Hi all,
I am scratching my head over the fact that I am unable to get a reverse shell connection. Here are the specifics:
Lab: Pentester Job Role Path - Getting Started Module - Knowledge Check
Steps I have followed:
- scanned server with nmap and identified among other things port 80 is running an Apache webserver.
- Enumerate website and log into admin portal with credentials discovered.
- navigate to the /admin/theme.php page and edit the gettingstarted.htb/theme/Innovation/template.php theme template. Initially I change this to the GitHub - pentestmonkey/php-reverse-shell script we most likely all know and love.
- When I load the main site page with a listener set up on the correct port, I do not get a connection from the server. The premise is that when I load the page, the theme should be loaded (the theme which I have replaced with my own script) and so I should get a connection back. I do get an error in my browser from the php-reverse-shell script which is ‘WARNING: Failed to daemonise. This is quite common and not fatal. No route to host (113)’
Steps I have taken to troubleshoot:
Naturally with the ‘No route to host’ error I thought it was a simple issue with how I had configured my php-reverse-shell script with my ip and port, however I was soul-crushingly wrong. I can confirm that I was using the ipv4 address from my tun0 interface, the correct port, I only had one vpn connection at a time, I downloaded the correct vpn file, and I even tried following advice on other forum posts such as use a tcp vpn connection and set up a listener on 443 (which obviously I cannot set up a listener on a reserved port which my browser is using). I also can ping and connect to the server just fine, and ping my vpn gateway, and I can ssh into boxes. Also, the php was definitely being executed as confirmed by me using an echo 1 php script for a sanity check. I configured iptables to accept all on port 9000 (the port I was using) as well. I have tried every which possible way to configure this script to connect to my machine using different ports, and commands, none of which have worked and I have used both UDP and TCP vpn connections.
All this leads me to just a few conclusions:
- My home network gateway is blocking the connection somehow (I cannot find any configs for this so this is highly unlikely).
- There is an issue in the HTB network so that a firewall is blocking the traffic from the server box to my machine (also highly unlikely).
- I have some misunderstanding about how the server box connects to my machine through the vpn (the most likely of the conclusions). The long and short of it is I am configuring the php-reverse-shell to connect to the ip on my local tun0 interface (10.10.x.x) and on port 9000 (but I have tried many other ports), setting up a listener on my local machine on the same port I specified in the script, and executing the script on the server box by requesting the main page of the site, and getting the “WARNING: Failed to daemonise. This is quite common and not fatal. No route to host (113)” error.
Any help or insight would be greatly appreciated as this is quite a sticky situation. On my last box I obtained flags by issuing commands through repeated php script uploads which was laborious and not how the task was intended to be completed so I don’t want to do this.
Sorry for any obscurity, if there is any more info that is needed please let me know,
Thanks
update:
After doing absolutely nothing I get a new error: “WARNING: Failed to daemonise. This is quite common and not fatal. Connection timed out (110)” and the browser is trying to connect by loading. I think this indicates that the traffic is no longer being blocked (if it was in the first place).
But still no connection
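The two errors quoted above (errno 113 and errno 110) are the raw result of the target's connect() call, and each points at a different layer: "no route to host" means the sending host has no usable route or ARP/next-hop for the destination, while "connection timed out" means packets are leaving but nothing ever answers, which is what a firewall or VPN that silently drops traffic looks like. The following is an added example, not part of the original post, of a small connectivity tester that performs a TCP connect from whatever host you run it on and maps the resulting errno to a troubleshooting hint; the labels, hint text and the loopback helper functions are my own construction.

```python
import errno
import socket
import sys

# Troubleshooting hints keyed by the errno a failed connect() reports.
# 113 and 110 are the two values quoted in the post; the rest are common neighbours.
ERRNO_LABELS = {
    errno.EHOSTUNREACH: ("unreachable",
        "No route to host (113): the sender has no usable route or next-hop for the "
        "destination; check the tunnel interface is up on both ends and that the "
        "listener address is on the tunnel subnet."),
    errno.ENETUNREACH: ("net-unreachable",
        "Network unreachable (101): no route exists for the destination network at all."),
    errno.ECONNREFUSED: ("refused",
        "Connection refused (111): the host was reached but nothing is listening on "
        "that port; the listener is down or bound to a different address/port."),
    errno.ETIMEDOUT: ("timeout",
        "Connection timed out (110): SYNs leave but no reply ever comes back; typically "
        "a firewall dropping the traffic or a gateway/VPN not forwarding to the listener."),
}


def classify_connect(host, port, timeout=3.0):
    """Try a TCP connect to host:port and return (label, hint)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "connected", "TCP handshake completed; the listener is reachable."
    except socket.timeout:
        # A socket-level timeout is the same symptom as errno 110.
        return ERRNO_LABELS[errno.ETIMEDOUT]
    except OSError as exc:
        if exc.errno in ERRNO_LABELS:
            return ERRNO_LABELS[exc.errno]
        name = errno.errorcode.get(exc.errno, "unknown")
        return name.lower(), f"errno {exc.errno} ({name}): {exc.strerror}"
    finally:
        sock.close()


def local_listener():
    """Open a loopback listener on an ephemeral port; returns (socket, port).

    Constructed helper so the tester can be exercised offline against a known-good
    target; the caller is responsible for closing the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_port():
    """Return a loopback port that is currently not listening (constructed helper)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Usage: python connect_check.py <listener-ip> <port>
    target_host = sys.argv[1] if len(sys.argv) > 2 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else free_port()
    label, hint = classify_connect(target_host, target_port)
    print(f"{target_host}:{target_port} -> {label}: {hint}")
```

Running this from the attacking machine against its own tun0 address and listener port confirms the listener is bound where you think it is (anything other than "connected" there is a local problem, not a network one); running it from another host on the same VPN subnet then tells you whether the path is missing a route (113) or being filtered (110), which is exactly the distinction the two errors in the post draw.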