

To start out, let’s run an nmap scan to see what ports are open on the box. This is the command I use, but you can use whatever you like best.

From the output of the scan, we see that FTP on port 21 is open to anonymous login. We also see that there are some files present: iisstart.html and welcome.png. Port 80 is open and running Microsoft IIS 7.5, a webserver.

Remember how we saw that file on the FTP server from the nmap output? Let’s open a browser and see what we see at that page. After viewing the page source, we see that the website is just pulling up welcome.png as the image.

Let’s connect to the FTP client and see if we can add files to the website. Now let’s attempt to browse to our test file. Great! So we found that we can upload our own webpage to this IIS webserver, and then execute that webpage by browsing to it.

IIS runs code in asp/aspx, so my next thought was to create an asp/aspx payload to get a reverse shell connection. I created an aspx payload through msfvenom, but I was unable to get a reverse shell this way. Finally, I found Kali has a built-in aspx webshell located in our webshells directory. Let’s copy this down to our present working directory.

cp /usr/share/webshells/aspx/cmdasp.aspx .

Let’s connect back to the FTP client and upload this webshell. If things worked, we should be able to browse to this webshell by navigating to the following page:

Alright cool, we see the page. Let’s run dir to see if we actually have command execution, and if we do, what directory we’re in. Perfect! So we’ve got the ability to execute commands on the system. Let’s run a quick ping test to make sure we’re able to communicate from this system to ours.

No matter what I tried, I kept running into an error: “This program cannot be run in DOS mode”.

So if we can’t execute malicious code directly on the disk of the machine, how else can we get our code to run? I chose to try hosting my own SMB server first. My thought was perhaps we could execute a malicious file from a network share, and load it straight into memory.

Kali has a built-in SMB server through a python script. Let’s locate that and copy it into our current working directory.

cp /usr/share/doc/python-impacket/examples/smbserver.py .

In order to use this SMB server, we need to first create a directory to host as a fileshare. Now let’s find the Windows binary for Netcat and copy it to this directory we just made.

cp /usr/share/windows-binaries/nc.exe smb

Looks like we’ve got everything in place! Let’s spin up the server to a fileshare named “share” using the following command.

With our SMB server in place hosting the Windows binary of Netcat, we’re almost ready to instruct the webserver to connect to us. But first, we must spin up a Netcat listener to catch the connection request.

Everything’s set up! Let’s head back to the cmdasp webshell and run the following command.
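From the defender’s side, the chain above leaves a clear trail: an anonymous FTP STOR of a server-side script into the webroot, followed by HTTP requests to that same path. The script below is an added example, not part of the original post; it correlates the two on constructed, W3C-style log lines whose field order is an assumption of this example rather than an IIS default.

```python
"""Flag server-side scripts uploaded over anonymous FTP that the web server
then served (hypothetical detector; all log lines below are constructed)."""
import re
from datetime import datetime

# Constructed FTP log: date time client-ip user method path status
FTP_LOG = """\
2020-01-01 10:00:01 10.10.14.2 anonymous STOR /test.html 226
2020-01-01 10:02:10 10.10.14.2 anonymous STOR /cmdasp.aspx 226
2020-01-01 10:03:00 10.10.14.9 backup RETR /iisstart.htm 226
"""
# Constructed web log: date time client-ip method path status
WEB_LOG = """\
2020-01-01 10:00:30 10.10.14.2 GET /test.html 200
2020-01-01 10:02:40 10.10.14.2 GET /cmdasp.aspx 200
2020-01-01 10:02:55 10.10.14.2 POST /cmdasp.aspx 200
"""

# Extensions IIS (and common peers) execute rather than serve as static files.
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|asmx|php|jsp)$", re.IGNORECASE)

def parse_ftp(log):
    """Return (timestamp, ip, user, method, path, status) per FTP log line."""
    out = []
    for line in log.splitlines():
        d, t, ip, user, method, path, status = line.split()
        out.append((datetime.fromisoformat(f"{d} {t}"), ip, user, method, path, int(status)))
    return out

def parse_web(log):
    """Return (timestamp, ip, method, path, status) per web log line."""
    out = []
    for line in log.splitlines():
        d, t, ip, method, path, status = line.split()
        out.append((datetime.fromisoformat(f"{d} {t}"), ip, method, path, int(status)))
    return out

def suspicious_uploads(ftp_events):
    """Successful (226) STOR of a script file by the anonymous account."""
    return [e for e in ftp_events
            if e[2].lower() == "anonymous" and e[3] == "STOR"
            and e[5] == 226 and SCRIPT_EXT.search(e[4])]

def correlate(ftp_log, web_log, window_s=3600):
    """(path, uploader_ip, request_count) for each suspicious upload that was
    requested over HTTP within window_s seconds, i.e. an uploaded script that
    the web server went on to execute."""
    web = parse_web(web_log)
    hits = []
    for ts, ip, _user, _method, path, _status in suspicious_uploads(parse_ftp(ftp_log)):
        n = sum(1 for wts, _wip, _wm, wpath, _ws in web
                if wpath.lower() == path.lower() and 0 <= (wts - ts).total_seconds() <= window_s)
        if n:
            hits.append((path, ip, n))
    return hits

if __name__ == "__main__":
    for path, ip, n in correlate(FTP_LOG, WEB_LOG):
        print(f"ALERT: {path} uploaded via anonymous FTP from {ip}, then requested {n}x")
```

The static test.html upload is ignored; only the .aspx that was uploaded and then requested produces an alert.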
