to avoid detection.

https://support.alertlogic.com/hc/en-us/articles/115005896483-PHP-Web-Shell-Weevely

Weevely on Kali

Generate Weevely Agent

sudo weevely generate <password> <file.php>

Generating the Weevely agent

Contents of the generated PHP file

Put the file in the Pippin server

put <file.php>

Start a Session

Use the following command to start a Weevely session with the Pippin host:

sudo weevely http://10.0.5.25/path/to/file.php <password>

Once you have a successful session, run the following commands:

  • id

  • whoami

Weevely session

Wireshark capture of /etc/passwd

Deliverable 3. Show a dump of /etc/passwd on wireshark. Make sure to use a capture filter for port 80.

Capture of Weevely getting the /etc/passwd dump. When we are making the request for this file, the server is sending the information over the network encrypted. Weevely then has a key to decrypt the information and show the user (me) the /etc/passwd dump in the terminal. As the data is traveling over the network encrypted, it is much more stealthy and less likely to be detected than if it was in plain text or backdoor commands.

  • You will notice that there are 2 HTTP 200 OK packets. The first packet is most likely some encrypted communication from the server about how to decrypt the /etc/passwd file. We can't know for sure what it is, as it's encrypted.

First HTTP OK encrypted information
  • Below is the second HTTP 200 OK packet, and we know that this one contains the actual /etc/passwd dump, as it's much longer than the first one.

    • "truncated" means that the information is much longer; it's just showing a shorter version.

As you see below, running cat /etc/passwd displays the output unencrypted to the user!
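To make concrete why a content-signature IDS catches the simple-backdoor.php exchange from Deliverable 1 but has nothing to match in the obfuscated Weevely exchange from Deliverable 3, here is an added example (not part of the class activity or of the Weevely project) that runs a few basic rules over two constructed request/response pairs. The host, paths and blob values are made up for the example.

```python
import re

# Constructed sample exchanges (not captured from the lab host).
# The first mimics the simple-backdoor.php request and its plaintext reply.
PLAINTEXT_REQUEST = (
    "GET /upload/simple-backdoor.php?cmd=cat+/etc/passwd HTTP/1.1\r\n"
    "Host: 10.0.5.25\r\n\r\n"
)
PLAINTEXT_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<pre>\n"
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n</pre>"
)
# The second mimics what an obfuscating agent looks like on the wire: neither
# the command nor the file content is readable, only opaque blobs (made up).
OBFUSCATED_REQUEST = (
    "POST /upload/agent.php HTTP/1.1\r\nHost: 10.0.5.25\r\n"
    "Cookie: id=d3Z4Zzl0Zmg2bWxzOXBs\r\n\r\nNnc3aGs5cTJ4ZnpyMXRs"
)
OBFUSCATED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>k9Q2xFzR1tLmP7vB0cYdH3nWqA8sJ5uE</body></html>"
)

# Content signatures in the style of a basic IDS rule set: shell commands in a
# cmd= parameter, sensitive paths in the request, /etc/passwd-shaped reply lines.
REQUEST_RULES = {
    "shell-command-in-cmd-param": re.compile(r"[?&]cmd=(cat|id|whoami|ls|uname)\b", re.I),
    "sensitive-file-path": re.compile(r"/etc/(passwd|shadow)\b"),
}
RESPONSE_RULES = {
    "passwd-content": re.compile(r"^root:x:0:0:", re.M),
    "nologin-shell": re.compile(r":/usr/sbin/nologin$", re.M),
}

def split_http(message: str) -> tuple[str, str]:
    """Split an HTTP message into (start line + headers, body)."""
    head, _, body = message.partition("\r\n\r\n")
    return head, body

def inspect_pair(request: str, response: str) -> list[str]:
    """Return the names of the rules that fire on one request/response pair."""
    req_head, _ = split_http(request)
    _, resp_body = split_http(response)
    hits = [name for name, rx in REQUEST_RULES.items() if rx.search(req_head)]
    hits += [name for name, rx in RESPONSE_RULES.items() if rx.search(resp_body)]
    return hits
```

Calling inspect_pair() on the plaintext pair fires all four rules, while the obfuscated pair fires none, which is why detecting such agents has to lean on other signals, such as new PHP files appearing in an upload directory or a script that only ever exchanges opaque bodies with a single client.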
