- #NETCAT REVERSE SHELL WITHOUT E WITH VPN CODE#
- #NETCAT REVERSE SHELL WITHOUT E WITH VPN WINDOWS#
#NETCAT REVERSE SHELL WITHOUT E WITH VPN WINDOWS#
Transferred the windows binary for nc.exe and attempted to execute locally on the disk. Turning Command Execution to Reverse Shell The output confirms that our box received a ping request from the webserver - great! So we have command execution and can communicate to/from the box, but how do we turn this into an interactive reverse shell? I started a quick tcpdump to capture ICMP requests to/from my VPN connection using the below command, and then execute the ping command in our webshell. Let’s run a quick ping test to make sure we’re able to communicate from this system to ours. Perfect! So we’ve got the ability to execute commands on the system. Let’s run dir to see if we actually have command execution, and if we do, what directory we’re in. If things worked, we should be able to browse to this webshell by navigating to the following page: Īlright cool, we see the page. Let’s connect back to the FTP client and upload this webshell. Let’s copy this down to our present working directory.Ĭp /usr/share/webshells/aspx/cmdasp.aspx. I created an aspx payload through msfvenom, but I was unable to get a reverse shell this way.įinally, I found Kali has a built-in aspx webshell located in our webshells directory. 
#NETCAT REVERSE SHELL WITHOUT E WITH VPN CODE#
IIS runs code in asp/aspx, so my next thought was to create an asp/aspx payload to get a reverse shell connection. Great! So we found that we can upload our own webpage to this IIS webserver, and then execute that webpage by browsing to it. Now let’s attempt to browse to our test file. Let’s connect to the FTP client & see if we can add files to the website. Remember how we saw that file on the FTP server from the nmap output? Let’s open a browser and see what we see at that page.Īfter viewing the page source, we see that the website is just pulling up welcome.png as the image. Port 80 is open and running Microsoft IIS 7.5, a webserver. We also see that there are some files present iisstart.html & welcome.png.
This is the command I use, but you can use whatever you like best.įrom the output of the scan, we see that FTP on port 21 is open to anonymous login. To start out, let’s run a nmap scan to see what ports are open on the box.
Turning Command Execution to Reverse Shell. I’m rating this as an easy box since the privilege escalation piece was simple when utilizing a kernel exploit, and the the initial way in isn’t super realistic. This was a simple box, but I did run into a curve-ball when getting my initial foothold.
0 kommentar(er)
